CVE-2024-56653

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: btmtk: avoid UAF in btmtk_process_coredump<br /> <br /> hci_devcd_append may lead to the release of the skb, so it cannot be<br /> accessed once it is called.<br /> <br /> ==================================================================<br /> BUG: KASAN: slab-use-after-free in btmtk_process_coredump+0x2a7/0x2d0 [btmtk]<br /> Read of size 4 at addr ffff888033cfabb0 by task kworker/0:3/82<br /> <br /> CPU: 0 PID: 82 Comm: kworker/0:3 Tainted: G U 6.6.40-lockdep-03464-g1d8b4eb3060e #1 b0b3c1cc0c842735643fb411799d97921d1f688c<br /> Hardware name: Google Yaviks_Ufs/Yaviks_Ufs, BIOS Google_Yaviks_Ufs.15217.552.0 05/07/2024<br /> Workqueue: events btusb_rx_work [btusb]<br /> Call Trace:<br /> <br /> dump_stack_lvl+0xfd/0x150<br /> print_report+0x131/0x780<br /> kasan_report+0x177/0x1c0<br /> btmtk_process_coredump+0x2a7/0x2d0 [btmtk 03edd567dd71a65958807c95a65db31d433e1d01]<br /> btusb_recv_acl_mtk+0x11c/0x1a0 [btusb 675430d1e87c4f24d0c1f80efe600757a0f32bec]<br /> btusb_rx_work+0x9e/0xe0 [btusb 675430d1e87c4f24d0c1f80efe600757a0f32bec]<br /> worker_thread+0xe44/0x2cc0<br /> kthread+0x2ff/0x3a0<br /> ret_from_fork+0x51/0x80<br /> ret_from_fork_asm+0x1b/0x30<br /> <br /> <br /> Allocated by task 82:<br /> stack_trace_save+0xdc/0x190<br /> kasan_set_track+0x4e/0x80<br /> __kasan_slab_alloc+0x4e/0x60<br /> kmem_cache_alloc+0x19f/0x360<br /> skb_clone+0x132/0xf70<br /> btusb_recv_acl_mtk+0x104/0x1a0 [btusb]<br /> btusb_rx_work+0x9e/0xe0 [btusb]<br /> worker_thread+0xe44/0x2cc0<br /> kthread+0x2ff/0x3a0<br /> ret_from_fork+0x51/0x80<br /> ret_from_fork_asm+0x1b/0x30<br /> <br /> Freed by task 1733:<br /> stack_trace_save+0xdc/0x190<br /> kasan_set_track+0x4e/0x80<br /> kasan_save_free_info+0x28/0xb0<br /> ____kasan_slab_free+0xfd/0x170<br /> kmem_cache_free+0x183/0x3f0<br /> hci_devcd_rx+0x91a/0x2060 [bluetooth]<br /> worker_thread+0xe44/0x2cc0<br /> kthread+0x2ff/0x3a0<br /> ret_from_fork+0x51/0x80<br /> ret_from_fork_asm+0x1b/0x30<br /> <br /> The buggy address belongs to the object at ffff888033cfab40<br /> which belongs to the cache skbuff_head_cache of size 232<br /> The buggy address is located 112 bytes inside of<br /> freed 232-byte region [ffff888033cfab40, ffff888033cfac28)<br /> <br /> The buggy address belongs to the physical page:<br /> page:00000000a174ba93 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x33cfa<br /> head:00000000a174ba93 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0<br /> anon flags: 0x4000000000000840(slab|head|zone=1)<br /> page_type: 0xffffffff()<br /> raw: 4000000000000840 ffff888100848a00 0000000000000000 0000000000000001<br /> raw: 0000000000000000 0000000080190019 00000001ffffffff 0000000000000000<br /> page dumped because: kasan: bad access detected<br /> <br /> Memory state around the buggy address:<br /> ffff888033cfaa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc<br /> ffff888033cfab00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb<br /> &gt;ffff888033cfab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> ^<br /> ffff888033cfac00: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc<br /> ffff888033cfac80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> ==================================================================<br /> <br /> Check if we need to call hci_devcd_complete before calling<br /> hci_devcd_append. That requires that we check data-&gt;cd_info.cnt &gt;=<br /> MTK_COREDUMP_NUM instead of data-&gt;cd_info.cnt &gt; MTK_COREDUMP_NUM, as we<br /> increment data-&gt;cd_info.cnt only once the call to hci_devcd_append<br /> succeeds.