In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: msft: fix slab-use-after-free in msft_do_close()
Tie the msft->data lifetime to hdev by freeing it in hci_release_dev(), to fix the following case:
[use]
msft_do_close()
  msft = hdev->msft_data;
  if (!msft)                      ...(1) <- passed.
    return;
  mutex_lock(&msft->filter_lock); ...(4) <- used after freed.
[free]
msft_unregister()
  msft = hdev->msft_data;
  hdev->msft_data = NULL;         ...(2)
  kfree(msft);                    ...(3) <- msft is freed.
==================================================================
BUG: KASAN: slab-use-after-free in __mutex_lock_common kernel/locking/mutex.c:587 [inline]
BUG: KASAN: slab-use-after-free in __mutex_lock+0x8f/0xc30 kernel/locking/mutex.c:752
Read of size 8 at addr ffff888106cbbca8 by task kworker/u5:2/309
{ "vanir_signatures": [ { "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@10f9f426ac6e752c8d87bf4346930ba347aaabac", "id": "CVE-2024-36012-265aa326", "signature_version": "v1", "target": { "file": "net/bluetooth/msft.h" }, "digest": { "line_hashes": [ "58201810766092712687339127725190941866", "52103917349944103567396309943395377420", "159893875028101944666443484688761424665", "325074168763523613496819355005067471070", "43838378994636600387991749598279123319", "135085599486357976193159128931183026237", "121464705248442300091444783300236795221", "145481378011210612917231902649510485254" ], "threshold": 0.9 }, "deprecated": false }, { "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4f1de02de07748da80a8178879bc7a1df37fdf56", "id": "CVE-2024-36012-2884abe5", "signature_version": "v1", "target": { "file": "net/bluetooth/hci_core.c", "function": "hci_release_dev" }, "digest": { "length": 862.0, "function_hash": "135912600833801198942355053264361396103" }, "deprecated": false }, { "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a85a60e62355e3bf4802dead7938966824b23940", "id": "CVE-2024-36012-2f856f85", "signature_version": "v1", "target": { "file": "net/bluetooth/msft.h" }, "digest": { "line_hashes": [ "58201810766092712687339127725190941866", "52103917349944103567396309943395377420", "159893875028101944666443484688761424665", "325074168763523613496819355005067471070", "43838378994636600387991749598279123319", "135085599486357976193159128931183026237", "121464705248442300091444783300236795221", "145481378011210612917231902649510485254" ], "threshold": 0.9 }, "deprecated": false }, { "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4f1de02de07748da80a8178879bc7a1df37fdf56", "id": "CVE-2024-36012-3257f7e3", "signature_version": "v1", "target": { "file": 
"net/bluetooth/msft.h" }, "digest": { "line_hashes": [ "58201810766092712687339127725190941866", "52103917349944103567396309943395377420", "159893875028101944666443484688761424665", "325074168763523613496819355005067471070", "43838378994636600387991749598279123319", "135085599486357976193159128931183026237", "121464705248442300091444783300236795221", "145481378011210612917231902649510485254" ], "threshold": 0.9 }, "deprecated": false }, { "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e3880b531b68f98d3941d83f2f6dd11cf4fd6b76", "id": "CVE-2024-36012-3b39f8ec", "signature_version": "v1", "target": { "file": "net/bluetooth/msft.h" }, "digest": { "line_hashes": [ "58201810766092712687339127725190941866", "52103917349944103567396309943395377420", "159893875028101944666443484688761424665", "325074168763523613496819355005067471070", "43838378994636600387991749598279123319", "135085599486357976193159128931183026237", "121464705248442300091444783300236795221", "145481378011210612917231902649510485254" ], "threshold": 0.9 }, "deprecated": false }, { "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a85a60e62355e3bf4802dead7938966824b23940", "id": "CVE-2024-36012-5559857c", "signature_version": "v1", "target": { "file": "net/bluetooth/hci_core.c", "function": "hci_release_dev" }, "digest": { "length": 862.0, "function_hash": "135912600833801198942355053264361396103" }, "deprecated": false }, { "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e3880b531b68f98d3941d83f2f6dd11cf4fd6b76", "id": "CVE-2024-36012-6258e78d", "signature_version": "v1", "target": { "file": "net/bluetooth/msft.c" }, "digest": { "line_hashes": [ "159477571826385369233176189697694130705", "333496844789084007782931322231623261405", "89575239541949298068811464250348693423", "224474311955867190236523064269106145390" ], "threshold": 0.9 }, 
"deprecated": false }, { "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4f1de02de07748da80a8178879bc7a1df37fdf56", "id": "CVE-2024-36012-76f85918", "signature_version": "v1", "target": { "file": "net/bluetooth/msft.c" }, "digest": { "line_hashes": [ "203908432295865204035122287181287257224", "12235198904194424539696263679649864427", "89575239541949298068811464250348693423", "224474311955867190236523064269106145390" ], "threshold": 0.9 }, "deprecated": false }, { "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e3880b531b68f98d3941d83f2f6dd11cf4fd6b76", "id": "CVE-2024-36012-7f2c7fdf", "signature_version": "v1", "target": { "file": "net/bluetooth/hci_core.c" }, "digest": { "line_hashes": [ "179942895225224323946180564995499168927", "176077515940290233737758140202816886651", "2308314712876963186446355187900444927", "50149002769606144210205140767319134792", "309227545352447836501596266066334131567", "312808366268361158156237011164815619881", "134782048966762469611624733354100618815", "250890097541430457178371185644564654212" ], "threshold": 0.9 }, "deprecated": false }, { "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e3880b531b68f98d3941d83f2f6dd11cf4fd6b76", "id": "CVE-2024-36012-89eba175", "signature_version": "v1", "target": { "file": "net/bluetooth/hci_core.c", "function": "hci_release_dev" }, "digest": { "length": 819.0, "function_hash": "326971543745352634812335942124994130996" }, "deprecated": false }, { "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a85a60e62355e3bf4802dead7938966824b23940", "id": "CVE-2024-36012-8b415361", "signature_version": "v1", "target": { "file": "net/bluetooth/hci_core.c" }, "digest": { "line_hashes": [ "179942895225224323946180564995499168927", "176077515940290233737758140202816886651", 
"2308314712876963186446355187900444927", "50149002769606144210205140767319134792", "309227545352447836501596266066334131567", "312808366268361158156237011164815619881", "55336451688995268822882260656670784664", "109513351200334452222026534095539331706" ], "threshold": 0.9 }, "deprecated": false }, { "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@10f9f426ac6e752c8d87bf4346930ba347aaabac", "id": "CVE-2024-36012-8cfa2c77", "signature_version": "v1", "target": { "file": "net/bluetooth/hci_core.c", "function": "hci_release_dev" }, "digest": { "length": 862.0, "function_hash": "135912600833801198942355053264361396103" }, "deprecated": false }, { "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a85a60e62355e3bf4802dead7938966824b23940", "id": "CVE-2024-36012-9485bb3d", "signature_version": "v1", "target": { "file": "net/bluetooth/msft.c" }, "digest": { "line_hashes": [ "203908432295865204035122287181287257224", "12235198904194424539696263679649864427", "89575239541949298068811464250348693423", "224474311955867190236523064269106145390" ], "threshold": 0.9 }, "deprecated": false }, { "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e3880b531b68f98d3941d83f2f6dd11cf4fd6b76", "id": "CVE-2024-36012-968fb12e", "signature_version": "v1", "target": { "file": "net/bluetooth/hci_core.c", "function": "hci_unregister_dev" }, "digest": { "length": 873.0, "function_hash": "299266584003389354652759387820720297048" }, "deprecated": false }, { "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@10f9f426ac6e752c8d87bf4346930ba347aaabac", "id": "CVE-2024-36012-99a12940", "signature_version": "v1", "target": { "file": "net/bluetooth/msft.c" }, "digest": { "line_hashes": [ "203908432295865204035122287181287257224", "12235198904194424539696263679649864427", 
"89575239541949298068811464250348693423", "224474311955867190236523064269106145390" ], "threshold": 0.9 }, "deprecated": false }, { "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a85a60e62355e3bf4802dead7938966824b23940", "id": "CVE-2024-36012-a1d79e85", "signature_version": "v1", "target": { "file": "net/bluetooth/hci_core.c", "function": "hci_unregister_dev" }, "digest": { "length": 873.0, "function_hash": "299266584003389354652759387820720297048" }, "deprecated": false }, { "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@10f9f426ac6e752c8d87bf4346930ba347aaabac", "id": "CVE-2024-36012-a8e7c4d9", "signature_version": "v1", "target": { "file": "net/bluetooth/hci_core.c", "function": "hci_unregister_dev" }, "digest": { "length": 873.0, "function_hash": "299266584003389354652759387820720297048" }, "deprecated": false }, { "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4f1de02de07748da80a8178879bc7a1df37fdf56", "id": "CVE-2024-36012-aba4af76", "signature_version": "v1", "target": { "file": "net/bluetooth/hci_core.c" }, "digest": { "line_hashes": [ "179942895225224323946180564995499168927", "176077515940290233737758140202816886651", "2308314712876963186446355187900444927", "50149002769606144210205140767319134792", "309227545352447836501596266066334131567", "312808366268361158156237011164815619881", "55336451688995268822882260656670784664", "109513351200334452222026534095539331706" ], "threshold": 0.9 }, "deprecated": false }, { "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@10f9f426ac6e752c8d87bf4346930ba347aaabac", "id": "CVE-2024-36012-ac4ea4ef", "signature_version": "v1", "target": { "file": "net/bluetooth/hci_core.c" }, "digest": { "line_hashes": [ "179942895225224323946180564995499168927", "176077515940290233737758140202816886651", 
"2308314712876963186446355187900444927", "50149002769606144210205140767319134792", "309227545352447836501596266066334131567", "312808366268361158156237011164815619881", "55336451688995268822882260656670784664", "164914815806386211835928356898529787956" ], "threshold": 0.9 }, "deprecated": false }, { "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4f1de02de07748da80a8178879bc7a1df37fdf56", "id": "CVE-2024-36012-cb8307f3", "signature_version": "v1", "target": { "file": "net/bluetooth/hci_core.c", "function": "hci_unregister_dev" }, "digest": { "length": 873.0, "function_hash": "299266584003389354652759387820720297048" }, "deprecated": false } ] }