Google Git
Sign in
kernel / pub / scm / linux / security / vulns / refs/heads/sasha-cve / . / cve / published / 2024 / CVE-2024-54191.json
blob: 7d4bc595fda79a6a217c512cd4adbc0c81a655a1 [file] [log] [blame]
{
"containers": {
"cna": {
"providerMetadata": {
"orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
},
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: iso: Fix circular lock in iso_conn_big_sync\n\nThis fixes the circular locking dependency warning below, by reworking\niso_sock_recvmsg, to ensure that the socket lock is always released\nbefore calling a function that locks hdev.\n\n[ 561.670344] ======================================================\n[ 561.670346] WARNING: possible circular locking dependency detected\n[ 561.670349] 6.12.0-rc6+ #26 Not tainted\n[ 561.670351] ------------------------------------------------------\n[ 561.670353] iso-tester/3289 is trying to acquire lock:\n[ 561.670355] ffff88811f600078 (&hdev->lock){+.+.}-{3:3},\n at: iso_conn_big_sync+0x73/0x260 [bluetooth]\n[ 561.670405]\n but task is already holding lock:\n[ 561.670407] ffff88815af58258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0},\n at: iso_sock_recvmsg+0xbf/0x500 [bluetooth]\n[ 561.670450]\n which lock already depends on the new lock.\n\n[ 561.670452]\n the existing dependency chain (in reverse order) is:\n[ 561.670453]\n -> #2 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}:\n[ 561.670458] lock_acquire+0x7c/0xc0\n[ 561.670463] lock_sock_nested+0x3b/0xf0\n[ 561.670467] bt_accept_dequeue+0x1a5/0x4d0 [bluetooth]\n[ 561.670510] iso_sock_accept+0x271/0x830 [bluetooth]\n[ 561.670547] do_accept+0x3dd/0x610\n[ 561.670550] __sys_accept4+0xd8/0x170\n[ 561.670553] __x64_sys_accept+0x74/0xc0\n[ 561.670556] x64_sys_call+0x17d6/0x25f0\n[ 561.670559] do_syscall_64+0x87/0x150\n[ 561.670563] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[ 561.670567]\n -> #1 (sk_lock-AF_BLUETOOTH-BTPROTO_ISO){+.+.}-{0:0}:\n[ 561.670571] lock_acquire+0x7c/0xc0\n[ 561.670574] lock_sock_nested+0x3b/0xf0\n[ 561.670577] iso_sock_listen+0x2de/0xf30 [bluetooth]\n[ 561.670617] __sys_listen_socket+0xef/0x130\n[ 561.670620] __x64_sys_listen+0xe1/0x190\n[ 561.670623] x64_sys_call+0x2517/0x25f0\n[ 561.670626] do_syscall_64+0x87/0x150\n[ 561.670629] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[ 561.670632]\n -> #0 (&hdev->lock){+.+.}-{3:3}:\n[ 561.670636] __lock_acquire+0x32ad/0x6ab0\n[ 561.670639] lock_acquire.part.0+0x118/0x360\n[ 561.670642] lock_acquire+0x7c/0xc0\n[ 561.670644] __mutex_lock+0x18d/0x12f0\n[ 561.670647] mutex_lock_nested+0x1b/0x30\n[ 561.670651] iso_conn_big_sync+0x73/0x260 [bluetooth]\n[ 561.670687] iso_sock_recvmsg+0x3e9/0x500 [bluetooth]\n[ 561.670722] sock_recvmsg+0x1d5/0x240\n[ 561.670725] sock_read_iter+0x27d/0x470\n[ 561.670727] vfs_read+0x9a0/0xd30\n[ 561.670731] ksys_read+0x1a8/0x250\n[ 561.670733] __x64_sys_read+0x72/0xc0\n[ 561.670736] x64_sys_call+0x1b12/0x25f0\n[ 561.670738] do_syscall_64+0x87/0x150\n[ 561.670741] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[ 561.670744]\n other info that might help us debug this:\n\n[ 561.670745] Chain exists of:\n&hdev->lock --> sk_lock-AF_BLUETOOTH-BTPROTO_ISO --> sk_lock-AF_BLUETOOTH\n\n[ 561.670751] Possible unsafe locking scenario:\n\n[ 561.670753] CPU0 CPU1\n[ 561.670754] ---- ----\n[ 561.670756] lock(sk_lock-AF_BLUETOOTH);\n[ 561.670758] lock(sk_lock\n AF_BLUETOOTH-BTPROTO_ISO);\n[ 561.670761] lock(sk_lock-AF_BLUETOOTH);\n[ 561.670764] lock(&hdev->lock);\n[ 561.670767]\n *** DEADLOCK ***"
}
],
"affected": [
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "unaffected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"net/bluetooth/iso.c"
],
"versions": [
{
"version": "1360e5b6ce63d63d23223a659ca2bbafa30a53aa",
"lessThan": "cbe640d6cae590b9a7d81ce86fe9a90e83eec1d5",
"status": "affected",
"versionType": "git"
},
{
"version": "07a9342b94a91b306ed1cf6aa8254aea210764c9",
"lessThan": "7a17308c17880d259105f6e591eb1bc77b9612f0",
"status": "affected",
"versionType": "git"
},
{
"version": "bfec1e55314896bf4a4cfdb3a9ad4872be9f06ed",
"status": "affected",
"versionType": "git"
}
]
},
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "unaffected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"net/bluetooth/iso.c"
],
"versions": [
{
"version": "6.12.2",
"lessThan": "6.12.6",
"status": "affected",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.12.2",
"versionEndExcluding": "6.12.6"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.11.11"
}
]
}
]
}
],
"references": [
{
"url": "https://git.kernel.org/stable/c/cbe640d6cae590b9a7d81ce86fe9a90e83eec1d5"
},
{
"url": "https://git.kernel.org/stable/c/7a17308c17880d259105f6e591eb1bc77b9612f0"
}
],
"title": "Bluetooth: iso: Fix circular lock in iso_conn_big_sync",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
"cveID": "CVE-2024-54191",
"requesterUserId": "gregkh@kernel.org",
"serial": "1",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.0"
}