CVE-2022-49908
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-49908
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49908.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2022-49908
- Downstream
- Related
- Published
- 2025-05-01T14:10:51Z
- Modified
- 2025-10-16T01:52:44.661178Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Bluetooth: L2CAP: Fix memory leak in vhci_write
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix memory leak in vhci_write
Syzkaller reports a memory leak as follows:
BUG: memory leak unreferenced object 0xffff88810d81ac00 (size 240): [...] hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<ffffffff838733d9>] _allocskb+0x1f9/0x270 net/core/skbuff.c:418 [<ffffffff833f742f>] allocskb include/linux/skbuff.h:1257 [inline] [<ffffffff833f742f>] btskballoc include/net/bluetooth/bluetooth.h:469 [inline] [<ffffffff833f742f>] vhcigetuser drivers/bluetooth/hcivhci.c:391 [inline] [<ffffffff833f742f>] vhciwrite+0x5f/0x230 drivers/bluetooth/hcivhci.c:511 [<ffffffff815e398d>] callwriteiter include/linux/fs.h:2192 [inline] [<ffffffff815e398d>] newsyncwrite fs/readwrite.c:491 [inline] [<ffffffff815e398d>] vfswrite+0x42d/0x540 fs/readwrite.c:578 [<ffffffff815e3cdd>] ksyswrite+0x9d/0x160 fs/readwrite.c:631 [<ffffffff845e0645>] dosyscallx64 arch/x86/entry/common.c:50 [inline] [<ffffffff845e0645>] dosyscall_64+0x35/0xb0 arch/x86/entry/common.c:80
[<ffffffff84600087>] entrySYSCALL64afterhwframe+0x63/0xcd
HCI core will uses hcirxwork() to process frame, which is queued to the hdev->rxq tail in hcirecv_frame() by HCI driver.
Yet the problem is that, HCI core may not free the skb after handling ACL data packets. To be more specific, when start fragment does not contain the L2CAP length, HCI core just copies skb into conn->rxskb and finishes frame process in l2caprecv_acldata(), without freeing the skb, which triggers the above memory leak.
This patch solves it by releasing the relative skb, after processing the above case in l2caprecvacldata().
- References
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced4d7ea8ee90e42fc75995f6fb24032d3233314528Fixedaa16cac06b752e5f609c106735bd7838f444784c
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced4d7ea8ee90e42fc75995f6fb24032d3233314528Fixed5b4f039a2f487c5edae681d763fe1af505f84c13
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced4d7ea8ee90e42fc75995f6fb24032d3233314528Fixed7c9524d929648935bac2bbb4c20437df8f9c3f42