
[SRU,F,0/1] CVE-2024-24860

Message ID 20240709184408.2020719-1-yuxuan.luo@canonical.com

Message

Yuxuan Luo July 9, 2024, 6:44 p.m. UTC
[Impact]
A race condition is found in the net/bluetooth subsystem during a key
setting session due to an atomicity violation. This data race can lead to
unexpected data inconsistency, harming the user system's data integrity.

[Backport]
Although the break commit is not included in the tree, we believe that
the race condition has long existed since the introduction of
le_min_key_size_write() and le_max_key_size_write() which were later
renamed to {min,max}_key_size_set(). Therefore, I manually applied the
fix made for hci_debugfs.c to smp.c since 18f81241b74f ("Bluetooth: Move
{min,max}_key_size debugfs into hci_debugfs_create_le") is yet to be
introduced.

[Test]
Compiled only.

[Where things could go wrong]
The Bluetooth system may produce unexpected behaviour when pairing if
a regression occurs.

Gui-Dong Han (1):
  Bluetooth: Fix atomicity violation in {min,max}_key_size_set

 net/bluetooth/smp.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
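The check-then-store window that the cover letter calls an atomicity violation, as an added example that is not part of this series or of the kernel tree: a sequential model of two setters racing on the LE key-size bounds, once in the pre-fix shape (bounds check outside the lock) and once with the check inside the same critical section as the store. Only SMP_MIN_ENC_KEY_SIZE and SMP_MAX_ENC_KEY_SIZE are taken from net/bluetooth/smp.h; struct dev, lock_try/lock_release (standing in for hci_dev_lock()/hci_dev_unlock()), other_cpu and run_interleaving are constructed for the example. The "fixed" variant shows one fix shape; whether the patch in this series matches it line for line is not shown on this page.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

/* Bounds for the LE encryption key size, as defined in net/bluetooth/smp.h. */
#define SMP_MIN_ENC_KEY_SIZE 7
#define SMP_MAX_ENC_KEY_SIZE 16

/* Constructed stand-in for struct hci_dev; lock_held plays hci_dev_lock(). */
struct dev {
	bool lock_held;
	uint8_t le_min_key_size;
	uint8_t le_max_key_size;
};

/* Models another CPU getting to run inside a setter's check-to-store window. */
typedef void (*preempt_fn)(struct dev *d);

static int lock_try(struct dev *d)
{
	if (d->lock_held)
		return -EBUSY;
	d->lock_held = true;
	return 0;
}

static void lock_release(struct dev *d) { d->lock_held = false; }

/* Competing writer used in both scenarios: the max setter with its check and
 * store in one critical section. Returns -EBUSY if the lock is already held. */
static int max_key_size_set_locked(struct dev *d, uint64_t val)
{
	int ret = -EINVAL;

	if (lock_try(d))
		return -EBUSY;
	if (val >= d->le_min_key_size && val <= SMP_MAX_ENC_KEY_SIZE) {
		d->le_max_key_size = val;
		ret = 0;
	}
	lock_release(d);
	return ret;
}

/* Pre-fix shape: the bounds check reads le_max_key_size with no lock held,
 * so the max it validated against can change before the store below. */
static int min_key_size_set_racy(struct dev *d, uint64_t val, preempt_fn other)
{
	if (val > d->le_max_key_size || val < SMP_MIN_ENC_KEY_SIZE)
		return -EINVAL;
	if (other)
		other(d);	/* the window: another CPU may lower max here */
	lock_try(d);		/* uncontended in this sequential model */
	d->le_min_key_size = val;
	lock_release(d);
	return 0;
}

/* Post-fix shape: check and store happen under the same lock, so a competing
 * writer cannot change max between them. */
static int min_key_size_set_fixed(struct dev *d, uint64_t val, preempt_fn other)
{
	int ret = -EINVAL;

	lock_try(d);
	if (val <= d->le_max_key_size && val >= SMP_MIN_ENC_KEY_SIZE) {
		if (other)
			other(d);	/* lock held: the other writer gets -EBUSY */
		d->le_min_key_size = val;
		ret = 0;
	}
	lock_release(d);
	return ret;
}

/* The other CPU issues max_key_size_set(8). If the lock keeps it out it is
 * retried after the release, as a blocked hci_dev_lock() caller would be. */
static const uint64_t other_val = 8;
static int other_ret;
static bool other_blocked;

static void other_cpu(struct dev *d)
{
	other_ret = max_key_size_set_locked(d, other_val);
	other_blocked = (other_ret == -EBUSY);
}

/* Runs one interleaving from min=7, max=16 and reports whether the invariant
 * min <= max survived; ret_a/ret_b receive the min and max setters' results. */
static bool run_interleaving(bool fixed, int *ret_a, int *ret_b)
{
	struct dev d = { false, SMP_MIN_ENC_KEY_SIZE, SMP_MAX_ENC_KEY_SIZE };

	other_blocked = false;
	*ret_a = fixed ? min_key_size_set_fixed(&d, 10, other_cpu)
		       : min_key_size_set_racy(&d, 10, other_cpu);
	if (other_blocked)
		other_ret = max_key_size_set_locked(&d, other_val);
	*ret_b = other_ret;
	return d.le_min_key_size <= d.le_max_key_size;
}
```

In the racy interleaving both setters return 0 and yet the device ends with min_key_size 10 above max_key_size 8, which is the data inconsistency the cover letter describes: each check was valid against the value it saw, but the two were not serialized. With the check under the lock, the second writer is held off and its own check then rejects 8 against the updated minimum, so the invariant holds. Note that the competing max setter is already lock-correct in both runs; the violation comes from the one setter whose check sits outside the lock, which is why both setters have to be fixed together.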

Comments

Manuel Diewald July 10, 2024, 12:15 p.m. UTC | #1
On Tue, Jul 09, 2024 at 02:44:07PM -0400, Yuxuan Luo wrote:
> [Impact]
> A race condition is found in the net/bluetooth subsystem during a key
> setting session due to an atomicity violation. This data race can lead to
> unexpected data inconsistency, harming the user system's data integrity.
> 
> [Backport]
> Although the break commit is not included in the tree, we believe that
> the race condition has long existed since the introduction of
> le_min_key_size_write() and le_max_key_size_write() which were later
> renamed to {min,max}_key_size_set(). Therefore, I manually applied the
> fix made for hci_debugfs.c to smp.c since 18f81241b74f ("Bluetooth: Move
> {min,max}_key_size debugfs into hci_debugfs_create_le") is yet to be
> introduced.
> 
> [Test]
> Compiled only.
> 
> [Where things could go wrong]
> The Bluetooth system may produce unexpected behaviour when pairing if
> a regression occurs.
> 
> Gui-Dong Han (1):
>   Bluetooth: Fix atomicity violation in {min,max}_key_size_set
> 
>  net/bluetooth/smp.c | 12 ++++++++++--
>  1 file changed, 10 insertions(+), 2 deletions(-)
> 
> -- 
> 2.34.1
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Acked-by: Manuel Diewald <manuel.diewald@canonical.com>
Chris Chiu July 10, 2024, 2:27 p.m. UTC | #2
On Wed, Jul 10, 2024 at 2:44 AM Yuxuan Luo <yuxuan.luo@canonical.com> wrote:
>
> [Impact]
> A race condition is found in the net/bluetooth subsystem during a key
> setting session due to an atomicity violation. This data race can lead to
> unexpected data inconsistency, harming the user system's data integrity.
>
> [Backport]
> Although the break commit is not included in the tree, we believe that
> the race condition has long existed since the introduction of
> le_min_key_size_write() and le_max_key_size_write() which were later
> renamed to {min,max}_key_size_set(). Therefore, I manually applied the
> fix made for hci_debugfs.c to smp.c since 18f81241b74f ("Bluetooth: Move
> {min,max}_key_size debugfs into hci_debugfs_create_le") is yet to be
> introduced.
>
> [Test]
> Compiled only.
>
> [Where things could go wrong]
> The Bluetooth system may produce unexpected behaviour when pairing if
> a regression occurs.
>
> Gui-Dong Han (1):
>   Bluetooth: Fix atomicity violation in {min,max}_key_size_set
>
>  net/bluetooth/smp.c | 12 ++++++++++--
>  1 file changed, 10 insertions(+), 2 deletions(-)
>
> --
> 2.34.1
>
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Acked-by: Chris Chiu <chris.chiu@canonical.com>
Stefan Bader July 19, 2024, 8:58 a.m. UTC | #3
On 09.07.24 20:44, Yuxuan Luo wrote:
> [Impact]
> A race condition is found in the net/bluetooth subsystem during a key
> setting session due to an atomicity violation. This data race can lead to
> unexpected data inconsistency, harming the user system's data integrity.
> 
> [Backport]
> Although the break commit is not included in the tree, we believe that
> the race condition has long existed since the introduction of
> le_min_key_size_write() and le_max_key_size_write() which were later
> renamed to {min,max}_key_size_set(). Therefore, I manually applied the
> fix made for hci_debugfs.c to smp.c since 18f81241b74f ("Bluetooth: Move
> {min,max}_key_size debugfs into hci_debugfs_create_le") is yet to be
> introduced.
> 
> [Test]
> Compiled only.
> 
> [Where things could go wrong]
> The Bluetooth system may produce unexpected behaviour when pairing if
> a regression occurs.
> 
> Gui-Dong Han (1):
>    Bluetooth: Fix atomicity violation in {min,max}_key_size_set
> 
>   net/bluetooth/smp.c | 12 ++++++++++--
>   1 file changed, 10 insertions(+), 2 deletions(-)
> 

Applied to focal:linux/master-next. Thanks.

-Stefan