Bug 2256822 (CVE-2023-51779) - CVE-2023-51779 kernel: bluetooth: bt_sock_ioctl race condition leads to use-after-free in bt_sock_recvmsg
Summary: CVE-2023-51779 kernel: bluetooth: bt_sock_ioctl race condition leads to use-a...
Keywords:
Status: NEW
Alias: CVE-2023-51779
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
: CVE-2024-21803 (view as bug list)
Depends On: 2256823
Blocks: 2256834 2261908
TreeView+ depends on / blocked
 
Reported: 2024-01-04 16:01 UTC by Mauro Matteo Cascella
Modified: 2024-06-12 02:45 UTC (History)
45 users (show)

Fixed In Version: kernel 6.7-rc7
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Bluetooth subsystem of the Linux kernel. A race condition between the bt_sock_recvmsg() and bt_sock_ioctl() functions could lead to a use-after-free on a socket buffer ("skb"). This flaw allows a local user to cause a denial of service condition or potential code execution.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:2634 0 None None None 2024-05-01 01:22:19 UTC
Red Hat Product Errata RHBA-2024:2650 0 None None None 2024-05-02 00:15:07 UTC
Red Hat Product Errata RHBA-2024:2686 0 None None None 2024-05-02 22:50:14 UTC
Red Hat Product Errata RHSA-2024:2394 0 None None None 2024-04-30 10:14:59 UTC
Red Hat Product Errata RHSA-2024:2950 0 None None None 2024-05-22 09:15:34 UTC
Red Hat Product Errata RHSA-2024:3138 0 None None None 2024-05-22 09:52:41 UTC
Red Hat Product Errata RHSA-2024:3854 0 None None None 2024-06-12 01:40:27 UTC
Red Hat Product Errata RHSA-2024:3855 0 None None None 2024-06-12 01:53:46 UTC
Red Hat Product Errata RHSA-2024:3859 0 None None None 2024-06-12 02:45:09 UTC

Description Mauro Matteo Cascella 2024-01-04 16:01:51 UTC
A flaw was found in the Bluetooth subsystem of the Linux kernel. A race condition between the bt_sock_recvmsg() and bt_sock_ioctl() functions could lead to a use-after-free on a socket buffer ("skb"). A local user could exploit this vulnerability to cause a denial of service condition or potential code execution.

Upstream fix:
https://github.com/torvalds/linux/commit/2e07e8348ea454615e268222ae3fc240421be768

Comment 1 Mauro Matteo Cascella 2024-01-04 16:02:20 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2256823]

Comment 3 Justin M. Forbes 2024-01-10 19:52:35 UTC
This was fixed for Fedora with the 6.6.9 stable kernel updates.

Comment 7 Alex 2024-04-25 16:21:37 UTC
*** Bug 2261903 has been marked as a duplicate of this bug. ***

Comment 8 errata-xmlrpc 2024-04-30 10:14:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2394 https://access.redhat.com/errata/RHSA-2024:2394

Comment 9 errata-xmlrpc 2024-05-22 09:15:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2950 https://access.redhat.com/errata/RHSA-2024:2950

Comment 10 errata-xmlrpc 2024-05-22 09:52:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3138 https://access.redhat.com/errata/RHSA-2024:3138

Comment 13 errata-xmlrpc 2024-06-12 01:40:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:3854 https://access.redhat.com/errata/RHSA-2024:3854

Comment 14 errata-xmlrpc 2024-06-12 01:53:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:3855 https://access.redhat.com/errata/RHSA-2024:3855

Comment 15 errata-xmlrpc 2024-06-12 02:45:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2024:3859 https://access.redhat.com/errata/RHSA-2024:3859


Note You need to log in before you can comment on or make changes to this bug.