cve/published/2024/CVE-2024-53237.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-53237: Bluetooth: fix use-after-free in device_for_each_child()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 Bluetooth: fix use-after-free in device_for_each_child()

 Syzbot has reported the following KASAN splat:

 BUG: KASAN: slab-use-after-free in device_for_each_child+0x18f/0x1a0
 Read of size 8 at addr ffff88801f605308 by task kbnepd bnep0/4980

 CPU: 0 UID: 0 PID: 4980 Comm: kbnepd bnep0 Not tainted 6.12.0-rc4-00161-gae90f6a6170d #1
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
 Call Trace:
  <TASK>
  dump_stack_lvl+0x100/0x190
  ? device_for_each_child+0x18f/0x1a0
  print_report+0x13a/0x4cb
  ? __virt_addr_valid+0x5e/0x590
  ? __phys_addr+0xc6/0x150
  ? device_for_each_child+0x18f/0x1a0
  kasan_report+0xda/0x110
  ? device_for_each_child+0x18f/0x1a0
  ? __pfx_dev_memalloc_noio+0x10/0x10
  device_for_each_child+0x18f/0x1a0
  ? __pfx_device_for_each_child+0x10/0x10
  pm_runtime_set_memalloc_noio+0xf2/0x180
  netdev_unregister_kobject+0x1ed/0x270
  unregister_netdevice_many_notify+0x123c/0x1d80
  ? __mutex_trylock_common+0xde/0x250
  ? __pfx_unregister_netdevice_many_notify+0x10/0x10
  ? trace_contention_end+0xe6/0x140
  ? __mutex_lock+0x4e7/0x8f0
  ? __pfx_lock_acquire.part.0+0x10/0x10
  ? rcu_is_watching+0x12/0xc0
  ? unregister_netdev+0x12/0x30
  unregister_netdevice_queue+0x30d/0x3f0
  ? __pfx_unregister_netdevice_queue+0x10/0x10
  ? __pfx_down_write+0x10/0x10
  unregister_netdev+0x1c/0x30
  bnep_session+0x1fb3/0x2ab0
  ? __pfx_bnep_session+0x10/0x10
  ? __pfx_lock_release+0x10/0x10
  ? __pfx_woken_wake_function+0x10/0x10
  ? __kthread_parkme+0x132/0x200
  ? __pfx_bnep_session+0x10/0x10
  ? kthread+0x13a/0x370
  ? __pfx_bnep_session+0x10/0x10
  kthread+0x2b7/0x370
  ? __pfx_kthread+0x10/0x10
  ret_from_fork+0x48/0x80
  ? __pfx_kthread+0x10/0x10
  ret_from_fork_asm+0x1a/0x30
  </TASK>

 Allocated by task 4974:
  kasan_save_stack+0x30/0x50
  kasan_save_track+0x14/0x30
  __kasan_kmalloc+0xaa/0xb0
  __kmalloc_noprof+0x1d1/0x440
  hci_alloc_dev_priv+0x1d/0x2820
  __vhci_create_device+0xef/0x7d0
  vhci_write+0x2c7/0x480
  vfs_write+0x6a0/0xfc0
  ksys_write+0x12f/0x260
  do_syscall_64+0xc7/0x250
  entry_SYSCALL_64_after_hwframe+0x77/0x7f

 Freed by task 4979:
  kasan_save_stack+0x30/0x50
  kasan_save_track+0x14/0x30
  kasan_save_free_info+0x3b/0x60
  __kasan_slab_free+0x4f/0x70
  kfree+0x141/0x490
  hci_release_dev+0x4d9/0x600
  bt_host_release+0x6a/0xb0
  device_release+0xa4/0x240
  kobject_put+0x1ec/0x5a0
  put_device+0x1f/0x30
  vhci_release+0x81/0xf0
  __fput+0x3f6/0xb30
  task_work_run+0x151/0x250
  do_exit+0xa79/0x2c30
  do_group_exit+0xd5/0x2a0
  get_signal+0x1fcd/0x2210
  arch_do_signal_or_restart+0x93/0x780
  syscall_exit_to_user_mode+0x140/0x290
  do_syscall_64+0xd4/0x250
  entry_SYSCALL_64_after_hwframe+0x77/0x7f

 In 'hci_conn_del_sysfs()', 'device_unregister()' may be called when
 an underlying (kobject) reference counter is greater than 1. This
 means that reparenting (happened when the device is actually freed)
 is delayed and, during that delay, parent controller device (hciX)
 may be deleted. Since the latter may create a dangling pointer to
 freed parent, avoid that scenario by reparenting to NULL explicitly.

 The Linux kernel CVE team has assigned CVE-2024-53237 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.10.202 with commit 53d61daf35b1bbf3ae06e852ee107aa2f05b3776 and fixed in 5.10.231 with commit fb91ce37dc9a37ea23cf32b6d7b667004e93d4c5
 	Issue introduced in 5.15.140 with commit ba7088769800d9892a7e4f35c3137a5b3e65410b and fixed in 5.15.174 with commit a9584c897d1cba6265c78010bbb45ca5722c88bc
 	Issue introduced in 6.1.64 with commit 87624b1f9b781549e69f92db7ede012a21cec275 and fixed in 6.1.120 with commit 0f67ca2a80acf8b207240405b7f72d660665d3df
 	Issue introduced in 6.6.3 with commit 56a4fdde95ed98d864611155f6728983e199e198 and fixed in 6.6.64 with commit de5a44f351ca7efd9add9851b218f5353e2224b7
 	Issue introduced in 6.7 with commit a85fb91e3d728bdfc80833167e8162cce8bc7004 and fixed in 6.11.11 with commit 91e2a2e4d1336333804cd31162984f01ad8cc70f
 	Issue introduced in 6.7 with commit a85fb91e3d728bdfc80833167e8162cce8bc7004 and fixed in 6.12.2 with commit 7b277bd569bb6a2777f0014f84b4344f444fd49d
 	Issue introduced in 6.7 with commit a85fb91e3d728bdfc80833167e8162cce8bc7004 and fixed in 6.13 with commit 27aabf27fd014ae037cc179c61b0bee7cff55b3d
 	Issue introduced in 4.19.300 with commit 5c53afc766e07098429520b7677eaa164b593451
 	Issue introduced in 5.4.262 with commit 3c4236f1b2a715e878a06599fa8b0cc21f165d28
 	Issue introduced in 6.5.13 with commit fc666d1b47518a18519241cae213de1babd4a4ba

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-53237
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/bluetooth/hci_sysfs.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/fb91ce37dc9a37ea23cf32b6d7b667004e93d4c5
 	https://git.kernel.org/stable/c/a9584c897d1cba6265c78010bbb45ca5722c88bc
 	https://git.kernel.org/stable/c/0f67ca2a80acf8b207240405b7f72d660665d3df
 	https://git.kernel.org/stable/c/de5a44f351ca7efd9add9851b218f5353e2224b7
 	https://git.kernel.org/stable/c/91e2a2e4d1336333804cd31162984f01ad8cc70f
 	https://git.kernel.org/stable/c/7b277bd569bb6a2777f0014f84b4344f444fd49d
 	https://git.kernel.org/stable/c/27aabf27fd014ae037cc179c61b0bee7cff55b3d
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-53237: Bluetooth: fix use-after-free in device_for_each_child()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	Bluetooth: fix use-after-free in device_for_each_child()

	Syzbot has reported the following KASAN splat:

	BUG: KASAN: slab-use-after-free in device_for_each_child+0x18f/0x1a0
	Read of size 8 at addr ffff88801f605308 by task kbnepd bnep0/4980

	CPU: 0 UID: 0 PID: 4980 Comm: kbnepd bnep0 Not tainted 6.12.0-rc4-00161-gae90f6a6170d #1
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
	Call Trace:
	<TASK>
	dump_stack_lvl+0x100/0x190
	? device_for_each_child+0x18f/0x1a0
	print_report+0x13a/0x4cb
	? __virt_addr_valid+0x5e/0x590
	? __phys_addr+0xc6/0x150
	? device_for_each_child+0x18f/0x1a0
	kasan_report+0xda/0x110
	? device_for_each_child+0x18f/0x1a0
	? __pfx_dev_memalloc_noio+0x10/0x10
	device_for_each_child+0x18f/0x1a0
	? __pfx_device_for_each_child+0x10/0x10
	pm_runtime_set_memalloc_noio+0xf2/0x180
	netdev_unregister_kobject+0x1ed/0x270
	unregister_netdevice_many_notify+0x123c/0x1d80
	? __mutex_trylock_common+0xde/0x250
	? __pfx_unregister_netdevice_many_notify+0x10/0x10
	? trace_contention_end+0xe6/0x140
	? __mutex_lock+0x4e7/0x8f0
	? __pfx_lock_acquire.part.0+0x10/0x10
	? rcu_is_watching+0x12/0xc0
	? unregister_netdev+0x12/0x30
	unregister_netdevice_queue+0x30d/0x3f0
	? __pfx_unregister_netdevice_queue+0x10/0x10
	? __pfx_down_write+0x10/0x10
	unregister_netdev+0x1c/0x30
	bnep_session+0x1fb3/0x2ab0
	? __pfx_bnep_session+0x10/0x10
	? __pfx_lock_release+0x10/0x10
	? __pfx_woken_wake_function+0x10/0x10
	? __kthread_parkme+0x132/0x200
	? __pfx_bnep_session+0x10/0x10
	? kthread+0x13a/0x370
	? __pfx_bnep_session+0x10/0x10
	kthread+0x2b7/0x370
	? __pfx_kthread+0x10/0x10
	ret_from_fork+0x48/0x80
	? __pfx_kthread+0x10/0x10
	ret_from_fork_asm+0x1a/0x30
	</TASK>

	Allocated by task 4974:
	kasan_save_stack+0x30/0x50
	kasan_save_track+0x14/0x30
	__kasan_kmalloc+0xaa/0xb0
	__kmalloc_noprof+0x1d1/0x440
	hci_alloc_dev_priv+0x1d/0x2820
	__vhci_create_device+0xef/0x7d0
	vhci_write+0x2c7/0x480
	vfs_write+0x6a0/0xfc0
	ksys_write+0x12f/0x260
	do_syscall_64+0xc7/0x250
	entry_SYSCALL_64_after_hwframe+0x77/0x7f

	Freed by task 4979:
	kasan_save_stack+0x30/0x50
	kasan_save_track+0x14/0x30
	kasan_save_free_info+0x3b/0x60
	__kasan_slab_free+0x4f/0x70
	kfree+0x141/0x490
	hci_release_dev+0x4d9/0x600
	bt_host_release+0x6a/0xb0
	device_release+0xa4/0x240
	kobject_put+0x1ec/0x5a0
	put_device+0x1f/0x30
	vhci_release+0x81/0xf0
	__fput+0x3f6/0xb30
	task_work_run+0x151/0x250
	do_exit+0xa79/0x2c30
	do_group_exit+0xd5/0x2a0
	get_signal+0x1fcd/0x2210
	arch_do_signal_or_restart+0x93/0x780
	syscall_exit_to_user_mode+0x140/0x290
	do_syscall_64+0xd4/0x250
	entry_SYSCALL_64_after_hwframe+0x77/0x7f

	In 'hci_conn_del_sysfs()', 'device_unregister()' may be called when
	an underlying (kobject) reference counter is greater than 1. This
	means that reparenting (happened when the device is actually freed)
	is delayed and, during that delay, parent controller device (hciX)
	may be deleted. Since the latter may create a dangling pointer to
	freed parent, avoid that scenario by reparenting to NULL explicitly.

	The Linux kernel CVE team has assigned CVE-2024-53237 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.10.202 with commit 53d61daf35b1bbf3ae06e852ee107aa2f05b3776 and fixed in 5.10.231 with commit fb91ce37dc9a37ea23cf32b6d7b667004e93d4c5
	Issue introduced in 5.15.140 with commit ba7088769800d9892a7e4f35c3137a5b3e65410b and fixed in 5.15.174 with commit a9584c897d1cba6265c78010bbb45ca5722c88bc
	Issue introduced in 6.1.64 with commit 87624b1f9b781549e69f92db7ede012a21cec275 and fixed in 6.1.120 with commit 0f67ca2a80acf8b207240405b7f72d660665d3df
	Issue introduced in 6.6.3 with commit 56a4fdde95ed98d864611155f6728983e199e198 and fixed in 6.6.64 with commit de5a44f351ca7efd9add9851b218f5353e2224b7
	Issue introduced in 6.7 with commit a85fb91e3d728bdfc80833167e8162cce8bc7004 and fixed in 6.11.11 with commit 91e2a2e4d1336333804cd31162984f01ad8cc70f
	Issue introduced in 6.7 with commit a85fb91e3d728bdfc80833167e8162cce8bc7004 and fixed in 6.12.2 with commit 7b277bd569bb6a2777f0014f84b4344f444fd49d
	Issue introduced in 6.7 with commit a85fb91e3d728bdfc80833167e8162cce8bc7004 and fixed in 6.13 with commit 27aabf27fd014ae037cc179c61b0bee7cff55b3d
	Issue introduced in 4.19.300 with commit 5c53afc766e07098429520b7677eaa164b593451
	Issue introduced in 5.4.262 with commit 3c4236f1b2a715e878a06599fa8b0cc21f165d28
	Issue introduced in 6.5.13 with commit fc666d1b47518a18519241cae213de1babd4a4ba

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-53237
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/bluetooth/hci_sysfs.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/fb91ce37dc9a37ea23cf32b6d7b667004e93d4c5
	https://git.kernel.org/stable/c/a9584c897d1cba6265c78010bbb45ca5722c88bc
	https://git.kernel.org/stable/c/0f67ca2a80acf8b207240405b7f72d660665d3df
	https://git.kernel.org/stable/c/de5a44f351ca7efd9add9851b218f5353e2224b7
	https://git.kernel.org/stable/c/91e2a2e4d1336333804cd31162984f01ad8cc70f
	https://git.kernel.org/stable/c/7b277bd569bb6a2777f0014f84b4344f444fd49d
	https://git.kernel.org/stable/c/27aabf27fd014ae037cc179c61b0bee7cff55b3d