DEBIAN-CVE-2023-53762
- Source
- https://security-tracker.debian.org/tracker/CVE-2023-53762
- Import Source
- https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2023-53762.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2023-53762
- Upstream
- Published
- 2025-12-08T02:15:52.043Z
- Modified
- 2025-12-08T10:16:27.828353Z
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hcisync: Fix UAF in hcidisconnectallsync Use-after-free can occur in hcidisconnectallsync if a connection is deleted by concurrent processing of a controller event. To prevent this the code now tries to iterate over the list backwards to ensure the links are cleanup before its parents, also it no longer relies on a cursor, instead it always uses the last element since hciabortconnsync is guaranteed to call hciconndel. UAF crash log: ================================================================== BUG: KASAN: slab-use-after-free in hcisetpoweredsync (net/bluetooth/hcisync.c:5424) [bluetooth] Read of size 8 at addr ffff888009d9c000 by task kworker/u9:0/124 CPU: 0 PID: 124 Comm: kworker/u9:0 Tainted: G W 6.5.0-rc1+ #10 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014 Workqueue: hci0 hcicmdsyncwork [bluetooth] Call Trace: <TASK> dumpstacklvl+0x5b/0x90 printreport+0xcf/0x670 ? _virtaddrvalid+0xdd/0x160 ? hcisetpoweredsync+0x2c9/0x4a0 [bluetooth] kasanreport+0xa6/0xe0 ? hcisetpoweredsync+0x2c9/0x4a0 [bluetooth] ? _pfxsetpoweredsync+0x10/0x10 [bluetooth] hcisetpoweredsync+0x2c9/0x4a0 [bluetooth] ? _pfxhcisetpoweredsync+0x10/0x10 [bluetooth] ? _pfxlockrelease+0x10/0x10 ? _pfxsetpoweredsync+0x10/0x10 [bluetooth] hcicmdsyncwork+0x137/0x220 [bluetooth] processonework+0x526/0x9d0 ? _pfxprocessonework+0x10/0x10 ? _pfxdorawspinlock+0x10/0x10 ? markheldlocks+0x1a/0x90 workerthread+0x92/0x630 ? _pfxworkerthread+0x10/0x10 kthread+0x196/0x1e0 ? _pfxkthread+0x10/0x10 retfromfork+0x2c/0x50 </TASK> Allocated by task 1782: kasansavestack+0x33/0x60 kasansettrack+0x25/0x30 _kasankmalloc+0x8f/0xa0 hciconnadd+0xa5/0xa80 [bluetooth] hcibindcis+0x881/0x9b0 [bluetooth] isoconnectcis+0x121/0x520 [bluetooth] isosockconnect+0x3f6/0x790 [bluetooth] _sysconnect+0x109/0x130 _x64sysconnect+0x40/0x50 dosyscall64+0x60/0x90 entrySYSCALL64afterhwframe+0x6e/0xd8 Freed by task 695: kasansavestack+0x33/0x60 kasansettrack+0x25/0x30 kasansavefreeinfo+0x2b/0x50 _kasanslabfree+0x10a/0x180 _kmemcachefree+0x14d/0x2e0 devicerelease+0x5d/0xf0 kobjectput+0xdf/0x270 hcidisconncompleteevt+0x274/0x3a0 [bluetooth] hcieventpacket+0x579/0x7e0 [bluetooth] hcirxwork+0x287/0xaa0 [bluetooth] processonework+0x526/0x9d0 workerthread+0x92/0x630 kthread+0x196/0x1e0 retfrom_fork+0x2c/0x50 ==================================================================
- References
Affected packages
Debian:12 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
6.*
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Debian:14 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source