From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2023-52518: Bluetooth: hci_codec: Fix leaking content of local_codecs

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_codec: Fix leaking content of local_codecs

The following memory leak can be observed when the controller supports
codecs which are stored in local_codecs list but the elements are never
freed:

unreferenced object 0xffff88800221d840 (size 32):
  comm "kworker/u3:0", pid 36, jiffies 4294898739 (age 127.060s)
  hex dump (first 32 bytes):
    f8 d3 02 03 80 88 ff ff 80 d8 21 02 80 88 ff ff  ..........!.....
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffffb324f557>] __kmalloc+0x47/0x120
    [<ffffffffb39ef37d>] hci_codec_list_add.isra.0+0x2d/0x160
    [<ffffffffb39ef643>] hci_read_codec_capabilities+0x183/0x270
    [<ffffffffb39ef9ab>] hci_read_supported_codecs+0x1bb/0x2d0
    [<ffffffffb39f162e>] hci_read_local_codecs_sync+0x3e/0x60
    [<ffffffffb39ff1b3>] hci_dev_open_sync+0x943/0x11e0
    [<ffffffffb396d55d>] hci_power_on+0x10d/0x3f0
    [<ffffffffb30c99b4>] process_one_work+0x404/0x800
    [<ffffffffb30ca134>] worker_thread+0x374/0x670
    [<ffffffffb30d9108>] kthread+0x188/0x1c0
    [<ffffffffb304db6b>] ret_from_fork+0x2b/0x50
    [<ffffffffb300206a>] ret_from_fork_asm+0x1a/0x30

The Linux kernel CVE team has assigned CVE-2023-52518 to this issue.
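
The bug class behind this entry is a teardown path that drops the head of a list of allocated entries without walking and freeing them, which is exactly what kmemleak flags as "unreferenced object" allocations from hci_codec_list_add. The following userspace C model is an added illustration, not the kernel's code: the struct and function names (codec_entry, dev_model, dev_close_leaky, dev_close_fixed, run_cycle) are constructed for this example and are not the hci_codec identifiers, and a live-allocation counter stands in for the kmemleak report. It contrasts a close routine that forgets the list with one that frees every entry before clearing the head.

```c
/* Added illustration of the leak pattern: a per-device list of
 * allocated codec entries whose teardown either leaks or frees them.
 * Names are constructed for this example; they are not kernel symbols. */
#include <stdio.h>
#include <stdlib.h>

struct codec_entry {
    struct codec_entry *next;
    unsigned char id;          /* standard codec id, 0xff = vendor specific */
    unsigned short cid, vid;   /* company / vendor codec ids (sample values) */
};

struct dev_model {
    struct codec_entry *local_codecs;   /* head of the per-device list */
};

/* Stand-in for what a leak checker reports: allocations still live. */
static int live_allocations;

/* Allocate one entry and push it on the device's list. */
static int codec_list_add(struct dev_model *d, unsigned char id,
                          unsigned short cid, unsigned short vid)
{
    struct codec_entry *e = malloc(sizeof *e);
    if (!e)
        return -1;
    e->id = id;
    e->cid = cid;
    e->vid = vid;
    e->next = d->local_codecs;
    d->local_codecs = e;
    live_allocations++;
    return 0;
}

/* Walk the list, free every entry, then clear the head. */
static void codec_list_clear(struct dev_model *d)
{
    struct codec_entry *e = d->local_codecs;
    while (e) {
        struct codec_entry *next = e->next;
        free(e);
        live_allocations--;
        e = next;
    }
    d->local_codecs = NULL;
}

/* Buggy teardown: the head is reset but the entries are never freed,
 * so they become unreachable yet still allocated (the leak). */
static void dev_close_leaky(struct dev_model *d)
{
    d->local_codecs = NULL;
}

/* Fixed teardown: release the entries before the head goes away. */
static void dev_close_fixed(struct dev_model *d)
{
    codec_list_clear(d);
}

/* Simulate one power-on (populate list) / power-off (close) cycle and
 * return how many entries are still allocated afterwards. */
static int run_cycle(int fixed)
{
    struct dev_model d = { NULL };
    live_allocations = 0;
    /* constructed sample entries, as a controller might report them */
    codec_list_add(&d, 0x01, 0, 0);
    codec_list_add(&d, 0x02, 0, 0);
    codec_list_add(&d, 0xff, 0x1234, 0x5678);
    if (fixed)
        dev_close_fixed(&d);
    else
        dev_close_leaky(&d);
    return live_allocations;
}

int main(void)
{
    printf("leaky close: %d entries still allocated\n", run_cycle(0));
    printf("fixed close: %d entries still allocated\n", run_cycle(1));
    return 0;
}
```

Running the model shows three entries left allocated after the leaky close and none after the fixed one; in the kernel the same discrepancy shows up as one kmemleak record per codec entry, growing with every open/close cycle of the controller.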


Affected and fixed versions
===========================

Issue introduced in 5.16 with commit 8961987f3f5fa2f2618e72304d013c8dd5e604a6 and fixed in 6.1.57 with commit 626535077ba9dc110787540d1fe24881094c15a1
Issue introduced in 5.16 with commit 8961987f3f5fa2f2618e72304d013c8dd5e604a6 and fixed in 6.5.7 with commit eea5a8f0c3b7c884d2351e75fbdd0a3d7def5ae1
Issue introduced in 5.16 with commit 8961987f3f5fa2f2618e72304d013c8dd5e604a6 and fixed in 6.6 with commit b938790e70540bf4f2e653dcd74b232494d06c8f

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2023-52518
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
net/bluetooth/hci_core.c
net/bluetooth/hci_event.c
net/bluetooth/hci_sync.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/626535077ba9dc110787540d1fe24881094c15a1
https://git.kernel.org/stable/c/eea5a8f0c3b7c884d2351e75fbdd0a3d7def5ae1
https://git.kernel.org/stable/c/b938790e70540bf4f2e653dcd74b232494d06c8f