PUB-A-165329981
See a problem?- Import Source
- https://storage.googleapis.com/android-osv-test/PUB-A-165329981.json
- JSON Data
- https://api.osv.dev/v1/vulns/PUB-A-165329981
- Aliases
-
- A-165329981
- CVE-2022-20566
- Published
- 2022-12-01T00:00:00Z
- Modified
- 2024-09-19T16:27:41.464249Z
- Summary
- A use-after-free problem in refcount_dec_and_test() in the Bluetooth subsystem
- Details
-
In l2capchanput of l2cap_core, there is a possible use after free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
- References
Affected packages
Android / :linux_kernel:
Package
- Name
- :linux_kernel:
Ecosystem specific
{
"vanir_signatures": [
{
"digest": {
"length": 684.0,
"function_hash": "236184558604859907890195847617279485217"
},
"id": "PUB-A-165329981-008c216e",
"source": "https://android.googlesource.com/kernel/common/+/cacbff013baa586c63dd779e67d13238bf46c28e",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/bluetooth/l2cap_core.c",
"function": "l2cap_global_fixed_chan"
},
"signature_type": "Function"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"70052371497910363662595951109062678329",
"337061332846076623473359281743931350106",
"217879823638137958165958020238831858688",
"72040229481076319132831099242657120195",
"101597133732770256055318878809561157482",
"303561820771719152358755010052162886056",
"257653950157134822220463805679247036442",
"114182253712265871766091095197099081481",
"86595860156610740353243353575313159397",
"48142415019002605960104236140377002568",
"18744282258843389086756724125312433257",
"191079300490990689478647859609030500312",
"237214904194788848046362180974833816484",
"168031767303701785497431940315819895666",
"257653950157134822220463805679247036442",
"114182253712265871766091095197099081481",
"325688423038389291614889928612465727078",
"191318019539647406371420648045248760293",
"2955905199175656753399295565805406962",
"257653950157134822220463805679247036442",
"114182253712265871766091095197099081481",
"238472441875272254519810817357263784080",
"56948763213005278067600845525623793096",
"72804135579423131087516625699687592983",
"200890070817865003719855077513327449152",
"138511553115973135798595491151860354583",
"161983096754335581166449288280284248967",
"125482890884208964928776078001916239942",
"228409899296021516305131177616460472916",
"332517880528094785432212120000450246654",
"252106832695418794203906737005432217558",
"7204354057437989426729187786938084901",
"243485534346418610057370817139753213709",
"16525523788510581006198211558858793602",
"283440715391428972294928590994664543117",
"75013392573142557257956830170013943298",
"170712417529520927614119901577594341015",
"229574711092578775445605274744298600789",
"36327256003142729184034806516486343041",
"232824146620990207781904072140426834762",
"247376737163697878365143604352448763220",
"4978020118297755881522833624838059974",
"231931730848045378099010862674867520791",
"198723513729386649953838087574509623618",
"186388562770850213705140100075087488114",
"331013014655702106374031397158710486904",
"138449420069489977211070727048512907907",
"166550988820766545246873106038542502824",
"38794564904733421890641104769373163263",
"152181720647265497373043658600055051392",
"325396152028156461825976257373039032529",
"172057274404499640004844494401782128088",
"310874111164730573362982317096044176949",
"62827672749266796208414640029684124124",
"247598031375683136712725974857367268741",
"323441366845744466425933865993533941522",
"235917065999623988556121297506564092275",
"219605440815208519170284114749590822570",
"192952928898073677306992312819016189314",
"237170270618117431554387423058569691529",
"108221181523209078242625057465512956872",
"283740707775816795627136730923862105839",
"85118346703785761042849234380004478538",
"129448913717868222228038971857395864841",
"232063696138880623073490351999167961196",
"224006478562920050165307401675152943717",
"164032274340378248967914117419341465733",
"200010957122501598567493033751468745424",
"155501657650083700075550023143806863770",
"28607700834679470116460068699821432338",
"9409161176140457356294099072420017004",
"88156764865636144428759626619054907381",
"1557235551019568454495899749445222562",
"125701986548873720645685049004343239488",
"152344569035925649442338615303321596426",
"295845236815881542153463637686892873528",
"125482890884208964928776078001916239942"
]
},
"id": "PUB-A-165329981-08b89494",
"source": "https://android.googlesource.com/kernel/common/+/2f9fed9ce805cf4d97cffb2f59d57b41b8e7fca8",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/bluetooth/l2cap_core.c"
},
"signature_type": "Line"
},
{
"digest": {
"length": 756.0,
"function_hash": "32034523913324761511017111846052149146"
},
"id": "PUB-A-165329981-09a6aac2",
"source": "https://android.googlesource.com/kernel/common/+/cacbff013baa586c63dd779e67d13238bf46c28e",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/bluetooth/l2cap_core.c",
"function": "l2cap_move_channel_confirm"
},
"signature_type": "Function"
},
{
"digest": {
"length": 479.0,
"function_hash": "331169585127603187152899612967911286855"
},
"id": "PUB-A-165329981-09ca4780",
"source": "https://android.googlesource.com/kernel/common/+/2f9fed9ce805cf4d97cffb2f59d57b41b8e7fca8",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/bluetooth/l2cap_core.c",
"function": "l2cap_move_fail"
},
"signature_type": "Function"
},
{
"digest": {
"length": 2017.0,
"function_hash": "58460502743198326917602840156688003226"
},
"id": "PUB-A-165329981-0a7b3cf8",
"source": "https://android.googlesource.com/kernel/common/+/2f9fed9ce805cf4d97cffb2f59d57b41b8e7fca8",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/bluetooth/l2cap_core.c",
"function": "l2cap_move_channel_req"
},
"signature_type": "Function"
},
{
"digest": {
"length": 905.0,
"function_hash": "3503208812123310796551537278114468196"
},
"id": "PUB-A-165329981-0f745a93",
"source": "https://android.googlesource.com/kernel/common/+/cacbff013baa586c63dd779e67d13238bf46c28e",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/bluetooth/l2cap_core.c",
"function": "l2cap_global_chan_by_psm"
},
"signature_type": "Function"
},
{
"digest": {
"length": 2200.0,
"function_hash": "319372398536614390432170082504835606501"
},
"id": "PUB-A-165329981-154254ac",
"source": "https://android.googlesource.com/kernel/common/+/2f9fed9ce805cf4d97cffb2f59d57b41b8e7fca8",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/bluetooth/l2cap_core.c",
"function": "l2cap_config_rsp"
},
"signature_type": "Function"
},
{
"digest": {
"length": 714.0,
"function_hash": "203706653729299552482163804131010950435"
},
"id": "PUB-A-165329981-2049bf95",
"source": "https://android.googlesource.com/kernel/common/+/cacbff013baa586c63dd779e67d13238bf46c28e",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/bluetooth/l2cap_core.c",
"function": "l2cap_le_credits"
},
"signature_type": "Function"
},
{
"digest": {
"length": 1095.0,
"function_hash": "235264457036944140079831474464566892112"
},
"id": "PUB-A-165329981-249a7e86",
"source": "https://android.googlesource.com/kernel/common/+/cacbff013baa586c63dd779e67d13238bf46c28e",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/bluetooth/l2cap_core.c",
"function": "l2cap_data_channel"
},
"signature_type": "Function"
},
{
"digest": {
"length": 756.0,
"function_hash": "32034523913324761511017111846052149146"
},
"id": "PUB-A-165329981-28158e26",
"source": "https://android.googlesource.com/kernel/common/+/2f9fed9ce805cf4d97cffb2f59d57b41b8e7fca8",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/bluetooth/l2cap_core.c",
"function": "l2cap_move_channel_confirm"
},
"signature_type": "Function"
},
{
"digest": {
"length": 2017.0,
"function_hash": "58460502743198326917602840156688003226"
},
"id": "PUB-A-165329981-3ba3321b",
"source": "https://android.googlesource.com/kernel/common/+/cacbff013baa586c63dd779e67d13238bf46c28e",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/bluetooth/l2cap_core.c",
"function": "l2cap_move_channel_req"
},
"signature_type": "Function"
},
{
"digest": {
"length": 223.0,
"function_hash": "3648122761785644288295746387316296666"
},
"id": "PUB-A-165329981-424e4c4b",
"source": "https://android.googlesource.com/kernel/common/+/cacbff013baa586c63dd779e67d13238bf46c28e",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/bluetooth/l2cap_core.c",
"function": "l2cap_get_chan_by_ident"
},
"signature_type": "Function"
},
{
"digest": {
"length": 223.0,
"function_hash": "3648122761785644288295746387316296666"
},
"id": "PUB-A-165329981-4b803dfd",
"source": "https://android.googlesource.com/kernel/common/+/cacbff013baa586c63dd779e67d13238bf46c28e",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/bluetooth/l2cap_core.c",
"function": "l2cap_get_chan_by_scid"
},
"signature_type": "Function"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"141999440497785936613803119296706828159",
"140944776253181203670343956983069703796",
"333688976810559815526936408400622839196",
"57385169606919542335611207096156115085"
]
},
"id": "PUB-A-165329981-57619a71",
"source": "https://android.googlesource.com/kernel/common/+/cacbff013baa586c63dd779e67d13238bf46c28e",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "include/net/bluetooth/l2cap.h"
},
"signature_type": "Line"
},
{
"digest": {
"length": 714.0,
"function_hash": "203706653729299552482163804131010950435"
},
"id": "PUB-A-165329981-695d8a8a",
"source": "https://android.googlesource.com/kernel/common/+/2f9fed9ce805cf4d97cffb2f59d57b41b8e7fca8",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/bluetooth/l2cap_core.c",
"function": "l2cap_le_credits"
},
"signature_type": "Function"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"141999440497785936613803119296706828159",
"140944776253181203670343956983069703796",
"333688976810559815526936408400622839196",
"57385169606919542335611207096156115085"
]
},
"id": "PUB-A-165329981-6b3fa9f6",
"source": "https://android.googlesource.com/kernel/common/+/2f9fed9ce805cf4d97cffb2f59d57b41b8e7fca8",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "include/net/bluetooth/l2cap.h"
},
"signature_type": "Line"
},
{
"digest": {
"length": 905.0,
"function_hash": "3503208812123310796551537278114468196"
},
"id": "PUB-A-165329981-6d2fcb8b",
"source": "https://android.googlesource.com/kernel/common/+/2f9fed9ce805cf4d97cffb2f59d57b41b8e7fca8",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/bluetooth/l2cap_core.c",
"function": "l2cap_global_chan_by_psm"
},
"signature_type": "Function"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"70052371497910363662595951109062678329",
"337061332846076623473359281743931350106",
"217879823638137958165958020238831858688",
"72040229481076319132831099242657120195",
"101597133732770256055318878809561157482",
"303561820771719152358755010052162886056",
"257653950157134822220463805679247036442",
"114182253712265871766091095197099081481",
"86595860156610740353243353575313159397",
"48142415019002605960104236140377002568",
"18744282258843389086756724125312433257",
"191079300490990689478647859609030500312",
"237214904194788848046362180974833816484",
"168031767303701785497431940315819895666",
"257653950157134822220463805679247036442",
"114182253712265871766091095197099081481",
"325688423038389291614889928612465727078",
"191318019539647406371420648045248760293",
"2955905199175656753399295565805406962",
"257653950157134822220463805679247036442",
"114182253712265871766091095197099081481",
"223162794228136423629098889202545907193",
"56948763213005278067600845525623793096",
"7604269317727405148366733910418302022",
"200890070817865003719855077513327449152",
"138511553115973135798595491151860354583",
"161983096754335581166449288280284248967",
"125482890884208964928776078001916239942",
"228409899296021516305131177616460472916",
"332517880528094785432212120000450246654",
"252106832695418794203906737005432217558",
"7204354057437989426729187786938084901",
"243485534346418610057370817139753213709",
"16525523788510581006198211558858793602",
"283440715391428972294928590994664543117",
"75013392573142557257956830170013943298",
"170712417529520927614119901577594341015",
"229574711092578775445605274744298600789",
"36327256003142729184034806516486343041",
"232824146620990207781904072140426834762",
"247376737163697878365143604352448763220",
"4978020118297755881522833624838059974",
"231931730848045378099010862674867520791",
"198723513729386649953838087574509623618",
"186388562770850213705140100075087488114",
"331013014655702106374031397158710486904",
"138449420069489977211070727048512907907",
"166550988820766545246873106038542502824",
"38794564904733421890641104769373163263",
"152181720647265497373043658600055051392",
"325396152028156461825976257373039032529",
"172057274404499640004844494401782128088",
"310874111164730573362982317096044176949",
"62827672749266796208414640029684124124",
"247598031375683136712725974857367268741",
"323441366845744466425933865993533941522",
"235917065999623988556121297506564092275",
"219605440815208519170284114749590822570",
"192952928898073677306992312819016189314",
"237170270618117431554387423058569691529",
"108221181523209078242625057465512956872",
"283740707775816795627136730923862105839",
"85118346703785761042849234380004478538",
"129448913717868222228038971857395864841",
"232063696138880623073490351999167961196",
"224006478562920050165307401675152943717",
"164032274340378248967914117419341465733",
"200010957122501598567493033751468745424",
"155501657650083700075550023143806863770",
"28607700834679470116460068699821432338",
"9409161176140457356294099072420017004",
"88156764865636144428759626619054907381",
"1557235551019568454495899749445222562",
"125701986548873720645685049004343239488",
"152344569035925649442338615303321596426",
"295845236815881542153463637686892873528",
"125482890884208964928776078001916239942"
]
},
"id": "PUB-A-165329981-795d0cc8",
"source": "https://android.googlesource.com/kernel/common/+/cacbff013baa586c63dd779e67d13238bf46c28e",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/bluetooth/l2cap_core.c"
},
"signature_type": "Line"
},
{
"digest": {
"length": 223.0,
"function_hash": "3648122761785644288295746387316296666"
},
"id": "PUB-A-165329981-79960a7f",
"source": "https://android.googlesource.com/kernel/common/+/2f9fed9ce805cf4d97cffb2f59d57b41b8e7fca8",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/bluetooth/l2cap_core.c",
"function": "l2cap_get_chan_by_ident"
},
"signature_type": "Function"
},
{
"digest": {
"length": 1397.0,
"function_hash": "330173890241000632968311811768631592144"
},
"id": "PUB-A-165329981-7c0b7239",
"source": "https://android.googlesource.com/kernel/common/+/cacbff013baa586c63dd779e67d13238bf46c28e",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/bluetooth/l2cap_core.c",
"function": "l2cap_move_continue"
},
"signature_type": "Function"
},
{
"digest": {
"length": 1095.0,
"function_hash": "235264457036944140079831474464566892112"
},
"id": "PUB-A-165329981-7f5df5e2",
"source": "https://android.googlesource.com/kernel/common/+/2f9fed9ce805cf4d97cffb2f59d57b41b8e7fca8",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/bluetooth/l2cap_core.c",
"function": "l2cap_data_channel"
},
"signature_type": "Function"
},
{
"digest": {
"length": 1397.0,
"function_hash": "330173890241000632968311811768631592144"
},
"id": "PUB-A-165329981-8ed77ded",
"source": "https://android.googlesource.com/kernel/common/+/2f9fed9ce805cf4d97cffb2f59d57b41b8e7fca8",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/bluetooth/l2cap_core.c",
"function": "l2cap_move_continue"
},
"signature_type": "Function"
},
{
"digest": {
"length": 2232.0,
"function_hash": "118869981950018905847546501991015473393"
},
"id": "PUB-A-165329981-aaa0ed59",
"source": "https://android.googlesource.com/kernel/common/+/2f9fed9ce805cf4d97cffb2f59d57b41b8e7fca8",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/bluetooth/l2cap_core.c",
"function": "l2cap_config_req"
},
"signature_type": "Function"
},
{
"digest": {
"length": 2232.0,
"function_hash": "118869981950018905847546501991015473393"
},
"id": "PUB-A-165329981-ab53e14b",
"source": "https://android.googlesource.com/kernel/common/+/cacbff013baa586c63dd779e67d13238bf46c28e",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/bluetooth/l2cap_core.c",
"function": "l2cap_config_req"
},
"signature_type": "Function"
},
{
"digest": {
"length": 223.0,
"function_hash": "3648122761785644288295746387316296666"
},
"id": "PUB-A-165329981-ae711fe3",
"source": "https://android.googlesource.com/kernel/common/+/cacbff013baa586c63dd779e67d13238bf46c28e",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/bluetooth/l2cap_core.c",
"function": "l2cap_get_chan_by_dcid"
},
"signature_type": "Function"
},
{
"digest": {
"length": 223.0,
"function_hash": "3648122761785644288295746387316296666"
},
"id": "PUB-A-165329981-bac13bc5",
"source": "https://android.googlesource.com/kernel/common/+/2f9fed9ce805cf4d97cffb2f59d57b41b8e7fca8",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/bluetooth/l2cap_core.c",
"function": "l2cap_get_chan_by_scid"
},
"signature_type": "Function"
},
{
"digest": {
"length": 568.0,
"function_hash": "83830462002002839983715304866302848239"
},
"id": "PUB-A-165329981-c21af74a",
"source": "https://android.googlesource.com/kernel/common/+/cacbff013baa586c63dd779e67d13238bf46c28e",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/bluetooth/l2cap_core.c",
"function": "l2cap_move_channel_confirm_rsp"
},
"signature_type": "Function"
},
{
"digest": {
"length": 568.0,
"function_hash": "83830462002002839983715304866302848239"
},
"id": "PUB-A-165329981-c56a62c2",
"source": "https://android.googlesource.com/kernel/common/+/2f9fed9ce805cf4d97cffb2f59d57b41b8e7fca8",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/bluetooth/l2cap_core.c",
"function": "l2cap_move_channel_confirm_rsp"
},
"signature_type": "Function"
},
{
"digest": {
"length": 2226.0,
"function_hash": "141941887257596437627066361646638695503"
},
"id": "PUB-A-165329981-cd40474f",
"source": "https://android.googlesource.com/kernel/common/+/cacbff013baa586c63dd779e67d13238bf46c28e",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/bluetooth/l2cap_core.c",
"function": "l2cap_config_rsp"
},
"signature_type": "Function"
},
{
"digest": {
"length": 479.0,
"function_hash": "331169585127603187152899612967911286855"
},
"id": "PUB-A-165329981-d201f4ff",
"source": "https://android.googlesource.com/kernel/common/+/cacbff013baa586c63dd779e67d13238bf46c28e",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/bluetooth/l2cap_core.c",
"function": "l2cap_move_fail"
},
"signature_type": "Function"
},
{
"digest": {
"length": 684.0,
"function_hash": "236184558604859907890195847617279485217"
},
"id": "PUB-A-165329981-d4af7850",
"source": "https://android.googlesource.com/kernel/common/+/2f9fed9ce805cf4d97cffb2f59d57b41b8e7fca8",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/bluetooth/l2cap_core.c",
"function": "l2cap_global_fixed_chan"
},
"signature_type": "Function"
},
{
"digest": {
"length": 223.0,
"function_hash": "3648122761785644288295746387316296666"
},
"id": "PUB-A-165329981-e0182cd7",
"source": "https://android.googlesource.com/kernel/common/+/2f9fed9ce805cf4d97cffb2f59d57b41b8e7fca8",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/bluetooth/l2cap_core.c",
"function": "l2cap_get_chan_by_dcid"
},
"signature_type": "Function"
}
],
"fixes": [
"https://android.googlesource.com/kernel/common/+/cacbff013baa586c63dd779e67d13238bf46c28e",
"https://android.googlesource.com/kernel/common/+/2f9fed9ce805cf4d97cffb2f59d57b41b8e7fca8"
],
"spl": "2022-12-05",
"severity": "Moderate",
"types": [
"EoP"
]
}