### [CVE-2024-36013](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36013) ![](https://img.shields.io/static/v1?label=Product&message=Linux&color=blue) ![](https://img.shields.io/static/v1?label=Version&message=&color=brightgreen) ![](https://img.shields.io/static/v1?label=Version&message=3.0%20&color=brightgreen) ![](https://img.shields.io/static/v1?label=Version&message=73ffa904b78287f6acf8797e040150aa26a4af4a%20&color=brightgreen) ![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=blue) ### Description In the Linux kernel, the following vulnerability has been resolved:Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect()Extend a critical section to prevent chan from early freeing.Also make the l2cap_connect() return type void. Nothing is using thereturned value but it is ugly to return a potentially freed pointer.Making it void will help with backports because earlier kernels did usethe return value. Now the compile will break for kernels where thispatch is not a complete fix.Call stack summary:[use]l2cap_bredr_sig_cmd l2cap_connect ┌ mutex_lock(&conn->chan_lock); │ chan = pchan->ops->new_connection(pchan); <- alloc chan │ __l2cap_chan_add(conn, chan); │ l2cap_chan_hold(chan); │ list_add(&chan->list, &conn->chan_l); ... (1) └ mutex_unlock(&conn->chan_lock); chan->conf_state ... (4) <- use after free[free]l2cap_conn_del┌ mutex_lock(&conn->chan_lock);│ foreach chan in conn->chan_l: ... (2)│ l2cap_chan_put(chan);│ l2cap_chan_destroy│ kfree(chan) ... (3) <- chan freed└ mutex_unlock(&conn->chan_lock);==================================================================BUG: KASAN: slab-use-after-free in instrument_atomic_readinclude/linux/instrumented.h:68 [inline]BUG: KASAN: slab-use-after-free in _test_bitinclude/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]BUG: KASAN: slab-use-after-free in l2cap_connect+0xa67/0x11a0net/bluetooth/l2cap_core.c:4260Read of size 8 at addr ffff88810bf040a0 by task kworker/u3:1/311 ### POC #### Reference No PoCs from references. #### Github - https://github.com/bygregonline/devsec-fastapi-report - https://github.com/fkie-cad/nvd-json-data-feeds - https://github.com/robertsirc/sle-bci-demo