| Message ID | 20240423212735.27988-1-bethany.jamison@canonical.com |
|---|---|
| Headers | show |
| Series | CVE-2024-26801 | expand |
On 23.04.24 23:27, Bethany Jamison wrote: > [Impact] > > In the Linux kernel, the following vulnerability has been resolved: > > Bluetooth: Avoid potential use-after-free in hci_error_reset > > While handling the HCI_EV_HARDWARE_ERROR event, if the underlying > BT controller is not responding, the GPIO reset mechanism would > free the hci_dev and lead to a use-after-free in hci_error_reset. > > Here's the call trace observed on a ChromeOS device with Intel AX201: > queue_work_on+0x3e/0x6c > __hci_cmd_sync_sk+0x2ee/0x4c0 [bluetooth <HASH:3b4a6>] > ? init_wait_entry+0x31/0x31 > __hci_cmd_sync+0x16/0x20 [bluetooth <HASH:3b4a 6>] > hci_error_reset+0x4f/0xa4 [bluetooth <HASH:3b4a 6>] > process_one_work+0x1d8/0x33f > worker_thread+0x21b/0x373 > kthread+0x13a/0x152 > ? pr_cont_work+0x54/0x54 > ? kthread_blkcg+0x31/0x31 > ret_from_fork+0x1f/0x30 > > This patch holds the reference count on the hci_dev while processing > a HCI_EV_HARDWARE_ERROR event to avoid potential crash. > > [Fix] > > Mantic: Clean cherry-pick from linux-6.6.y > Jammy: fixed via stable team > Focal: pending > Bionic: fix sent to esm ML > Xenial: fix sent to esm ML > Trusty: not-affected > > [Test Case] > > Compile and boot tested. > > [Where problems could occur] > > This fix affects those who use bluetooth when HCI (host controller > interface) is handling a connection error, an issue with this fix > would be visable to the user via data corruption or even a system > crash. > > Ying Hsu (1): > Bluetooth: Avoid potential use-after-free in hci_error_reset > > net/bluetooth/hci_core.c | 7 ++++--- > 1 file changed, 4 insertions(+), 3 deletions(-) > Acked-by: Stefan Bader <stefan.bader@canonical.com>
On 23/04/2024 23:27, Bethany Jamison wrote: > [Impact] > > In the Linux kernel, the following vulnerability has been resolved: > > Bluetooth: Avoid potential use-after-free in hci_error_reset > > While handling the HCI_EV_HARDWARE_ERROR event, if the underlying > BT controller is not responding, the GPIO reset mechanism would > free the hci_dev and lead to a use-after-free in hci_error_reset. > > Here's the call trace observed on a ChromeOS device with Intel AX201: > queue_work_on+0x3e/0x6c > __hci_cmd_sync_sk+0x2ee/0x4c0 [bluetooth <HASH:3b4a6>] > ? init_wait_entry+0x31/0x31 > __hci_cmd_sync+0x16/0x20 [bluetooth <HASH:3b4a 6>] > hci_error_reset+0x4f/0xa4 [bluetooth <HASH:3b4a 6>] > process_one_work+0x1d8/0x33f > worker_thread+0x21b/0x373 > kthread+0x13a/0x152 > ? pr_cont_work+0x54/0x54 > ? kthread_blkcg+0x31/0x31 > ret_from_fork+0x1f/0x30 > > This patch holds the reference count on the hci_dev while processing > a HCI_EV_HARDWARE_ERROR event to avoid potential crash. > > [Fix] > > Mantic: Clean cherry-pick from linux-6.6.y > Jammy: fixed via stable team > Focal: pending > Bionic: fix sent to esm ML > Xenial: fix sent to esm ML > Trusty: not-affected > > [Test Case] > > Compile and boot tested. > > [Where problems could occur] > > This fix affects those who use bluetooth when HCI (host controller > interface) is handling a connection error, an issue with this fix > would be visable to the user via data corruption or even a system > crash. > > Ying Hsu (1): > Bluetooth: Avoid potential use-after-free in hci_error_reset > > net/bluetooth/hci_core.c | 7 ++++--- > 1 file changed, 4 insertions(+), 3 deletions(-) > Acked-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>
On 23/04/2024 23:27, Bethany Jamison wrote: > [Impact] > > In the Linux kernel, the following vulnerability has been resolved: > > Bluetooth: Avoid potential use-after-free in hci_error_reset > > While handling the HCI_EV_HARDWARE_ERROR event, if the underlying > BT controller is not responding, the GPIO reset mechanism would > free the hci_dev and lead to a use-after-free in hci_error_reset. > > Here's the call trace observed on a ChromeOS device with Intel AX201: > queue_work_on+0x3e/0x6c > __hci_cmd_sync_sk+0x2ee/0x4c0 [bluetooth <HASH:3b4a6>] > ? init_wait_entry+0x31/0x31 > __hci_cmd_sync+0x16/0x20 [bluetooth <HASH:3b4a 6>] > hci_error_reset+0x4f/0xa4 [bluetooth <HASH:3b4a 6>] > process_one_work+0x1d8/0x33f > worker_thread+0x21b/0x373 > kthread+0x13a/0x152 > ? pr_cont_work+0x54/0x54 > ? kthread_blkcg+0x31/0x31 > ret_from_fork+0x1f/0x30 > > This patch holds the reference count on the hci_dev while processing > a HCI_EV_HARDWARE_ERROR event to avoid potential crash. > > [Fix] > > Mantic: Clean cherry-pick from linux-6.6.y > Jammy: fixed via stable team > Focal: pending > Bionic: fix sent to esm ML > Xenial: fix sent to esm ML > Trusty: not-affected > > [Test Case] > > Compile and boot tested. > > [Where problems could occur] > > This fix affects those who use bluetooth when HCI (host controller > interface) is handling a connection error, an issue with this fix > would be visable to the user via data corruption or even a system > crash. > > Ying Hsu (1): > Bluetooth: Avoid potential use-after-free in hci_error_reset > > net/bluetooth/hci_core.c | 7 ++++--- > 1 file changed, 4 insertions(+), 3 deletions(-) > Applied to mantic master-next branch. Thanks!
[Impact] In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Avoid potential use-after-free in hci_error_reset While handling the HCI_EV_HARDWARE_ERROR event, if the underlying BT controller is not responding, the GPIO reset mechanism would free the hci_dev and lead to a use-after-free in hci_error_reset. Here's the call trace observed on a ChromeOS device with Intel AX201: queue_work_on+0x3e/0x6c __hci_cmd_sync_sk+0x2ee/0x4c0 [bluetooth <HASH:3b4a6>] ? init_wait_entry+0x31/0x31 __hci_cmd_sync+0x16/0x20 [bluetooth <HASH:3b4a 6>] hci_error_reset+0x4f/0xa4 [bluetooth <HASH:3b4a 6>] process_one_work+0x1d8/0x33f worker_thread+0x21b/0x373 kthread+0x13a/0x152 ? pr_cont_work+0x54/0x54 ? kthread_blkcg+0x31/0x31 ret_from_fork+0x1f/0x30 This patch holds the reference count on the hci_dev while processing a HCI_EV_HARDWARE_ERROR event to avoid potential crash. [Fix] Mantic: Clean cherry-pick from linux-6.6.y Jammy: fixed via stable team Focal: pending Bionic: fix sent to esm ML Xenial: fix sent to esm ML Trusty: not-affected [Test Case] Compile and boot tested. [Where problems could occur] This fix affects those who use bluetooth when HCI (host controller interface) is handling a connection error, an issue with this fix would be visable to the user via data corruption or even a system crash. Ying Hsu (1): Bluetooth: Avoid potential use-after-free in hci_error_reset net/bluetooth/hci_core.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)