CVE-2022-49909

Source
https://cve.org/CVERecord?id=CVE-2022-49909
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49909.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49909
Published
2025-05-01T14:10:52.331Z
Modified
2026-03-12T03:25:56.453438Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del()
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del()

When l2cap_recv_frame() is invoked to receive data, and the cid is L2CAP_CID_A2MP, if the channel does not exist, it will create a channel. However, after a channel is created, the hold operation of the channel is not performed. In this case, the value of channel reference counting is 1. As a result, after hci_error_reset() is triggered, l2cap_conn_del() invokes the close hook function of A2MP to release the channel. Then l2cap_chan_unlock(chan) will trigger UAF issue.

The process is as follows:
Receive data:
l2cap_data_channel()
    a2mp_channel_create()   --->channel ref is 2
    l2cap_chan_put()        --->channel ref is 1

Trigger event:
hci_error_reset()
    hci_dev_do_close()
    ...
    l2cap_disconn_cfm()
        l2cap_conn_del()
            l2cap_chan_hold()       --->channel ref is 2
            l2cap_chan_del()        --->channel ref is 1
            a2mp_chan_close_cb()    --->channel ref is 0, release channel
            l2cap_chan_unlock()     --->UAF of channel

The detailed Call Trace is as follows:
BUG: KASAN: use-after-free in __mutex_unlock_slowpath+0xa6/0x5e0
Read of size 8 at addr ffff8880160664b8 by task kworker/u11:1/7593
Workqueue: hci0 hci_error_reset
Call Trace:
<TASK>
dump_stack_lvl+0xcd/0x134
print_report.cold+0x2ba/0x719
kasan_report+0xb1/0x1e0
kasan_check_range+0x140/0x190
__mutex_unlock_slowpath+0xa6/0x5e0
l2cap_conn_del+0x404/0x7b0
l2cap_disconn_cfm+0x8c/0xc0
hci_conn_hash_flush+0x11f/0x260
hci_dev_close_sync+0x5f5/0x11f0
hci_dev_do_close+0x2d/0x70
hci_error_reset+0x9e/0x140
process_one_work+0x98a/0x1620
worker_thread+0x665/0x1080
kthread+0x2e4/0x3a0
ret_from_fork+0x1f/0x30
</TASK>

Allocated by task 7593:
kasan_save_stack+0x1e/0x40
__kasan_kmalloc+0xa9/0xd0
l2cap_chan_create+0x40/0x930
amp_mgr_create+0x96/0x990
a2mp_channel_create+0x7d/0x150
l2cap_recv_frame+0x51b8/0x9a70
l2cap_recv_acldata+0xaa3/0xc00
hci_rx_work+0x702/0x1220
process_one_work+0x98a/0x1620
worker_thread+0x665/0x1080
kthread+0x2e4/0x3a0
ret_from_fork+0x1f/0x30

Freed by task 7593:
kasan_save_stack+0x1e/0x40
kasan_set_track+0x21/0x30
kasan_set_free_info+0x20/0x30
___kasan_slab_free+0x167/0x1c0
slab_free_freelist_hook+0x89/0x1c0
kfree+0xe2/0x580
l2cap_chan_put+0x22a/0x2d0
l2cap_conn_del+0x3fc/0x7b0
l2cap_disconn_cfm+0x8c/0xc0
hci_conn_hash_flush+0x11f/0x260
hci_dev_close_sync+0x5f5/0x11f0
hci_dev_do_close+0x2d/0x70
hci_error_reset+0x9e/0x140
process_one_work+0x98a/0x1620
worker_thread+0x665/0x1080
kthread+0x2e4/0x3a0
ret_from_fork+0x1f/0x30

Last potentially related work creation:
kasan_save_stack+0x1e/0x40
__kasan_record_aux_stack+0xbe/0xd0
call_rcu+0x99/0x740
netlink_release+0xe6a/0x1cf0
__sock_release+0xcd/0x280
sock_close+0x18/0x20
__fput+0x27c/0xa90
task_work_run+0xdd/0x1a0
exit_to_user_mode_prepare+0x23c/0x250
syscall_exit_to_user_mode+0x19/0x50
do_syscall_64+0x42/0x80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Second to last potentially related work creation:
kasan_save_stack+0x1e/0x40
__kasan_record_aux_stack+0xbe/0xd0
call_rcu+0x99/0x740
netlink_release+0xe6a/0x1cf0
__sock_release+0xcd/0x280
sock_close+0x18/0x20
__fput+0x27c/0xa90
task_work_run+0xdd/0x1a0
exit_to_user_mode_prepare+0x23c/0x250
syscall_exit_to_user_mode+0x19/0x50
do_syscall_64+0x42/0x80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49909.json"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d255c861e268ba342e855244639a15f12d7a0bf2
Fixed
db4a0783ed78beb2ebaa32f5f785bfd79c580689
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
5bb395334392891dffae5a0e8f37dbe1d70496c9
Fixed
17c6164854f8bb80bf76f32b2c2f199c16b53703
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
bbd1fdb0e1adf827997a93bf108f20ede038e56e
Fixed
7f7bfdd9a9af3b12c33d9da9a012e7f4d5c91f4b
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
098e07ef0059296e710a801cdbd74b59016e6624
Fixed
c1f594dddd9ffd747c39f49cc5b67a9b7677d2ab
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
de5d4654ac6c22b1be756fdf7db18471e7df01ea
Fixed
d9ec6e2fbd4a565b2345d4852f586b7ae3ab41fd
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f32d5615a78a1256c4f557ccc6543866e75d03f4
Fixed
a3a7b2ac64de232edb67279e804932cb42f0b52a
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d0be8347c623e0ac4202a1d4e0373882821f56b0
Fixed
8f7e4cf0694149a5d999d676ebd9ecf1b4cb2cc9
Fixed
0d0e2d032811280b927650ff3c15fe5020e82533
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
59a55ec33a54a7179fa178f8aaf8b1cb8e63bd93

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49909.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 Unknown introduced version / All previous versions are affected
Fixed
4.9.333
Type
ECOSYSTEM
Events
Introduced
4.10.0
Fixed
4.14.299
Type
ECOSYSTEM
Events
Introduced
4.15.0
Fixed
4.19.265
Type
ECOSYSTEM
Events
Introduced
4.20.0
Fixed
5.4.224
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.154
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.78
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.0.8

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49909.json"