CVE-2024-27398: Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout

0.0 CVSS

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout

When the sco connection is established and then, the sco socket
is releasing, timeout_work will be scheduled to judge whether
the sco disconnection is timeout. The sock will be deallocated
later, but it is dereferenced again in sco_sock_timeout. As a
result, the use-after-free bugs will happen. The root cause is
shown below:

Cleanup Thread | Worker Thread
sco_sock_release |
sco_sock_close |
__sco_sock_close |
sco_sock_set_timer |
schedule_delayed_work |
sco_sock_kill | (wait a time)
sock_put(sk) //FREE | sco_sock_timeout
| sock_hold(sk) //USE

The KASAN report triggered by POC is shown below:

[ 95.890016] ==================================================================
[ 95.890496] BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x5e/0x1c0
[ 95.890755] Write of size 4 at addr ffff88800c388080 by task kworker/0:0/7
...
[ 95.890755] Workqueue: events sco_sock_timeout
[ 95.890755] Call Trace:
[ 95.890755]
[ 95.890755] dump_stack_lvl+0x45/0x110
[ 95.890755] print_address_description+0x78/0x390
[ 95.890755] print_report+0x11b/0x250
[ 95.890755] ? __virt_addr_valid+0xbe/0xf0
[ 95.890755] ? sco_sock_timeout+0x5e/0x1c0
[ 95.890755] kasan_report+...

Classification

CVE ID: CVE-2024-27398

CVSS Base Severity: LOW

CVSS Base Score: 0.0

Affected Products

Vendor: Linux

Product: Linux

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 15.23% (scored less or equal to compared to others)

EPSS Date: 2025-02-03 (when was this score calculated)

References

https://git.kernel.org/stable/c/1b33d55fb7355e27f8c82cd4ecd560f162469249
https://git.kernel.org/stable/c/3212afd00e3cda790fd0583cb3eaef8f9575a014
https://git.kernel.org/stable/c/33a6e92161a78c1073d90e27abe28d746feb0a53
https://git.kernel.org/stable/c/6a18eeb1b3bbc67c20d9609c31dca6a69b4bcde5
https://git.kernel.org/stable/c/bfab2c1f7940a232cd519e82fff137e308abfd93
https://git.kernel.org/stable/c/012363cb1bec5f33a7b94629ab2c1086f30280f2
https://git.kernel.org/stable/c/50c2037fc28df870ef29d9728c770c8955d32178
https://git.kernel.org/stable/c/483bc08181827fc475643272ffb69c533007e546

Timeline