CVE-2024-27399: Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout

There is a race condition between l2cap_chan_timeout() and
l2cap_chan_del(). When we use l2cap_chan_del() to delete the
channel, the chan->conn will be set to null. But the conn could
be dereferenced again in the mutex_lock() of l2cap_chan_timeout().
As a result the null pointer dereference bug will happen. The
KASAN report triggered by POC is shown below:

[ 472.074580] ==================================================================
[ 472.075284] BUG: KASAN: null-ptr-deref in mutex_lock+0x68/0xc0
[ 472.075308] Write of size 8 at addr 0000000000000158 by task kworker/0:0/7
[ 472.075308]
[ 472.075308] CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.9.0-rc5-00356-g78c0094a146b #36
[ 472.075308] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4
[ 472.075308] Workqueue: events l2cap_chan_timeout
[ 472.075308] Call Trace:
[ 472.075308]
[ 472.075308] dump_stack_lvl+0x137/0x1a0
[ 472.075308] print_report+0x101/0x250
[ 472.075308] ? __virt_addr_valid+0x77/0x160
[ 472.075308] ? mutex_lock+0x68/0xc0
[ 472.075308] kasan_report+0x139/0x170
[ 472.075308] ? mutex_lock+0x68/0xc0
[ 472.075308] kasan_check_range+0x2c3/0x2e0
[ 472.075308] mutex_lock+0x68/0xc0
[ 472.075308] l2cap_chan_timeout+0x181/0x300
[ 472.075308] process_one_work+0x5d2/0xe00
[ 472.075308] worker_thread+0xe1d/...

Classification

CVE ID: CVE-2024-27399

Affected Products

Vendor: Linux

Product: Linux

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 15.26% (scored less or equal to compared to others)

EPSS Date: 2025-02-04 (when was this score calculated)

References

https://git.kernel.org/stable/c/e137e2ba96e51902dc2878131823a96bf8e638ae
https://git.kernel.org/stable/c/6466ee65e5b27161c846c73ef407f49dfa1bd1d9
https://git.kernel.org/stable/c/06acb75e7ed600d0bbf7bff5628aa8f24a97978c
https://git.kernel.org/stable/c/e97e16433eb4533083b096a3824b93a5ca3aee79
https://git.kernel.org/stable/c/8960ff650aec70485b40771cd8e6e8c4cb467d33
https://git.kernel.org/stable/c/955b5b6c54d95b5e7444dfc81c95c8e013f27ac0
https://git.kernel.org/stable/c/eb86f955488c39526534211f2610e48a5cf8ead4
https://git.kernel.org/stable/c/adf0398cee86643b8eacde95f17d073d022f782c

Timeline

2024-12-20 00:35:57 UTC
CVE

Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout