Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2024-54191

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
11/01/2025
Last modified:
01/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: iso: Fix circular lock in iso_conn_big_sync<br /> <br /> This fixes the circular locking dependency warning below, by reworking<br /> iso_sock_recvmsg, to ensure that the socket lock is always released<br /> before calling a function that locks hdev.<br /> <br /> [ 561.670344] ======================================================<br /> [ 561.670346] WARNING: possible circular locking dependency detected<br /> [ 561.670349] 6.12.0-rc6+ #26 Not tainted<br /> [ 561.670351] ------------------------------------------------------<br /> [ 561.670353] iso-tester/3289 is trying to acquire lock:<br /> [ 561.670355] ffff88811f600078 (&amp;hdev-&gt;lock){+.+.}-{3:3},<br /> at: iso_conn_big_sync+0x73/0x260 [bluetooth]<br /> [ 561.670405]<br /> but task is already holding lock:<br /> [ 561.670407] ffff88815af58258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0},<br /> at: iso_sock_recvmsg+0xbf/0x500 [bluetooth]<br /> [ 561.670450]<br /> which lock already depends on the new lock.<br /> <br /> [ 561.670452]<br /> the existing dependency chain (in reverse order) is:<br /> [ 561.670453]<br /> -&gt; #2 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}:<br /> [ 561.670458] lock_acquire+0x7c/0xc0<br /> [ 561.670463] lock_sock_nested+0x3b/0xf0<br /> [ 561.670467] bt_accept_dequeue+0x1a5/0x4d0 [bluetooth]<br /> [ 561.670510] iso_sock_accept+0x271/0x830 [bluetooth]<br /> [ 561.670547] do_accept+0x3dd/0x610<br /> [ 561.670550] __sys_accept4+0xd8/0x170<br /> [ 561.670553] __x64_sys_accept+0x74/0xc0<br /> [ 561.670556] x64_sys_call+0x17d6/0x25f0<br /> [ 561.670559] do_syscall_64+0x87/0x150<br /> [ 561.670563] entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> [ 561.670567]<br /> -&gt; #1 (sk_lock-AF_BLUETOOTH-BTPROTO_ISO){+.+.}-{0:0}:<br /> [ 561.670571] lock_acquire+0x7c/0xc0<br /> [ 561.670574] lock_sock_nested+0x3b/0xf0<br /> [ 561.670577] iso_sock_listen+0x2de/0xf30 [bluetooth]<br /> [ 561.670617] __sys_listen_socket+0xef/0x130<br /> [ 561.670620] __x64_sys_listen+0xe1/0x190<br /> [ 561.670623] x64_sys_call+0x2517/0x25f0<br /> [ 561.670626] do_syscall_64+0x87/0x150<br /> [ 561.670629] entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> [ 561.670632]<br /> -&gt; #0 (&amp;hdev-&gt;lock){+.+.}-{3:3}:<br /> [ 561.670636] __lock_acquire+0x32ad/0x6ab0<br /> [ 561.670639] lock_acquire.part.0+0x118/0x360<br /> [ 561.670642] lock_acquire+0x7c/0xc0<br /> [ 561.670644] __mutex_lock+0x18d/0x12f0<br /> [ 561.670647] mutex_lock_nested+0x1b/0x30<br /> [ 561.670651] iso_conn_big_sync+0x73/0x260 [bluetooth]<br /> [ 561.670687] iso_sock_recvmsg+0x3e9/0x500 [bluetooth]<br /> [ 561.670722] sock_recvmsg+0x1d5/0x240<br /> [ 561.670725] sock_read_iter+0x27d/0x470<br /> [ 561.670727] vfs_read+0x9a0/0xd30<br /> [ 561.670731] ksys_read+0x1a8/0x250<br /> [ 561.670733] __x64_sys_read+0x72/0xc0<br /> [ 561.670736] x64_sys_call+0x1b12/0x25f0<br /> [ 561.670738] do_syscall_64+0x87/0x150<br /> [ 561.670741] entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> [ 561.670744]<br /> other info that might help us debug this:<br /> <br /> [ 561.670745] Chain exists of:<br /> &amp;hdev-&gt;lock --&gt; sk_lock-AF_BLUETOOTH-BTPROTO_ISO --&gt; sk_lock-AF_BLUETOOTH<br /> <br /> [ 561.670751] Possible unsafe locking scenario:<br /> <br /> [ 561.670753] CPU0 CPU1<br /> [ 561.670754] ---- ----<br /> [ 561.670756] lock(sk_lock-AF_BLUETOOTH);<br /> [ 561.670758] lock(sk_lock<br /> AF_BLUETOOTH-BTPROTO_ISO);<br /> [ 561.670761] lock(sk_lock-AF_BLUETOOTH);<br /> [ 561.670764] lock(&amp;hdev-&gt;lock);<br /> [ 561.670767]<br /> *** DEADLOCK ***

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.11.11 (including) 6.12 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.12.2 (including) 6.12.6 (excluding)
cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools