CVE-2024-35978: Linux Kernel Bluetooth Memory Leak - Fix and Impact

The Linux kernel manages hardware resources and mediates between user applications and devices on every Linux system. Despite extensive development and testing, it is not immune to vulnerabilities; new issues are discovered and fixed regularly.

In this post, we discuss a recently resolved Bluetooth vulnerability in the Linux kernel: CVE-2024-35978, a memory leak in the function 'hci_req_sync_complete()'. We show the code before and after the fix, point to the original sources, and explain the impact so that readers can recognise and avoid the same pattern in their own code.

Vulnerability Details

CVE-2024-35978 refers to a memory leak in the Linux kernel's Bluetooth stack. It occurs in the 'hci_req_sync_complete()' function in 'net/bluetooth/hci_request.c', the completion handler for synchronous HCI requests: the handler stores a reference to the reply socket buffer in 'hdev->req_skb' without first releasing the reference already held there, so the previous buffer becomes unreachable and is never freed. If the leak can be triggered repeatedly, kernel memory is consumed with no way to reclaim it short of a reboot, which is a denial-of-service (DoS) condition.

Fix:

Linux kernel developers have fixed the memory leak issue in 'hci_req_sync_complete()' by ensuring that any previous sync request state is always freed before assigning a reference to a new one.

The pre-fix version of 'hci_req_sync_complete()' in the upstream kernel is as follows. Note that 'skb_get()' takes an additional reference on the buffer, and that nothing in this function drops the reference that 'hdev->req_skb' may already hold:

static void hci_req_sync_complete(struct hci_dev *hdev, u8 result, u16 opcode,
                                  struct sk_buff *skb)
{
    bt_dev_dbg(hdev, "result 0x%2.2x", result);

    if (hdev->req_status == HCI_REQ_PEND) {
        hdev->req_result = result;
        hdev->req_status = HCI_REQ_DONE;
        if (skb)
            hdev->req_skb = skb_get(skb);   /* previous req_skb reference is lost */
        wake_up_interruptible(&hdev->req_wait_q);
    }
}

The fixed version of 'hci_req_sync_complete()' is:

static void hci_req_sync_complete(struct hci_dev *hdev, u8 result, u16 opcode,
                                  struct sk_buff *skb)
{
    bt_dev_dbg(hdev, "result 0x%2.2x", result);

    if (hdev->req_status == HCI_REQ_PEND) {
        hdev->req_result = result;
        hdev->req_status = HCI_REQ_DONE;
        if (skb) {
            kfree_skb(hdev->req_skb);       /* drop the reference parked earlier */
            hdev->req_skb = skb_get(skb);
        }
        wake_up_interruptible(&hdev->req_wait_q);
    }
}

The only change is inside the 'if (skb)' branch: 'kfree_skb(hdev->req_skb)' releases whatever reference is still parked in 'req_skb' before 'skb_get(skb)' stores the new one. Because 'kfree_skb()' accepts a NULL pointer, the first completion on a device (when 'req_skb' is still NULL) behaves exactly as before; only the case where a previous reply was never consumed changes, and that is the case that leaked.
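To make the leak observable outside the kernel, the following user-space model is added here; it is not kernel code and not part of the original post. 'alloc_skb()', 'skb_get()' and 'kfree_skb()' are simplified stand-ins for the kernel's socket-buffer reference counting, 'struct hci_dev' keeps only the three fields that matter, the controller replies are constructed bytes, and the waiter that issues each request and ignores 'req_skb' is a constructed caller that mirrors the leaky usage. The two completion handlers are the pre-fix and post-fix logic from the snippets above, minus the debug print and wake-up.

```c
/*
 * Added example (not kernel code): a user-space model of the reference
 * leak fixed by CVE-2024-35978. A "skb" is a reference-counted buffer;
 * skb_get() takes a reference, kfree_skb() drops one and frees at zero.
 * The completion handler parks a reference in hdev->req_skb. Overwriting
 * that slot without dropping the reference already there makes the old
 * buffer unreachable but never freed.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { HCI_REQ_PEND = 1, HCI_REQ_DONE = 2 };

struct skb {
    int refcnt;
    unsigned char data[8];
    size_t len;
};

/* Model-only device state: the fields of the kernel's hci_dev used here. */
struct hci_dev {
    int req_status;
    int req_result;
    struct skb *req_skb;
};

/* Number of buffers currently allocated: the leak detector of this model. */
static int live_skbs;

static struct skb *alloc_skb(const unsigned char *data, size_t len)
{
    struct skb *s = calloc(1, sizeof(*s));
    if (!s || len > sizeof(s->data))
        abort();
    s->refcnt = 1;
    memcpy(s->data, data, len);
    s->len = len;
    live_skbs++;
    return s;
}

static struct skb *skb_get(struct skb *s)
{
    s->refcnt++;
    return s;
}

/* Like the kernel's kfree_skb(), a NULL argument is a no-op. */
static void kfree_skb(struct skb *s)
{
    if (s && --s->refcnt == 0) {
        free(s);
        live_skbs--;
    }
}

/* Pre-fix behaviour: the previous req_skb reference is simply overwritten. */
static void hci_req_sync_complete_buggy(struct hci_dev *hdev, int result,
                                        struct skb *skb)
{
    if (hdev->req_status == HCI_REQ_PEND) {
        hdev->req_result = result;
        hdev->req_status = HCI_REQ_DONE;
        if (skb)
            hdev->req_skb = skb_get(skb);
    }
}

/* Post-fix behaviour: drop whatever is parked first, then take the new one. */
static void hci_req_sync_complete_fixed(struct hci_dev *hdev, int result,
                                        struct skb *skb)
{
    if (hdev->req_status == HCI_REQ_PEND) {
        hdev->req_result = result;
        hdev->req_status = HCI_REQ_DONE;
        if (skb) {
            kfree_skb(hdev->req_skb);
            hdev->req_skb = skb_get(skb);
        }
    }
}

/*
 * Drive n synchronous requests whose (constructed) waiter only reads
 * req_result and never consumes req_skb. Each controller reply is a fresh
 * buffer that the receive path releases after the handler ran. Returns the
 * number of buffers still allocated after tear-down: 0 means no leak.
 */
static int run_sync_requests(int n, int use_fixed)
{
    /* Constructed HCI Command Complete bytes; the content is irrelevant. */
    static const unsigned char reply[] = { 0x0e, 0x04, 0x01, 0x03, 0x0c, 0x00 };
    struct hci_dev hdev = { 0 };
    int i;

    live_skbs = 0;
    for (i = 0; i < n; i++) {
        struct skb *skb = alloc_skb(reply, sizeof(reply));

        hdev.req_status = HCI_REQ_PEND;            /* caller issues a request */
        if (use_fixed)
            hci_req_sync_complete_fixed(&hdev, 0, skb);
        else
            hci_req_sync_complete_buggy(&hdev, 0, skb);
        kfree_skb(skb);                            /* receive path drops its ref */
        hdev.req_status = hdev.req_result = 0;     /* caller resets, ignores req_skb */
    }
    kfree_skb(hdev.req_skb);                       /* tear-down releases the last one */
    return live_skbs;
}

int main(void)
{
    printf("buggy handler, 3 requests: %d buffer(s) leaked\n", run_sync_requests(3, 0));
    printf("fixed handler, 3 requests: %d buffer(s) leaked\n", run_sync_requests(3, 1));
    return 0;
}
```

With three requests the buggy handler leaves two buffers allocated (every reply except the last is orphaned), the fixed handler leaves none. The same counter technique, a global live-object count checked at tear-down, is what kmemleak and syzkaller's leak mode automate for the real kernel.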

1. The original Linux kernel fix for CVE-2024-35978 can be found here:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6c7aa2dfde4c2ac5d47ac26e0463033f38874cdf

2. For a detailed explanation of the Bluetooth subsystem in the Linux kernel, readers may refer to the Linux kernel documentation:
https://www.kernel.org/doc/html/latest/networking/bluetooth.html

3. For the consequence class of this bug, uncontrolled resource consumption leading to denial of service (CWE-400), see:
https://cwe.mitre.org/data/definitions/400.html

Best Practices

To mitigate the risk of memory leaks in the Linux kernel and other software projects, developers should adopt best practices such as:

Conclusion

CVE-2024-35978 highlights the importance of careful reference management in the Linux kernel, particularly in subsystems such as Bluetooth that process input from external devices. The bug is a one-line omission: a slot holding a counted reference was overwritten without releasing it. By examining this vulnerability and its fix, developers can recognise the same pattern in their own code and release the old reference before storing a new one.

Timeline

Published on: 05/20/2024 10:15:12 UTC
Last modified on: 06/27/2024 12:15:27 UTC