In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: btrtl: fix out of bounds memory access
The problem is detected by KASAN. The btrtl driver uses the private hci data to store 'struct btrealtek_data'. If the btrtl driver is used with btusb, then the memory for the private hci data is allocated in btusb. But no private data is allocated after hci_dev when btrtl is used with hci_h5.
This commit adds memory allocation for hci_h5 case.
==================================================================
BUG: KASAN: slab-out-of-bounds in btrtl_initialize+0x6cc/0x958 [btrtl]
Write of size 8 at addr ffff00000f5a5748 by task kworker/u9:0/76

Hardware name: Pine64 PinePhone (1.2) (DT)
Workqueue: hci0 hci_power_on [bluetooth]
Call trace:
 dump_backtrace+0x9c/0x128
 show_stack+0x20/0x38
 dump_stack_lvl+0x48/0x60
 print_report+0xf8/0x5d8
 kasan_report+0x90/0xd0
 __asan_store8+0x9c/0xc0
 [btrtl]
 h5_btrtl_setup+0xd0/0x2f8 [hci_uart]
 h5_setup+0x50/0x80 [hci_uart]
 hci_uart_setup+0xd4/0x260 [hci_uart]
 hci_dev_open_sync+0x1cc/0xf68 [bluetooth]
 hci_dev_do_open+0x34/0x90 [bluetooth]
 hci_power_on+0xc4/0x3c8 [bluetooth]
 process_one_work+0x328/0x6f0
 worker_thread+0x410/0x778
 kthread+0x168/0x178
 ret_from_fork+0x10/0x20

Allocated by task 53:
 kasan_save_stack+0x3c/0x68
 kasan_save_track+0x20/0x40
 kasan_save_alloc_info+0x68/0x78
 __kasan_kmalloc+0xd4/0xd8
 __kmalloc+0x1b4/0x3b0
 hci_alloc_dev_priv+0x28/0xa58 [bluetooth]
 hci_uart_register_device+0x118/0x4f8 [hci_uart]
 h5_serdev_probe+0xf4/0x178 [hci_uart]
 serdev_drv_probe+0x54/0xa0
 really_probe+0x254/0x588
 __driver_probe_device+0xc4/0x210
 driver_probe_device+0x64/0x160
 __driver_attach_async_helper+0x88/0x158
 async_run_entry_fn+0xd0/0x388
 process_one_work+0x328/0x6f0
 worker_thread+0x410/0x778
 kthread+0x168/0x178
 ret_from_fork+0x10/0x20

Last potentially related work creation:
 kasan_save_stack+0x3c/0x68
 __kasan_record_aux_stack+0xb0/0x150
 kasan_record_aux_stack_noalloc+0x14/0x20
 __queue_work+0x33c/0x960
 queue_work_on+0x98/0xc0
 hci_recv_frame+0xc8/0x1e8 [bluetooth]
 h5_complete_rx_pkt+0x2c8/0x800 [hci_uart]
 h5_rx_payload+0x98/0xb8 [hci_uart]
 h5_recv+0x158/0x3d8 [hci_uart]
 hci_uart_receive_buf+0xa0/0xe8 [hci_uart]
 tty_port_receive_buf+0xac/0x178
 flush_to_ldisc+0x130/0x2c8
 process_one_work+0x328/0x6f0
 worker_thread+0x410/0x778
 kthread+0x168/0x178
 ret_from_fork+0x10/0x20

Second to last potentially related work creation:
 kasan_save_stack+0x3c/0x68
 __kasan_record_aux_stack+0xb0/0x150
 kasan_record_aux_stack_noalloc+0x14/0x20
 __queue_work+0x788/0x960
 queue_work_on+0x98/0xc0
 __hci_cmd_sync_sk+0x23c/0x7a0 [bluetooth]
 __hci_cmd_sync+0x24/0x38 [bluetooth]
 btrtl_initialize+0x760/0x958 [btrtl]
 h5_btrtl_setup+0xd0/0x2f8 [hci_uart]
 h5_setup+0x50/0x80 [hci_uart]
 hci_uart_setup+0xd4/0x260 [hci_uart]
 hci_dev_open_sync+0x1cc/0xf68 [bluetooth]
 hci_dev_do_open+0x34/0x90 [bluetooth]
 hci_power_on+0xc4/0x3c8 [bluetooth]
 process_one_work+0x328/0x6f0
 worker_thread+0x410/0x778
 kthread+0x168/0x178
 ret_from_fork+0x10/0x20
==================================================================
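The allocation pattern behind this report, as an added user-space model rather than kernel code: a device struct is allocated together with a trailing vendor-private area whose size the transport (btusb or hci_h5) chooses, and the vendor setup later writes into that area. The model's names (model_alloc_dev_priv, model_get_priv, model_btrtl_setup, the fields of the stand-in structs) only loosely mirror hci_alloc_dev_priv()/hci_get_priv() and are assumptions; the real hci_dev does not record its private size, so the bounds check shown is a defensive addition for illustration, while the actual fix is the caller allocating the private area for the hci_h5 case.

```c
/* Constructed model of "fixed struct + trailing private area"; not kernel code. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the vendor-private data btrtl keeps in the hci_dev tail.
 * Field names are assumptions made for this model. */
struct btrealtek_data {
    void *btrtl_dev;
    uint32_t flags;
};

/* Stand-in for struct hci_dev: fixed part, then a private area of
 * priv_size bytes in the same allocation (priv_size is recorded here
 * only so the check in model_btrtl_setup() is possible). */
struct hci_dev_model {
    char name[8];
    size_t priv_size;
};

/* Like hci_alloc_dev_priv(sizeof_priv): one allocation, fixed part + priv.
 * The btusb path asks for sizeof(struct btrealtek_data); before the fix,
 * the hci_h5 path asked for 0, which is the situation KASAN reported. */
static struct hci_dev_model *model_alloc_dev_priv(size_t sizeof_priv)
{
    struct hci_dev_model *hdev = calloc(1, sizeof(*hdev) + sizeof_priv);
    if (!hdev)
        return NULL;
    strcpy(hdev->name, "hci0");
    hdev->priv_size = sizeof_priv;
    return hdev;
}

/* Like hci_get_priv(): the private area starts right after the fixed part. */
static void *model_get_priv(struct hci_dev_model *hdev)
{
    return (char *)hdev + sizeof(*hdev);
}

/* Vendor setup needing sizeof(struct btrealtek_data) bytes of private data.
 * An unconditional write here with priv_size == 0 lands past the
 * allocation (the slab-out-of-bounds above); this model refuses instead.
 * Returns 0 on success, -1 if the transport allocated no private area. */
static int model_btrtl_setup(struct hci_dev_model *hdev, void *btrtl_dev)
{
    struct btrealtek_data *priv;

    if (hdev->priv_size < sizeof(struct btrealtek_data))
        return -1;

    priv = model_get_priv(hdev);
    priv->btrtl_dev = btrtl_dev;
    priv->flags = 0;
    return 0;
}

/* Simulates a transport probe: with_priv selects the fixed hci_h5 behaviour
 * (allocate the private area) or the pre-fix behaviour (allocate none). */
static int model_probe(int with_priv)
{
    size_t sz = with_priv ? sizeof(struct btrealtek_data) : 0;
    struct hci_dev_model *hdev = model_alloc_dev_priv(sz);
    int rc;

    if (!hdev)
        return -1;
    rc = model_btrtl_setup(hdev, NULL);
    free(hdev);
    return rc;
}

int main(void)
{
    /* Pre-fix hci_h5: no private area, setup must not write. */
    if (model_probe(0) != -1)
        return 1;
    /* Fixed hci_h5 (and btusb): private area present, setup succeeds. */
    if (model_probe(1) != 0)
        return 1;
    return 0;
}
```

The lesson for reviewers of similar drivers: any code that writes through a "private data after the struct" accessor depends on every allocating caller having requested that space, so each new transport that registers the device needs the same sizeof_priv that the existing ones pass.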