References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Change History

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold

sco_recv_frame() reads conn->sk under sco_conn_lock() but immediately
releases the lock without holding a reference to the socket. A concurrent
close() can free the socket between the lock release and the subsequent
sk->sk_state access, resulting in a use-after-free.

Other functions in the same file (sco_sock_timeout(), sco_conn_del())
correctly use sco_sock_hold() to safely hold a reference under the lock.

Fix by using sco_sock_hold() to take a reference before releasing the
lock, and adding sock_put() on all exit paths.

https://git.kernel.org/stable/c/108b81514d8f2535eb16651495cefb2250528db3

https://git.kernel.org/stable/c/45aaca995e4a7a05b272a58e7ab2fff4f611b8f1

https://git.kernel.org/stable/c/598dbba9919c5e36c54fe1709b557d64120cb94b

https://git.kernel.org/stable/c/7197462e90b8ce15caa1ae15d4bc2bb8cd21b11e

https://git.kernel.org/stable/c/e76e8f0581ef555eacc11dbb095e602fb30a5361