Ubuntu: (Multiple Advisories) (CVE-2024-27398): Linux kernel vulnerabilities


Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 05/14/2024
Created: 08/10/2024
Added: 08/09/2024
Modified: 01/23/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout

When the sco connection is established and then, the sco socket is releasing, timeout_work will be scheduled to judge whether the sco disconnection is timeout. The sock will be deallocated later, but it is dereferenced again in sco_sock_timeout. As a result, the use-after-free bugs will happen. The root cause is shown below:

    Cleanup Thread               |      Worker Thread
    sco_sock_release             |
      sco_sock_close             |
        __sco_sock_close         |
          sco_sock_set_timer     |
            schedule_delayed_work|
      sco_sock_kill              |    (wait a time)
        sock_put(sk) //FREE      |  sco_sock_timeout
                                 |    sock_hold(sk) //USE

The KASAN report triggered by POC is shown below:

    [ 95.890016] ==================================================================
    [ 95.890496] BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x5e/0x1c0
    [ 95.890755] Write of size 4 at addr ffff88800c388080 by task kworker/0:0/7
    ...
    [ 95.890755] Workqueue: events sco_sock_timeout
    [ 95.890755] Call Trace:
    [ 95.890755] <TASK>
    [ 95.890755] dump_stack_lvl+0x45/0x110
    [ 95.890755] print_address_description+0x78/0x390
    [ 95.890755] print_report+0x11b/0x250
    [ 95.890755] ? __virt_addr_valid+0xbe/0xf0
    [ 95.890755] ? sco_sock_timeout+0x5e/0x1c0
    [ 95.890755] kasan_report+0x139/0x170
    [ 95.890755] ? update_load_avg+0xe5/0x9f0
    [ 95.890755] ? sco_sock_timeout+0x5e/0x1c0
    [ 95.890755] kasan_check_range+0x2c3/0x2e0
    [ 95.890755] sco_sock_timeout+0x5e/0x1c0
    [ 95.890755] process_one_work+0x561/0xc50
    [ 95.890755] worker_thread+0xab2/0x13c0
    [ 95.890755] ? pr_cont_work+0x490/0x490
    [ 95.890755] kthread+0x279/0x300
    [ 95.890755] ? pr_cont_work+0x490/0x490
    [ 95.890755] ? kthread_blkcg+0xa0/0xa0
    [ 95.890755] ret_from_fork+0x34/0x60
    [ 95.890755] ? kthread_blkcg+0xa0/0xa0
    [ 95.890755] ret_from_fork_asm+0x11/0x20
    [ 95.890755] </TASK>
    [ 95.890755]
    [ 95.890755] Allocated by task 506:
    [ 95.890755] kasan_save_track+0x3f/0x70
    [ 95.890755] __kasan_kmalloc+0x86/0x90
    [ 95.890755] __kmalloc+0x17f/0x360
    [ 95.890755] sk_prot_alloc+0xe1/0x1a0
    [ 95.890755] sk_alloc+0x31/0x4e0
    [ 95.890755] bt_sock_alloc+0x2b/0x2a0
    [ 95.890755] sco_sock_create+0xad/0x320
    [ 95.890755] bt_sock_create+0x145/0x320
    [ 95.890755] __sock_create+0x2e1/0x650
    [ 95.890755] __sys_socket+0xd0/0x280
    [ 95.890755] __x64_sys_socket+0x75/0x80
    [ 95.890755] do_syscall_64+0xc4/0x1b0
    [ 95.890755] entry_SYSCALL_64_after_hwframe+0x67/0x6f
    [ 95.890755]
    [ 95.890755] Freed by task 506:
    [ 95.890755] kasan_save_track+0x3f/0x70
    [ 95.890755] kasan_save_free_info+0x40/0x50
    [ 95.890755] poison_slab_object+0x118/0x180
    [ 95.890755] __kasan_slab_free+0x12/0x30
    [ 95.890755] kfree+0xb2/0x240
    [ 95.890755] __sk_destruct+0x317/0x410
    [ 95.890755] sco_sock_release+0x232/0x280
    [ 95.890755] sock_close+0xb2/0x210
    [ 95.890755] __fput+0x37f/0x770
    [ 95.890755] task_work_run+0x1ae/0x210
    [ 95.890755] get_signal+0xe17/0xf70
    [ 95.890755] arch_do_signal_or_restart+0x3f/0x520
    [ 95.890755] syscall_exit_to_user_mode+0x55/0x120
    [ 95.890755] do_syscall_64+0xd1/0x1b0
    [ 95.890755] entry_SYSCALL_64_after_hwframe+0x67/0x6f
    [ 95.890755]
    [ 95.890755] The buggy address belongs to the object at ffff88800c388000
    [ 95.890755] which belongs to the cache kmalloc-1k of size 1024
    [ 95.890755] The buggy address is located 128 bytes inside of
    [ 95.890755] freed 1024-byte region [ffff88800c388000, ffff88800c388400)
    [ 95.890755]
    [ 95.890755] The buggy address belongs to the physical page:
    [ 95.890755] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800c38a800 pfn:0xc388
    [ 95.890755] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
    [ 95.890755] ano ---truncated---
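
For triage, a KASAN report like the one quoted in the description can be reduced to a few fields and matched against this bug's signature. The following is an added example, not part of the advisory or the kernel patch; parse_kasan and is_sco_timeout_uaf are hypothetical helper names, and SAMPLE is a constructed, shortened excerpt of the report above.

```python
import re

# Constructed sample: shortened excerpt of the KASAN report quoted in the advisory.
SAMPLE = """\
[ 95.890496] BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x5e/0x1c0
[ 95.890755] Write of size 4 at addr ffff88800c388080 by task kworker/0:0/7
[ 95.890755] Workqueue: events sco_sock_timeout
[ 95.890755] Allocated by task 506:
[ 95.890755] sco_sock_create+0xad/0x320
[ 95.890755] Freed by task 506:
[ 95.890755] __sk_destruct+0x317/0x410
[ 95.890755] sco_sock_release+0x232/0x280
[ 95.890755] which belongs to the cache kmalloc-1k of size 1024
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s*")  # dmesg timestamp prefix
FRAME = re.compile(r"^\??\s*([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
BUG = re.compile(r"BUG: KASAN: (\S+) in ([\w.]+)\+")
ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)")
SECTION = re.compile(r"(Allocated|Freed) by task (\d+):")
CACHE = re.compile(r"belongs to the cache (\S+) of size (\d+)")

def parse_kasan(text):
    """Extract triage fields from one KASAN report (hypothetical helper)."""
    rep = {"alloc_stack": [], "free_stack": []}
    section = None  # which stack the following frames belong to
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if m := BUG.search(line):
            rep["bug_type"], rep["function"] = m.groups()
        elif m := ACCESS.search(line):
            rep["access"], size, rep["addr"], rep["task"] = m.groups()
            rep["size"] = int(size)
        elif m := SECTION.search(line):
            kind = "alloc" if m.group(1) == "Allocated" else "free"
            section = kind + "_stack"
            rep[kind + "_task"] = int(m.group(2))
        elif m := CACHE.search(line):
            rep["cache"] = m.group(1)
        elif line.startswith("Workqueue:"):
            rep["workqueue_fn"] = line.split()[-1]
        elif section and (m := FRAME.match(line)):
            rep[section].append(m.group(1))  # frames before any section are skipped
    return rep

def is_sco_timeout_uaf(rep):
    """True when the report matches the signature described in the advisory."""
    return (rep.get("bug_type") == "slab-use-after-free"
            and rep.get("function") == "sco_sock_timeout"
            and "sco_sock_release" in rep["free_stack"])
```

A match on a host's kernel log indicates the kernel is still unpatched and should be moved to one of the fixed packages listed under Solution(s).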

Solution(s)

  • ubuntu-upgrade-linux-image-4-15-0-1135-oracle
  • ubuntu-upgrade-linux-image-4-15-0-1156-kvm
  • ubuntu-upgrade-linux-image-4-15-0-1166-gcp
  • ubuntu-upgrade-linux-image-4-15-0-1173-aws
  • ubuntu-upgrade-linux-image-4-15-0-1181-azure
  • ubuntu-upgrade-linux-image-4-15-0-229-generic
  • ubuntu-upgrade-linux-image-4-15-0-229-lowlatency
  • ubuntu-upgrade-linux-image-5-15-0-1035-xilinx-zynqmp
  • ubuntu-upgrade-linux-image-5-15-0-1050-gkeop
  • ubuntu-upgrade-linux-image-5-15-0-1060-ibm
  • ubuntu-upgrade-linux-image-5-15-0-1060-raspi
  • ubuntu-upgrade-linux-image-5-15-0-1062-intel-iotg
  • ubuntu-upgrade-linux-image-5-15-0-1062-nvidia
  • ubuntu-upgrade-linux-image-5-15-0-1062-nvidia-lowlatency
  • ubuntu-upgrade-linux-image-5-15-0-1064-gke
  • ubuntu-upgrade-linux-image-5-15-0-1064-kvm
  • ubuntu-upgrade-linux-image-5-15-0-1065-oracle
  • ubuntu-upgrade-linux-image-5-15-0-1066-gcp
  • ubuntu-upgrade-linux-image-5-15-0-1067-aws
  • ubuntu-upgrade-linux-image-5-15-0-1070-azure
  • ubuntu-upgrade-linux-image-5-15-0-1070-azure-fde
  • ubuntu-upgrade-linux-image-5-15-0-118-generic
  • ubuntu-upgrade-linux-image-5-15-0-118-generic-64k
  • ubuntu-upgrade-linux-image-5-15-0-118-generic-lpae
  • ubuntu-upgrade-linux-image-5-15-0-118-lowlatency
  • ubuntu-upgrade-linux-image-5-15-0-118-lowlatency-64k
  • ubuntu-upgrade-linux-image-5-4-0-1042-iot
  • ubuntu-upgrade-linux-image-5-4-0-1049-xilinx-zynqmp
  • ubuntu-upgrade-linux-image-5-4-0-1077-ibm
  • ubuntu-upgrade-linux-image-5-4-0-1090-bluefield
  • ubuntu-upgrade-linux-image-5-4-0-1097-gkeop
  • ubuntu-upgrade-linux-image-5-4-0-1114-raspi
  • ubuntu-upgrade-linux-image-5-4-0-1118-kvm
  • ubuntu-upgrade-linux-image-5-4-0-1129-oracle
  • ubuntu-upgrade-linux-image-5-4-0-1130-aws
  • ubuntu-upgrade-linux-image-5-4-0-1134-gcp
  • ubuntu-upgrade-linux-image-5-4-0-1135-azure
  • ubuntu-upgrade-linux-image-5-4-0-192-generic
  • ubuntu-upgrade-linux-image-5-4-0-192-generic-lpae
  • ubuntu-upgrade-linux-image-5-4-0-192-lowlatency
  • ubuntu-upgrade-linux-image-6-8-0-1008-gke
  • ubuntu-upgrade-linux-image-6-8-0-1009-raspi
  • ubuntu-upgrade-linux-image-6-8-0-1010-ibm
  • ubuntu-upgrade-linux-image-6-8-0-1010-oem
  • ubuntu-upgrade-linux-image-6-8-0-1010-oracle
  • ubuntu-upgrade-linux-image-6-8-0-1010-oracle-64k
  • ubuntu-upgrade-linux-image-6-8-0-1011-nvidia
  • ubuntu-upgrade-linux-image-6-8-0-1011-nvidia-64k
  • ubuntu-upgrade-linux-image-6-8-0-1011-nvidia-lowlatency
  • ubuntu-upgrade-linux-image-6-8-0-1011-nvidia-lowlatency-64k
  • ubuntu-upgrade-linux-image-6-8-0-1012-azure
  • ubuntu-upgrade-linux-image-6-8-0-1012-azure-fde
  • ubuntu-upgrade-linux-image-6-8-0-1012-gcp
  • ubuntu-upgrade-linux-image-6-8-0-1013-aws
  • ubuntu-upgrade-linux-image-6-8-0-40-generic
  • ubuntu-upgrade-linux-image-6-8-0-40-generic-64k
  • ubuntu-upgrade-linux-image-6-8-0-40-lowlatency
  • ubuntu-upgrade-linux-image-6-8-0-40-lowlatency-64k
  • ubuntu-upgrade-linux-image-aws
  • ubuntu-upgrade-linux-image-aws-hwe
  • ubuntu-upgrade-linux-image-aws-lts-18-04
  • ubuntu-upgrade-linux-image-aws-lts-20-04
  • ubuntu-upgrade-linux-image-aws-lts-22-04
  • ubuntu-upgrade-linux-image-azure
  • ubuntu-upgrade-linux-image-azure-cvm
  • ubuntu-upgrade-linux-image-azure-fde
  • ubuntu-upgrade-linux-image-azure-fde-lts-22-04
  • ubuntu-upgrade-linux-image-azure-lts-18-04
  • ubuntu-upgrade-linux-image-azure-lts-20-04
  • ubuntu-upgrade-linux-image-azure-lts-22-04
  • ubuntu-upgrade-linux-image-bluefield
  • ubuntu-upgrade-linux-image-gcp
  • ubuntu-upgrade-linux-image-gcp-lts-18-04
  • ubuntu-upgrade-linux-image-gcp-lts-20-04
  • ubuntu-upgrade-linux-image-gcp-lts-22-04
  • ubuntu-upgrade-linux-image-generic
  • ubuntu-upgrade-linux-image-generic-64k
  • ubuntu-upgrade-linux-image-generic-64k-hwe-20-04
  • ubuntu-upgrade-linux-image-generic-64k-hwe-24-04
  • ubuntu-upgrade-linux-image-generic-hwe-16-04
  • ubuntu-upgrade-linux-image-generic-hwe-18-04
  • ubuntu-upgrade-linux-image-generic-hwe-20-04
  • ubuntu-upgrade-linux-image-generic-hwe-24-04
  • ubuntu-upgrade-linux-image-generic-lpae
  • ubuntu-upgrade-linux-image-generic-lpae-hwe-20-04
  • ubuntu-upgrade-linux-image-gke
  • ubuntu-upgrade-linux-image-gke-5-15
  • ubuntu-upgrade-linux-image-gkeop
  • ubuntu-upgrade-linux-image-gkeop-5-15
  • ubuntu-upgrade-linux-image-gkeop-5-4
  • ubuntu-upgrade-linux-image-ibm
  • ubuntu-upgrade-linux-image-ibm-classic
  • ubuntu-upgrade-linux-image-ibm-lts-20-04
  • ubuntu-upgrade-linux-image-ibm-lts-24-04
  • ubuntu-upgrade-linux-image-intel
  • ubuntu-upgrade-linux-image-intel-iotg
  • ubuntu-upgrade-linux-image-kvm
  • ubuntu-upgrade-linux-image-lowlatency
  • ubuntu-upgrade-linux-image-lowlatency-64k
  • ubuntu-upgrade-linux-image-lowlatency-64k-hwe-20-04
  • ubuntu-upgrade-linux-image-lowlatency-hwe-16-04
  • ubuntu-upgrade-linux-image-lowlatency-hwe-18-04
  • ubuntu-upgrade-linux-image-lowlatency-hwe-20-04
  • ubuntu-upgrade-linux-image-nvidia
  • ubuntu-upgrade-linux-image-nvidia-6-8
  • ubuntu-upgrade-linux-image-nvidia-64k
  • ubuntu-upgrade-linux-image-nvidia-64k-6-8
  • ubuntu-upgrade-linux-image-nvidia-lowlatency
  • ubuntu-upgrade-linux-image-nvidia-lowlatency-64k
  • ubuntu-upgrade-linux-image-oem
  • ubuntu-upgrade-linux-image-oem-20-04
  • ubuntu-upgrade-linux-image-oem-20-04b
  • ubuntu-upgrade-linux-image-oem-20-04c
  • ubuntu-upgrade-linux-image-oem-20-04d
  • ubuntu-upgrade-linux-image-oem-24-04
  • ubuntu-upgrade-linux-image-oem-24-04a
  • ubuntu-upgrade-linux-image-oem-osp1
  • ubuntu-upgrade-linux-image-oracle
  • ubuntu-upgrade-linux-image-oracle-64k
  • ubuntu-upgrade-linux-image-oracle-lts-18-04
  • ubuntu-upgrade-linux-image-oracle-lts-20-04
  • ubuntu-upgrade-linux-image-oracle-lts-22-04
  • ubuntu-upgrade-linux-image-raspi
  • ubuntu-upgrade-linux-image-raspi-hwe-18-04
  • ubuntu-upgrade-linux-image-raspi-nolpae
  • ubuntu-upgrade-linux-image-raspi2
  • ubuntu-upgrade-linux-image-snapdragon-hwe-18-04
  • ubuntu-upgrade-linux-image-virtual
  • ubuntu-upgrade-linux-image-virtual-hwe-16-04
  • ubuntu-upgrade-linux-image-virtual-hwe-18-04
  • ubuntu-upgrade-linux-image-virtual-hwe-20-04
  • ubuntu-upgrade-linux-image-virtual-hwe-24-04
  • ubuntu-upgrade-linux-image-xilinx-zynqmp

References

  • https://attackerkb.com/topics/cve-2024-27398
  • CVE - 2024-27398
  • USN-6949-1
  • USN-6949-2
  • USN-6950-1
  • USN-6950-2
  • USN-6950-3
  • USN-6950-4
  • USN-6951-1
  • USN-6951-2
  • USN-6951-3
  • USN-6951-4
  • USN-6952-1
  • USN-6952-2
  • USN-6953-1
  • USN-6955-1
  • USN-6956-1
  • USN-6957-1
  • USN-6979-1
  • USN-7019-1
  • USN-7028-1
  • USN-7028-2