CVE-2023-53046
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2023-53046
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53046.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2023-53046
- Downstream
- Related
- Published
- 2025-05-02T15:55:03Z
- Modified
- 2025-10-14T09:08:56.649610Z
- Summary
- Bluetooth: Fix race condition in hci_cmd_sync_clear
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: Fix race condition in hcicmdsync_clear
There is a potential race condition in hcicmdsyncwork and hcicmdsyncclear, and could lead to use-after-free. For instance, hcicmdsyncwork is added to the 'reqworkqueue' after cancelworksync The entry of 'cmdsyncworklist' may be freed in hcicmdsyncclear, and causing kernel panic when it is used in 'hcicmdsync_work'.
Here's the call trace:
dumpstacklvl+0x49/0x63 printreport.cold+0x5e/0x5d3 ? hcicmdsyncwork+0x282/0x320 kasanreport+0xaa/0x120 ? hcicmdsyncwork+0x282/0x320 _asanreportload8noabort+0x14/0x20 hcicmdsyncwork+0x282/0x320 processonework+0x77b/0x11c0 ? _rawspinlockirq+0x8e/0xf0 workerthread+0x544/0x1180 ? pollidle+0x1e0/0x1e0 kthread+0x285/0x320 ? processonework+0x11c0/0x11c0 ? kthreadcompleteandexit+0x30/0x30 retfrom_fork+0x22/0x30 </TASK>
Allocated by task 266: kasansavestack+0x26/0x50 _kasankmalloc+0xae/0xe0 kmemcachealloctrace+0x191/0x350 hcicmdsyncqueue+0x97/0x2b0 hciupdatepassivescan+0x176/0x1d0 leconncompleteevt+0x1b5/0x1a00 hcileconncompleteevt+0x234/0x340 hcilemetaevt+0x231/0x4e0 hcieventpacket+0x4c5/0xf00 hcirxwork+0x37d/0x880 processonework+0x77b/0x11c0 workerthread+0x544/0x1180 kthread+0x285/0x320 retfromfork+0x22/0x30
Freed by task 269: kasansavestack+0x26/0x50 kasansettrack+0x25/0x40 kasansetfreeinfo+0x24/0x40 kasanslabfree+0x176/0x1c0 _kasanslabfree+0x12/0x20 slabfreefreelisthook+0x95/0x1a0 kfree+0xba/0x2f0 hcicmdsyncclear+0x14c/0x210 hciunregisterdev+0xff/0x440 vhcirelease+0x7b/0xf0 _fput+0x1f3/0x970 fput+0xe/0x20 taskworkrun+0xd4/0x160 doexit+0x8b0/0x22a0 dogroupexit+0xba/0x2a0 getsignal+0x1e4a/0x25b0 archdosignalorrestart+0x93/0x1f80 exittousermodeprepare+0xf5/0x1a0 syscallexittousermode+0x26/0x50 retfromfork+0x15/0x30
- References
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced6a98e3836fa2077b169f10a35c2ca9952d53f987Fixed608901a77c945ac15dea23f6098c9882ef19d9f0
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced6a98e3836fa2077b169f10a35c2ca9952d53f987Fixedbe586211a3ab40a4f4ca60450e0d31606afc55ec
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced6a98e3836fa2077b169f10a35c2ca9952d53f987Fixed1c66bee492a5fe00ae3fe890bb693bfc99f994c6
Affected versions
v5.*
v6.*
Database specific
{
"vanir_signatures": [
{
"signature_type": "Function",
"target": {
"file": "net/bluetooth/hci_sync.c",
"function": "hci_cmd_sync_clear"
},
"id": "CVE-2023-53046-694c60e0",
"digest": {
"length": 349.0,
"function_hash": "173380357038334562750108536634516528325"
},
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@be586211a3ab40a4f4ca60450e0d31606afc55ec",
"signature_version": "v1"
},
{
"signature_type": "Function",
"target": {
"file": "net/bluetooth/hci_sync.c",
"function": "hci_cmd_sync_clear"
},
"id": "CVE-2023-53046-7afcd9ad",
"digest": {
"length": 349.0,
"function_hash": "173380357038334562750108536634516528325"
},
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1c66bee492a5fe00ae3fe890bb693bfc99f994c6",
"signature_version": "v1"
},
{
"signature_type": "Line",
"target": {
"file": "net/bluetooth/hci_sync.c"
},
"id": "CVE-2023-53046-81790950",
"digest": {
"threshold": 0.9,
"line_hashes": [
"175019492376611449675075486276114993993",
"122453303293480490511791038190974629321",
"314416607539284292529988246280311262358",
"184409404569345689771690544507478388142",
"36269594970507483813703611910581142301",
"325495329103730460454664433431531179290",
"179312770321240180851206067588701425122"
]
},
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@be586211a3ab40a4f4ca60450e0d31606afc55ec",
"signature_version": "v1"
},
{
"signature_type": "Line",
"target": {
"file": "net/bluetooth/hci_sync.c"
},
"id": "CVE-2023-53046-8cf8fd76",
"digest": {
"threshold": 0.9,
"line_hashes": [
"175019492376611449675075486276114993993",
"122453303293480490511791038190974629321",
"314416607539284292529988246280311262358",
"184409404569345689771690544507478388142",
"36269594970507483813703611910581142301",
"325495329103730460454664433431531179290",
"179312770321240180851206067588701425122"
]
},
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@608901a77c945ac15dea23f6098c9882ef19d9f0",
"signature_version": "v1"
},
{
"signature_type": "Line",
"target": {
"file": "net/bluetooth/hci_sync.c"
},
"id": "CVE-2023-53046-e1f44cd7",
"digest": {
"threshold": 0.9,
"line_hashes": [
"175019492376611449675075486276114993993",
"122453303293480490511791038190974629321",
"314416607539284292529988246280311262358",
"184409404569345689771690544507478388142",
"36269594970507483813703611910581142301",
"325495329103730460454664433431531179290",
"179312770321240180851206067588701425122"
]
},
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1c66bee492a5fe00ae3fe890bb693bfc99f994c6",
"signature_version": "v1"
},
{
"signature_type": "Function",
"target": {
"file": "net/bluetooth/hci_sync.c",
"function": "hci_cmd_sync_clear"
},
"id": "CVE-2023-53046-f3e42da0",
"digest": {
"length": 349.0,
"function_hash": "173380357038334562750108536634516528325"
},
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@608901a77c945ac15dea23f6098c9882ef19d9f0",
"signature_version": "v1"
}
]
}