cve/published/2024/CVE-2024-50077.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-50077: Bluetooth: ISO: Fix multiple init when debugfs is disabled

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 Bluetooth: ISO: Fix multiple init when debugfs is disabled

 If bt_debugfs is not created successfully, which happens if either
 CONFIG_DEBUG_FS or CONFIG_DEBUG_FS_ALLOW_ALL is unset, then iso_init()
 returns early and does not set iso_inited to true. This means that a
 subsequent call to iso_init() will result in duplicate calls to
 proto_register(), bt_sock_register(), etc.

 With CONFIG_LIST_HARDENED and CONFIG_BUG_ON_DATA_CORRUPTION enabled, the
 duplicate call to proto_register() triggers this BUG():

   list_add double add: new=ffffffffc0b280d0, prev=ffffffffbab56250,
     next=ffffffffc0b280d0.
   ------------[ cut here ]------------
   kernel BUG at lib/list_debug.c:35!
   Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI
   CPU: 2 PID: 887 Comm: bluetoothd Not tainted 6.10.11-1-ao-desktop #1
   RIP: 0010:__list_add_valid_or_report+0x9a/0xa0
   ...
     __list_add_valid_or_report+0x9a/0xa0
     proto_register+0x2b5/0x340
     iso_init+0x23/0x150 [bluetooth]
     set_iso_socket_func+0x68/0x1b0 [bluetooth]
     kmem_cache_free+0x308/0x330
     hci_sock_sendmsg+0x990/0x9e0 [bluetooth]
     __sock_sendmsg+0x7b/0x80
     sock_write_iter+0x9a/0x110
     do_iter_readv_writev+0x11d/0x220
     vfs_writev+0x180/0x3e0
     do_writev+0xca/0x100
   ...

 This change removes the early return. The check for iso_debugfs being
 NULL was unnecessary, it is always NULL when iso_inited is false.

 The Linux kernel CVE team has assigned CVE-2024-50077 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.0 with commit ccf74f2390d60a2f9a75ef496d2564abb478f46a and fixed in 6.1.114 with commit fa4b832c5a6ec35023a1b997cf658c436619c752
 	Issue introduced in 6.0 with commit ccf74f2390d60a2f9a75ef496d2564abb478f46a and fixed in 6.6.58 with commit 8fb8e912afb4c47dec12ea9a5853e7a8db95816f
 	Issue introduced in 6.0 with commit ccf74f2390d60a2f9a75ef496d2564abb478f46a and fixed in 6.11.5 with commit adf1b179c2ff8073c24bf87e5a605fcc5a09798b
 	Issue introduced in 6.0 with commit ccf74f2390d60a2f9a75ef496d2564abb478f46a and fixed in 6.12 with commit a9b7b535ba192c6b77e6c15a4c82d853163eab8c

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-50077
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/bluetooth/iso.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/fa4b832c5a6ec35023a1b997cf658c436619c752
 	https://git.kernel.org/stable/c/8fb8e912afb4c47dec12ea9a5853e7a8db95816f
 	https://git.kernel.org/stable/c/adf1b179c2ff8073c24bf87e5a605fcc5a09798b
 	https://git.kernel.org/stable/c/a9b7b535ba192c6b77e6c15a4c82d853163eab8c
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-50077: Bluetooth: ISO: Fix multiple init when debugfs is disabled

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	Bluetooth: ISO: Fix multiple init when debugfs is disabled

	If bt_debugfs is not created successfully, which happens if either
	CONFIG_DEBUG_FS or CONFIG_DEBUG_FS_ALLOW_ALL is unset, then iso_init()
	returns early and does not set iso_inited to true. This means that a
	subsequent call to iso_init() will result in duplicate calls to
	proto_register(), bt_sock_register(), etc.

	With CONFIG_LIST_HARDENED and CONFIG_BUG_ON_DATA_CORRUPTION enabled, the
	duplicate call to proto_register() triggers this BUG():

	list_add double add: new=ffffffffc0b280d0, prev=ffffffffbab56250,
	next=ffffffffc0b280d0.
	------------[ cut here ]------------
	kernel BUG at lib/list_debug.c:35!
	Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI
	CPU: 2 PID: 887 Comm: bluetoothd Not tainted 6.10.11-1-ao-desktop #1
	RIP: 0010:__list_add_valid_or_report+0x9a/0xa0
	...
	__list_add_valid_or_report+0x9a/0xa0
	proto_register+0x2b5/0x340
	iso_init+0x23/0x150 [bluetooth]
	set_iso_socket_func+0x68/0x1b0 [bluetooth]
	kmem_cache_free+0x308/0x330
	hci_sock_sendmsg+0x990/0x9e0 [bluetooth]
	__sock_sendmsg+0x7b/0x80
	sock_write_iter+0x9a/0x110
	do_iter_readv_writev+0x11d/0x220
	vfs_writev+0x180/0x3e0
	do_writev+0xca/0x100
	...

	This change removes the early return. The check for iso_debugfs being
	NULL was unnecessary, it is always NULL when iso_inited is false.

	The Linux kernel CVE team has assigned CVE-2024-50077 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.0 with commit ccf74f2390d60a2f9a75ef496d2564abb478f46a and fixed in 6.1.114 with commit fa4b832c5a6ec35023a1b997cf658c436619c752
	Issue introduced in 6.0 with commit ccf74f2390d60a2f9a75ef496d2564abb478f46a and fixed in 6.6.58 with commit 8fb8e912afb4c47dec12ea9a5853e7a8db95816f
	Issue introduced in 6.0 with commit ccf74f2390d60a2f9a75ef496d2564abb478f46a and fixed in 6.11.5 with commit adf1b179c2ff8073c24bf87e5a605fcc5a09798b
	Issue introduced in 6.0 with commit ccf74f2390d60a2f9a75ef496d2564abb478f46a and fixed in 6.12 with commit a9b7b535ba192c6b77e6c15a4c82d853163eab8c

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-50077
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/bluetooth/iso.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/fa4b832c5a6ec35023a1b997cf658c436619c752
	https://git.kernel.org/stable/c/8fb8e912afb4c47dec12ea9a5853e7a8db95816f
	https://git.kernel.org/stable/c/adf1b179c2ff8073c24bf87e5a605fcc5a09798b
	https://git.kernel.org/stable/c/a9b7b535ba192c6b77e6c15a4c82d853163eab8c