5.5

CVE-2024-26801

Bluetooth: Avoid potential use-after-free in hci_error_reset

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: Avoid potential use-after-free in hci_error_reset

While handling the HCI_EV_HARDWARE_ERROR event, if the underlying
BT controller is not responding, the GPIO reset mechanism would
free the hci_dev and lead to a use-after-free in hci_error_reset.

Here's the call trace observed on a ChromeOS device with Intel AX201:
   queue_work_on+0x3e/0x6c
   __hci_cmd_sync_sk+0x2ee/0x4c0 [bluetooth <HASH:3b4a6>]
   ? init_wait_entry+0x31/0x31
   __hci_cmd_sync+0x16/0x20 [bluetooth <HASH:3b4a 6>]
   hci_error_reset+0x4f/0xa4 [bluetooth <HASH:3b4a 6>]
   process_one_work+0x1d8/0x33f
   worker_thread+0x21b/0x373
   kthread+0x13a/0x152
   ? pr_cont_work+0x54/0x54
   ? kthread_blkcg+0x31/0x31
    ret_from_fork+0x1f/0x30

This patch holds the reference count on the hci_dev while processing
a HCI_EV_HARDWARE_ERROR event to avoid potential crash.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 4.0 < 4.19.309
LinuxLinux Kernel Version >= 4.20 < 5.4.271
LinuxLinux Kernel Version >= 5.5 < 5.10.212
LinuxLinux Kernel Version >= 5.11 < 5.15.151
LinuxLinux Kernel Version >= 5.16 < 6.1.81
LinuxLinux Kernel Version >= 6.2 < 6.6.21
LinuxLinux Kernel Version >= 6.7 < 6.7.9
LinuxLinux Kernel Version6.8 Updaterc1
LinuxLinux Kernel Version6.8 Updaterc2
LinuxLinux Kernel Version6.8 Updaterc3
LinuxLinux Kernel Version6.8 Updaterc4
LinuxLinux Kernel Version6.8 Updaterc5
LinuxLinux Kernel Version6.8 Updaterc6
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.28% 0.196
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.5 1.8 3.6
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
Patch
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
Patch
https://git.kernel.org/stable/c/2449007d3f73b2842c9734f45f0aadb522daf592
Patch
https://git.kernel.org/stable/c/2ab9a19d896f5a0dd386e1f001c5309bc35f433b
Patch
https://git.kernel.org/stable/c/45085686b9559bfbe3a4f41d3d695a520668f5e1
Patch
https://git.kernel.org/stable/c/6dd0a9dfa99f8990a08eb8fdd8e79bee31c7d8e2
Patch
https://git.kernel.org/stable/c/98fb98fd37e42fd4ce13ff657ea64503e24b6090
Patch
https://git.kernel.org/stable/c/da4569d450b193e39e87119fd316c0291b585d14
Patch
https://git.kernel.org/stable/c/dd594cdc24f2e48dab441732e6dfcafd6b0711d1
Patch
https://git.kernel.org/stable/c/e0b278650f07acf2e0932149183458468a731c03
Patch