CVE-2023-52830 in Linuxinfo

Summary

by MITRE • 05/21/2024

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: Fix double free in hci_conn_cleanup

syzbot reports a slab use-after-free in hci_conn_hash_flush [1].
After releasing an object using hci_conn_del_sysfs in the hci_conn_cleanup function, releasing the same object again using the hci_dev_put and hci_conn_put functions causes a double free. Here's a simplified flow:

hci_conn_del_sysfs: hci_dev_put put_device kobject_put kref_put kobject_release kobject_cleanup kfree_const kfree(name)

hci_dev_put: ... kfree(name)

hci_conn_put: put_device ... kfree(name)

This patch drop the hci_dev_put and hci_conn_put function call in hci_conn_cleanup function, because the object is freed in hci_conn_del_sysfs function.

This patch also fixes the refcounting in hci_conn_add_sysfs() and hci_conn_del_sysfs() to take into account device_add() failures.

This fixes CVE-2023-28464.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 01/06/2025

The vulnerability described represents a critical double free condition within the Linux kernel's Bluetooth subsystem, specifically affecting the HCI (Host Controller Interface) connection management functions. This issue manifests in the hci_conn_cleanup function where improper resource management leads to memory corruption that can be exploited by malicious actors. The flaw stems from redundant object deallocation operations that occur when the system attempts to release the same memory structure multiple times, creating a scenario where freed memory is accessed again, potentially leading to arbitrary code execution or system instability.

The technical implementation of this vulnerability involves a complex interplay between reference counting mechanisms and kernel object lifecycle management. When hci_conn_cleanup executes, it first calls hci_conn_del_sysfs which triggers a chain of operations including kobject_put and kref_put that ultimately lead to kfree operations on the same memory region. Subsequently, the function attempts to call hci_dev_put and hci_conn_put functions on what is already freed memory, causing the double free condition. This pattern violates fundamental memory safety principles and creates opportunities for attackers to manipulate kernel memory layout through carefully crafted Bluetooth communications.

The operational impact of this vulnerability extends beyond simple system crashes to potentially enable privilege escalation and persistent system compromise. The use-after-free condition can be exploited to overwrite critical kernel data structures, allowing attackers to gain elevated privileges or execute arbitrary code with kernel-level access. This type of vulnerability is particularly dangerous in embedded systems and IoT devices that rely heavily on Bluetooth connectivity, as it can provide a foothold for broader network infiltration. The vulnerability affects the core Bluetooth stack functionality and can result in complete system compromise when exploited successfully.

The mitigation strategy implemented involves removing redundant function calls from the hci_conn_cleanup function while also addressing reference counting inconsistencies in related sysfs operations. This patch resolves the immediate double free issue by ensuring objects are freed exactly once through the established cleanup path, specifically eliminating the hci_dev_put and hci_conn_put calls that were causing the duplicate deallocation. Additionally, the fix strengthens the reference counting logic in hci_conn_add_sysfs and hci_conn_del_sysfs functions to properly handle device_add() failures, which prevents potential race conditions and ensures consistent resource management throughout the connection lifecycle.

This vulnerability aligns with CWE-415: Double Free and CWE-416: Use After Free categories, representing classic memory safety issues that have plagued kernel codebases for decades. From an ATT&CK framework perspective, this vulnerability maps to T1059.007: Command and Scripting Interpreter: Python and potentially T1543.003: Create or Modify System Process: Windows Service, though the latter is more relevant to the exploitation vector than the actual vulnerability itself. The patch demonstrates proper kernel security practices by addressing both the immediate memory corruption issue and the underlying reference counting implementation flaws that could lead to similar issues in other code paths. The fix exemplifies defensive programming principles that emphasize single responsibility for resource deallocation and robust error handling in kernel subsystems where reliability is paramount.

Reservation

05/21/2024

Disclosure

05/21/2024

Moderation

revoked

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!