cve/published/2024/CVE-2024-44962.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-44962: Bluetooth: btnxpuart: Shutdown timer and prevent rearming when driver unloading

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 Bluetooth: btnxpuart: Shutdown timer and prevent rearming when driver unloading

 When unload the btnxpuart driver, its associated timer will be deleted.
 If the timer happens to be modified at this moment, it leads to the
 kernel call this timer even after the driver unloaded, resulting in
 kernel panic.
 Use timer_shutdown_sync() instead of del_timer_sync() to prevent rearming.

 panic log:
   Internal error: Oops: 0000000086000007 [#1] PREEMPT SMP
   Modules linked in: algif_hash algif_skcipher af_alg moal(O) mlan(O) crct10dif_ce polyval_ce polyval_generic   snd_soc_imx_card snd_soc_fsl_asoc_card snd_soc_imx_audmux mxc_jpeg_encdec v4l2_jpeg snd_soc_wm8962 snd_soc_fsl_micfil   snd_soc_fsl_sai flexcan snd_soc_fsl_utils ap130x rpmsg_ctrl imx_pcm_dma can_dev rpmsg_char pwm_fan fuse [last unloaded:   btnxpuart]
   CPU: 5 PID: 723 Comm: memtester Tainted: G           O       6.6.23-lts-next-06207-g4aef2658ac28 #1
   Hardware name: NXP i.MX95 19X19 board (DT)
   pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
   pc : 0xffff80007a2cf464
   lr : call_timer_fn.isra.0+0x24/0x80
 ...
   Call trace:
    0xffff80007a2cf464
    __run_timers+0x234/0x280
    run_timer_softirq+0x20/0x40
    __do_softirq+0x100/0x26c
    ____do_softirq+0x10/0x1c
    call_on_irq_stack+0x24/0x4c
    do_softirq_own_stack+0x1c/0x2c
    irq_exit_rcu+0xc0/0xdc
    el0_interrupt+0x54/0xd8
    __el0_irq_handler_common+0x18/0x24
    el0t_64_irq_handler+0x10/0x1c
    el0t_64_irq+0x190/0x194
   Code: ???????? ???????? ???????? ???????? (????????)
   ---[ end trace 0000000000000000 ]---
   Kernel panic - not syncing: Oops: Fatal exception in interrupt
   SMP: stopping secondary CPUs
   Kernel Offset: disabled
   CPU features: 0x0,c0000000,40028143,1000721b
   Memory Limit: none
   ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---

 The Linux kernel CVE team has assigned CVE-2024-44962 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.4 with commit 689ca16e523278470c38832a3010645a78c544d8 and fixed in 6.6.46 with commit 4d9adcb94d55e9be8a3e464d9f2ff7d27e2ed016
 	Issue introduced in 6.4 with commit 689ca16e523278470c38832a3010645a78c544d8 and fixed in 6.10.5 with commit 28bbb5011a9723700006da67bdb57ab6a914452b
 	Issue introduced in 6.4 with commit 689ca16e523278470c38832a3010645a78c544d8 and fixed in 6.11 with commit 0d0df1e750bac0fdaa77940e711c1625cff08d33

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-44962
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/bluetooth/btnxpuart.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/4d9adcb94d55e9be8a3e464d9f2ff7d27e2ed016
 	https://git.kernel.org/stable/c/28bbb5011a9723700006da67bdb57ab6a914452b
 	https://git.kernel.org/stable/c/0d0df1e750bac0fdaa77940e711c1625cff08d33
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-44962: Bluetooth: btnxpuart: Shutdown timer and prevent rearming when driver unloading

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	Bluetooth: btnxpuart: Shutdown timer and prevent rearming when driver unloading

	When unload the btnxpuart driver, its associated timer will be deleted.
	If the timer happens to be modified at this moment, it leads to the
	kernel call this timer even after the driver unloaded, resulting in
	kernel panic.
	Use timer_shutdown_sync() instead of del_timer_sync() to prevent rearming.

	panic log:
	Internal error: Oops: 0000000086000007 [#1] PREEMPT SMP
	Modules linked in: algif_hash algif_skcipher af_alg moal(O) mlan(O) crct10dif_ce polyval_ce polyval_generic snd_soc_imx_card snd_soc_fsl_asoc_card snd_soc_imx_audmux mxc_jpeg_encdec v4l2_jpeg snd_soc_wm8962 snd_soc_fsl_micfil snd_soc_fsl_sai flexcan snd_soc_fsl_utils ap130x rpmsg_ctrl imx_pcm_dma can_dev rpmsg_char pwm_fan fuse [last unloaded: btnxpuart]
	CPU: 5 PID: 723 Comm: memtester Tainted: G O 6.6.23-lts-next-06207-g4aef2658ac28 #1
	Hardware name: NXP i.MX95 19X19 board (DT)
	pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
	pc : 0xffff80007a2cf464
	lr : call_timer_fn.isra.0+0x24/0x80
	...
	Call trace:
	0xffff80007a2cf464
	__run_timers+0x234/0x280
	run_timer_softirq+0x20/0x40
	__do_softirq+0x100/0x26c
	____do_softirq+0x10/0x1c
	call_on_irq_stack+0x24/0x4c
	do_softirq_own_stack+0x1c/0x2c
	irq_exit_rcu+0xc0/0xdc
	el0_interrupt+0x54/0xd8
	__el0_irq_handler_common+0x18/0x24
	el0t_64_irq_handler+0x10/0x1c
	el0t_64_irq+0x190/0x194
	Code: ???????? ???????? ???????? ???????? (????????)
	---[ end trace 0000000000000000 ]---
	Kernel panic - not syncing: Oops: Fatal exception in interrupt
	SMP: stopping secondary CPUs
	Kernel Offset: disabled
	CPU features: 0x0,c0000000,40028143,1000721b
	Memory Limit: none
	---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---

	The Linux kernel CVE team has assigned CVE-2024-44962 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.4 with commit 689ca16e523278470c38832a3010645a78c544d8 and fixed in 6.6.46 with commit 4d9adcb94d55e9be8a3e464d9f2ff7d27e2ed016
	Issue introduced in 6.4 with commit 689ca16e523278470c38832a3010645a78c544d8 and fixed in 6.10.5 with commit 28bbb5011a9723700006da67bdb57ab6a914452b
	Issue introduced in 6.4 with commit 689ca16e523278470c38832a3010645a78c544d8 and fixed in 6.11 with commit 0d0df1e750bac0fdaa77940e711c1625cff08d33

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-44962
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/bluetooth/btnxpuart.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/4d9adcb94d55e9be8a3e464d9f2ff7d27e2ed016
	https://git.kernel.org/stable/c/28bbb5011a9723700006da67bdb57ab6a914452b
	https://git.kernel.org/stable/c/0d0df1e750bac0fdaa77940e711c1625cff08d33