Bug 2173626 (CVE-2022-20566) - CVE-2022-20566 kernel: possible use after free due to improper locking in l2cap_chan_put of l2cap_core
Summary: CVE-2022-20566 kernel: possible use after free due to improper locking in l2c...
Keywords:
Status: NEW
Alias: CVE-2022-20566
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2173627 2174433 2174434 2174435
Blocks: 2173148
TreeView+ depends on / blocked
 
Reported: 2023-02-27 14:40 UTC by Alex
Modified: 2024-02-07 13:03 UTC (History)
40 users (show)

Fixed In Version: Linux kernel 6.0-rc1
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the Linux kernel's Bluetooth functionality. A user could trigger a race condition while closing the connection. This issue may allow a local user to crash or potentially escalate their privileges on the system.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description Alex 2023-02-27 14:40:23 UTC
A flaw found in the Linux Kernel bluetooth. In l2cap_chan_put of l2cap_core, there is a possible use after free due to improper locking. Happens during sock_close() when being called l2cap_chan_put(). This could lead to local escalation of privilege.
The issue actual if patch ef191aded58c5 "Bluetooth: Restore locking semantics when looking up L2CAP channels" already applied.

Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d0be8347c623e0ac4202a1d4e0373882821f56b0

Comment 1 Alex 2023-02-27 14:40:50 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2173627]

Comment 4 Justin M. Forbes 2023-03-01 19:57:13 UTC
This was fixed for Fedora with the 5.18.16 stable kernel update.


Note You need to log in before you can comment on or make changes to this bug.