CVE-2024-50029

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hciconn: Fix UAF in hcienhancedsetupsync

This checks if the ACL connection remains valid as it could be destroyed while hcienhancedsetupsync is pending on cmdsync leading to the following trace:

BUG: KASAN: slab-use-after-free in hcienhancedsetup_sync+0x91b/0xa60 Read of size 1 at addr ffff888002328ffd by task kworker/u5:2/37

CPU: 0 UID: 0 PID: 37 Comm: kworker/u5:2 Not tainted 6.11.0-rc6-01300-g810be445d8d6 #7099 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: hci0 hcicmdsyncwork Call Trace: <TASK> dumpstacklvl+0x5d/0x80 ? hcienhancedsetupsync+0x91b/0xa60 printreport+0x152/0x4c0 ? hcienhancedsetupsync+0x91b/0xa60 ? __virtaddrvalid+0x1fa/0x420 ? hcienhancedsetupsync+0x91b/0xa60 kasanreport+0xda/0x1b0 ? hcienhancedsetupsync+0x91b/0xa60 hcienhancedsetupsync+0x91b/0xa60 ? __pfxhcienhancedsetupsync+0x10/0x10 ? pfxmutexlock+0x10/0x10 hcicmdsyncwork+0x1c2/0x330 processone_work+0x7d9/0x1360 ? __pfxlockacquire+0x10/0x10 ? __pfxprocessonework+0x10/0x10 ? assignwork+0x167/0x240 worker_thread+0x5b7/0xf60 ? __kthread_parkme+0xac/0x1c0 ? __pfxworkerthread+0x10/0x10 ? __pfxworkerthread+0x10/0x10 kthread+0x293/0x360 ? __pfxkthread+0x10/0x10 retfrom_fork+0x2f/0x70 ? __pfxkthread+0x10/0x10 retfromforkasm+0x1a/0x30 </TASK>

Allocated by task 34: kasansavestack+0x30/0x50 kasansavetrack+0x14/0x30 __kasan_kmalloc+0x8f/0xa0 __hciconnadd+0x187/0x17d0 hciconnectsco+0x2e1/0xb90 scosockconnect+0x2a2/0xb80 __sys_connect+0x227/0x2a0 __x64sysconnect+0x6d/0xb0 dosyscall64+0x71/0x140 entrySYSCALL64afterhwframe+0x76/0x7e

Freed by task 37: kasansavestack+0x30/0x50 kasansavetrack+0x14/0x30 kasansavefree_info+0x3b/0x60 __kasanslabfree+0x101/0x160 kfree+0xd0/0x250 devicerelease+0x9a/0x210 kobjectput+0x151/0x280 hciconndel+0x448/0xbf0 hciabortconnsync+0x46f/0x980 hcicmdsyncwork+0x1c2/0x330 processonework+0x7d9/0x1360 workerthread+0x5b7/0xf60 kthread+0x293/0x360 retfromfork+0x2f/0x70 retfromforkasm+0x1a/0x30