In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: btrtl: fix out of bounds memory access
The problem is detected by KASAN. The btrtl driver uses the private hci data area to store 'struct btrealtek_data'. If the btrtl driver is used with btusb, the memory for the private hci data is allocated by btusb. But when btrtl is used with hci_h5, no private data is allocated after the hci_dev.
This commit adds the memory allocation for the hci_h5 case.
==================================================================
BUG: KASAN: slab-out-of-bounds in btrtl_initialize+0x6cc/0x958 [btrtl]
Write of size 8 at addr ffff00000f5a5748 by task kworker/u9:0/76

Hardware name: Pine64 PinePhone (1.2) (DT)
Workqueue: hci0 hci_power_on [bluetooth]
Call trace:
 dump_backtrace+0x9c/0x128
 show_stack+0x20/0x38
 dump_stack_lvl+0x48/0x60
 print_report+0xf8/0x5d8
 kasan_report+0x90/0xd0
 __asan_store8+0x9c/0xc0 [btrtl]
 h5_btrtl_setup+0xd0/0x2f8 [hci_uart]
 h5_setup+0x50/0x80 [hci_uart]
 hci_uart_setup+0xd4/0x260 [hci_uart]
 hci_dev_open_sync+0x1cc/0xf68 [bluetooth]
 hci_dev_do_open+0x34/0x90 [bluetooth]
 hci_power_on+0xc4/0x3c8 [bluetooth]
 process_one_work+0x328/0x6f0
 worker_thread+0x410/0x778
 kthread+0x168/0x178
 ret_from_fork+0x10/0x20

Allocated by task 53:
 kasan_save_stack+0x3c/0x68
 kasan_save_track+0x20/0x40
 kasan_save_alloc_info+0x68/0x78
 __kasan_kmalloc+0xd4/0xd8
 __kmalloc+0x1b4/0x3b0
 hci_alloc_dev_priv+0x28/0xa58 [bluetooth]
 hci_uart_register_device+0x118/0x4f8 [hci_uart]
 h5_serdev_probe+0xf4/0x178 [hci_uart]
 serdev_drv_probe+0x54/0xa0
 really_probe+0x254/0x588
 __driver_probe_device+0xc4/0x210
 driver_probe_device+0x64/0x160
 __driver_attach_async_helper+0x88/0x158
 async_run_entry_fn+0xd0/0x388
 process_one_work+0x328/0x6f0
 worker_thread+0x410/0x778
 kthread+0x168/0x178
 ret_from_fork+0x10/0x20

Last potentially related work creation:
 kasan_save_stack+0x3c/0x68
 __kasan_record_aux_stack+0xb0/0x150
 kasan_record_aux_stack_noalloc+0x14/0x20
 __queue_work+0x33c/0x960
 queue_work_on+0x98/0xc0
 hci_recv_frame+0xc8/0x1e8 [bluetooth]
 h5_complete_rx_pkt+0x2c8/0x800 [hci_uart]
 h5_rx_payload+0x98/0xb8 [hci_uart]
 h5_recv+0x158/0x3d8 [hci_uart]
 hci_uart_receive_buf+0xa0/0xe8 [hci_uart]
 tty_port_receive_buf+0xac/0x178
 flush_to_ldisc+0x130/0x2c8
 process_one_work+0x328/0x6f0
 worker_thread+0x410/0x778
 kthread+0x168/0x178
 ret_from_fork+0x10/0x20

Second to last potentially related work creation:
 kasan_save_stack+0x3c/0x68
 __kasan_record_aux_stack+0xb0/0x150
 kasan_record_aux_stack_noalloc+0x14/0x20
 __queue_work+0x788/0x960
 queue_work_on+0x98/0xc0
 __hci_cmd_sync_sk+0x23c/0x7a0 [bluetooth]
 __hci_cmd_sync+0x24/0x38 [bluetooth]
 btrtl_initialize+0x760/0x958 [btrtl]
 h5_btrtl_setup+0xd0/0x2f8 [hci_uart]
 h5_setup+0x50/0x80 [hci_uart]
 hci_uart_setup+0xd4/0x260 [hci_uart]
 hci_dev_open_sync+0x1cc/0xf68 [bluetooth]
 hci_dev_do_open+0x34/0x90 [bluetooth]
 hci_power_on+0xc4/0x3c8 [bluetooth]
 process_one_work+0x328/0x6f0
 worker_thread+0x410/0x778
 kthread+0x168/0x178
 ret_from_fork+0x10/0x20
==================================================================
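The allocation contract behind this bug, as an added userspace model (not kernel code and not the patch itself): the transport allocates the hci_dev and chooses how many private bytes trail it, while the vendor driver later assumes its struct is there. The model names (model_alloc_dev_priv, model_get_priv, rtl_data_checked, the one-field btrealtek_data) are stand-ins chosen for this example; the checked accessor shows the mitigation a defender wants, which is to verify the priv size before touching vendor data rather than trust the transport.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the driver's per-device struct stored in the hci priv area. */
struct btrealtek_data { unsigned long flags; };

struct hci_dev {
    char name[8];
    size_t priv_size; /* kept only so this model can check bounds; the kernel does not record it */
    /* in the kernel, sizeof_priv bytes follow the struct in the same allocation */
};

/* Model of hci_alloc_dev_priv(sizeof_priv): one allocation, priv bytes trail the struct. */
static struct hci_dev *model_alloc_dev_priv(size_t sizeof_priv)
{
    struct hci_dev *hdev = calloc(1, sizeof(*hdev) + sizeof_priv);
    if (!hdev)
        return NULL;
    strcpy(hdev->name, "hci0");
    hdev->priv_size = sizeof_priv;
    return hdev;
}

/* Model of hci_get_priv(): the priv area starts right after the struct. */
static void *model_get_priv(struct hci_dev *hdev) { return (char *)hdev + sizeof(*hdev); }

/* Defensive accessor: refuse to hand out vendor data when the transport allocated
 * too little. priv_size == 0 is the unpatched hci_h5 path; writing through the
 * pointer there is the slab-out-of-bounds write KASAN reported. */
static struct btrealtek_data *rtl_data_checked(struct hci_dev *hdev)
{
    if (hdev->priv_size < sizeof(struct btrealtek_data))
        return NULL;
    return model_get_priv(hdev);
}

/* Returns true only if vendor setup could safely set a flag in its per-device data. */
static bool model_btrtl_setup(struct hci_dev *hdev)
{
    struct btrealtek_data *d = rtl_data_checked(hdev);
    if (!d)
        return false;
    d->flags |= 1UL; /* the 8-byte write the report shows, now bounds-checked */
    return true;
}

/* sizeof_priv is the transport's decision: 0 models old hci_h5, sizeof(struct
 * btrealtek_data) models btusb and the fixed hci_h5. */
static bool probe_and_setup(size_t sizeof_priv)
{
    struct hci_dev *hdev = model_alloc_dev_priv(sizeof_priv);
    bool ok = hdev && model_btrtl_setup(hdev);
    free(hdev);
    return ok;
}
```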
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26890.json",
"cna_assigner": "Linux"
}