CVE-2024-36968
Severity CVSS v4.0:
Pending analysis
Type:
CWE-190
Integer Overflow or Wraparound
Publication date:
08/06/2024
Last modified:
17/07/2024
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
Bluetooth: L2CAP: Fix div-by-zero in l2cap_le_flowctl_init()<br />
<br />
l2cap_le_flowctl_init() can cause both div-by-zero and an integer<br />
overflow since hdev->le_mtu may not fall in the valid range.<br />
<br />
Move MTU from hci_dev to hci_conn to validate MTU and stop the connection<br />
process earlier if MTU is invalid.<br />
Also, add a missing validation in read_buffer_size() and make it return<br />
an error value if the validation fails.<br />
Now hci_conn_add() returns ERR_PTR() as it can fail due to the both a<br />
kzalloc failure and invalid MTU value.<br />
<br />
divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI<br />
CPU: 0 PID: 67 Comm: kworker/u5:0 Tainted: G W 6.9.0-rc5+ #20<br />
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014<br />
Workqueue: hci0 hci_rx_work<br />
RIP: 0010:l2cap_le_flowctl_init+0x19e/0x3f0 net/bluetooth/l2cap_core.c:547<br />
Code: e8 17 17 0c 00 66 41 89 9f 84 00 00 00 bf 01 00 00 00 41 b8 02 00 00 00 4c<br />
89 fe 4c 89 e2 89 d9 e8 27 17 0c 00 44 89 f0 31 d2 f7 f3 89 c3 ff c3 4d 8d<br />
b7 88 00 00 00 4c 89 f0 48 c1 e8 03 42<br />
RSP: 0018:ffff88810bc0f858 EFLAGS: 00010246<br />
RAX: 00000000000002a0 RBX: 0000000000000000 RCX: dffffc0000000000<br />
RDX: 0000000000000000 RSI: ffff88810bc0f7c0 RDI: ffffc90002dcb66f<br />
RBP: ffff88810bc0f880 R08: aa69db2dda70ff01 R09: 0000ffaaaaaaaaaa<br />
R10: 0084000000ffaaaa R11: 0000000000000000 R12: ffff88810d65a084<br />
R13: dffffc0000000000 R14: 00000000000002a0 R15: ffff88810d65a000<br />
FS: 0000000000000000(0000) GS:ffff88811ac00000(0000) knlGS:0000000000000000<br />
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br />
CR2: 0000000020000100 CR3: 0000000103268003 CR4: 0000000000770ef0<br />
PKRU: 55555554<br />
Call Trace:<br />
<br />
l2cap_le_connect_req net/bluetooth/l2cap_core.c:4902 [inline]<br />
l2cap_le_sig_cmd net/bluetooth/l2cap_core.c:5420 [inline]<br />
l2cap_le_sig_channel net/bluetooth/l2cap_core.c:5486 [inline]<br />
l2cap_recv_frame+0xe59d/0x11710 net/bluetooth/l2cap_core.c:6809<br />
l2cap_recv_acldata+0x544/0x10a0 net/bluetooth/l2cap_core.c:7506<br />
hci_acldata_packet net/bluetooth/hci_core.c:3939 [inline]<br />
hci_rx_work+0x5e5/0xb20 net/bluetooth/hci_core.c:4176<br />
process_one_work kernel/workqueue.c:3254 [inline]<br />
process_scheduled_works+0x90f/0x1530 kernel/workqueue.c:3335<br />
worker_thread+0x926/0xe70 kernel/workqueue.c:3416<br />
kthread+0x2e3/0x380 kernel/kthread.c:388<br />
ret_from_fork+0x5c/0x90 arch/x86/kernel/process.c:147<br />
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244<br />
<br />
Modules linked in:<br />
---[ end trace 0000000000000000 ]---
Impact
Base Score 3.x
6.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 2.6.39 (including) | 6.6.32 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.8.11 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.9 (including) | 6.9.2 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/4d3dbaa252257d20611c3647290e6171f1bbd6c8
- https://git.kernel.org/stable/c/a5b862c6a221459d54e494e88965b48dcfa6cc44
- https://git.kernel.org/stable/c/ad3f7986c5a0f82b8b66a0afe1cc1f5421e1d674
- https://git.kernel.org/stable/c/d2b2f7d3936dc5990549bc36ab7ac7ac37f22c30
- https://git.kernel.org/stable/c/dfece2b4e3759759b2bdfac2cd6d0ee9fbf055f3