CVE-2024-27398

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-27398
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-27398.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-27398
Downstream
Related
Published
2024-05-13T10:22:26.624Z
Modified
2025-11-28T02:34:30.206232Z
Summary
Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: Fix use-after-free bugs caused by scosocktimeout

When the sco connection is established and then, the sco socket is releasing, timeoutwork will be scheduled to judge whether the sco disconnection is timeout. The sock will be deallocated later, but it is dereferenced again in scosock_timeout. As a result, the use-after-free bugs will happen. The root cause is shown below:

Cleanup Thread               |      Worker Thread

scosockrelease | scosockclose | _scosockclose | scosocksettimer | scheduledelayedwork | scosockkill | (wait a time) sockput(sk) //FREE | scosocktimeout | sockhold(sk) //USE

The KASAN report triggered by POC is shown below:

[ 95.890016] ================================================================== [ 95.890496] BUG: KASAN: slab-use-after-free in scosocktimeout+0x5e/0x1c0 [ 95.890755] Write of size 4 at addr ffff88800c388080 by task kworker/0:0/7 ... [ 95.890755] Workqueue: events scosocktimeout [ 95.890755] Call Trace: [ 95.890755] <TASK> [ 95.890755] dumpstacklvl+0x45/0x110 [ 95.890755] printaddressdescription+0x78/0x390 [ 95.890755] printreport+0x11b/0x250 [ 95.890755] ? _virtaddrvalid+0xbe/0xf0 [ 95.890755] ? scosocktimeout+0x5e/0x1c0 [ 95.890755] kasanreport+0x139/0x170 [ 95.890755] ? updateloadavg+0xe5/0x9f0 [ 95.890755] ? scosocktimeout+0x5e/0x1c0 [ 95.890755] kasancheckrange+0x2c3/0x2e0 [ 95.890755] scosocktimeout+0x5e/0x1c0 [ 95.890755] processonework+0x561/0xc50 [ 95.890755] workerthread+0xab2/0x13c0 [ 95.890755] ? prcontwork+0x490/0x490 [ 95.890755] kthread+0x279/0x300 [ 95.890755] ? prcontwork+0x490/0x490 [ 95.890755] ? kthreadblkcg+0xa0/0xa0 [ 95.890755] retfromfork+0x34/0x60 [ 95.890755] ? kthreadblkcg+0xa0/0xa0 [ 95.890755] retfromforkasm+0x11/0x20 [ 95.890755] </TASK> [ 95.890755] [ 95.890755] Allocated by task 506: [ 95.890755] kasansavetrack+0x3f/0x70 [ 95.890755] _kasankmalloc+0x86/0x90 [ 95.890755] _kmalloc+0x17f/0x360 [ 95.890755] skprotalloc+0xe1/0x1a0 [ 95.890755] skalloc+0x31/0x4e0 [ 95.890755] btsockalloc+0x2b/0x2a0 [ 95.890755] scosockcreate+0xad/0x320 [ 95.890755] btsockcreate+0x145/0x320 [ 95.890755] _sockcreate+0x2e1/0x650 [ 95.890755] _syssocket+0xd0/0x280 [ 95.890755] _x64syssocket+0x75/0x80 [ 95.890755] dosyscall64+0xc4/0x1b0 [ 95.890755] entrySYSCALL64afterhwframe+0x67/0x6f [ 95.890755] [ 95.890755] Freed by task 506: [ 95.890755] kasansavetrack+0x3f/0x70 [ 95.890755] kasansavefreeinfo+0x40/0x50 [ 95.890755] poisonslabobject+0x118/0x180 [ 95.890755] _kasanslabfree+0x12/0x30 [ 95.890755] kfree+0xb2/0x240 [ 95.890755] _skdestruct+0x317/0x410 [ 95.890755] scosockrelease+0x232/0x280 [ 95.890755] sockclose+0xb2/0x210 [ 95.890755] _fput+0x37f/0x770 [ 95.890755] taskworkrun+0x1ae/0x210 [ 95.890755] getsignal+0xe17/0xf70 [ 95.890755] archdosignalorrestart+0x3f/0x520 [ 95.890755] syscallexittousermode+0x55/0x120 [ 95.890755] dosyscall64+0xd1/0x1b0 [ 95.890755] entrySYSCALL64afterhwframe+0x67/0x6f [ 95.890755] [ 95.890755] The buggy address belongs to the object at ffff88800c388000 [ 95.890755] which belongs to the cache kmalloc-1k of size 1024 [ 95.890755] The buggy address is located 128 bytes inside of [ 95.890755] freed 1024-byte region [ffff88800c388000, ffff88800c388400) [ 95.890755] [ 95.890755] The buggy address belongs to the physical page: [ 95.890755] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800c38a800 pfn:0xc388 [ 95.890755] head: order:3 entiremapcount:0 nrpagesmapped:0 pincount:0 [ 95.890755] ano ---truncated---

Database specific 
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/27xxx/CVE-2024-27398.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
48669c81a65628ef234cbdd91b9395952c7c27fe
Fixed
1b33d55fb7355e27f8c82cd4ecd560f162469249
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
37d7ae2b0578f2373674a755402ee722e96edc08
Fixed
3212afd00e3cda790fd0583cb3eaef8f9575a014
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
a1073aad497d0d071a71f61b721966a176d50c08
Fixed
33a6e92161a78c1073d90e27abe28d746feb0a53
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ba316be1b6a00db7126ed9a39f9bee434a508043
Fixed
6a18eeb1b3bbc67c20d9609c31dca6a69b4bcde5
Fixed
bfab2c1f7940a232cd519e82fff137e308abfd93
Fixed
012363cb1bec5f33a7b94629ab2c1086f30280f2
Fixed
50c2037fc28df870ef29d9728c770c8955d32178
Fixed
483bc08181827fc475643272ffb69c533007e546
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
fea63ccd928c01573306983346588b26cffb5572
Last affected
ec1f74319bb35c1c90c25014ec0f6ea6c3ca2134
Last affected
b657bba82ff6a007d84fd076bd73b11131726a2b

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.19.314
Type
ECOSYSTEM
Events
Introduced
4.20.0
Fixed
5.4.276
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.217
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.159
Type
ECOSYSTEM
Events
Introduced
5.15.0
Fixed
6.1.91
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.6.31
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.8.10