ACK: [SRU][M][PATCH 0/2] CVE-2024-26890

Tim Gardner tim.gardner at canonical.com
Mon May 13 14:51:10 UTC 2024 

On 5/1/24 01:18, Bethany Jamison wrote:
> [Impact]
> 
>   In the Linux kernel, the following vulnerability has been resolved:
> 
>   Bluetooth: btrtl: fix out of bounds memory access
> 
>   The problem is detected by KASAN.
>   btrtl driver uses private hci data to store 'struct btrealtek_data'.
>   If btrtl driver is used with btusb, then memory for private hci data
>   is allocated in btusb. But no private data is allocated after hci_dev,
>   when btrtl is used with hci_h5.
> 
>   This commit adds memory allocation for hci_h5 case.
> 
>    ==================================================================
>    BUG: KASAN: slab-out-of-bounds in btrtl_initialize+0x6cc/0x958 [btrtl]
>    Write of size 8 at addr ffff00000f5a5748 by task kworker/u9:0/76
> 
>    Hardware name: Pine64 PinePhone (1.2) (DT)
>    Workqueue: hci0 hci_power_on [bluetooth]
>    Call trace:
>     dump_backtrace+0x9c/0x128
>     show_stack+0x20/0x38
>     dump_stack_lvl+0x48/0x60
>     print_report+0xf8/0x5d8
>     kasan_report+0x90/0xd0
>     __asan_store8+0x9c/0xc0
>           [btrtl]
>     h5_btrtl_setup+0xd0/0x2f8 [hci_uart]
>     h5_setup+0x50/0x80 [hci_uart]
>     hci_uart_setup+0xd4/0x260 [hci_uart]
>     hci_dev_open_sync+0x1cc/0xf68 [bluetooth]
>     hci_dev_do_open+0x34/0x90 [bluetooth]
>     hci_power_on+0xc4/0x3c8 [bluetooth]
>     process_one_work+0x328/0x6f0
>     worker_thread+0x410/0x778
>     kthread+0x168/0x178
>     ret_from_fork+0x10/0x20
> 
>   Allocated by task 53:
>     kasan_save_stack+0x3c/0x68
>     kasan_save_track+0x20/0x40
>     kasan_save_alloc_info+0x68/0x78
>     __kasan_kmalloc+0xd4/0xd8
>     __kmalloc+0x1b4/0x3b0
>     hci_alloc_dev_priv+0x28/0xa58 [bluetooth]
>     hci_uart_register_device+0x118/0x4f8 [hci_uart]
>     h5_serdev_probe+0xf4/0x178 [hci_uart]
>     serdev_drv_probe+0x54/0xa0
>     really_probe+0x254/0x588
>     __driver_probe_device+0xc4/0x210
>     driver_probe_device+0x64/0x160
>     __driver_attach_async_helper+0x88/0x158
>     async_run_entry_fn+0xd0/0x388
>     process_one_work+0x328/0x6f0
>     worker_thread+0x410/0x778
>     kthread+0x168/0x178
>     ret_from_fork+0x10/0x20
> 
>   Last potentially related work creation:
>     kasan_save_stack+0x3c/0x68
>     __kasan_record_aux_stack+0xb0/0x150
>     kasan_record_aux_stack_noalloc+0x14/0x20
>     __queue_work+0x33c/0x960
>     queue_work_on+0x98/0xc0
>     hci_recv_frame+0xc8/0x1e8 [bluetooth]
>     h5_complete_rx_pkt+0x2c8/0x800 [hci_uart]
>     h5_rx_payload+0x98/0xb8 [hci_uart]
>     h5_recv+0x158/0x3d8 [hci_uart]
>     hci_uart_receive_buf+0xa0/0xe8 [hci_uart]
>     ttyport_receive_buf+0xac/0x178
>     flush_to_ldisc+0x130/0x2c8
>     process_one_work+0x328/0x6f0
>     worker_thread+0x410/0x778
>     kthread+0x168/0x178
>     ret_from_fork+0x10/0x20
> 
>   Second to last potentially related work creation:
>     kasan_save_stack+0x3c/0x68
>     __kasan_record_aux_stack+0xb0/0x150
>     kasan_record_aux_stack_noalloc+0x14/0x20
>     __queue_work+0x788/0x960
>     queue_work_on+0x98/0xc0
>     __hci_cmd_sync_sk+0x23c/0x7a0 [bluetooth]
>     __hci_cmd_sync+0x24/0x38 [bluetooth]
>     btrtl_initialize+0x760/0x958 [btrtl]
>     h5_btrtl_setup+0xd0/0x2f8 [hci_uart]
>     h5_setup+0x50/0x80 [hci_uart]
>     hci_uart_setup+0xd4/0x260 [hci_uart]
>     hci_dev_open_sync+0x1cc/0xf68 [bluetooth]
>     hci_dev_do_open+0x34/0x90 [bluetooth]
>     hci_power_on+0xc4/0x3c8 [bluetooth]
>     process_one_work+0x328/0x6f0
>     worker_thread+0x410/0x778
>     kthread+0x168/0x178
>     ret_from_fork+0x10/0x20
> 
> [Fix]
> 
> Mantic:	Clean cherry-pick from prereq commit and linux-6.6.y
> Jammy:	not-affected
> Focal:	not-affected
> Bionic:	not-affected
> Xenial:	not-affected
> Trusty:	not-affected
> 
> [Test Case]
> 
> Compile and boot tested.
> 
> [Where problems could occur]
> 
> This fix affects those who use the bluetooth driver for Realtek
> devices, an issue with this fix would be visable to the user via
> data corruption, unpredicted system behavior, or a system crash.
> 
> Andrey Skvortsov (2):
>    Bluetooth: hci_h5: Add ability to allocate memory for private data
>    Bluetooth: btrtl: fix out of bounds memory access
> 
>   drivers/bluetooth/hci_h5.c     |  5 ++++-
>   drivers/bluetooth/hci_serdev.c |  9 +++++----
>   drivers/bluetooth/hci_uart.h   | 12 +++++++++++-
>   3 files changed, 20 insertions(+), 6 deletions(-)
> 
Acked-by: Tim Gardner <tim.gardner at canonical.com>
-- 
-----------
Tim Gardner
Canonical, Inc

More information about the kernel-team mailing list