fkie_cve-2024-54191
Vulnerability from fkie_nvd
Published
2025-01-11 13:15
Modified
2025-01-16 16:21
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: iso: Fix circular lock in iso_conn_big_sync This fixes the circular locking dependency warning below, by reworking iso_sock_recvmsg, to ensure that the socket lock is always released before calling a function that locks hdev. [ 561.670344] ====================================================== [ 561.670346] WARNING: possible circular locking dependency detected [ 561.670349] 6.12.0-rc6+ #26 Not tainted [ 561.670351] ------------------------------------------------------ [ 561.670353] iso-tester/3289 is trying to acquire lock: [ 561.670355] ffff88811f600078 (&hdev->lock){+.+.}-{3:3}, at: iso_conn_big_sync+0x73/0x260 [bluetooth] [ 561.670405] but task is already holding lock: [ 561.670407] ffff88815af58258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: iso_sock_recvmsg+0xbf/0x500 [bluetooth] [ 561.670450] which lock already depends on the new lock. [ 561.670452] the existing dependency chain (in reverse order) is: [ 561.670453] -> #2 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}: [ 561.670458] lock_acquire+0x7c/0xc0 [ 561.670463] lock_sock_nested+0x3b/0xf0 [ 561.670467] bt_accept_dequeue+0x1a5/0x4d0 [bluetooth] [ 561.670510] iso_sock_accept+0x271/0x830 [bluetooth] [ 561.670547] do_accept+0x3dd/0x610 [ 561.670550] __sys_accept4+0xd8/0x170 [ 561.670553] __x64_sys_accept+0x74/0xc0 [ 561.670556] x64_sys_call+0x17d6/0x25f0 [ 561.670559] do_syscall_64+0x87/0x150 [ 561.670563] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 561.670567] -> #1 (sk_lock-AF_BLUETOOTH-BTPROTO_ISO){+.+.}-{0:0}: [ 561.670571] lock_acquire+0x7c/0xc0 [ 561.670574] lock_sock_nested+0x3b/0xf0 [ 561.670577] iso_sock_listen+0x2de/0xf30 [bluetooth] [ 561.670617] __sys_listen_socket+0xef/0x130 [ 561.670620] __x64_sys_listen+0xe1/0x190 [ 561.670623] x64_sys_call+0x2517/0x25f0 [ 561.670626] do_syscall_64+0x87/0x150 [ 561.670629] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 561.670632] -> #0 (&hdev->lock){+.+.}-{3:3}: [ 561.670636] __lock_acquire+0x32ad/0x6ab0 [ 561.670639] lock_acquire.part.0+0x118/0x360 [ 561.670642] lock_acquire+0x7c/0xc0 [ 561.670644] __mutex_lock+0x18d/0x12f0 [ 561.670647] mutex_lock_nested+0x1b/0x30 [ 561.670651] iso_conn_big_sync+0x73/0x260 [bluetooth] [ 561.670687] iso_sock_recvmsg+0x3e9/0x500 [bluetooth] [ 561.670722] sock_recvmsg+0x1d5/0x240 [ 561.670725] sock_read_iter+0x27d/0x470 [ 561.670727] vfs_read+0x9a0/0xd30 [ 561.670731] ksys_read+0x1a8/0x250 [ 561.670733] __x64_sys_read+0x72/0xc0 [ 561.670736] x64_sys_call+0x1b12/0x25f0 [ 561.670738] do_syscall_64+0x87/0x150 [ 561.670741] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 561.670744] other info that might help us debug this: [ 561.670745] Chain exists of: &hdev->lock --> sk_lock-AF_BLUETOOTH-BTPROTO_ISO --> sk_lock-AF_BLUETOOTH [ 561.670751] Possible unsafe locking scenario: [ 561.670753] CPU0 CPU1 [ 561.670754] ---- ---- [ 561.670756] lock(sk_lock-AF_BLUETOOTH); [ 561.670758] lock(sk_lock AF_BLUETOOTH-BTPROTO_ISO); [ 561.670761] lock(sk_lock-AF_BLUETOOTH); [ 561.670764] lock(&hdev->lock); [ 561.670767] *** DEADLOCK ***
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/7a17308c17880d259105f6e591eb1bc77b9612f0Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/cbe640d6cae590b9a7d81ce86fe9a90e83eec1d5Patch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel 6.13
linux linux_kernel 6.13


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4CBF5F6E-D446-4CAE-AAA4-413442319824",
              "versionEndExcluding": "6.12",
              "versionStartIncluding": "6.11.11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "56F9CCF9-9EA2-4DE9-BBC1-74C3D2046E55",
              "versionEndExcluding": "6.12.6",
              "versionStartIncluding": "6.12.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "62567B3C-6CEE-46D0-BC2E-B3717FBF7D13",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "5A073481-106D-4B15-B4C7-FB0213B8E1D4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: iso: Fix circular lock in iso_conn_big_sync\n\nThis fixes the circular locking dependency warning below, by reworking\niso_sock_recvmsg, to ensure that the socket lock is always released\nbefore calling a function that locks hdev.\n\n[  561.670344] ======================================================\n[  561.670346] WARNING: possible circular locking dependency detected\n[  561.670349] 6.12.0-rc6+ #26 Not tainted\n[  561.670351] ------------------------------------------------------\n[  561.670353] iso-tester/3289 is trying to acquire lock:\n[  561.670355] ffff88811f600078 (\u0026hdev-\u003elock){+.+.}-{3:3},\n               at: iso_conn_big_sync+0x73/0x260 [bluetooth]\n[  561.670405]\n               but task is already holding lock:\n[  561.670407] ffff88815af58258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0},\n               at: iso_sock_recvmsg+0xbf/0x500 [bluetooth]\n[  561.670450]\n               which lock already depends on the new lock.\n\n[  561.670452]\n               the existing dependency chain (in reverse order) is:\n[  561.670453]\n               -\u003e #2 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}:\n[  561.670458]        lock_acquire+0x7c/0xc0\n[  561.670463]        lock_sock_nested+0x3b/0xf0\n[  561.670467]        bt_accept_dequeue+0x1a5/0x4d0 [bluetooth]\n[  561.670510]        iso_sock_accept+0x271/0x830 [bluetooth]\n[  561.670547]        do_accept+0x3dd/0x610\n[  561.670550]        __sys_accept4+0xd8/0x170\n[  561.670553]        __x64_sys_accept+0x74/0xc0\n[  561.670556]        x64_sys_call+0x17d6/0x25f0\n[  561.670559]        do_syscall_64+0x87/0x150\n[  561.670563]        entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[  561.670567]\n               -\u003e #1 (sk_lock-AF_BLUETOOTH-BTPROTO_ISO){+.+.}-{0:0}:\n[  561.670571]        lock_acquire+0x7c/0xc0\n[  561.670574]        lock_sock_nested+0x3b/0xf0\n[  561.670577]        iso_sock_listen+0x2de/0xf30 [bluetooth]\n[  561.670617]        __sys_listen_socket+0xef/0x130\n[  561.670620]        __x64_sys_listen+0xe1/0x190\n[  561.670623]        x64_sys_call+0x2517/0x25f0\n[  561.670626]        do_syscall_64+0x87/0x150\n[  561.670629]        entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[  561.670632]\n               -\u003e #0 (\u0026hdev-\u003elock){+.+.}-{3:3}:\n[  561.670636]        __lock_acquire+0x32ad/0x6ab0\n[  561.670639]        lock_acquire.part.0+0x118/0x360\n[  561.670642]        lock_acquire+0x7c/0xc0\n[  561.670644]        __mutex_lock+0x18d/0x12f0\n[  561.670647]        mutex_lock_nested+0x1b/0x30\n[  561.670651]        iso_conn_big_sync+0x73/0x260 [bluetooth]\n[  561.670687]        iso_sock_recvmsg+0x3e9/0x500 [bluetooth]\n[  561.670722]        sock_recvmsg+0x1d5/0x240\n[  561.670725]        sock_read_iter+0x27d/0x470\n[  561.670727]        vfs_read+0x9a0/0xd30\n[  561.670731]        ksys_read+0x1a8/0x250\n[  561.670733]        __x64_sys_read+0x72/0xc0\n[  561.670736]        x64_sys_call+0x1b12/0x25f0\n[  561.670738]        do_syscall_64+0x87/0x150\n[  561.670741]        entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[  561.670744]\n               other info that might help us debug this:\n\n[  561.670745] Chain exists of:\n\u0026hdev-\u003elock --\u003e sk_lock-AF_BLUETOOTH-BTPROTO_ISO --\u003e sk_lock-AF_BLUETOOTH\n\n[  561.670751]  Possible unsafe locking scenario:\n\n[  561.670753]        CPU0                    CPU1\n[  561.670754]        ----                    ----\n[  561.670756]   lock(sk_lock-AF_BLUETOOTH);\n[  561.670758]                                lock(sk_lock\n                                              AF_BLUETOOTH-BTPROTO_ISO);\n[  561.670761]                                lock(sk_lock-AF_BLUETOOTH);\n[  561.670764]   lock(\u0026hdev-\u003elock);\n[  561.670767]\n                *** DEADLOCK ***"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Bluetooth: iso: Corregir bloqueo circular en iso_conn_big_sync Esto corrige la advertencia de dependencia de bloqueo circular a continuaci\u00f3n, al reelaborar iso_sock_recvmsg, para garantizar que el bloqueo del socket siempre se libere antes de llamar a una funci\u00f3n que bloquea hdev. [ 561.670344] ========================================================= [ 561.670346] ADVERTENCIA: posible dependencia de bloqueo circular detectada [ 561.670349] 6.12.0-rc6+ #26 No contaminado [ 561.670351] ------------------------------------------------------ [ 561.670353] iso-tester/3289 est\u00e1 intentando adquirir bloqueo: [ 561.670355] ffff88811f600078 (\u0026amp;hdev-\u0026gt;lock){+.+.}-{3:3}, en: iso_conn_big_sync+0x73/0x260 [bluetooth] [ 561.670405] pero la tarea ya tiene el bloqueo: [ 561.670407] ffff88815af58258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, en: iso_sock_recvmsg+0xbf/0x500 [bluetooth] [ 561.670450] cuyo bloqueo ya depende del nuevo bloqueo. [ 561.670452] la cadena de dependencia existente (en orden inverso) es: [ 561.670453] -\u0026gt; #2 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}: [ 561.670458] lock_acquire+0x7c/0xc0 [ 561.670463] lock_sock_nested+0x3b/0xf0 [ 561.670467] bt_accept_dequeue+0x1a5/0x4d0 [bluetooth] [ 561.670510] iso_sock_accept+0x271/0x830 [bluetooth] [ 561.670547] do_accept+0x3dd/0x610 [ 561.670550] __sys_accept4+0xd8/0x170 [ 561.670553] __x64_sys_accept+0x74/0xc0 [ 561.670556] x64_sys_call+0x17d6/0x25f0 [ 561.670559] hacer_syscall_64+0x87/0x150 [ 561.670563] entrada_SYSCALL_64_after_hwframe+0x76/0x7e [ 561.670567] -\u0026gt; #1 (sk_lock-AF_BLUETOOTH-BTPROTO_ISO){+.+.}-{0:0}: [ 561.670571] bloqueo_adquirir+0x7c/0xc0 [ 561.670574] lock_sock_nested+0x3b/0xf0 [ 561.670577] iso_sock_listen+0x2de/0xf30 [bluetooth] [ 561.670617] __sys_listen_socket+0xef/0x130 [ 561.670620] __x64_sys_listen+0xe1/0x190 [ 561.670623] x64_sys_call+0x2517/0x25f0 [ 561.670626] hacer_syscall_64+0x87/0x150 [ 561.670629] entrada_SYSCALL_64_despu\u00e9s_de_hwframe+0x76/0x7e [ 561.670632] -\u0026gt; #0 (\u0026amp;hdev-\u0026gt;lock){+.+.}-{3:3}: [ 561.670636] __lock_acquire+0x32ad/0x6ab0 [ 561.670639] lock_acquire.part.0+0x118/0x360 [ 561.670642] lock_acquire+0x7c/0xc0 [ 561.670644] __mutex_lock+0x18d/0x12f0 [ 561.670647] mutex_lock_nested+0x1b/0x30 [ 561.670651] iso_conn_big_sync+0x73/0x260 [bluetooth] [ 561.670687] iso_sock_recvmsg+0x3e9/0x500 [bluetooth] [561.670722] sock_recvmsg+0x1d5/0x240 [561.670725] sock_read_iter+0x27d/0x470 [561.670727] vfs_read+0x9a0/0xd30 [561.670731] ksys_read+0x1a8/0x250 [561.670733] __x64_sys_read+0x72/0xc0 [561.670736] x64_sys_call+0x1b12/0x25f0 [561.670738] do_syscall_64+0x87/0x150 [ 561.670741] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 561.670744] otra informaci\u00f3n que podr\u00eda ayudarnos a depurar esto: [ 561.670745] La cadena existe de: \u0026amp;hdev-\u0026gt;lock --\u0026gt; sk_lock-AF_BLUETOOTH-BTPROTO_ISO --\u0026gt; sk_lock-AF_BLUETOOTH [ 561.670751] Posible escenario de bloqueo inseguro: [ 561.670753] CPU0 CPU1 [ 561.670754] ---- ---- [ 561.670756] lock(sk_lock-AF_BLUETOOTH); [ 561.670758] bloqueo(sk_lock AF_BLUETOOTH-BTPROTO_ISO); [ 561.670761] bloqueo(sk_lock-AF_BLUETOOTH); [ 561.670764] bloqueo(\u0026amp;hdev-\u0026gt;lock); [ 561.670767] *** BLOQUEO INTERMEDIO ***"
    }
  ],
  "id": "CVE-2024-54191",
  "lastModified": "2025-01-16T16:21:27.237",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-01-11T13:15:26.667",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/7a17308c17880d259105f6e591eb1bc77b9612f0"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/cbe640d6cae590b9a7d81ce86fe9a90e83eec1d5"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-667"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.