CVE-2022-49111

{"id": "CVE-2022-49111", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2025-02-26T07:00:48.470", "references": [{"url": "https://git.kernel.org/stable/c/2cc803804ec9a296b3156855d6c8c4ca1c6b84be", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3803d896ddd97c7c16689a5381c0960040727647", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4da302b90b96c309987eb9b37c8547f939f042d2", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/643a6c26bd32e339d00ad97b8822b6db009e803c", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/684e505406abaeabe0058e9776f9210bf2747953", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b3c2ea1fd444b3bb7b82bfd2c3a45418f85c2502", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c41de54b0a963e59e4dd04c029a4a6d73f45ef9c", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d404765dffdbd8dcd14758695d0c96c52fb2e624", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f63d24baff787e13b723d86fe036f84bdbc35045", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix use after free in hci_send_acl\n\nThis fixes the following trace caused by receiving\nHCI_EV_DISCONN_PHY_LINK_COMPLETE which does call hci_conn_del without\nfirst checking if conn->type is in fact AMP_LINK and in case it is\ndo properly cleanup upper layers with hci_disconn_cfm:\n\n ==================================================================\n    BUG: KASAN: use-after-free in hci_send_acl+0xaba/0xc50\n    Read of size 8 at addr ffff88800e404818 by task bluetoothd/142\n\n    CPU: 0 PID: 142 Comm: bluetoothd Not tainted\n    5.17.0-rc5-00006-gda4022eeac1a #7\n    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n    rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n    Call Trace:\n     <TASK>\n     dump_stack_lvl+0x45/0x59\n     print_address_description.constprop.0+0x1f/0x150\n     kasan_report.cold+0x7f/0x11b\n     hci_send_acl+0xaba/0xc50\n     l2cap_do_send+0x23f/0x3d0\n     l2cap_chan_send+0xc06/0x2cc0\n     l2cap_sock_sendmsg+0x201/0x2b0\n     sock_sendmsg+0xdc/0x110\n     sock_write_iter+0x20f/0x370\n     do_iter_readv_writev+0x343/0x690\n     do_iter_write+0x132/0x640\n     vfs_writev+0x198/0x570\n     do_writev+0x202/0x280\n     do_syscall_64+0x38/0x90\n     entry_SYSCALL_64_after_hwframe+0x44/0xae\n    RSP: 002b:00007ffce8a099b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014\n    Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3\n    0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 14 00 00 00 0f 05\n    <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10\n    RDX: 0000000000000001 RSI: 00007ffce8a099e0 RDI: 0000000000000015\n    RAX: ffffffffffffffda RBX: 00007ffce8a099e0 RCX: 00007f788fc3cf77\n    R10: 00007ffce8af7080 R11: 0000000000000246 R12: 000055e4ccf75580\n    RBP: 0000000000000015 R08: 0000000000000002 R09: 0000000000000001\n    </TASK>\n    R13: 000055e4ccf754a0 R14: 000055e4ccf75cd0 R15: 000055e4ccf4a6b0\n\n    Allocated by task 45:\n        kasan_save_stack+0x1e/0x40\n        __kasan_kmalloc+0x81/0xa0\n        hci_chan_create+0x9a/0x2f0\n        l2cap_conn_add.part.0+0x1a/0xdc0\n        l2cap_connect_cfm+0x236/0x1000\n        le_conn_complete_evt+0x15a7/0x1db0\n        hci_le_conn_complete_evt+0x226/0x2c0\n        hci_le_meta_evt+0x247/0x450\n        hci_event_packet+0x61b/0xe90\n        hci_rx_work+0x4d5/0xc50\n        process_one_work+0x8fb/0x15a0\n        worker_thread+0x576/0x1240\n        kthread+0x29d/0x340\n        ret_from_fork+0x1f/0x30\n\n    Freed by task 45:\n        kasan_save_stack+0x1e/0x40\n        kasan_set_track+0x21/0x30\n        kasan_set_free_info+0x20/0x30\n        __kasan_slab_free+0xfb/0x130\n        kfree+0xac/0x350\n        hci_conn_cleanup+0x101/0x6a0\n        hci_conn_del+0x27e/0x6c0\n        hci_disconn_phylink_complete_evt+0xe0/0x120\n        hci_event_packet+0x812/0xe90\n        hci_rx_work+0x4d5/0xc50\n        process_one_work+0x8fb/0x15a0\n        worker_thread+0x576/0x1240\n        kthread+0x29d/0x340\n        ret_from_fork+0x1f/0x30\n\n    The buggy address belongs to the object at ffff88800c0f0500\n    The buggy address is located 24 bytes inside of\n    which belongs to the cache kmalloc-128 of size 128\n    The buggy address belongs to the page:\n    128-byte region [ffff88800c0f0500, ffff88800c0f0580)\n    flags: 0x100000000000200(slab|node=0|zone=1)\n    page:00000000fe45cd86 refcount:1 mapcount:0\n    mapping:0000000000000000 index:0x0 pfn:0xc0f0\n    raw: 0000000000000000 0000000080100010 00000001ffffffff\n    0000000000000000\n    raw: 0100000000000200 ffffea00003a2c80 dead000000000004\n    ffff8880078418c0\n    page dumped because: kasan: bad access detected\n    ffff88800c0f0400: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc\n    Memory state around the buggy address:\n    >ffff88800c0f0500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n    ffff88800c0f0480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n    ffff88800c0f0580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n                   \n---truncated---"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Bluetooth: Arreglar use-after-free en hci_send_acl Esto corrige el siguiente rastro causado por recibir HCI_EV_DISCONN_PHY_LINK_COMPLETE que llama a hci_conn_del sin verificar primero si conn-&gt;type es de hecho AMP_LINK y en caso de que lo sea, limpia adecuadamente las capas superiores con hci_disconn_cfm: ===================================================================== ERROR: KASAN: use-after-free en hci_send_acl+0xaba/0xc50 Lectura de tama\u00f1o 8 en la direcci\u00f3n ffff88800e404818 por la tarea bluetoothd/142 CPU: 0 PID: 142 Comm: bluetoothd No contaminado 5.17.0-rc5-00006-gda4022eeac1a #7 Nombre del hardware: PC est\u00e1ndar QEMU (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 01/04/2014 Seguimiento de llamadas:  dump_stack_lvl+0x45/0x59 print_address_description.constprop.0+0x1f/0x150 kasan_report.cold+0x7f/0x11b hci_send_acl+0xaba/0xc50 l2cap_do_send+0x23f/0x3d0 l2cap_chan_send+0xc06/0x2cc0 l2cap_sock_sendmsg+0x201/0x2b0 sock_sendmsg+0xdc/0x110 sock_write_iter+0x20f/0x370 do_iter_readv_writev+0x343/0x690 do_iter_write+0x132/0x640 vfs_writev+0x198/0x570 do_writev+0x202/0x280 do_syscall_64+0x38/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae RSP: 002b:00007ffce8a099b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014 C\u00f3digo: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 14 00 00 00 0f 05 &lt;48&gt; 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10 RDX: 0000000000000001 RSI: 00007ffce8a099e0 RDI: 0000000000000015 RAX: ffffffffffffffda RBX: 00007ffce8a099e0 RCX: 00007f788fc3cf77 R10: 00007ffce8af7080 R11: 0000000000000246 R12: 000055e4ccf75580 RBP: 0000000000000015 R08: 0000000000000002 R09: 0000000000000001  R13: 000055e4ccf754a0 R14: 000055e4ccf75cd0 R15: 000055e4ccf4a6b0 Asignado por la tarea 45: kasan_save_stack+0x1e/0x40 __kasan_kmalloc+0x81/0xa0 hci_chan_create+0x9a/0x2f0 l2cap_conn_add.part.0+0x1a/0xdc0 l2cap_connect_cfm+0x236/0x1000 le_conn_complete_evt+0x15a7/0x1db0 hci_le_conn_complete_evt+0x226/0x2c0 hci_le_meta_evt+0x247/0x450 hci_event_packet+0x61b/0xe90 hci_rx_work+0x4d5/0xc50 process_one_work+0x8fb/0x15a0 worker_thread+0x576/0x1240 kthread+0x29d/0x340 ret_from_fork+0x1f/0x30 Liberado por la tarea 45: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_set_free_info+0x20/0x30 __kasan_slab_free+0xfb/0x130 kfree+0xac/0x350 hci_conn_cleanup+0x101/0x6a0 hci_conn_del+0x27e/0x6c0 hci_disconn_phylink_complete_evt+0xe0/0x120 hci_event_packet+0x812/0xe90 hci_rx_work+0x4d5/0xc50 process_one_work+0x8fb/0x15a0 worker_thread+0x576/0x1240 kthread+0x29d/0x340 ret_from_fork+0x1f/0x30 La direcci\u00f3n con errores pertenece al objeto en ffff88800c0f0500 La direcci\u00f3n con errores se encuentra a 24 bytes dentro del cual pertenece al cach\u00e9 kmalloc-128 de tama\u00f1o 128 La direcci\u00f3n con errores pertenece a la p\u00e1gina: regi\u00f3n de 128 bytes [ffff88800c0f0500, ffff88800c0f0580) flags: 0x100000000000200(slab|node=0|zone=1) page:00000000fe45cd86 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xc0f0 raw: 000000000000000 0000000080100010 00000001ffffffff 0000000000000000 sin procesar: 01000000000000200 ffffea00003a2c80 muerto000000000004 ffff8880078418c0 p\u00e1gina volcada porque: kasan: acceso incorrecto detectado ffff88800c0f0400: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc Estado de la memoria alrededor de la direcci\u00f3n con errores: &gt;ffff88800c0f0500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88800c0f0480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88800c0f0580: fc fc fc fc fc fc fc fc fc fc fc fc ---truncado---"}], "lastModified": "2025-03-25T16:20:37.950", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C86EFD13-93D4-4385-83E8-C665BE8F570F", "versionEndExcluding": "4.9.311"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6D9B028C-6313-47F9-94B7-5F8122345E49", "versionEndExcluding": "4.14.276", "versionStartIncluding": "4.10"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FA28527A-11D3-41D2-9C4C-ECAC0D6A4A2D", "versionEndExcluding": "4.19.238", "versionStartIncluding": "4.15"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8CB6E8F5-C2B1-46F3-A807-0F6104AC340F", "versionEndExcluding": "5.4.189", "versionStartIncluding": "4.20"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "96258501-7BCE-4C55-8A38-8AC9D327626D", "versionEndExcluding": "5.10.111", "versionStartIncluding": "5.5"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D25878D3-7761-4E9F-8919-E92CD53896E0", "versionEndExcluding": "5.15.34", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "ABBBA66E-0244-4621-966B-9790AF1EEB00", "versionEndExcluding": "5.16.20", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AE420AC7-1E59-4398-B84F-71F4B4337762", "versionEndExcluding": "5.17.3", "versionStartIncluding": "5.17"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}