| { |
| "containers": { |
| "cna": { |
| "providerMetadata": { |
| "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" |
| }, |
| "descriptions": [ |
| { |
| "lang": "en", |
| "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix div-by-zero in l2cap_le_flowctl_init()\n\nl2cap_le_flowctl_init() can cause both div-by-zero and an integer\noverflow since hdev->le_mtu may not fall in the valid range.\n\nMove MTU from hci_dev to hci_conn to validate MTU and stop the connection\nprocess earlier if MTU is invalid.\nAlso, add a missing validation in read_buffer_size() and make it return\nan error value if the validation fails.\nNow hci_conn_add() returns ERR_PTR() as it can fail due to the both a\nkzalloc failure and invalid MTU value.\n\ndivide error: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 0 PID: 67 Comm: kworker/u5:0 Tainted: G W 6.9.0-rc5+ #20\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nWorkqueue: hci0 hci_rx_work\nRIP: 0010:l2cap_le_flowctl_init+0x19e/0x3f0 net/bluetooth/l2cap_core.c:547\nCode: e8 17 17 0c 00 66 41 89 9f 84 00 00 00 bf 01 00 00 00 41 b8 02 00 00 00 4c\n89 fe 4c 89 e2 89 d9 e8 27 17 0c 00 44 89 f0 31 d2 <66> f7 f3 89 c3 ff c3 4d 8d\nb7 88 00 00 00 4c 89 f0 48 c1 e8 03 42\nRSP: 0018:ffff88810bc0f858 EFLAGS: 00010246\nRAX: 00000000000002a0 RBX: 0000000000000000 RCX: dffffc0000000000\nRDX: 0000000000000000 RSI: ffff88810bc0f7c0 RDI: ffffc90002dcb66f\nRBP: ffff88810bc0f880 R08: aa69db2dda70ff01 R09: 0000ffaaaaaaaaaa\nR10: 0084000000ffaaaa R11: 0000000000000000 R12: ffff88810d65a084\nR13: dffffc0000000000 R14: 00000000000002a0 R15: ffff88810d65a000\nFS: 0000000000000000(0000) GS:ffff88811ac00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020000100 CR3: 0000000103268003 CR4: 0000000000770ef0\nPKRU: 55555554\nCall Trace:\n <TASK>\n l2cap_le_connect_req net/bluetooth/l2cap_core.c:4902 [inline]\n l2cap_le_sig_cmd net/bluetooth/l2cap_core.c:5420 [inline]\n l2cap_le_sig_channel net/bluetooth/l2cap_core.c:5486 [inline]\n l2cap_recv_frame+0xe59d/0x11710 net/bluetooth/l2cap_core.c:6809\n l2cap_recv_acldata+0x544/0x10a0 net/bluetooth/l2cap_core.c:7506\n hci_acldata_packet net/bluetooth/hci_core.c:3939 [inline]\n hci_rx_work+0x5e5/0xb20 net/bluetooth/hci_core.c:4176\n process_one_work kernel/workqueue.c:3254 [inline]\n process_scheduled_works+0x90f/0x1530 kernel/workqueue.c:3335\n worker_thread+0x926/0xe70 kernel/workqueue.c:3416\n kthread+0x2e3/0x380 kernel/kthread.c:388\n ret_from_fork+0x5c/0x90 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n </TASK>\nModules linked in:\n---[ end trace 0000000000000000 ]---" |
| } |
| ], |
| "affected": [ |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "unaffected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "include/net/bluetooth/hci.h", |
| "include/net/bluetooth/hci_core.h", |
| "net/bluetooth/hci_conn.c", |
| "net/bluetooth/hci_event.c", |
| "net/bluetooth/iso.c", |
| "net/bluetooth/l2cap_core.c", |
| "net/bluetooth/sco.c" |
| ], |
| "versions": [ |
| { |
| "version": "6ed58ec520ad2b2fe3f955c8a5fd0eecafccebdf", |
| "lessThan": "ad3f7986c5a0f82b8b66a0afe1cc1f5421e1d674", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "6ed58ec520ad2b2fe3f955c8a5fd0eecafccebdf", |
| "lessThan": "dfece2b4e3759759b2bdfac2cd6d0ee9fbf055f3", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "6ed58ec520ad2b2fe3f955c8a5fd0eecafccebdf", |
| "lessThan": "d2b2f7d3936dc5990549bc36ab7ac7ac37f22c30", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "6ed58ec520ad2b2fe3f955c8a5fd0eecafccebdf", |
| "lessThan": "4d3dbaa252257d20611c3647290e6171f1bbd6c8", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "6ed58ec520ad2b2fe3f955c8a5fd0eecafccebdf", |
| "lessThan": "a5b862c6a221459d54e494e88965b48dcfa6cc44", |
| "status": "affected", |
| "versionType": "git" |
| } |
| ] |
| }, |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "affected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "include/net/bluetooth/hci.h", |
| "include/net/bluetooth/hci_core.h", |
| "net/bluetooth/hci_conn.c", |
| "net/bluetooth/hci_event.c", |
| "net/bluetooth/iso.c", |
| "net/bluetooth/l2cap_core.c", |
| "net/bluetooth/sco.c" |
| ], |
| "versions": [ |
| { |
| "version": "2.6.39", |
| "status": "affected" |
| }, |
| { |
| "version": "0", |
| "lessThan": "2.6.39", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.6.32", |
| "lessThanOrEqual": "6.6.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.8.11", |
| "lessThanOrEqual": "6.8.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.9.2", |
| "lessThanOrEqual": "6.9.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.9.4", |
| "lessThanOrEqual": "6.9.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.10", |
| "lessThanOrEqual": "*", |
| "status": "unaffected", |
| "versionType": "original_commit_for_fix" |
| } |
| ] |
| } |
| ], |
| "cpeApplicability": [ |
| { |
| "nodes": [ |
| { |
| "operator": "OR", |
| "negate": false, |
| "cpeMatch": [ |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "2.6.39", |
| "versionEndExcluding": "6.6.32" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "2.6.39", |
| "versionEndExcluding": "6.8.11" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "2.6.39", |
| "versionEndExcluding": "6.9.2" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "2.6.39", |
| "versionEndExcluding": "6.9.4" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "2.6.39", |
| "versionEndExcluding": "6.10" |
| } |
| ] |
| } |
| ] |
| } |
| ], |
| "references": [ |
| { |
| "url": "https://git.kernel.org/stable/c/ad3f7986c5a0f82b8b66a0afe1cc1f5421e1d674" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/dfece2b4e3759759b2bdfac2cd6d0ee9fbf055f3" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/d2b2f7d3936dc5990549bc36ab7ac7ac37f22c30" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/4d3dbaa252257d20611c3647290e6171f1bbd6c8" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/a5b862c6a221459d54e494e88965b48dcfa6cc44" |
| } |
| ], |
| "title": "Bluetooth: L2CAP: Fix div-by-zero in l2cap_le_flowctl_init()", |
| "x_generator": { |
| "engine": "bippy-1.2.0" |
| } |
| } |
| }, |
| "cveMetadata": { |
| "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", |
| "cveID": "CVE-2024-36968", |
| "requesterUserId": "gregkh@kernel.org", |
| "serial": "1", |
| "state": "PUBLISHED" |
| }, |
| "dataType": "CVE_RECORD", |
| "dataVersion": "5.0" |
| } |
