CVE-2024-49950

Source
https://cve.org/CVERecord?id=CVE-2024-49950
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-49950.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-49950
Downstream
Related
Published
2024-10-21T18:02:06.387Z
Modified
2026-03-20T12:38:11.059280Z
Summary
Bluetooth: L2CAP: Fix uaf in l2cap_connect
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix uaf in l2cap_connect

[Syzbot reported]
BUG: KASAN: slab-use-after-free in l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949
Read of size 8 at addr ffff8880241e9800 by task kworker/u9:0/54

CPU: 0 UID: 0 PID: 54 Comm: kworker/u9:0 Not tainted 6.11.0-rc6-syzkaller-00268-g788220eee30d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: hci2 hci_rx_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949
 l2cap_connect_req net/bluetooth/l2cap_core.c:4080 [inline]
 l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:4772 [inline]
 l2cap_sig_channel net/bluetooth/l2cap_core.c:5543 [inline]
 l2cap_recv_frame+0xf0b/0x8eb0 net/bluetooth/l2cap_core.c:6825
 l2cap_recv_acldata+0x9b4/0xb70 net/bluetooth/l2cap_core.c:7514
 hci_acldata_packet net/bluetooth/hci_core.c:3791 [inline]
 hci_rx_work+0xaab/0x1610 net/bluetooth/hci_core.c:4028
 process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
 process_scheduled_works kernel/workqueue.c:3312 [inline]
 worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 ...

Freed by task 5245:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579
 poison_slab_object+0xf7/0x160 mm/kasan/common.c:240
 __kasan_slab_free+0x32/0x50 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2256 [inline]
 slab_free mm/slub.c:4477 [inline]
 kfree+0x12a/0x3b0 mm/slub.c:4598
 l2cap_conn_free net/bluetooth/l2cap_core.c:1810 [inline]
 kref_put include/linux/kref.h:65 [inline]
 l2cap_conn_put net/bluetooth/l2cap_core.c:1822 [inline]
 l2cap_conn_del+0x59d/0x730 net/bluetooth/l2cap_core.c:1802
 l2cap_connect_cfm+0x9e6/0xf80 net/bluetooth/l2cap_core.c:7241
 hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline]
 hci_conn_failed+0x1c3/0x370 net/bluetooth/hci_conn.c:1265
 hci_abort_conn_sync+0x75a/0xb50 net/bluetooth/hci_sync.c:5583
 abort_conn_sync+0x197/0x360 net/bluetooth/hci_conn.c:2917
 hci_cmd_sync_work+0x1a4/0x410 net/bluetooth/hci_sync.c:328
 process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
 process_scheduled_works kernel/workqueue.c:3312 [inline]
 worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
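The two traces above show the shape of the bug: the receive worker (hci_rx_work -> l2cap_connect) is still reading a struct l2cap_conn when the command-sync worker (hci_cmd_sync_work -> hci_conn_failed -> l2cap_conn_del) drops the last kref and frees it. The stand-alone C model below is an added illustration of that interleaving and of the general defence of holding a reference across the use; it is not the kernel's code and does not claim to be the actual fix, which the record above elides. The struct and function names with a _model suffix, the LIVE/FREED markers and the handle value 42 are assumptions made for the simulation; the "free" only poisons the object so the stale read stays defined in user space.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added model of the race in the report: not kernel code, not the real fix. */

#define LIVE_MAGIC  0x4c324341u  /* assumed marker: object is allocated */
#define FREED_MAGIC 0x6b6b6b6bu  /* SLUB-style 0x6b poison, stands in for kfree() */

struct l2cap_conn_model {
    unsigned int magic;
    int refcount;      /* stands in for the kref in struct l2cap_conn */
    int hcon_handle;   /* a field the connect path reads (constructed value) */
};

/* Poison instead of freeing so the stale read is defined here; in the
 * kernel this is kfree() and KASAN is what catches the later read. */
static void conn_free_model(struct l2cap_conn_model *conn)
{
    conn->magic = FREED_MAGIC;
    conn->hcon_handle = -1;
}

/* Mirrors kref_put(): dropping the last reference frees the object. */
static void conn_put_model(struct l2cap_conn_model *conn)
{
    if (conn->refcount > 0 && --conn->refcount == 0)
        conn_free_model(conn);
}

/* Mirrors kref_get_unless_zero(): never revive an object already gone. */
static bool conn_get_model(struct l2cap_conn_model *conn)
{
    if (conn->refcount == 0)
        return false;
    conn->refcount++;
    return true;
}

/* Teardown side (l2cap_conn_del): drops the reference owned by the hcon. */
static void conn_del_model(struct l2cap_conn_model *conn)
{
    conn_put_model(conn);
}

/* Interleaving from the report: teardown lands inside the connect path. */
static void teardown_during_window(struct l2cap_conn_model *conn)
{
    conn_del_model(conn);
}

/* Receive side without a reference of its own. Returns the handle, or -1
 * when the read hits a poisoned object (what KASAN reports as a UAF). */
static int connect_unprotected(struct l2cap_conn_model *conn,
                               void (*window)(struct l2cap_conn_model *))
{
    window(conn);   /* point where the other worker may run */
    if (conn->magic != LIVE_MAGIC)
        return -1;
    return conn->hcon_handle;
}

/* Receive side holding its own reference: the last put now happens here,
 * after the read, so the object outlives its use. -2 = already torn down. */
static int connect_with_ref(struct l2cap_conn_model *conn,
                            void (*window)(struct l2cap_conn_model *))
{
    int handle;

    if (!conn_get_model(conn))
        return -2;
    window(conn);
    handle = (conn->magic == LIVE_MAGIC) ? conn->hcon_handle : -1;
    conn_put_model(conn);
    return handle;
}

/* Runs one interleaving; hold_ref selects the version that takes a reference.
 * In both runs the object ends up freed, only the timing differs. */
static int run_race(bool hold_ref)
{
    struct l2cap_conn_model conn = { LIVE_MAGIC, 1, 42 };  /* constructed */
    int result = hold_ref ? connect_with_ref(&conn, teardown_during_window)
                          : connect_unprotected(&conn, teardown_during_window);

    return (conn.magic == FREED_MAGIC) ? result : -3;
}

/* Connect request that arrives after teardown has already completed. */
static int run_late_connect(void)
{
    struct l2cap_conn_model conn = { LIVE_MAGIC, 1, 42 };  /* constructed */

    conn_del_model(&conn);
    return connect_with_ref(&conn, teardown_during_window);
}

int main(void)
{
    printf("unprotected: %d (-1 = read of freed conn)\n", run_race(false));
    printf("with ref:    %d (handle read before the last put)\n", run_race(true));
    printf("late connect: %d (-2 = refused, object already gone)\n", run_late_connect());
    return 0;
}
```

The model makes the window explicit through a callback so the interleaving is deterministic; in the kernel the same window is opened by the two workqueue items running on different CPUs, and a real reproducer would need the abort to land between the ACL data arriving and l2cap_connect finishing with conn.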

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/49xxx/CVE-2024-49950.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
7b064edae38d62d8587a8c574f93b53ce75ae749
Fixed
686e05c9dbd68766c6bda5f31f7e077f36a7fb29
Fixed
b22346eec479a30bfa4a02ad2c551b54809694d0
Fixed
b90907696c30172b809aa3dd2f0caffae761e4c6
Fixed
78d30ce16fdf9c301bcd8b83ce613cea079cea83
Fixed
a1c6174e23df10b8e5770e82d63bc6e2118a3dc7
Fixed
333b4fd11e89b29c84c269123f871883a30be586

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-49950.json"