From patchwork Tue Apr 30 23:18:59 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bethany Jamison X-Patchwork-Id: 1929866 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com (client-ip=185.125.189.65; helo=lists.ubuntu.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=patchwork.ozlabs.org) Received: from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4VTbkD59yhz23rw for ; Wed, 1 May 2024 09:19:15 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=lists.ubuntu.com) by lists.ubuntu.com with esmtp (Exim 4.86_2) (envelope-from ) id 1s1wke-0002Ts-B6; Tue, 30 Apr 2024 23:19:08 +0000 Received: from smtp-relay-internal-0.internal ([10.131.114.225] helo=smtp-relay-internal-0.canonical.com) by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1s1wka-0002Sq-RN for kernel-team@lists.ubuntu.com; Tue, 30 Apr 2024 23:19:04 +0000 Received: from mail-io1-f72.google.com (mail-io1-f72.google.com [209.85.166.72]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id 987E83F15B for ; Tue, 30 Apr 2024 23:19:04 +0000 (UTC) Received: by mail-io1-f72.google.com with SMTP id ca18e2360f4ac-7decb47ceebso333686939f.2 for ; Tue, 30 Apr 2024 16:19:04 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1714519143; x=1715123943; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=0xr0N7nBIDBK0P99t65gUFaXQEyh/rLgako2TjjGTGY=; b=s5JRxi7/uGuI7znt0Qizya3rF2Zy+Un0ca2eVvpugahilippUZrWjhbnNN0O7LOX2I 5Gkqo4Q4A+nSETqQkNxFszH5VjlEfUGbPa+4zFI3kB/4HNCtbCDSnKmySOs4HQFpxN75 mYM12yVbsfVw7EfggytSi41UsAk4lBjreq62dS2gNyl3JSXEVqPq11tVskPO2u7jsupy M9pEd/31MoFkc7M3mptdr0naOi7e/Kl5lfRLDjugRT1P7T/kaTmXRvvlPr5dSTLZn5AQ DH+5zRHWTlKElUATc9OFHOYPQn/TvmQd7/LMSt/mKEkUcu/KsA/hE8cHWZRKenZDn8jH 8Lkg== X-Gm-Message-State: AOJu0YzhVGVvGBlfqBb5aI+VmSfhWm6sP2yO+5bH+7vHWy23JkFzYw+q rZo0dNLng8KHUQ/XbXPG+UNlOZSpbXOtmbQ8YlFF1UIwjFKN4OK/ri8cLsuM9iL/nmpvrm/KCdg RZ+f7drNkFS+54FOtY07iShCmHLJ0hGhmLq4nGoXVa9NuYAifKewfylt7iTgjOBwlnFLZoPSQW0 vtgKfOS5MHVA== X-Received: by 2002:a05:6602:1816:b0:7de:c3d5:36a6 with SMTP id t22-20020a056602181600b007dec3d536a6mr1395477ioh.2.1714519142970; Tue, 30 Apr 2024 16:19:02 -0700 (PDT) X-Google-Smtp-Source: AGHT+IHpNQ9MDbBpDZ65RPF4SwnCoWlfRlc8cLV3JZuKtjyHBipmcr/+AT8bYoI+KHGKITdopJishw== X-Received: by 2002:a05:6602:1816:b0:7de:c3d5:36a6 with SMTP id t22-20020a056602181600b007dec3d536a6mr1395468ioh.2.1714519142591; Tue, 30 Apr 2024 16:19:02 -0700 (PDT) Received: from smtp.gmail.com (104-218-69-129.dynamic.lnk.ne.allofiber.net. [104.218.69.129]) by smtp.gmail.com with ESMTPSA id jt12-20020a056638a08c00b00482fa811097sm7888001jab.51.2024.04.30.16.19.02 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 30 Apr 2024 16:19:02 -0700 (PDT) From: Bethany Jamison To: kernel-team@lists.ubuntu.com Subject: [SRU][M][PATCH 0/2] CVE-2024-26890 Date: Tue, 30 Apr 2024 18:18:59 -0500 Message-Id: <20240430231901.76648-1-bethany.jamison@canonical.com> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" [Impact] In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btrtl: fix out of bounds memory access The problem is detected by KASAN. btrtl driver uses private hci data to store 'struct btrealtek_data'. If btrtl driver is used with btusb, then memory for private hci data is allocated in btusb. But no private data is allocated after hci_dev, when btrtl is used with hci_h5. This commit adds memory allocation for hci_h5 case. ================================================================== BUG: KASAN: slab-out-of-bounds in btrtl_initialize+0x6cc/0x958 [btrtl] Write of size 8 at addr ffff00000f5a5748 by task kworker/u9:0/76 Hardware name: Pine64 PinePhone (1.2) (DT) Workqueue: hci0 hci_power_on [bluetooth] Call trace: dump_backtrace+0x9c/0x128 show_stack+0x20/0x38 dump_stack_lvl+0x48/0x60 print_report+0xf8/0x5d8 kasan_report+0x90/0xd0 __asan_store8+0x9c/0xc0 [btrtl] h5_btrtl_setup+0xd0/0x2f8 [hci_uart] h5_setup+0x50/0x80 [hci_uart] hci_uart_setup+0xd4/0x260 [hci_uart] hci_dev_open_sync+0x1cc/0xf68 [bluetooth] hci_dev_do_open+0x34/0x90 [bluetooth] hci_power_on+0xc4/0x3c8 [bluetooth] process_one_work+0x328/0x6f0 worker_thread+0x410/0x778 kthread+0x168/0x178 ret_from_fork+0x10/0x20 Allocated by task 53: kasan_save_stack+0x3c/0x68 kasan_save_track+0x20/0x40 kasan_save_alloc_info+0x68/0x78 __kasan_kmalloc+0xd4/0xd8 __kmalloc+0x1b4/0x3b0 hci_alloc_dev_priv+0x28/0xa58 [bluetooth] hci_uart_register_device+0x118/0x4f8 [hci_uart] h5_serdev_probe+0xf4/0x178 [hci_uart] serdev_drv_probe+0x54/0xa0 really_probe+0x254/0x588 __driver_probe_device+0xc4/0x210 driver_probe_device+0x64/0x160 __driver_attach_async_helper+0x88/0x158 async_run_entry_fn+0xd0/0x388 process_one_work+0x328/0x6f0 worker_thread+0x410/0x778 kthread+0x168/0x178 ret_from_fork+0x10/0x20 Last potentially related work creation: kasan_save_stack+0x3c/0x68 __kasan_record_aux_stack+0xb0/0x150 kasan_record_aux_stack_noalloc+0x14/0x20 __queue_work+0x33c/0x960 queue_work_on+0x98/0xc0 hci_recv_frame+0xc8/0x1e8 [bluetooth] h5_complete_rx_pkt+0x2c8/0x800 [hci_uart] h5_rx_payload+0x98/0xb8 [hci_uart] h5_recv+0x158/0x3d8 [hci_uart] hci_uart_receive_buf+0xa0/0xe8 [hci_uart] ttyport_receive_buf+0xac/0x178 flush_to_ldisc+0x130/0x2c8 process_one_work+0x328/0x6f0 worker_thread+0x410/0x778 kthread+0x168/0x178 ret_from_fork+0x10/0x20 Second to last potentially related work creation: kasan_save_stack+0x3c/0x68 __kasan_record_aux_stack+0xb0/0x150 kasan_record_aux_stack_noalloc+0x14/0x20 __queue_work+0x788/0x960 queue_work_on+0x98/0xc0 __hci_cmd_sync_sk+0x23c/0x7a0 [bluetooth] __hci_cmd_sync+0x24/0x38 [bluetooth] btrtl_initialize+0x760/0x958 [btrtl] h5_btrtl_setup+0xd0/0x2f8 [hci_uart] h5_setup+0x50/0x80 [hci_uart] hci_uart_setup+0xd4/0x260 [hci_uart] hci_dev_open_sync+0x1cc/0xf68 [bluetooth] hci_dev_do_open+0x34/0x90 [bluetooth] hci_power_on+0xc4/0x3c8 [bluetooth] process_one_work+0x328/0x6f0 worker_thread+0x410/0x778 kthread+0x168/0x178 ret_from_fork+0x10/0x20 [Fix] Mantic: Clean cherry-pick from prereq commit and linux-6.6.y Jammy: not-affected Focal: not-affected Bionic: not-affected Xenial: not-affected Trusty: not-affected [Test Case] Compile and boot tested. [Where problems could occur] This fix affects those who use the bluetooth driver for Realtek devices, an issue with this fix would be visable to the user via data corruption, unpredicted system behavior, or a system crash. Andrey Skvortsov (2): Bluetooth: hci_h5: Add ability to allocate memory for private data Bluetooth: btrtl: fix out of bounds memory access drivers/bluetooth/hci_h5.c | 5 ++++- drivers/bluetooth/hci_serdev.c | 9 +++++---- drivers/bluetooth/hci_uart.h | 12 +++++++++++- 3 files changed, 20 insertions(+), 6 deletions(-) Acked-by: Stefan Bader Acked-by: Tim Gardner