cve/published/2024/CVE-2024-50255.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-50255: Bluetooth: hci: fix null-ptr-deref in hci_read_supported_codecs

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 Bluetooth: hci: fix null-ptr-deref in hci_read_supported_codecs

 Fix __hci_cmd_sync_sk() to return not NULL for unknown opcodes.

 __hci_cmd_sync_sk() returns NULL if a command returns a status event.
 However, it also returns NULL where an opcode doesn't exist in the
 hci_cc table because hci_cmd_complete_evt() assumes status = skb->data[0]
 for unknown opcodes.
 This leads to null-ptr-deref in cmd_sync for HCI_OP_READ_LOCAL_CODECS as
 there is no hci_cc for HCI_OP_READ_LOCAL_CODECS, which always assumes
 status = skb->data[0].

 KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
 CPU: 1 PID: 2000 Comm: kworker/u9:5 Not tainted 6.9.0-ga6bcb805883c-dirty #10
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
 Workqueue: hci7 hci_power_on
 RIP: 0010:hci_read_supported_codecs+0xb9/0x870 net/bluetooth/hci_codec.c:138
 Code: 08 48 89 ef e8 b8 c1 8f fd 48 8b 75 00 e9 96 00 00 00 49 89 c6 48 ba 00 00 00 00 00 fc ff df 4c 8d 60 70 4c 89 e3 48 c1 eb 03 <0f> b6 04 13 84 c0 0f 85 82 06 00 00 41 83 3c 24 02 77 0a e8 bf 78
 RSP: 0018:ffff888120bafac8 EFLAGS: 00010212
 RAX: 0000000000000000 RBX: 000000000000000e RCX: ffff8881173f0040
 RDX: dffffc0000000000 RSI: ffffffffa58496c0 RDI: ffff88810b9ad1e4
 RBP: ffff88810b9ac000 R08: ffffffffa77882a7 R09: 1ffffffff4ef1054
 R10: dffffc0000000000 R11: fffffbfff4ef1055 R12: 0000000000000070
 R13: 0000000000000000 R14: 0000000000000000 R15: ffff88810b9ac000
 FS:  0000000000000000(0000) GS:ffff8881f6c00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00007f6ddaa3439e CR3: 0000000139764003 CR4: 0000000000770ef0
 PKRU: 55555554
 Call Trace:
  <TASK>
  hci_read_local_codecs_sync net/bluetooth/hci_sync.c:4546 [inline]
  hci_init_stage_sync net/bluetooth/hci_sync.c:3441 [inline]
  hci_init4_sync net/bluetooth/hci_sync.c:4706 [inline]
  hci_init_sync net/bluetooth/hci_sync.c:4742 [inline]
  hci_dev_init_sync net/bluetooth/hci_sync.c:4912 [inline]
  hci_dev_open_sync+0x19a9/0x2d30 net/bluetooth/hci_sync.c:4994
  hci_dev_do_open net/bluetooth/hci_core.c:483 [inline]
  hci_power_on+0x11e/0x560 net/bluetooth/hci_core.c:1015
  process_one_work kernel/workqueue.c:3267 [inline]
  process_scheduled_works+0x8ef/0x14f0 kernel/workqueue.c:3348
  worker_thread+0x91f/0xe50 kernel/workqueue.c:3429
  kthread+0x2cb/0x360 kernel/kthread.c:388
  ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

 The Linux kernel CVE team has assigned CVE-2024-50255 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.17 with commit abfeea476c68afea54c9c050a2d3b19d5d2ee873 and fixed in 6.1.116 with commit 5d9054b9f769a8e124c4fa02072437c864726baf
 	Issue introduced in 5.17 with commit abfeea476c68afea54c9c050a2d3b19d5d2ee873 and fixed in 6.6.60 with commit 1f1764466c33a4466363b821a25cd65c46a5a793
 	Issue introduced in 5.17 with commit abfeea476c68afea54c9c050a2d3b19d5d2ee873 and fixed in 6.11.7 with commit 48d7c24b7ef6417c68f206566364db1f8087bb23
 	Issue introduced in 5.17 with commit abfeea476c68afea54c9c050a2d3b19d5d2ee873 and fixed in 6.12 with commit 1e67d8641813f1876a42eeb4f532487b8a7fb0a8

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-50255
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/bluetooth/hci_sync.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/5d9054b9f769a8e124c4fa02072437c864726baf
 	https://git.kernel.org/stable/c/1f1764466c33a4466363b821a25cd65c46a5a793
 	https://git.kernel.org/stable/c/48d7c24b7ef6417c68f206566364db1f8087bb23
 	https://git.kernel.org/stable/c/1e67d8641813f1876a42eeb4f532487b8a7fb0a8
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-50255: Bluetooth: hci: fix null-ptr-deref in hci_read_supported_codecs

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	Bluetooth: hci: fix null-ptr-deref in hci_read_supported_codecs

	Fix __hci_cmd_sync_sk() to return not NULL for unknown opcodes.

	__hci_cmd_sync_sk() returns NULL if a command returns a status event.
	However, it also returns NULL where an opcode doesn't exist in the
	hci_cc table because hci_cmd_complete_evt() assumes status = skb->data[0]
	for unknown opcodes.
	This leads to null-ptr-deref in cmd_sync for HCI_OP_READ_LOCAL_CODECS as
	there is no hci_cc for HCI_OP_READ_LOCAL_CODECS, which always assumes
	status = skb->data[0].

	KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
	CPU: 1 PID: 2000 Comm: kworker/u9:5 Not tainted 6.9.0-ga6bcb805883c-dirty #10
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
	Workqueue: hci7 hci_power_on
	RIP: 0010:hci_read_supported_codecs+0xb9/0x870 net/bluetooth/hci_codec.c:138
	Code: 08 48 89 ef e8 b8 c1 8f fd 48 8b 75 00 e9 96 00 00 00 49 89 c6 48 ba 00 00 00 00 00 fc ff df 4c 8d 60 70 4c 89 e3 48 c1 eb 03 <0f> b6 04 13 84 c0 0f 85 82 06 00 00 41 83 3c 24 02 77 0a e8 bf 78
	RSP: 0018:ffff888120bafac8 EFLAGS: 00010212
	RAX: 0000000000000000 RBX: 000000000000000e RCX: ffff8881173f0040
	RDX: dffffc0000000000 RSI: ffffffffa58496c0 RDI: ffff88810b9ad1e4
	RBP: ffff88810b9ac000 R08: ffffffffa77882a7 R09: 1ffffffff4ef1054
	R10: dffffc0000000000 R11: fffffbfff4ef1055 R12: 0000000000000070
	R13: 0000000000000000 R14: 0000000000000000 R15: ffff88810b9ac000
	FS: 0000000000000000(0000) GS:ffff8881f6c00000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 00007f6ddaa3439e CR3: 0000000139764003 CR4: 0000000000770ef0
	PKRU: 55555554
	Call Trace:
	<TASK>
	hci_read_local_codecs_sync net/bluetooth/hci_sync.c:4546 [inline]
	hci_init_stage_sync net/bluetooth/hci_sync.c:3441 [inline]
	hci_init4_sync net/bluetooth/hci_sync.c:4706 [inline]
	hci_init_sync net/bluetooth/hci_sync.c:4742 [inline]
	hci_dev_init_sync net/bluetooth/hci_sync.c:4912 [inline]
	hci_dev_open_sync+0x19a9/0x2d30 net/bluetooth/hci_sync.c:4994
	hci_dev_do_open net/bluetooth/hci_core.c:483 [inline]
	hci_power_on+0x11e/0x560 net/bluetooth/hci_core.c:1015
	process_one_work kernel/workqueue.c:3267 [inline]
	process_scheduled_works+0x8ef/0x14f0 kernel/workqueue.c:3348
	worker_thread+0x91f/0xe50 kernel/workqueue.c:3429
	kthread+0x2cb/0x360 kernel/kthread.c:388
	ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
	ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

	The Linux kernel CVE team has assigned CVE-2024-50255 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.17 with commit abfeea476c68afea54c9c050a2d3b19d5d2ee873 and fixed in 6.1.116 with commit 5d9054b9f769a8e124c4fa02072437c864726baf
	Issue introduced in 5.17 with commit abfeea476c68afea54c9c050a2d3b19d5d2ee873 and fixed in 6.6.60 with commit 1f1764466c33a4466363b821a25cd65c46a5a793
	Issue introduced in 5.17 with commit abfeea476c68afea54c9c050a2d3b19d5d2ee873 and fixed in 6.11.7 with commit 48d7c24b7ef6417c68f206566364db1f8087bb23
	Issue introduced in 5.17 with commit abfeea476c68afea54c9c050a2d3b19d5d2ee873 and fixed in 6.12 with commit 1e67d8641813f1876a42eeb4f532487b8a7fb0a8

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-50255
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/bluetooth/hci_sync.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/5d9054b9f769a8e124c4fa02072437c864726baf
	https://git.kernel.org/stable/c/1f1764466c33a4466363b821a25cd65c46a5a793
	https://git.kernel.org/stable/c/48d7c24b7ef6417c68f206566364db1f8087bb23
	https://git.kernel.org/stable/c/1e67d8641813f1876a42eeb4f532487b8a7fb0a8