CVE-2023-28464: Analyzing Use-After-Free Vulnerability in Linux Kernel's Bluetooth Subsystem

In this post, we will analyze a CVE (Common Vulnerabilities and Exposures) assigned the identifier CVE-2023-28464. The vulnerability resides in the hci_conn_cleanup function in the net/bluetooth/hci_conn.c file of the Linux kernel, affecting versions up to and including 6.2.9. The vulnerability allows an attacker to potentially perform a privilege escalation attack by causing a use-after-free condition that leads to a double free error.

Here is a list of original references where you can find more information about this vulnerability

- National Vulnerability Database (NVD)
- Linux kernel Git repository

Code Snippet

The following is a simple code snippet demonstrating the vulnerable function in the Linux kernel source code:

void hci_conn_cleanup(struct hci_conn *conn)
{
	struct hci_dev *hdev = conn->hdev;

	BT_DBG("conn %p", conn);

	if (conn->power_save)
		hci_proto_disconn_cfm(conn, x16);

	hci_dev_lock(hdev);

	hci_conn_del_sysfs(conn);

	hci_dev_unlock(hdev);

	hci_dev_put(hdev);             // Problematic call 1
	hci_conn_put(conn);            // Problematic call 2
}

Exploit Details

The hci_conn_cleanup() function is responsible for cleaning up resources after a Bluetooth connection has been terminated. The vulnerability stems from the fact that the Bluetooth subsystem allows for multiple connections with the same handle. This can lead to situations where multiple calls to hci_conn_cleanup() are made on the same connection simultaneously, leading to a use-after-free vulnerability.

The use-after-free occurs due to the following calls in the function

- hci_dev_put(hdev); (Problematic call 1): This function call reduces the reference counter of the hdev object, which may lead to the object being freed.
- hci_conn_put(conn); (Problematic call 2): This function call reduces the reference counter of the conn object, which may also lead to the object being freed.

Now, imagine a scenario where there are multiple simultaneous calls to hci_conn_cleanup() with the same conn object due to the same connection handle being shared. When both calls reach the problematic function calls, it would effectively free the same memory twice. This double free error could potentially allow an attacker to conduct a privilege escalation attack by gaining unintended access to kernel memory.

Mitigation

The Linux kernel developers have fixed the vulnerability by implementing proper reference counting and locking mechanisms around concurrent hci_conn_cleanup() calls. The fix ensures that the hci_dev_put() and hci_conn_put() functions are now called only once per connection, preventing the double free error from occurring.

Conclusion

In this post, we have explored the CVE-2023-28464 vulnerability, its impact, and how it has been mitigated in the Linux kernel. It is important for developers to be aware of such vulnerabilities, especially when dealing with low-level system resources and sharing them across multiple threads or connections. By keeping up to date with the latest security patches and following best practices, developers can help mitigate the risks associated with such vulnerabilities and protect user data and systems.

Timeline

Published on: 03/31/2023 16:15:00 UTC
Last modified on: 05/17/2023 20:15:00 UTC