{ "containers": { "cna": { "providerMetadata": { "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" }, "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix double free in hci_conn_cleanup\n\nsyzbot reports a slab use-after-free in hci_conn_hash_flush [1].\nAfter releasing an object using hci_conn_del_sysfs in the\nhci_conn_cleanup function, releasing the same object again\nusing the hci_dev_put and hci_conn_put functions causes a double free.\nHere's a simplified flow:\n\nhci_conn_del_sysfs:\n hci_dev_put\n put_device\n kobject_put\n kref_put\n kobject_release\n kobject_cleanup\n kfree_const\n kfree(name)\n\nhci_dev_put:\n ...\n kfree(name)\n\nhci_conn_put:\n put_device\n ...\n kfree(name)\n\nThis patch drop the hci_dev_put and hci_conn_put function\ncall in hci_conn_cleanup function, because the object is\nfreed in hci_conn_del_sysfs function.\n\nThis patch also fixes the refcounting in hci_conn_add_sysfs() and\nhci_conn_del_sysfs() to take into account device_add() failures.\n\nThis fixes CVE-2023-28464." } ], "affected": [ { "product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "versions": [ { "version": "1da177e4c3f4", "lessThan": "5c53afc766e0", "status": "affected", "versionType": "git" }, { "version": "1da177e4c3f4", "lessThan": "3c4236f1b2a7", "status": "affected", "versionType": "git" }, { "version": "1da177e4c3f4", "lessThan": "53d61daf35b1", "status": "affected", "versionType": "git" }, { "version": "1da177e4c3f4", "lessThan": "ba7088769800", "status": "affected", "versionType": "git" }, { "version": "1da177e4c3f4", "lessThan": "87624b1f9b78", "status": "affected", "versionType": "git" }, { "version": "1da177e4c3f4", "lessThan": "fc666d1b4751", "status": "affected", "versionType": "git" }, { "version": "1da177e4c3f4", "lessThan": "56a4fdde95ed", "status": "affected", "versionType": "git" }, { "version": "1da177e4c3f4", "lessThan": "a85fb91e3d72", "status": "affected", "versionType": "git" } ] }, { "product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "versions": [ { "version": "4.19.300", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "custom" }, { "version": "5.4.262", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "custom" }, { "version": "5.10.202", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "custom" }, { "version": "5.15.140", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "custom" }, { "version": "6.1.64", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "custom" }, { "version": "6.5.13", "lessThanOrEqual": "6.5.*", "status": "unaffected", "versionType": "custom" }, { "version": "6.6.3", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "custom" }, { "version": "6.7", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix" } ] } ], "references": [ { "url": "https://git.kernel.org/stable/c/5c53afc766e07098429520b7677eaa164b593451" }, { "url": "https://git.kernel.org/stable/c/3c4236f1b2a715e878a06599fa8b0cc21f165d28" }, { "url": "https://git.kernel.org/stable/c/53d61daf35b1bbf3ae06e852ee107aa2f05b3776" }, { "url": "https://git.kernel.org/stable/c/ba7088769800d9892a7e4f35c3137a5b3e65410b" }, { "url": "https://git.kernel.org/stable/c/87624b1f9b781549e69f92db7ede012a21cec275" }, { "url": "https://git.kernel.org/stable/c/fc666d1b47518a18519241cae213de1babd4a4ba" }, { "url": "https://git.kernel.org/stable/c/56a4fdde95ed98d864611155f6728983e199e198" }, { "url": "https://git.kernel.org/stable/c/a85fb91e3d728bdfc80833167e8162cce8bc7004" } ], "title": "Bluetooth: Fix double free in hci_conn_cleanup", "x_generator": { "engine": "bippy-d175d3acf727" } } }, "cveMetadata": { "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", "cveID": "CVE-2023-52830", "requesterUserId": "gregkh@kernel.org", "serial": "1", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.0" }