| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2024-54191: Bluetooth: iso: Fix circular lock in iso_conn_big_sync |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| Bluetooth: iso: Fix circular lock in iso_conn_big_sync |
| |
| This fixes the circular locking dependency warning below, by reworking |
| iso_sock_recvmsg, to ensure that the socket lock is always released |
| before calling a function that locks hdev. |
| |
| [ 561.670344] ====================================================== |
| [ 561.670346] WARNING: possible circular locking dependency detected |
| [ 561.670349] 6.12.0-rc6+ #26 Not tainted |
| [ 561.670351] ------------------------------------------------------ |
| [ 561.670353] iso-tester/3289 is trying to acquire lock: |
| [ 561.670355] ffff88811f600078 (&hdev->lock){+.+.}-{3:3}, |
| at: iso_conn_big_sync+0x73/0x260 [bluetooth] |
| [ 561.670405] |
| but task is already holding lock: |
| [ 561.670407] ffff88815af58258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, |
| at: iso_sock_recvmsg+0xbf/0x500 [bluetooth] |
| [ 561.670450] |
| which lock already depends on the new lock. |
| |
| [ 561.670452] |
| the existing dependency chain (in reverse order) is: |
| [ 561.670453] |
| -> #2 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}: |
| [ 561.670458] lock_acquire+0x7c/0xc0 |
| [ 561.670463] lock_sock_nested+0x3b/0xf0 |
| [ 561.670467] bt_accept_dequeue+0x1a5/0x4d0 [bluetooth] |
| [ 561.670510] iso_sock_accept+0x271/0x830 [bluetooth] |
| [ 561.670547] do_accept+0x3dd/0x610 |
| [ 561.670550] __sys_accept4+0xd8/0x170 |
| [ 561.670553] __x64_sys_accept+0x74/0xc0 |
| [ 561.670556] x64_sys_call+0x17d6/0x25f0 |
| [ 561.670559] do_syscall_64+0x87/0x150 |
| [ 561.670563] entry_SYSCALL_64_after_hwframe+0x76/0x7e |
| [ 561.670567] |
| -> #1 (sk_lock-AF_BLUETOOTH-BTPROTO_ISO){+.+.}-{0:0}: |
| [ 561.670571] lock_acquire+0x7c/0xc0 |
| [ 561.670574] lock_sock_nested+0x3b/0xf0 |
| [ 561.670577] iso_sock_listen+0x2de/0xf30 [bluetooth] |
| [ 561.670617] __sys_listen_socket+0xef/0x130 |
| [ 561.670620] __x64_sys_listen+0xe1/0x190 |
| [ 561.670623] x64_sys_call+0x2517/0x25f0 |
| [ 561.670626] do_syscall_64+0x87/0x150 |
| [ 561.670629] entry_SYSCALL_64_after_hwframe+0x76/0x7e |
| [ 561.670632] |
| -> #0 (&hdev->lock){+.+.}-{3:3}: |
| [ 561.670636] __lock_acquire+0x32ad/0x6ab0 |
| [ 561.670639] lock_acquire.part.0+0x118/0x360 |
| [ 561.670642] lock_acquire+0x7c/0xc0 |
| [ 561.670644] __mutex_lock+0x18d/0x12f0 |
| [ 561.670647] mutex_lock_nested+0x1b/0x30 |
| [ 561.670651] iso_conn_big_sync+0x73/0x260 [bluetooth] |
| [ 561.670687] iso_sock_recvmsg+0x3e9/0x500 [bluetooth] |
| [ 561.670722] sock_recvmsg+0x1d5/0x240 |
| [ 561.670725] sock_read_iter+0x27d/0x470 |
| [ 561.670727] vfs_read+0x9a0/0xd30 |
| [ 561.670731] ksys_read+0x1a8/0x250 |
| [ 561.670733] __x64_sys_read+0x72/0xc0 |
| [ 561.670736] x64_sys_call+0x1b12/0x25f0 |
| [ 561.670738] do_syscall_64+0x87/0x150 |
| [ 561.670741] entry_SYSCALL_64_after_hwframe+0x76/0x7e |
| [ 561.670744] |
| other info that might help us debug this: |
| |
| [ 561.670745] Chain exists of: |
| &hdev->lock --> sk_lock-AF_BLUETOOTH-BTPROTO_ISO --> sk_lock-AF_BLUETOOTH |
| |
| [ 561.670751] Possible unsafe locking scenario: |
| |
| [ 561.670753] CPU0 CPU1 |
| [ 561.670754] ---- ---- |
| [ 561.670756] lock(sk_lock-AF_BLUETOOTH); |
| [ 561.670758] lock(sk_lock |
| AF_BLUETOOTH-BTPROTO_ISO); |
| [ 561.670761] lock(sk_lock-AF_BLUETOOTH); |
| [ 561.670764] lock(&hdev->lock); |
| [ 561.670767] |
| *** DEADLOCK *** |
| |
| The Linux kernel CVE team has assigned CVE-2024-54191 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Issue introduced in 6.12.2 with commit 1360e5b6ce63d63d23223a659ca2bbafa30a53aa and fixed in 6.12.6 with commit cbe640d6cae590b9a7d81ce86fe9a90e83eec1d5 |
| Issue introduced in 6.11.11 with commit bfec1e55314896bf4a4cfdb3a9ad4872be9f06ed |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2024-54191 |
| will be updated if fixes are backported, please check that for the most |
| up to date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| net/bluetooth/iso.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/cbe640d6cae590b9a7d81ce86fe9a90e83eec1d5 |
| https://git.kernel.org/stable/c/7a17308c17880d259105f6e591eb1bc77b9612f0 |
