CVE-2024-46680
Severity:
MEDIUM
Type:
Unavailable / Other
Publication date:
13/09/2024
Last modified:
23/09/2024
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
Bluetooth: btnxpuart: Fix random crash seen while removing driver<br />
<br />
This fixes the random kernel crash seen while removing the driver, when<br />
running the load/unload test over multiple iterations.<br />
<br />
1) modprobe btnxpuart<br />
2) hciconfig hci0 reset<br />
3) hciconfig (check hci0 interface up with valid BD address)<br />
4) modprobe -r btnxpuart<br />
Repeat steps 1 to 4<br />
<br />
The ps_wakeup() call in btnxpuart_close() schedules the psdata->work(),<br />
which gets scheduled after module is removed, causing a kernel crash.<br />
<br />
This hidden issue got highlighted after enabling Power Save by default<br />
in 4183a7be7700 (Bluetooth: btnxpuart: Enable Power Save feature on<br />
startup)<br />
<br />
The new ps_cleanup() deasserts UART break immediately while closing<br />
serdev device, cancels any scheduled ps_work and destroys the ps_lock<br />
mutex.<br />
<br />
[ 85.884604] Unable to handle kernel paging request at virtual address ffffd4a61638f258<br />
[ 85.884624] Mem abort info:<br />
[ 85.884625] ESR = 0x0000000086000007<br />
[ 85.884628] EC = 0x21: IABT (current EL), IL = 32 bits<br />
[ 85.884633] SET = 0, FnV = 0<br />
[ 85.884636] EA = 0, S1PTW = 0<br />
[ 85.884638] FSC = 0x07: level 3 translation fault<br />
[ 85.884642] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000041dd0000<br />
[ 85.884646] [ffffd4a61638f258] pgd=1000000095fff003, p4d=1000000095fff003, pud=100000004823d003, pmd=100000004823e003, pte=0000000000000000<br />
[ 85.884662] Internal error: Oops: 0000000086000007 [#1] PREEMPT SMP<br />
[ 85.890932] Modules linked in: algif_hash algif_skcipher af_alg overlay fsl_jr_uio caam_jr caamkeyblob_desc caamhash_desc caamalg_desc crypto_engine authenc libdes crct10dif_ce polyval_ce polyval_generic snd_soc_imx_spdif snd_soc_imx_card snd_soc_ak5558 snd_soc_ak4458 caam secvio error snd_soc_fsl_spdif snd_soc_fsl_micfil snd_soc_fsl_sai snd_soc_fsl_utils gpio_ir_recv rc_core fuse [last unloaded: btnxpuart(O)]<br />
[ 85.927297] CPU: 1 PID: 67 Comm: kworker/1:3 Tainted: G O 6.1.36+g937b1be4345a #1<br />
[ 85.936176] Hardware name: FSL i.MX8MM EVK board (DT)<br />
[ 85.936182] Workqueue: events 0xffffd4a61638f380<br />
[ 85.936198] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br />
[ 85.952817] pc : 0xffffd4a61638f258<br />
[ 85.952823] lr : 0xffffd4a61638f258<br />
[ 85.952827] sp : ffff8000084fbd70<br />
[ 85.952829] x29: ffff8000084fbd70 x28: 0000000000000000 x27: 0000000000000000<br />
[ 85.963112] x26: ffffd4a69133f000 x25: ffff4bf1c8540990 x24: ffff4bf215b87305<br />
[ 85.963119] x23: ffff4bf215b87300 x22: ffff4bf1c85409d0 x21: ffff4bf1c8540970<br />
[ 85.977382] x20: 0000000000000000 x19: ffff4bf1c8540880 x18: 0000000000000000<br />
[ 85.977391] x17: 0000000000000000 x16: 0000000000000133 x15: 0000ffffe2217090<br />
[ 85.977399] x14: 0000000000000001 x13: 0000000000000133 x12: 0000000000000139<br />
[ 85.977407] x11: 0000000000000001 x10: 0000000000000a60 x9 : ffff8000084fbc50<br />
[ 85.977417] x8 : ffff4bf215b7d000 x7 : ffff4bf215b83b40 x6 : 00000000000003e8<br />
[ 85.977424] x5 : 00000000410fd030 x4 : 0000000000000000 x3 : 0000000000000000<br />
[ 85.977432] x2 : 0000000000000000 x1 : ffff4bf1c4265880 x0 : 0000000000000000<br />
[ 85.977443] Call trace:<br />
[ 85.977446] 0xffffd4a61638f258<br />
[ 85.977451] 0xffffd4a61638f3e8<br />
[ 85.977455] process_one_work+0x1d4/0x330<br />
[ 85.977464] worker_thread+0x6c/0x430<br />
[ 85.977471] kthread+0x108/0x10c<br />
[ 85.977476] ret_from_fork+0x10/0x20<br />
[ 85.977488] Code: bad PC value<br />
[ 85.977491] ---[ end trace 0000000000000000 ]---<br />
<br />
Preset since v6.9.11
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.4 (including) | 6.6.49 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.10.8 (excluding) |
cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:* | ||
cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:* | ||
cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:* | ||
cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:* | ||
cpe:2.3:o:linux:linux_kernel:6.11:rc5:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page