| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2024-50078: Bluetooth: Call iso_exit() on module unload |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| Bluetooth: Call iso_exit() on module unload |
| |
| If iso_init() has been called, iso_exit() must be called on module |
| unload. Without that, the struct proto that iso_init() registered with |
| proto_register() becomes invalid, which could cause unpredictable |
| problems later. In my case, with CONFIG_LIST_HARDENED and |
| CONFIG_BUG_ON_DATA_CORRUPTION enabled, loading the module again usually |
| triggers this BUG(): |
| |
| list_add corruption. next->prev should be prev (ffffffffb5355fd0), |
| but was 0000000000000068. (next=ffffffffc0a010d0). |
| ------------[ cut here ]------------ |
| kernel BUG at lib/list_debug.c:29! |
| Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI |
| CPU: 1 PID: 4159 Comm: modprobe Not tainted 6.10.11-4+bt2-ao-desktop #1 |
| RIP: 0010:__list_add_valid_or_report+0x61/0xa0 |
| ... |
| __list_add_valid_or_report+0x61/0xa0 |
| proto_register+0x299/0x320 |
| hci_sock_init+0x16/0xc0 [bluetooth] |
| bt_init+0x68/0xd0 [bluetooth] |
| __pfx_bt_init+0x10/0x10 [bluetooth] |
| do_one_initcall+0x80/0x2f0 |
| do_init_module+0x8b/0x230 |
| __do_sys_init_module+0x15f/0x190 |
| do_syscall_64+0x68/0x110 |
| ... |
| |
| The Linux kernel CVE team has assigned CVE-2024-50078 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Issue introduced in 6.0 with commit ccf74f2390d60a2f9a75ef496d2564abb478f46a and fixed in 6.1.114 with commit 4af7ba39a1a02e16ee8cd0d3b6c6657f51b8ad7a |
| Issue introduced in 6.0 with commit ccf74f2390d60a2f9a75ef496d2564abb478f46a and fixed in 6.6.58 with commit 05f84d86169b2ebac185c5736a256823d42c425b |
| Issue introduced in 6.0 with commit ccf74f2390d60a2f9a75ef496d2564abb478f46a and fixed in 6.11.5 with commit f905a7d95091e0d2605a3a1a157a9351f09ab2e1 |
| Issue introduced in 6.0 with commit ccf74f2390d60a2f9a75ef496d2564abb478f46a and fixed in 6.12 with commit d458cd1221e9e56da3b2cc5518ad3225caa91f20 |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2024-50078 |
| will be updated if fixes are backported, please check that for the most |
| up to date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| net/bluetooth/af_bluetooth.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/4af7ba39a1a02e16ee8cd0d3b6c6657f51b8ad7a |
| https://git.kernel.org/stable/c/05f84d86169b2ebac185c5736a256823d42c425b |
| https://git.kernel.org/stable/c/f905a7d95091e0d2605a3a1a157a9351f09ab2e1 |
| https://git.kernel.org/stable/c/d458cd1221e9e56da3b2cc5518ad3225caa91f20 |
