| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2024-56653: Bluetooth: btmtk: avoid UAF in btmtk_process_coredump |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| Bluetooth: btmtk: avoid UAF in btmtk_process_coredump |
| |
| hci_devcd_append may lead to the release of the skb, so it cannot be |
| accessed once it is called. |
| |
| ================================================================== |
| BUG: KASAN: slab-use-after-free in btmtk_process_coredump+0x2a7/0x2d0 [btmtk] |
| Read of size 4 at addr ffff888033cfabb0 by task kworker/0:3/82 |
| |
| CPU: 0 PID: 82 Comm: kworker/0:3 Tainted: G U 6.6.40-lockdep-03464-g1d8b4eb3060e #1 b0b3c1cc0c842735643fb411799d97921d1f688c |
| Hardware name: Google Yaviks_Ufs/Yaviks_Ufs, BIOS Google_Yaviks_Ufs.15217.552.0 05/07/2024 |
| Workqueue: events btusb_rx_work [btusb] |
| Call Trace: |
| <TASK> |
| dump_stack_lvl+0xfd/0x150 |
| print_report+0x131/0x780 |
| kasan_report+0x177/0x1c0 |
| btmtk_process_coredump+0x2a7/0x2d0 [btmtk 03edd567dd71a65958807c95a65db31d433e1d01] |
| btusb_recv_acl_mtk+0x11c/0x1a0 [btusb 675430d1e87c4f24d0c1f80efe600757a0f32bec] |
| btusb_rx_work+0x9e/0xe0 [btusb 675430d1e87c4f24d0c1f80efe600757a0f32bec] |
| worker_thread+0xe44/0x2cc0 |
| kthread+0x2ff/0x3a0 |
| ret_from_fork+0x51/0x80 |
| ret_from_fork_asm+0x1b/0x30 |
| </TASK> |
| |
| Allocated by task 82: |
| stack_trace_save+0xdc/0x190 |
| kasan_set_track+0x4e/0x80 |
| __kasan_slab_alloc+0x4e/0x60 |
| kmem_cache_alloc+0x19f/0x360 |
| skb_clone+0x132/0xf70 |
| btusb_recv_acl_mtk+0x104/0x1a0 [btusb] |
| btusb_rx_work+0x9e/0xe0 [btusb] |
| worker_thread+0xe44/0x2cc0 |
| kthread+0x2ff/0x3a0 |
| ret_from_fork+0x51/0x80 |
| ret_from_fork_asm+0x1b/0x30 |
| |
| Freed by task 1733: |
| stack_trace_save+0xdc/0x190 |
| kasan_set_track+0x4e/0x80 |
| kasan_save_free_info+0x28/0xb0 |
| ____kasan_slab_free+0xfd/0x170 |
| kmem_cache_free+0x183/0x3f0 |
| hci_devcd_rx+0x91a/0x2060 [bluetooth] |
| worker_thread+0xe44/0x2cc0 |
| kthread+0x2ff/0x3a0 |
| ret_from_fork+0x51/0x80 |
| ret_from_fork_asm+0x1b/0x30 |
| |
| The buggy address belongs to the object at ffff888033cfab40 |
| which belongs to the cache skbuff_head_cache of size 232 |
| The buggy address is located 112 bytes inside of |
| freed 232-byte region [ffff888033cfab40, ffff888033cfac28) |
| |
| The buggy address belongs to the physical page: |
| page:00000000a174ba93 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x33cfa |
| head:00000000a174ba93 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0 |
| anon flags: 0x4000000000000840(slab|head|zone=1) |
| page_type: 0xffffffff() |
| raw: 4000000000000840 ffff888100848a00 0000000000000000 0000000000000001 |
| raw: 0000000000000000 0000000080190019 00000001ffffffff 0000000000000000 |
| page dumped because: kasan: bad access detected |
| |
| Memory state around the buggy address: |
| ffff888033cfaa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc |
| ffff888033cfab00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb |
| >ffff888033cfab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb |
| ^ |
| ffff888033cfac00: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc |
| ffff888033cfac80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb |
| ================================================================== |
| |
| Check if we need to call hci_devcd_complete before calling |
| hci_devcd_append. That requires that we check data->cd_info.cnt >= |
| MTK_COREDUMP_NUM instead of data->cd_info.cnt > MTK_COREDUMP_NUM, as we |
| increment data->cd_info.cnt only once the call to hci_devcd_append |
| succeeds. |
| |
| The Linux kernel CVE team has assigned CVE-2024-56653 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Issue introduced in 6.6 with commit 0b70151328781a89c89e4cf3fae21fc0e98d869e and fixed in 6.6.67 with commit ecdcaea0e4057171ea4c3783e1cc1c900ad99125 |
| Issue introduced in 6.6 with commit 0b70151328781a89c89e4cf3fae21fc0e98d869e and fixed in 6.12.6 with commit d20ff1d3cb40479789368f502eedb0a00e4161fc |
| Issue introduced in 6.6 with commit 0b70151328781a89c89e4cf3fae21fc0e98d869e and fixed in 6.13 with commit b548f5e9456c568155499d9ebac675c0d7a296e8 |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2024-56653 |
| will be updated if fixes are backported, please check that for the most |
| up to date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| drivers/bluetooth/btmtk.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/ecdcaea0e4057171ea4c3783e1cc1c900ad99125 |
| https://git.kernel.org/stable/c/d20ff1d3cb40479789368f502eedb0a00e4161fc |
| https://git.kernel.org/stable/c/b548f5e9456c568155499d9ebac675c0d7a296e8 |
