Bug 1961305 (CVE-2021-33034) - CVE-2021-33034 kernel: use-after-free in net/bluetooth/hci_event.c when destroying an hci_chan
Summary: CVE-2021-33034 kernel: use-after-free in net/bluetooth/hci_event.c when destr...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-33034
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1962683 1962684 1962685 1962686 1961306 1962340 1962341 1962342 1962343 1962507 1962509 1962510 1962512 1962513 1962514 1962516 1962517 1962518 1962519 1962520 1962521 1962523 1962524 1962526 1962527 1962529 1962532 1962534 1962537 1962541 1962544 1962546 1970759 1970760
Blocks: 1961308
TreeView+ depends on / blocked
 
Reported: 2021-05-17 16:37 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-11-04 11:48 UTC (History)
59 users (show)

Fixed In Version: kernel 5.13 rc1
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in hci_send_acl in the bluetooth host controller interface (HCI) in Linux kernel, where a local attacker with an access rights could cause a denial of service problem on the system The issue results from the object hchan, freed in hci_disconn_loglink_complete_evt, yet still used in other places. The highest threat from this vulnerability is to data integrity, confidentiality and system availability.
Clone Of:
Environment:
Last Closed: 2021-06-29 10:41:50 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:2897 0 None None None 2021-07-26 16:59:03 UTC
Red Hat Product Errata RHSA-2021:2563 0 None None None 2021-06-29 09:40:26 UTC
Red Hat Product Errata RHSA-2021:2570 0 None None None 2021-06-29 16:28:26 UTC
Red Hat Product Errata RHSA-2021:2599 0 None None None 2021-06-29 15:26:41 UTC
Red Hat Product Errata RHSA-2021:2666 0 None None None 2021-07-07 14:52:59 UTC
Red Hat Product Errata RHSA-2021:2668 0 None None None 2021-07-07 14:53:55 UTC
Red Hat Product Errata RHSA-2021:2718 0 None None None 2021-07-20 22:10:39 UTC
Red Hat Product Errata RHSA-2021:2719 0 None None None 2021-07-20 21:27:44 UTC
Red Hat Product Errata RHSA-2021:2720 0 None None None 2021-07-21 00:12:28 UTC
Red Hat Product Errata RHSA-2021:2725 0 None None None 2021-07-21 01:07:51 UTC
Red Hat Product Errata RHSA-2021:2726 0 None None None 2021-07-21 01:08:29 UTC
Red Hat Product Errata RHSA-2021:2727 0 None None None 2021-07-20 22:42:19 UTC
Red Hat Product Errata RHSA-2021:2728 0 None None None 2021-07-21 01:11:45 UTC
Red Hat Product Errata RHSA-2021:2729 0 None None None 2021-07-21 00:28:48 UTC
Red Hat Product Errata RHSA-2021:2730 0 None None None 2021-07-20 21:24:44 UTC
Red Hat Product Errata RHSA-2021:2731 0 None None None 2021-07-21 00:02:12 UTC
Red Hat Product Errata RHSA-2021:2732 0 None None None 2021-07-20 21:15:39 UTC
Red Hat Product Errata RHSA-2021:2733 0 None None None 2021-07-20 20:20:57 UTC
Red Hat Product Errata RHSA-2021:2734 0 None None None 2021-07-20 20:04:04 UTC
Red Hat Product Errata RHSA-2021:2736 0 None None None 2021-07-22 15:06:59 UTC
Red Hat Product Errata RHSA-2021:2737 0 None None None 2021-07-21 14:09:33 UTC

Description Guilherme de Almeida Suckevicz 2021-05-17 16:37:31 UTC 
A use-after-free flaw was found in hci_send_acl in the bluetooth host controller interface (HCI) in Linux kernel, where a local attacker with an access rights could cause a denial of service problem on the system  The issue results from the object hchan, freed in hci_disconn_loglink_complete_evt, yet still used in other places. The highest threat from this vulnerability is to data integrity, confidentiality and system availability.

References:
https://syzkaller.appspot.com/bug?id=2e1943a94647f7732dd6fc60368642d6e8dc91b1
https://sites.google.com/view/syzscope/kasan-use-after-free-read-in-hci_send_acl

Upstream patch:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5c4c8c9544099bb9043a10a5318130a943e32fc3
Comment 1 Guilherme de Almeida Suckevicz 2021-05-17 16:38:09 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1961306]
Comment 14 errata-xmlrpc 2021-06-29 09:40:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2563 https://access.redhat.com/errata/RHSA-2021:2563
Comment 15 Product Security DevOps Team 2021-06-29 10:41:50 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-33034
Comment 16 errata-xmlrpc 2021-06-29 15:26:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2599 https://access.redhat.com/errata/RHSA-2021:2599
Comment 17 errata-xmlrpc 2021-06-29 16:28:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2570 https://access.redhat.com/errata/RHSA-2021:2570
Comment 18 errata-xmlrpc 2021-07-07 14:52:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:2666 https://access.redhat.com/errata/RHSA-2021:2666
Comment 19 errata-xmlrpc 2021-07-07 14:53:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:2668 https://access.redhat.com/errata/RHSA-2021:2668
Comment 20 errata-xmlrpc 2021-07-20 20:04:03 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support

Via RHSA-2021:2734 https://access.redhat.com/errata/RHSA-2021:2734
Comment 21 errata-xmlrpc 2021-07-20 20:20:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support

Via RHSA-2021:2733 https://access.redhat.com/errata/RHSA-2021:2733
Comment 22 errata-xmlrpc 2021-07-20 21:15:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2021:2732 https://access.redhat.com/errata/RHSA-2021:2732
Comment 23 errata-xmlrpc 2021-07-20 21:24:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Advanced Update Support
  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.6 Telco Extended Update Support

Via RHSA-2021:2730 https://access.redhat.com/errata/RHSA-2021:2730
Comment 24 errata-xmlrpc 2021-07-20 21:27:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:2719 https://access.redhat.com/errata/RHSA-2021:2719
Comment 25 errata-xmlrpc 2021-07-20 22:10:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:2718 https://access.redhat.com/errata/RHSA-2021:2718
Comment 26 errata-xmlrpc 2021-07-20 22:42:18 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:2727 https://access.redhat.com/errata/RHSA-2021:2727
Comment 27 errata-xmlrpc 2021-07-21 00:02:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions

Via RHSA-2021:2731 https://access.redhat.com/errata/RHSA-2021:2731
Comment 28 errata-xmlrpc 2021-07-21 00:12:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:2720 https://access.redhat.com/errata/RHSA-2021:2720
Comment 29 errata-xmlrpc 2021-07-21 00:28:47 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2021:2729 https://access.redhat.com/errata/RHSA-2021:2729
Comment 30 errata-xmlrpc 2021-07-21 01:07:47 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:2725 https://access.redhat.com/errata/RHSA-2021:2725
Comment 31 errata-xmlrpc 2021-07-21 01:08:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:2726 https://access.redhat.com/errata/RHSA-2021:2726
Comment 32 errata-xmlrpc 2021-07-21 01:11:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2021:2728 https://access.redhat.com/errata/RHSA-2021:2728
Comment 33 errata-xmlrpc 2021-07-21 14:09:24 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2021:2737 https://access.redhat.com/errata/RHSA-2021:2737
Comment 34 errata-xmlrpc 2021-07-22 15:06:51 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2021:2736 https://access.redhat.com/errata/RHSA-2021:2736
Note You need to log in before you can comment on or make changes to this bug.