In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: MGMT: Fix slab-use-after-free Read in mgmt_remove_adv_monitor_sync
This fixes the following crash (the allocation and free traces below show the pending MGMT command, allocated on the MGMT socket send path, being freed via mgmt_pending_foreach during __mgmt_power_off while the hci_cmd_sync work in mgmt_remove_adv_monitor_sync still dereferences it):
================================================================== BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_sync+0x3a/0xd0 net/bluetooth/mgmt.c:5543 Read of size 8 at addr ffff88814128f898 by task kworker/u9:4/5961
CPU: 1 UID: 0 PID: 5961 Comm: kworker/u9:4 Not tainted 6.12.0-syzkaller-10684-gf1cd565ce577 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: hci0 hci_cmd_sync_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 mgmt_remove_adv_monitor_sync+0x3a/0xd0 net/bluetooth/mgmt.c:5543 hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:332 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK>
Allocated by task 16026: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4314 kmalloc_noprof include/linux/slab.h:901 [inline] kzalloc_noprof include/linux/slab.h:1037 [inline] mgmt_pending_new+0x65/0x250 net/bluetooth/mgmt_util.c:269 mgmt_pending_add+0x36/0x120 net/bluetooth/mgmt_util.c:296 remove_adv_monitor+0x102/0x1b0 net/bluetooth/mgmt.c:5568 hci_mgmt_cmd+0xc47/0x11d0 net/bluetooth/hci_sock.c:1712 hci_sock_sendmsg+0x7b8/0x11c0 net/bluetooth/hci_sock.c:1832 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:726 sock_write_iter+0x2d7/0x3f0 net/socket.c:1147 new_sync_write fs/read_write.c:586 [inline] vfs_write+0xaeb/0xd30 fs/read_write.c:679 ksys_write+0x18f/0x2b0 fs/read_write.c:731 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 16022: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2338 [inline] slab_free mm/slub.c:4598 [inline] kfree+0x196/0x420 mm/slub.c:4746 mgmt_pending_foreach+0xd1/0x130 net/bluetooth/mgmt_util.c:259 __mgmt_power_off+0x183/0x430 net/bluetooth/mgmt.c:9550 hci_dev_close_sync+0x6c4/0x11c0 net/bluetooth/hci_sync.c:5208 hci_dev_do_close net/bluetooth/hci_core.c:483 [inline] hci_dev_close+0x112/0x210 net/bluetooth/hci_core.c:508 sock_do_ioctl+0x158/0x460 net/socket.c:1209 sock_ioctl+0x626/0x8e0 net/socket.c:1328 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f
[
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"length": 234.0,
"function_hash": "188951250416397621075875025256401914163"
},
"id": "CVE-2024-58013-2e7483b7",
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@75e65b983c5e2ee51962bfada98a79d805f28827",
"target": {
"file": "net/bluetooth/mgmt.c",
"function": "mgmt_remove_adv_monitor_sync"
}
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"66349048599432437731463015946326339105",
"234297485614062052957251517179506190263",
"303395333723063929358545007011193744584",
"313870576064100848146687528185195845546",
"184333954291961376232733270698953007504",
"252685156808170991245494068186715799128",
"208722135231890593908715995775512448019",
"197037238485520398944330197264546739492",
"288826249208553250723177425767114319874"
]
},
"id": "CVE-2024-58013-61b3819d",
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@75e65b983c5e2ee51962bfada98a79d805f28827",
"target": {
"file": "net/bluetooth/mgmt.c"
}
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"66349048599432437731463015946326339105",
"234297485614062052957251517179506190263",
"303395333723063929358545007011193744584",
"313870576064100848146687528185195845546",
"184333954291961376232733270698953007504",
"252685156808170991245494068186715799128",
"208722135231890593908715995775512448019",
"197037238485520398944330197264546739492",
"288826249208553250723177425767114319874"
]
},
"id": "CVE-2024-58013-63b98693",
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ebb90f23f0ac21044aacf4c61cc5d7841fe99987",
"target": {
"file": "net/bluetooth/mgmt.c"
}
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"length": 234.0,
"function_hash": "188951250416397621075875025256401914163"
},
"id": "CVE-2024-58013-6a875633",
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@26fbd3494a7dd26269cb0817c289267dbcfdec06",
"target": {
"file": "net/bluetooth/mgmt.c",
"function": "mgmt_remove_adv_monitor_sync"
}
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"length": 234.0,
"function_hash": "188951250416397621075875025256401914163"
},
"id": "CVE-2024-58013-706420f8",
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0f3d05aacbfcf3584bbd9caaee34cb02508dab68",
"target": {
"file": "net/bluetooth/mgmt.c",
"function": "mgmt_remove_adv_monitor_sync"
}
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"length": 234.0,
"function_hash": "188951250416397621075875025256401914163"
},
"id": "CVE-2024-58013-892c9abb",
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ebb90f23f0ac21044aacf4c61cc5d7841fe99987",
"target": {
"file": "net/bluetooth/mgmt.c",
"function": "mgmt_remove_adv_monitor_sync"
}
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"66349048599432437731463015946326339105",
"234297485614062052957251517179506190263",
"303395333723063929358545007011193744584",
"313870576064100848146687528185195845546",
"184333954291961376232733270698953007504",
"252685156808170991245494068186715799128",
"208722135231890593908715995775512448019",
"197037238485520398944330197264546739492",
"288826249208553250723177425767114319874"
]
},
"id": "CVE-2024-58013-911500b0",
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@26fbd3494a7dd26269cb0817c289267dbcfdec06",
"target": {
"file": "net/bluetooth/mgmt.c"
}
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"66349048599432437731463015946326339105",
"234297485614062052957251517179506190263",
"303395333723063929358545007011193744584",
"313870576064100848146687528185195845546",
"184333954291961376232733270698953007504",
"252685156808170991245494068186715799128",
"208722135231890593908715995775512448019",
"197037238485520398944330197264546739492",
"288826249208553250723177425767114319874"
]
},
"id": "CVE-2024-58013-a3bfeb26",
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0f3d05aacbfcf3584bbd9caaee34cb02508dab68",
"target": {
"file": "net/bluetooth/mgmt.c"
}
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"length": 476.0,
"function_hash": "287418866637327495465328735298454615975"
},
"id": "CVE-2024-58013-e377a922",
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ebb90f23f0ac21044aacf4c61cc5d7841fe99987",
"target": {
"file": "net/bluetooth/mgmt.c",
"function": "mgmt_remove_adv_monitor_complete"
}
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"length": 476.0,
"function_hash": "287418866637327495465328735298454615975"
},
"id": "CVE-2024-58013-eb4b2586",
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@75e65b983c5e2ee51962bfada98a79d805f28827",
"target": {
"file": "net/bluetooth/mgmt.c",
"function": "mgmt_remove_adv_monitor_complete"
}
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"length": 476.0,
"function_hash": "287418866637327495465328735298454615975"
},
"id": "CVE-2024-58013-edaf97aa",
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@26fbd3494a7dd26269cb0817c289267dbcfdec06",
"target": {
"file": "net/bluetooth/mgmt.c",
"function": "mgmt_remove_adv_monitor_complete"
}
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"length": 476.0,
"function_hash": "287418866637327495465328735298454615975"
},
"id": "CVE-2024-58013-ff4bc884",
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0f3d05aacbfcf3584bbd9caaee34cb02508dab68",
"target": {
"file": "net/bluetooth/mgmt.c",
"function": "mgmt_remove_adv_monitor_complete"
}
}
]