[SRU][N][PATCH 0/1] CVE-2024-50148
Massimiliano Pellizzer
massimiliano.pellizzer at canonical.com
Wed Jan 22 21:52:30 UTC 2025
[Impact]
Bluetooth: bnep: fix wild-memory-access in proto_unregister
There's issue as follows:
KASAN: maybe wild-memory-access in range [0xdead...108-0xdead...10f]
CPU: 3 UID: 0 PID: 2805 Comm: rmmod Tainted: G W
RIP: 0010:proto_unregister+0xee/0x400
Call Trace:
<TASK>
__do_sys_delete_module+0x318/0x580
do_syscall_64+0xc1/0x1d0
entry_SYSCALL_64_after_hwframe+0x77/0x7f
As bnep_init() ignore bnep_sock_init()'s return value, and bnep_sock_init()
will cleanup all resource. Then when remove bnep module will call
bnep_sock_cleanup() to cleanup sock's resource.
To solve above issue just return bnep_sock_init()'s return value in
bnep_exit().
[Fix]
Oracular: Fixed via upstream stable updates (95df8ca962fbb0)
Noble: Clean cherry pick from mainline
Jammy: Fixed via upstream stable updates (1e95961320e711)
Focal: Fixed via upstream stable updates (84e3d4d674f693)
Bionic: Sent to ESM ML
Xenial: Sent to ESM ML
Trusty: Not affected
[Test Case]
Compile and boot tested.
Loaded and unloaded successfully the kernel module bnep.
[Where problems could occur]
A regression here is unlikely due to the very limited scope of the
patch.
Ye Bin (1):
Bluetooth: bnep: fix wild-memory-access in proto_unregister
net/bluetooth/bnep/core.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--
2.43.0
More information about the kernel-team
mailing list