Products
Linux kernel
Source
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Tags
CVE-2023-52830 details
Last Modified : May 21, 2024, 4:53 p.m.
Description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix double free in hci_conn_cleanup syzbot reports a slab use-after-free in hci_conn_hash_flush [1]. After releasing an object using hci_conn_del_sysfs in the hci_conn_cleanup function, releasing the same object again using the hci_dev_put and hci_conn_put functions causes a double free. Here's a simplified flow: hci_conn_del_sysfs: hci_dev_put put_device kobject_put kref_put kobject_release kobject_cleanup kfree_const kfree(name) hci_dev_put: ... kfree(name) hci_conn_put: put_device ... kfree(name) This patch drop the hci_dev_put and hci_conn_put function call in hci_conn_cleanup function, because the object is freed in hci_conn_del_sysfs function. This patch also fixes the refcounting in hci_conn_add_sysfs() and hci_conn_del_sysfs() to take into account device_add() failures. This fixes CVE-2023-28464.
CVSS Score
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 |
---|
Weakness
Weakness | Name | Description |
---|
References
URL | Source |
---|---|
https://git.kernel.org/stable/c/3c4236f1b2a715e878a06599fa8b0cc21f165d28 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
https://git.kernel.org/stable/c/53d61daf35b1bbf3ae06e852ee107aa2f05b3776 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
https://git.kernel.org/stable/c/56a4fdde95ed98d864611155f6728983e199e198 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
https://git.kernel.org/stable/c/5c53afc766e07098429520b7677eaa164b593451 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
https://git.kernel.org/stable/c/87624b1f9b781549e69f92db7ede012a21cec275 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
https://git.kernel.org/stable/c/a85fb91e3d728bdfc80833167e8162cce8bc7004 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
https://git.kernel.org/stable/c/ba7088769800d9892a7e4f35c3137a5b3e65410b | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
https://git.kernel.org/stable/c/fc666d1b47518a18519241cae213de1babd4a4ba | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |