CVE-2024-27399: Linux Kernel Bluetooth l2cap Null Pointer Dereference Vulnerability Fixed

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout. This article looks more closely at the race condition which, when triggered, leads to a null pointer dereference. The exploit details and the kernel log trace are shown here, along with the associated patch.

A race condition exists between l2cap_chan_timeout() and l2cap_chan_del() in the Linux kernel Bluetooth implementation. When l2cap_chan_del() deletes the channel, it sets chan->conn to NULL. A concurrently running l2cap_chan_timeout(), however, may still dereference that conn pointer in its mutex_lock() call, which results in the null pointer dereference. A Kernel Address Sanitizer (KASAN) report is triggered by a Proof-of-Concept (PoC); a portion of that report is shown below:
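The synchronization the fix description calls for, modelled in userspace C as an added example (this is not the kernel's code or its actual patch): the delete path clears chan->conn under the connection lock, and the timeout path snapshots the pointer, bails out if the channel is already detached, and re-checks under the lock. The model assumes the conn object itself outlives both paths; in the kernel that lifetime is guaranteed separately by reference counting.

```c
#include <pthread.h>
#include <stddef.h>

/* Minimal stand-ins for the kernel structures (hypothetical, for the model). */
struct l2cap_conn { pthread_mutex_t chan_lock; };
struct l2cap_chan {
    struct l2cap_conn *conn;   /* cleared by chan_del(), read by chan_timeout() */
    int timeouts_handled;
};

enum { TIMEOUT_HANDLED = 0, TIMEOUT_SKIPPED = 1 };

/* Model of l2cap_chan_del(): detach the channel under the connection lock so
 * a concurrent timeout handler never sees a half-deleted channel. */
static void chan_del(struct l2cap_chan *chan)
{
    struct l2cap_conn *conn = chan->conn;
    if (!conn)
        return;
    pthread_mutex_lock(&conn->chan_lock);
    chan->conn = NULL;
    pthread_mutex_unlock(&conn->chan_lock);
}

/* Hardened model of l2cap_chan_timeout(). Without the NULL check below,
 * pthread_mutex_lock(&conn->chan_lock) is exactly the NULL dereference the
 * CVE describes; the re-check under the lock closes the window between the
 * check and the lock acquisition. */
static int chan_timeout(struct l2cap_chan *chan)
{
    struct l2cap_conn *conn = chan->conn;   /* snapshot the pointer once */
    if (!conn)
        return TIMEOUT_SKIPPED;             /* channel already deleted */
    pthread_mutex_lock(&conn->chan_lock);
    if (chan->conn != conn) {               /* deleted while waiting for the lock */
        pthread_mutex_unlock(&conn->chan_lock);
        return TIMEOUT_SKIPPED;
    }
    chan->timeouts_handled++;               /* normal timeout processing */
    pthread_mutex_unlock(&conn->chan_lock);
    return TIMEOUT_HANDLED;
}

/* Deterministic replay of the losing ordering: delete first, then the stale
 * timer fires. Returns 1 when the stale firing is skipped instead of crashing. */
static int replay_race(void)
{
    struct l2cap_conn conn = { PTHREAD_MUTEX_INITIALIZER };  /* constructed sample */
    struct l2cap_chan chan = { &conn, 0 };
    int first = chan_timeout(&chan);    /* normal firing: handled */
    chan_del(&chan);                    /* chan->conn becomes NULL */
    int second = chan_timeout(&chan);   /* stale firing: must be skipped */
    return first == TIMEOUT_HANDLED && second == TIMEOUT_SKIPPED &&
           chan.timeouts_handled == 1;
}
```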

[KASAN report truncated]

This KASAN report illustrates the null-ptr-deref, which can cause kernel crashes, system instability, or further security issues if exploited. To resolve this vulnerability, a patch has been developed that synchronizes the deletion of the l2cap channel with its associated connection object. The patch is available in the Linux kernel Git repository, along with other relevant information and discussion:

- Patch in Linux kernel Git repository
- Mailing list discussion

In conclusion, the CVE-2024-27399 vulnerability in the Linux kernel's Bluetooth implementation has been resolved with a patch. System administrators and kernel developers are encouraged to apply the patch to ensure that their systems are protected against this null-ptr-deref issue. Further information on this vulnerability can be found at the Git repository and mailing list discussion links above. Always keep your systems up to date with the latest security patches to mitigate potential security threats.

Timeline

Published on: 05/14/2024 15:12:28 UTC
Last modified on: 06/27/2024 14:15:13 UTC