CVE-2024-36012: Linux Kernel Bluetooth msft Slab-use-after-free Vulnerability Resolved

In the Linux kernel, the developers have addressed a critical vulnerability that could lead to security issues on affected Linux systems: a slab-use-after-free bug in the Bluetooth handling module (the msft extension code). This post gives an overview of the vulnerability, code snippets highlighting the problem, and the fix the developers applied.

The vulnerability is tracked as CVE-2024-36012, and it stems from a slab-use-after-free in the msft_do_close() function of the Linux kernel's Bluetooth handling code. The issue has been successfully patched, with the msft->data lifetime now tied to hdev, ensuring a more secure and stable Bluetooth experience for kernel users.

Here is the annotated code snippet that shows how the vulnerability is triggered (the numbers mark the order in which the steps interleave):

[use]
msft_do_close()
  msft = hdev->msft_data;
  if (!msft)                      ...(1) <- passed.
    return;
  mutex_lock(&msft->filter_lock); ...(4) <- used after freed.

[free]
msft_unregister()
  msft = hdev->msft_data;
  hdev->msft_data = NULL;         ...(2)
  kfree(msft);                    ...(3) <- msft is freed.

The problem arises when msft_do_close() passes its NULL check (1), msft_unregister() then clears hdev->msft_data and frees the structure (2, 3), and msft_do_close() goes on to take msft->filter_lock on the freed structure (4). The following KASAN report shows the resulting slab-use-after-free:

BUG: KASAN: slab-use-after-free in __mutex_lock_common kernel/locking/mutex.c:587 [inline]
BUG: KASAN: slab-use-after-free in __mutex_lock+0x8f/0xc30 kernel/locking/mutex.c:752
Read of size 8 at addr ffff888106cbbca8 by task kworker/u5:2/309

The Linux kernel developers have resolved this vulnerability by tying the msft->data lifetime to hdev and freeing it in the hci_release_dev() function, i.e. only when the device itself is released rather than at unregister time. Because msft_do_close() can no longer run after that point, the structure is never used after being freed, which closes the slab-use-after-free.
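As an added example (not code from the patch or from this post), here is a userspace C model of the two orderings the trace above describes: before the fix, unregister frees the object while msft_do_close() has already passed its NULL check; after the fix, the object is freed only from the hdev release path. Every struct and function here is a simplified stand-in (names ending in _model or _vulnerable are invented), and "freeing" only poisons a shadow bit so the replay can report the bad access instead of crashing.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model (added example): the names echo the kernel's, but every
 * struct and function here is a simplified stand-in, not kernel code. */
struct msft_data { int freed; int lock_depth; }; /* freed = "poisoned" shadow bit */
struct hci_dev  { struct msft_data *msft_data; };
/* Stand-in for kfree(): poison the object instead of releasing it, so a later
 * access can be reported the way KASAN would, without a real crash. */
static void kfree_model(struct msft_data *msft) { if (msft) msft->freed = 1; }
/* msft_do_close(), phase 1: the NULL check (1) passes and the pointer is kept. */
static struct msft_data *do_close_begin(struct hci_dev *hdev) { return hdev->msft_data; }
/* msft_do_close(), phase 2: mutex_lock(&msft->filter_lock) (4).
 * Returns 1 if the access lands on poisoned memory, i.e. a use-after-free. */
static int do_close_finish(struct msft_data *msft)
{
    if (!msft) return 0;
    if (msft->freed) return 1;
    msft->lock_depth++;
    return 0;
}
/* Before the fix: unregister clears the pointer (2) and frees it (3) while a
 * close that has already passed (1) may still be running. */
static void msft_unregister_vulnerable(struct hci_dev *hdev)
{
    struct msft_data *msft = hdev->msft_data;
    hdev->msft_data = NULL;
    kfree_model(msft);
}
/* After the fix: the object lives as long as hdev and is freed only from
 * hci_release_dev(), once every user of the device is gone. */
static void hci_release_dev_model(struct hci_dev *hdev)
{
    kfree_model(hdev->msft_data);
    hdev->msft_data = NULL;
}
/* Replay the interleaving (1) -> (2),(3) -> (4); returns 1 if a UAF occurred. */
static int replay(int fixed)
{
    struct hci_dev hdev = { calloc(1, sizeof(struct msft_data)) };
    struct msft_data *held = do_close_begin(&hdev);   /* (1) */
    if (!fixed) msft_unregister_vulnerable(&hdev);    /* (2), (3) */
    int uaf = do_close_finish(held);                  /* (4) */
    hci_release_dev_model(&hdev);                     /* fixed path frees only here */
    free(held);                                       /* return the real allocation */
    return uaf;
}

int main(void) { printf("vulnerable: uaf=%d\nfixed: uaf=%d\n", replay(0), replay(1)); return 0; }
```

replay(0) reports the use-after-free (1) and replay(1) does not (0), mirroring what KASAN flagged before the patch and what the lifetime change prevents.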

You can find the reference to the original patch on the Linux Kernel Mailing List and GitHub.

In conclusion, the Linux kernel developers have efficiently handled the CVE-2024-36012 vulnerability, which could have otherwise impacted the Bluetooth functionality of a variety of Linux systems. It is essential for Linux users to stay updated on the latest patches, ensuring that their systems run securely and efficiently.

Timeline

Published on: 05/23/2024 07:15:08 UTC
Last modified on: 05/29/2024 05:32:56 UTC