CVE-2024-56653

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-56653
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-56653.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-56653
Downstream
Related
Published
2024-12-27T15:06:17Z
Modified
2025-10-14T21:30:23.349654Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Bluetooth: btmtk: avoid UAF in btmtk_process_coredump
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btmtk: avoid UAF in btmtk_process_coredump

hci_devcd_append may lead to the release of the skb, so it cannot be accessed once it is called.

==================================================================
BUG: KASAN: slab-use-after-free in btmtk_process_coredump+0x2a7/0x2d0 [btmtk]
Read of size 4 at addr ffff888033cfabb0 by task kworker/0:3/82

CPU: 0 PID: 82 Comm: kworker/0:3 Tainted: G     U             6.6.40-lockdep-03464-g1d8b4eb3060e #1 b0b3c1cc0c842735643fb411799d97921d1f688c
Hardware name: Google YaviksUfs/YaviksUfs, BIOS Google_YaviksUfs.15217.552.0 05/07/2024
Workqueue: events btusb_rx_work [btusb]
Call Trace:
 <TASK>
 dump_stack_lvl+0xfd/0x150
 print_report+0x131/0x780
 kasan_report+0x177/0x1c0
 btmtk_process_coredump+0x2a7/0x2d0 [btmtk 03edd567dd71a65958807c95a65db31d433e1d01]
 btusb_recv_acl_mtk+0x11c/0x1a0 [btusb 675430d1e87c4f24d0c1f80efe600757a0f32bec]
 btusb_rx_work+0x9e/0xe0 [btusb 675430d1e87c4f24d0c1f80efe600757a0f32bec]
 worker_thread+0xe44/0x2cc0
 kthread+0x2ff/0x3a0
 ret_from_fork+0x51/0x80
 ret_from_fork_asm+0x1b/0x30
 </TASK>

Allocated by task 82:
 stack_trace_save+0xdc/0x190
 kasan_set_track+0x4e/0x80
 __kasan_slab_alloc+0x4e/0x60
 kmem_cache_alloc+0x19f/0x360
 skb_clone+0x132/0xf70
 btusb_recv_acl_mtk+0x104/0x1a0 [btusb]
 btusb_rx_work+0x9e/0xe0 [btusb]
 worker_thread+0xe44/0x2cc0
 kthread+0x2ff/0x3a0
 ret_from_fork+0x51/0x80
 ret_from_fork_asm+0x1b/0x30

Freed by task 1733:
 stack_trace_save+0xdc/0x190
 kasan_set_track+0x4e/0x80
 kasan_save_free_info+0x28/0xb0
 __kasan_slab_free+0xfd/0x170
 kmem_cache_free+0x183/0x3f0
 hci_devcd_rx+0x91a/0x2060 [bluetooth]
 worker_thread+0xe44/0x2cc0
 kthread+0x2ff/0x3a0
 ret_from_fork+0x51/0x80
 ret_from_fork_asm+0x1b/0x30

The buggy address belongs to the object at ffff888033cfab40
 which belongs to the cache skbuff_head_cache of size 232
The buggy address is located 112 bytes inside of
 freed 232-byte region [ffff888033cfab40, ffff888033cfac28)

The buggy address belongs to the physical page:
page:00000000a174ba93 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x33cfa
head:00000000a174ba93 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0x4000000000000840(slab|head|zone=1)
page_type: 0xffffffff()
raw: 4000000000000840 ffff888100848a00 0000000000000000 0000000000000001
raw: 0000000000000000 0000000080190019 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888033cfaa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
 ffff888033cfab00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
>ffff888033cfab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff888033cfac00: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
 ffff888033cfac80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

Check if we need to call hci_devcd_complete before calling hci_devcd_append. That requires that we check data->cd_info.cnt >= MTK_COREDUMP_NUM instead of data->cd_info.cnt > MTK_COREDUMP_NUM, as we increment data->cd_info.cnt only once the call to hci_devcd_append succeeds.
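The ordering the commit message describes, as an added stand-alone C model that is not the btmtk driver's code: a chunk is inspected for the end marker before it is handed to the append call (which, like hci_devcd_append, may free it), and the "end of dump" decision is taken with >= because the chunk counter is only incremented after a successful append. The constants COREDUMP_NUM and COREDUMP_END, the struct names and the mock_devcd_* functions are assumptions chosen for the example; the driver's real values are not on this page.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for MTK_COREDUMP_NUM and the end marker; the
 * real driver values are not on this page. */
#define COREDUMP_NUM 3
#define COREDUMP_END "coredump end"
#define COREDUMP_END_LEN (sizeof(COREDUMP_END) - 1)

struct chunk {            /* toy stand-in for a struct sk_buff */
    size_t len;
    unsigned char *data;
};

struct cd_state {         /* toy stand-in for data->cd_info */
    int cnt;              /* chunks appended so far */
    int completed;        /* set by the mock of hci_devcd_complete */
    int appended;
};

static struct chunk *chunk_new(const char *s) {
    struct chunk *c = malloc(sizeof *c);
    c->len = strlen(s);
    c->data = malloc(c->len);
    memcpy(c->data, s, c->len);
    return c;
}

/* Mock of hci_devcd_append: takes ownership of the chunk and frees it, the
 * behaviour the commit message warns about. The caller must not touch `c`
 * after this returns. */
static int mock_devcd_append(struct cd_state *st, struct chunk *c) {
    st->appended++;
    free(c->data);
    free(c);
    return 0;
}

static void mock_devcd_complete(struct cd_state *st) { st->completed = 1; }

static int is_end_chunk(const struct chunk *c) {
    return c->len > COREDUMP_END_LEN &&
           memcmp(c->data + c->len - COREDUMP_END_LEN,
                  COREDUMP_END, COREDUMP_END_LEN) == 0;
}

/* Fixed ordering: every read of the chunk happens before append. cnt counts
 * previously appended chunks, so "this is beyond COREDUMP_NUM chunks" is
 * cnt >= COREDUMP_NUM here, not cnt > COREDUMP_NUM as it was after cnt++. */
static int process_chunk(struct cd_state *st, struct chunk *c) {
    if (st->cnt >= COREDUMP_NUM && is_end_chunk(c))
        mock_devcd_complete(st);
    if (mock_devcd_append(st, c) < 0)   /* c must not be used past this line */
        return -1;
    st->cnt++;
    return 0;
}

/* Feed a dump of n chunks whose last chunk carries the end marker. Returns
 * the 1-based chunk index at which completion was signalled, 0 if never. */
static int run_dump(int n) {
    struct cd_state st = {0, 0, 0};
    for (int i = 1; i <= n; i++) {
        struct chunk *c = chunk_new(i == n ? "payload " COREDUMP_END : "payload");
        if (process_chunk(&st, c) < 0)
            return -1;
        if (st.completed)
            return i;
    }
    return 0;
}

/* The equivalence the fix relies on: the old test ran after cnt++ with '>',
 * the new one runs before cnt++ with '>='. They agree for every count. */
static int old_and_new_agree(int cnt_before_append) {
    int old_test = (cnt_before_append + 1) > COREDUMP_NUM;
    int new_test = cnt_before_append >= COREDUMP_NUM;
    return old_test == new_test;
}
```

run_dump(4) completes on the fourth chunk: at that point cnt is 3, which satisfies >= 3 but would not satisfy > 3, which is why moving the check ahead of the append also required changing the comparison.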

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0b70151328781a89c89e4cf3fae21fc0e98d869e
Fixed
ecdcaea0e4057171ea4c3783e1cc1c900ad99125
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0b70151328781a89c89e4cf3fae21fc0e98d869e
Fixed
d20ff1d3cb40479789368f502eedb0a00e4161fc
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0b70151328781a89c89e4cf3fae21fc0e98d869e
Fixed
b548f5e9456c568155499d9ebac675c0d7a296e8

Affected versions

v6.*

v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.2
v6.12.3
v6.12.4
v6.12.5
v6.13-rc1
v6.5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.3
v6.6.30
v6.6.31
v6.6.32
v6.6.33
v6.6.34
v6.6.35
v6.6.36
v6.6.37
v6.6.38
v6.6.39
v6.6.4
v6.6.40
v6.6.41
v6.6.42
v6.6.43
v6.6.44
v6.6.45
v6.6.46
v6.6.47
v6.6.48
v6.6.49
v6.6.5
v6.6.50
v6.6.51
v6.6.52
v6.6.53
v6.6.54
v6.6.55
v6.6.56
v6.6.57
v6.6.58
v6.6.59
v6.6.6
v6.6.60
v6.6.61
v6.6.62
v6.6.63
v6.6.64
v6.6.65
v6.6.66
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Database specific

{
    "vanir_signatures": [
        {
            "target": {
                "file": "drivers/bluetooth/btmtk.c",
                "function": "btmtk_process_coredump"
            },
            "signature_version": "v1",
            "digest": {
                "length": 883.0,
                "function_hash": "129318404092335620282011670122398288291"
            },
            "id": "CVE-2024-56653-00e6b280",
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b548f5e9456c568155499d9ebac675c0d7a296e8",
            "signature_type": "Function"
        },
        {
            "target": {
                "file": "drivers/bluetooth/btmtk.c"
            },
            "signature_version": "v1",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "318434091406538274980478790899425449034",
                    "309661916878606289375171195327237299483",
                    "115527264333147166089047356539577619807",
                    "79831777695047036664418283094426715132",
                    "224019476984799952962733906334926689363",
                    "95349911748326466342158559247086264217",
                    "305053613467974279922422611353782134110",
                    "318733821704120982228484939861110038833",
                    "313435958741607436609255560211688410085",
                    "338448916266391042329571449534294817351",
                    "28600178698272099479356897437273721773",
                    "180539902635826074899930644332070064664",
                    "40584776914545087833614134141630362972",
                    "50625970161735976019799793171283269876",
                    "318549121672618072065131921198954800635",
                    "329653033317071127434388048170924836821",
                    "131626896306501676172126016561382152715",
                    "107974468671408301127976837041725439319",
                    "306789643481080601051252993730501328429"
                ]
            },
            "id": "CVE-2024-56653-7fc9075f",
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b548f5e9456c568155499d9ebac675c0d7a296e8",
            "signature_type": "Line"
        },
        {
            "target": {
                "file": "drivers/bluetooth/btmtk.c"
            },
            "signature_version": "v1",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "211090639320682045668233446706979406378",
                    "279656770597310521450774911510678278056",
                    "316407119192089143715698476304221921124",
                    "79831777695047036664418283094426715132",
                    "224019476984799952962733906334926689363",
                    "95349911748326466342158559247086264217",
                    "305053613467974279922422611353782134110",
                    "318733821704120982228484939861110038833",
                    "313435958741607436609255560211688410085",
                    "338448916266391042329571449534294817351",
                    "28600178698272099479356897437273721773",
                    "180539902635826074899930644332070064664",
                    "40584776914545087833614134141630362972",
                    "50625970161735976019799793171283269876",
                    "318549121672618072065131921198954800635",
                    "329653033317071127434388048170924836821",
                    "131626896306501676172126016561382152715",
                    "107974468671408301127976837041725439319",
                    "306789643481080601051252993730501328429"
                ]
            },
            "id": "CVE-2024-56653-be91a202",
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ecdcaea0e4057171ea4c3783e1cc1c900ad99125",
            "signature_type": "Line"
        },
        {
            "target": {
                "file": "drivers/bluetooth/btmtk.c",
                "function": "btmtk_process_coredump"
            },
            "signature_version": "v1",
            "digest": {
                "length": 883.0,
                "function_hash": "129318404092335620282011670122398288291"
            },
            "id": "CVE-2024-56653-cc566907",
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ecdcaea0e4057171ea4c3783e1cc1c900ad99125",
            "signature_type": "Function"
        }
    ]
}

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.6.0
Fixed
6.6.67
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.6