CVE-2025-38593
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-38593
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38593.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-38593
- Downstream
- Published
- 2025-08-19T17:15:37Z
- Modified
- 2025-09-06T13:01:48Z
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hcisync: fix double free in 'hcidiscoveryfilterclear()'
Function 'hcidiscoveryfilter_clear()' frees 'uuids' array and then sets it to NULL. There is a tiny chance of the following race:
'hcicmdsync_work()'
'updatepassivescan_sync()'
'hciupdatepassivescansync()'
'hci_discovery_filter_clear()' kfree(uuids); <-------------------------preempted--------------------------------> 'start_service_discovery()' 'hci_discovery_filter_clear()' kfree(uuids); // DOUBLE FREE <-------------------------preempted--------------------------------> uuids = NULL;To fix it let's add locking around 'kfree()' call and NULL pointer assignment. Otherwise the following backtrace fires:
[ ] ------------[ cut here ]------------ [ ] kernel BUG at mm/slub.c:547! [ ] Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP [ ] CPU: 3 UID: 0 PID: 246 Comm: bluetoothd Tainted: G O 6.12.19-kernel #1 [ ] Tainted: [O]=OOTMODULE [ ] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ ] pc : _slabfree+0xf8/0x348 [ ] lr : _slabfree+0x48/0x348 ... [ ] Call trace: [ ] _slabfree+0xf8/0x348 [ ] kfree+0x164/0x27c [ ] startservicediscovery+0x1d0/0x2c0 [ ] hcisocksendmsg+0x518/0x924 [ ] _socksendmsg+0x54/0x60 [ ] sockwriteiter+0x98/0xf8 [ ] doiterreadvwritev+0xe4/0x1c8 [ ] vfswritev+0x128/0x2b0 [ ] dowritev+0xfc/0x118 [ ] _arm64syswritev+0x20/0x2c [ ] invokesyscall+0x68/0xf0 [ ] el0svccommon.constprop.0+0x40/0xe0 [ ] doel0svc+0x1c/0x28 [ ] el0svc+0x30/0xd0 [ ] el0t64synchandler+0x100/0x12c [ ] el0t64sync+0x194/0x198 [ ] Code: 8b0002e6 eb17031f 54fffbe1 d503201f (d4210000) [ ] ---[ end trace 0000000000000000 ]---
- References