Cmnt[OEM-6.1]: [SRU][F/J/L/M][PATCH 0/1] CVE-2023-51779
Yuxuan Luo
yuxuan.luo at canonical.com
Fri Jan 5 23:23:55 UTC 2024
This patch also applies for Jammy-OEM-6.1 using Lunar's patch. Sorry the
inconvenience.
On 1/5/24 18:20, Yuxuan Luo wrote:
> [Impact]
> A vulneralbility has been found in Linux kernel
> net/bluetoothaf_bluetooth.c. This can cause a race with bt_sock_ioctl()
> because bt_sock_recvmsg() gets the skb from sk->sk_receive_queue and
> then frees it without holding lock_sock. A use-after-free for a skb
> occurs which leads to potential denial of service.
>
> [Backport]
> For Lunar and Mantic it is a clean cherry pick.
> For Focal and Jammy, there exists a prerequisite commit, f4b41f062c42
> (“net: remove noblock parameter from skb_recv_datagram()”). However,
> this commit only removes the obsolete parameter, so ignore this commit
> and manually backport the lock.
>
> [Test]
> Compile and boot tested.
>
> [Potential Regression]
> Expect very low regression potential.
>
> Hyunwoo Kim (1):
> Bluetooth: af_bluetooth: Fix Use-After-Free in bt_sock_recvmsg
>
> net/bluetooth/af_bluetooth.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
More information about the kernel-team
mailing list