A use-after-free vulnerability (CVE-2024-27398) has been discovered and resolved in the Linux kernel, specifically in its Bluetooth implementation. The flaw lies in the sco_sock_timeout function and could potentially be exploited by an attacker to cause a denial of service or execute arbitrary code on the target system.

Background

The bug occurs when an SCO (Synchronous Connection-Oriented) connection is established and the SCO socket is then released. On release, timeout_work is scheduled to judge whether the SCO disconnection has timed out. The sock is deallocated in the meantime but is dereferenced again when sco_sock_timeout runs, leading to a use-after-free. This issue has been fixed in the latest Linux kernel source code update by removing the references to the sock after it has been released.

The root cause is shown below:

    Cleanup Thread               |      Worker Thread
    sco_sock_release             |
      sco_sock_close             |
        __sco_sock_close         |
          sco_sock_set_timer     |
            schedule_delayed_work|
      sco_sock_kill              |    (wait a time)
        sock_put(sk) //FREE      |  sco_sock_timeout
                                 |    sock_hold(sk) //USE

1. Linux kernel source code update that fixes the issue
2. KASAN report (truncated)
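The diagram above is easier to reason about with the two threads replayed in order. The following is an added illustration, not kernel code and not the actual CVE-2024-27398 patch: a single-threaded user-space model in which the "cleanup thread" steps run first and the delayed work fires afterwards. Names such as toy_sock, toy_conn, toy_sock_release and toy_sock_timeout are constructed stand-ins for the kernel functions named in the diagram. Instead of really freeing the object, the model marks it freed so that the dangerous access can be observed rather than being undefined behaviour; in the real kernel that observation is KASAN's job. It replays the buggy ordering alongside two defensive variants: clearing the connection's sock pointer before the final put (the approach this page describes the fix as taking) and pinning the sock with an extra reference for as long as the work is queued (a general remedy for deferred work that outlives its object).

```c
/* toy_uaf_model.c -- single-threaded model of the sco_sock_timeout race.
 * Added illustration; everything here is a constructed stand-in, and the
 * kernel names appear in comments only. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct toy_sock {
    int refcnt;          /* stand-in for sk->sk_refcnt */
    bool freed;          /* model bookkeeping: set when refcnt hits 0 (the kernel frees) */
    int timeouts_run;
};

struct toy_conn {
    struct toy_sock *sk; /* stand-in for conn->sk, the pointer the timeout work follows */
    bool work_pending;   /* stand-in for timeout_work sitting on the workqueue */
    bool work_owns_ref;  /* MODE_HOLD_REF: the queued work pins the sock */
};

enum fix_mode { MODE_BUGGY, MODE_CLEAR_REF, MODE_HOLD_REF };

struct outcome {
    int timeout_result;  /* -1 = touched freed memory, 0 = ran on a live sock, 1 = skipped */
    bool sock_freed;     /* true if the sock was torn down by the end (no leak) */
    int refcnt_at_end;
};

static void toy_sock_hold(struct toy_sock *sk) { sk->refcnt++; }

static void toy_sock_put(struct toy_sock *sk)
{
    if (--sk->refcnt == 0)
        sk->freed = true; /* the kernel would free the object here; we only mark it */
}

/* __sco_sock_close -> sco_sock_set_timer -> schedule_delayed_work */
static void toy_set_timer(struct toy_conn *conn, enum fix_mode mode)
{
    conn->work_pending = true;
    conn->work_owns_ref = (mode == MODE_HOLD_REF);
    if (conn->work_owns_ref)
        toy_sock_hold(conn->sk); /* pin the sock for as long as the work is queued */
}

/* Cleanup thread: sco_sock_release -> ... -> sco_sock_kill -> sock_put */
static void toy_sock_release(struct toy_conn *conn, enum fix_mode mode)
{
    struct toy_sock *sk = conn->sk;

    toy_set_timer(conn, mode);
    if (mode == MODE_CLEAR_REF)
        conn->sk = NULL;   /* drop conn's pointer before the last put, so the work cannot find it */
    toy_sock_put(sk);      /* in MODE_BUGGY this is the last reference: the sock is gone */
}

/* Worker thread, some time later: sco_sock_timeout */
static int toy_sock_timeout(struct toy_conn *conn)
{
    struct toy_sock *sk = conn->sk;

    conn->work_pending = false;
    if (!sk)
        return 1;          /* MODE_CLEAR_REF: nothing to do, the sock was already torn down */
    if (sk->freed)
        return -1;         /* MODE_BUGGY: sock_hold(sk) here is the use-after-free KASAN reports */

    toy_sock_hold(sk);
    sk->timeouts_run++;
    toy_sock_put(sk);
    if (conn->work_owns_ref)
        toy_sock_put(sk);  /* MODE_HOLD_REF: release the reference taken when scheduling */
    return 0;
}

/* Replay the diagram: cleanup thread first, then the delayed work fires. */
struct outcome run_scenario(enum fix_mode mode)
{
    struct toy_sock sk = { .refcnt = 1, .freed = false, .timeouts_run = 0 };
    struct toy_conn conn = { .sk = &sk, .work_pending = false, .work_owns_ref = false };
    struct outcome out;

    toy_sock_release(&conn, mode);
    out.timeout_result = toy_sock_timeout(&conn);
    out.sock_freed = sk.freed;
    out.refcnt_at_end = sk.refcnt;
    return out;
}

int main(void)
{
    const char *names[] = { "buggy", "clear conn->sk", "hold ref across work" };
    for (int m = MODE_BUGGY; m <= MODE_HOLD_REF; m++) {
        struct outcome o = run_scenario((enum fix_mode)m);
        printf("%-22s timeout_result=%2d sock_freed=%d refcnt=%d\n",
               names[m], o.timeout_result, o.sock_freed, o.refcnt_at_end);
    }
    return 0;
}
```

In the buggy ordering the final sock_put in the cleanup path drops the last reference while the work is still queued, so the later sock_hold lands on freed memory. Both defensive variants end with the sock torn down exactly once and a zero refcount, which is the property a reviewer should check on any patch in this area: the deferred work must either be unable to reach the object after release or must own a reference that keeps it alive until the work has finished.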

Exploit Details

An attacker could potentially exploit this vulnerability by sending crafted Bluetooth packets to the target device, forcing it to allocate and deallocate SCO sockets. By doing this, the attacker might cause the system to reference the freed socket memory, which may lead to denial of service, memory corruption, or arbitrary code execution.

Mitigation

The vulnerability has been fixed in the latest Linux kernel sources. To protect your system, update your Linux kernel to the latest stable version, and check your Linux distribution for the appropriate kernel update for your specific system.

In summary, CVE-2024-27398 is a use-after-free vulnerability in the Linux kernel's Bluetooth implementation. By leveraging this bug, an attacker could potentially cause a denial of service or execute arbitrary code on a target system. It's essential to update your Linux kernel to the latest stable version to mitigate the risks posed by this vulnerability.

Timeline

Published on: 05/14/2024 15:12:28 UTC
Last modified on: 06/27/2024 14:15:13 UTC