CVE-2024-36013: Linux Kernel Bluetooth L2CAP Use-After-Free Vulnerability Resolved

In the Linux kernel, a critical vulnerability has been discovered and resolved in the Bluetooth L2CAP implementation. The issue, which has been assigned CVE-2024-36013, involves a "slab-use-after-free" error in the l2cap_connect() function. This post will discuss the details of the vulnerability, provide code snippets illustrating the problem, and link to the original references for further information.

Background

L2CAP (Logical Link Control and Adaptation Protocol) is a layer in the Bluetooth protocol stack, which provides multiplexing and segmentation of application data, enabling the transmission of larger data packets. In the kernel, the Bluetooth subsystem includes an implementation of the L2CAP protocol, which has been the source of several security vulnerabilities in the past.

Exploit Details

The slab-use-after-free error occurs in the l2cap_connect() function, where a critical section fails to prevent the 'chan' variable from being freed too early. The root cause is the missing mutex_lock() and mutex_unlock() around the access to 'chan' variable, leading to the "use after free" issue. The code snippet below illustrates the call stack summary:

[use]
l2cap_bredr_sig_cmd

l2cap_connect

┌ mutex_lock(&conn->chan_lock); // missing

│ list_add(&chan->list, &conn->chan_l); ... (1)

└ mutex_unlock(&conn->chan_lock); // missing

chan->conf_state ... (4) <- use after free

[free]
l2cap_conn_del
┌ mutex_lock(&conn->chan_lock);
│ foreach chan in conn->chan_l: ... (2)
│ l2cap_chan_put(chan);
│ l2cap_chan_destroy
│ kfree(chan) ... (3) <- chan freed
└ mutex_unlock(&conn->chan_lock);

As can be seen above, the early freeing of the 'chan' variable can occur between points (1) and (4), thus leading to the use-after-free error.

Resolution

The developers have fixed this vulnerability by extending the critical section to cover the usage of 'chan' variable, effectively preventing the use-after-free scenario. Moreover, they made the l2cap_connect() function return type void, as nothing is using the return value, and it is more efficient to not return a potentially freed pointer. This change will also help with backporting this patch to earlier kernels. The link to the original patch can be found here.

Conclusion

CVE-2024-36013 has been identified and resolved in the Linux kernel's Bluetooth L2CAP implementation, preventing a potential use-after-free issue that could be exploited by malicious actors. By staying informed about such vulnerabilities and applying patches in a timely manner, system administrators and developers can help protect their systems from security threats. It is crucial to keep an eye on kernel updates and apply security fixes as required to maintain a secure and reliable system.

Timeline

Published on: 05/23/2024 07:15:08 UTC
Last modified on: 07/03/2024 02:02:37 UTC