Bugzilla – Bug 1192394
VUL-0: CVE-2021-43400: bluez: use-after-free in gatt-database.c
Last modified: 2022-11-15 14:32:25 UTC
rh#2020523

A use-after-free in gatt-database.c can occur when a client disconnects during D-Bus processing of a WriteValue call.

Upstream fix commit:
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=838c0dc7641e1c991c0f3027bf94bee4606012f8

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2020523
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-43400
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43400
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=838c0dc7641e1c991c0f3027bf94bee4606012f8
The bug was introduced by commit [0], present from version 5.40 to version 5.61 (included). This commit introduces a `struct btd_device *device;` in `struct pending_op` in the gatt-database.c file. The device pointer is the same for every pending operation. In the `write_setup_cb` function, there is a window where op->device can be freed by calling `pending_op_free`, which is done when a user disconnects. Consequently, the op->device dereferenced in `append_options` can point to a freed memory chunk, potentially containing sensitive data, which is then inserted into an internal dictionary. This is problematic if a user manages to read every value in the dictionary after having won the race condition.

This issue is fixed by [1] in version 5.62.

Affected codestreams are:
- SUSE:SLE-15:Update
- SUSE:SLE-15-SP2:Update
- SUSE:SLE-15-SP3:Update

[0] https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=93b64d9ca8a2bb663e37904d4b2c702c58a36e4f
[1] https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=838c0dc7641e1c991c0f3027bf94bee4606012f8
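The lifetime problem described in this comment, as an added C model that is not bluez code: `struct pending_op` keeps a raw `device` pointer, and the hardened `device_free` detaches every still-pending op before freeing, so the deferred `append_options` callback can notice the disconnect instead of reading freed memory. The structure and function names echo gatt-database.c, but the bodies, the per-device `pending` queue and `device_new` are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical, simplified stand-ins for the bluez structures named above. */
struct btd_device {
    char address[18];
    struct pending_op *pending;  /* every op that still holds a pointer to us */
};
struct pending_op {
    struct btd_device *device;   /* raw back-pointer: the one that dangles in the bug */
    struct pending_op *next;
};
struct btd_device *device_new(const char *addr) {
    struct btd_device *dev = calloc(1, sizeof(*dev));
    snprintf(dev->address, sizeof(dev->address), "%s", addr);
    return dev;
}

/* Every new op is registered on its device's queue. */
struct pending_op *pending_op_new(struct btd_device *dev) {
    struct pending_op *op = calloc(1, sizeof(*op));
    op->device = dev;
    op->next = dev->pending;
    dev->pending = op;
    return op;
}

/* Unlink from the device queue (if still attached), then free. */
void pending_op_free(struct pending_op *op) {
    if (op->device) {
        struct pending_op **pp = &op->device->pending;
        while (*pp && *pp != op) pp = &(*pp)->next;
        if (*pp) *pp = op->next;
    }
    free(op);
}

/* Disconnect path: detach every pending op before the memory goes away.
 * Without this loop (pre-fix behaviour) op->device keeps pointing at freed memory. */
void device_free(struct btd_device *dev) {
    for (struct pending_op *op = dev->pending; op; op = op->next) op->device = NULL;
    free(dev);
}
/* Callback in the role of append_options: 1 if it used the device, 0 if a
 * disconnect detached the op in the meantime. */
int append_options(struct pending_op *op, char *out, size_t n) {
    if (!op->device) return 0;   /* freed device: skip instead of dereferencing */
    snprintf(out, n, "device=%s", op->device->address);
    return 1;
}
```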
SUSE-SU-2022:3687-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1186463,1188859,1192394,1193227,1193237
CVE References: CVE-2019-8921,CVE-2019-8922,CVE-2020-26558,CVE-2021-0129,CVE-2021-3658,CVE-2021-43400
JIRA References:
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src): bluez-5.48-150000.5.41.1
SUSE Linux Enterprise Server for SAP 15 (src): bluez-5.48-150000.5.41.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): bluez-5.48-150000.5.41.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): bluez-5.48-150000.5.41.1
SUSE Linux Enterprise Server 15-LTSS (src): bluez-5.48-150000.5.41.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): bluez-5.48-150000.5.41.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): bluez-5.48-150000.5.41.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): bluez-5.48-150000.5.41.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): bluez-5.48-150000.5.41.1
SUSE Enterprise Storage 6 (src): bluez-5.48-150000.5.41.1
SUSE CaaS Platform 4.0 (src): bluez-5.48-150000.5.41.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:3691-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1186463,1188859,1192394,1193227,1193237
CVE References: CVE-2019-8921,CVE-2019-8922,CVE-2020-26558,CVE-2021-0129,CVE-2021-3658,CVE-2021-43400
JIRA References:
Sources used:
SUSE Manager Server 4.1 (src): bluez-5.48-150200.13.17.1
SUSE Manager Retail Branch Server 4.1 (src): bluez-5.48-150200.13.17.1
SUSE Manager Proxy 4.1 (src): bluez-5.48-150200.13.17.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src): bluez-5.48-150200.13.17.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src): bluez-5.48-150200.13.17.1
SUSE Linux Enterprise Server 15-SP2-BCL (src): bluez-5.48-150200.13.17.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): bluez-5.48-150200.13.17.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): bluez-5.48-150200.13.17.1
SUSE Enterprise Storage 7 (src): bluez-5.48-150200.13.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:3981-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1188859,1192394
CVE References: CVE-2021-3658,CVE-2021-43400
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): bluez-5.55-150300.3.14.1
SUSE Linux Enterprise Workstation Extension 15-SP3 (src): bluez-5.55-150300.3.14.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src): bluez-5.55-150300.3.14.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): bluez-5.55-150300.3.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.