{ "threat_severity" : "Moderate", "public_date" : "2024-12-27T00:00:00Z", "bugzilla" : { "description" : "kernel: Bluetooth: btmtk: avoid UAF in btmtk_process_coredump", "id" : "2334538", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2334538" }, "cvss3" : { "cvss3_base_score" : "6.7", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-416", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nBluetooth: btmtk: avoid UAF in btmtk_process_coredump\nhci_devcd_append may lead to the release of the skb, so it cannot be\naccessed once it is called.\n==================================================================\nBUG: KASAN: slab-use-after-free in btmtk_process_coredump+0x2a7/0x2d0 [btmtk]\nRead of size 4 at addr ffff888033cfabb0 by task kworker/0:3/82\nCPU: 0 PID: 82 Comm: kworker/0:3 Tainted: G U 6.6.40-lockdep-03464-g1d8b4eb3060e #1 b0b3c1cc0c842735643fb411799d97921d1f688c\nHardware name: Google Yaviks_Ufs/Yaviks_Ufs, BIOS Google_Yaviks_Ufs.15217.552.0 05/07/2024\nWorkqueue: events btusb_rx_work [btusb]\nCall Trace:\n\ndump_stack_lvl+0xfd/0x150\nprint_report+0x131/0x780\nkasan_report+0x177/0x1c0\nbtmtk_process_coredump+0x2a7/0x2d0 [btmtk 03edd567dd71a65958807c95a65db31d433e1d01]\nbtusb_recv_acl_mtk+0x11c/0x1a0 [btusb 675430d1e87c4f24d0c1f80efe600757a0f32bec]\nbtusb_rx_work+0x9e/0xe0 [btusb 675430d1e87c4f24d0c1f80efe600757a0f32bec]\nworker_thread+0xe44/0x2cc0\nkthread+0x2ff/0x3a0\nret_from_fork+0x51/0x80\nret_from_fork_asm+0x1b/0x30\n\nAllocated by task 82:\nstack_trace_save+0xdc/0x190\nkasan_set_track+0x4e/0x80\n__kasan_slab_alloc+0x4e/0x60\nkmem_cache_alloc+0x19f/0x360\nskb_clone+0x132/0xf70\nbtusb_recv_acl_mtk+0x104/0x1a0 [btusb]\nbtusb_rx_work+0x9e/0xe0 [btusb]\nworker_thread+0xe44/0x2cc0\nkthread+0x2ff/0x3a0\nret_from_fork+0x51/0x80\nret_from_fork_asm+0x1b/0x30\nFreed by task 1733:\nstack_trace_save+0xdc/0x190\nkasan_set_track+0x4e/0x80\nkasan_save_free_info+0x28/0xb0\n____kasan_slab_free+0xfd/0x170\nkmem_cache_free+0x183/0x3f0\nhci_devcd_rx+0x91a/0x2060 [bluetooth]\nworker_thread+0xe44/0x2cc0\nkthread+0x2ff/0x3a0\nret_from_fork+0x51/0x80\nret_from_fork_asm+0x1b/0x30\nThe buggy address belongs to the object at ffff888033cfab40\nwhich belongs to the cache skbuff_head_cache of size 232\nThe buggy address is located 112 bytes inside of\nfreed 232-byte region [ffff888033cfab40, ffff888033cfac28)\nThe buggy address belongs to the physical page:\npage:00000000a174ba93 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x33cfa\nhead:00000000a174ba93 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0\nanon flags: 0x4000000000000840(slab|head|zone=1)\npage_type: 0xffffffff()\nraw: 4000000000000840 ffff888100848a00 0000000000000000 0000000000000001\nraw: 0000000000000000 0000000080190019 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\nMemory state around the buggy address:\nffff888033cfaa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc\nffff888033cfab00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb\n>ffff888033cfab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n^\nffff888033cfac00: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc\nffff888033cfac80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n==================================================================\nCheck if we need to call hci_devcd_complete before calling\nhci_devcd_append. That requires that we check data->cd_info.cnt >=\nMTK_COREDUMP_NUM instead of data->cd_info.cnt > MTK_COREDUMP_NUM, as we\nincrement data->cd_info.cnt only once the call to hci_devcd_append\nsucceeds." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-05-13T00:00:00Z", "advisory" : "RHSA-2025:6966", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-570.12.1.el9_6" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-05-13T00:00:00Z", "advisory" : "RHSA-2025:6966", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-570.12.1.el9_6" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-56653\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-56653\nhttps://lore.kernel.org/linux-cve-announce/2024122749-CVE-2024-56653-bb35@gregkh/T" ], "name" : "CVE-2024-56653", "csaw" : false }