CVE

CVE-2024-46680

Severity:
MEDIUM
Type:
Unavailable / Other
Publication date:
13/09/2024
Last modified:
23/09/2024

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: btnxpuart: Fix random crash seen while removing driver<br /> <br /> This fixes the random kernel crash seen while removing the driver, when<br /> running the load/unload test over multiple iterations.<br /> <br /> 1) modprobe btnxpuart<br /> 2) hciconfig hci0 reset<br /> 3) hciconfig (check hci0 interface up with valid BD address)<br /> 4) modprobe -r btnxpuart<br /> Repeat steps 1 to 4<br /> <br /> The ps_wakeup() call in btnxpuart_close() schedules the psdata-&gt;work(),<br /> which gets scheduled after module is removed, causing a kernel crash.<br /> <br /> This hidden issue got highlighted after enabling Power Save by default<br /> in 4183a7be7700 (Bluetooth: btnxpuart: Enable Power Save feature on<br /> startup)<br /> <br /> The new ps_cleanup() deasserts UART break immediately while closing<br /> serdev device, cancels any scheduled ps_work and destroys the ps_lock<br /> mutex.<br /> <br /> [ 85.884604] Unable to handle kernel paging request at virtual address ffffd4a61638f258<br /> [ 85.884624] Mem abort info:<br /> [ 85.884625] ESR = 0x0000000086000007<br /> [ 85.884628] EC = 0x21: IABT (current EL), IL = 32 bits<br /> [ 85.884633] SET = 0, FnV = 0<br /> [ 85.884636] EA = 0, S1PTW = 0<br /> [ 85.884638] FSC = 0x07: level 3 translation fault<br /> [ 85.884642] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000041dd0000<br /> [ 85.884646] [ffffd4a61638f258] pgd=1000000095fff003, p4d=1000000095fff003, pud=100000004823d003, pmd=100000004823e003, pte=0000000000000000<br /> [ 85.884662] Internal error: Oops: 0000000086000007 [#1] PREEMPT SMP<br /> [ 85.890932] Modules linked in: algif_hash algif_skcipher af_alg overlay fsl_jr_uio caam_jr caamkeyblob_desc caamhash_desc caamalg_desc crypto_engine authenc libdes crct10dif_ce polyval_ce polyval_generic snd_soc_imx_spdif snd_soc_imx_card snd_soc_ak5558 snd_soc_ak4458 caam secvio error snd_soc_fsl_spdif snd_soc_fsl_micfil snd_soc_fsl_sai snd_soc_fsl_utils gpio_ir_recv rc_core fuse [last unloaded: btnxpuart(O)]<br /> [ 85.927297] CPU: 1 PID: 67 Comm: kworker/1:3 Tainted: G O 6.1.36+g937b1be4345a #1<br /> [ 85.936176] Hardware name: FSL i.MX8MM EVK board (DT)<br /> [ 85.936182] Workqueue: events 0xffffd4a61638f380<br /> [ 85.936198] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> [ 85.952817] pc : 0xffffd4a61638f258<br /> [ 85.952823] lr : 0xffffd4a61638f258<br /> [ 85.952827] sp : ffff8000084fbd70<br /> [ 85.952829] x29: ffff8000084fbd70 x28: 0000000000000000 x27: 0000000000000000<br /> [ 85.963112] x26: ffffd4a69133f000 x25: ffff4bf1c8540990 x24: ffff4bf215b87305<br /> [ 85.963119] x23: ffff4bf215b87300 x22: ffff4bf1c85409d0 x21: ffff4bf1c8540970<br /> [ 85.977382] x20: 0000000000000000 x19: ffff4bf1c8540880 x18: 0000000000000000<br /> [ 85.977391] x17: 0000000000000000 x16: 0000000000000133 x15: 0000ffffe2217090<br /> [ 85.977399] x14: 0000000000000001 x13: 0000000000000133 x12: 0000000000000139<br /> [ 85.977407] x11: 0000000000000001 x10: 0000000000000a60 x9 : ffff8000084fbc50<br /> [ 85.977417] x8 : ffff4bf215b7d000 x7 : ffff4bf215b83b40 x6 : 00000000000003e8<br /> [ 85.977424] x5 : 00000000410fd030 x4 : 0000000000000000 x3 : 0000000000000000<br /> [ 85.977432] x2 : 0000000000000000 x1 : ffff4bf1c4265880 x0 : 0000000000000000<br /> [ 85.977443] Call trace:<br /> [ 85.977446] 0xffffd4a61638f258<br /> [ 85.977451] 0xffffd4a61638f3e8<br /> [ 85.977455] process_one_work+0x1d4/0x330<br /> [ 85.977464] worker_thread+0x6c/0x430<br /> [ 85.977471] kthread+0x108/0x10c<br /> [ 85.977476] ret_from_fork+0x10/0x20<br /> [ 85.977488] Code: bad PC value<br /> [ 85.977491] ---[ end trace 0000000000000000 ]---<br /> <br /> Preset since v6.9.11

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.4 (including) 6.6.49 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.10.8 (excluding)
cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc5:*:*:*:*:*:*