ghsa-89vj-8q5m-mj67
Vulnerability from github
Published
2024-12-27 15:31
Modified
2025-01-08 18:30
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btmtk: adjust the position to init iso data anchor

MediaTek iso data anchor init should be moved to where MediaTek claims iso data interface. If there is an unexpected BT usb disconnect during setup flow, it will cause a NULL pointer crash issue when releasing iso anchor since the anchor wasn't been init yet. Adjust the position to do iso data anchor init.

[ 17.137991] pc : usb_kill_anchored_urbs+0x60/0x168 [ 17.137998] lr : usb_kill_anchored_urbs+0x44/0x168 [ 17.137999] sp : ffffffc0890cb5f0 [ 17.138000] x29: ffffffc0890cb5f0 x28: ffffff80bb6c2e80 [ 17.144081] gpio gpiochip0: registered chardev handle for 1 lines [ 17.148421] x27: 0000000000000000 [ 17.148422] x26: ffffffd301ff4298 x25: 0000000000000003 x24: 00000000000000f0 [ 17.148424] x23: 0000000000000000 x22: 00000000ffffffff x21: 0000000000000001 [ 17.148425] x20: ffffffffffffffd8 x19: ffffff80c0f25560 x18: 0000000000000000 [ 17.148427] x17: ffffffd33864e408 x16: ffffffd33808f7c8 x15: 0000000000200000 [ 17.232789] x14: e0cd73cf80ffffff x13: 50f2137c0a0338c9 x12: 0000000000000001 [ 17.239912] x11: 0000000080150011 x10: 0000000000000002 x9 : 0000000000000001 [ 17.247035] x8 : 0000000000000000 x7 : 0000000000008080 x6 : 8080000000000000 [ 17.254158] x5 : ffffffd33808ebc0 x4 : fffffffe033dcf20 x3 : 0000000080150011 [ 17.261281] x2 : ffffff8087a91400 x1 : 0000000000000000 x0 : ffffff80c0f25588 [ 17.268404] Call trace: [ 17.270841] usb_kill_anchored_urbs+0x60/0x168 [ 17.275274] btusb_mtk_release_iso_intf+0x2c/0xd8 [btusb (HASH:5afe 6)] [ 17.284226] btusb_mtk_disconnect+0x14/0x28 [btusb (HASH:5afe 6)] [ 17.292652] btusb_disconnect+0x70/0x140 [btusb (HASH:5afe 6)] [ 17.300818] usb_unbind_interface+0xc4/0x240 [ 17.305079] device_release_driver_internal+0x18c/0x258 [ 17.310296] device_release_driver+0x1c/0x30 [ 17.314557] bus_remove_device+0x140/0x160 [ 17.318643] device_del+0x1c0/0x330 [ 17.322121] usb_disable_device+0x80/0x180 [ 17.326207] usb_disconnect+0xec/0x300 [ 17.329948] hub_quiesce+0x80/0xd0 [ 17.333339] hub_disconnect+0x44/0x190 [ 17.337078] usb_unbind_interface+0xc4/0x240 [ 17.341337] device_release_driver_internal+0x18c/0x258 [ 17.346551] device_release_driver+0x1c/0x30 [ 17.350810] usb_driver_release_interface+0x70/0x88 [ 17.355677] proc_ioctl+0x13c/0x228 [ 17.359157] proc_ioctl_default+0x50/0x80 [ 17.363155] usbdev_ioctl+0x830/0xd08 [ 17.366808] __arm64_sys_ioctl+0x94/0xd0 [ 17.370723] invoke_syscall+0x6c/0xf8 [ 17.374377] el0_svc_common+0x84/0xe0 [ 17.378030] do_el0_svc+0x20/0x30 [ 17.381334] el0_svc+0x34/0x60 [ 17.384382] el0t_64_sync_handler+0x88/0xf0 [ 17.388554] el0t_64_sync+0x180/0x188 [ 17.392208] Code: f9400677 f100a2f4 54fffea0 d503201f (b8350288) [ 17.398289] ---[ end trace 0000000000000000 ]---

Show details on source website


{
  "affected": [],
  "aliases": [
    "CVE-2024-53238"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-27T14:15:32Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btmtk: adjust the position to init iso data anchor\n\nMediaTek iso data anchor init should be moved to where MediaTek\nclaims iso data interface.\nIf there is an unexpected BT usb disconnect during setup flow,\nit will cause a NULL pointer crash issue when releasing iso\nanchor since the anchor wasn\u0027t been init yet. Adjust the position\nto do iso data anchor init.\n\n[   17.137991] pc : usb_kill_anchored_urbs+0x60/0x168\n[   17.137998] lr : usb_kill_anchored_urbs+0x44/0x168\n[   17.137999] sp : ffffffc0890cb5f0\n[   17.138000] x29: ffffffc0890cb5f0 x28: ffffff80bb6c2e80\n[   17.144081] gpio gpiochip0: registered chardev handle for 1 lines\n[   17.148421]  x27: 0000000000000000\n[   17.148422] x26: ffffffd301ff4298 x25: 0000000000000003 x24: 00000000000000f0\n[   17.148424] x23: 0000000000000000 x22: 00000000ffffffff x21: 0000000000000001\n[   17.148425] x20: ffffffffffffffd8 x19: ffffff80c0f25560 x18: 0000000000000000\n[   17.148427] x17: ffffffd33864e408 x16: ffffffd33808f7c8 x15: 0000000000200000\n[   17.232789] x14: e0cd73cf80ffffff x13: 50f2137c0a0338c9 x12: 0000000000000001\n[   17.239912] x11: 0000000080150011 x10: 0000000000000002 x9 : 0000000000000001\n[   17.247035] x8 : 0000000000000000 x7 : 0000000000008080 x6 : 8080000000000000\n[   17.254158] x5 : ffffffd33808ebc0 x4 : fffffffe033dcf20 x3 : 0000000080150011\n[   17.261281] x2 : ffffff8087a91400 x1 : 0000000000000000 x0 : ffffff80c0f25588\n[   17.268404] Call trace:\n[   17.270841]  usb_kill_anchored_urbs+0x60/0x168\n[   17.275274]  btusb_mtk_release_iso_intf+0x2c/0xd8 [btusb (HASH:5afe 6)]\n[   17.284226]  btusb_mtk_disconnect+0x14/0x28 [btusb (HASH:5afe 6)]\n[   17.292652]  btusb_disconnect+0x70/0x140 [btusb (HASH:5afe 6)]\n[   17.300818]  usb_unbind_interface+0xc4/0x240\n[   17.305079]  device_release_driver_internal+0x18c/0x258\n[   17.310296]  device_release_driver+0x1c/0x30\n[   17.314557]  bus_remove_device+0x140/0x160\n[   17.318643]  device_del+0x1c0/0x330\n[   17.322121]  usb_disable_device+0x80/0x180\n[   17.326207]  usb_disconnect+0xec/0x300\n[   17.329948]  hub_quiesce+0x80/0xd0\n[   17.333339]  hub_disconnect+0x44/0x190\n[   17.337078]  usb_unbind_interface+0xc4/0x240\n[   17.341337]  device_release_driver_internal+0x18c/0x258\n[   17.346551]  device_release_driver+0x1c/0x30\n[   17.350810]  usb_driver_release_interface+0x70/0x88\n[   17.355677]  proc_ioctl+0x13c/0x228\n[   17.359157]  proc_ioctl_default+0x50/0x80\n[   17.363155]  usbdev_ioctl+0x830/0xd08\n[   17.366808]  __arm64_sys_ioctl+0x94/0xd0\n[   17.370723]  invoke_syscall+0x6c/0xf8\n[   17.374377]  el0_svc_common+0x84/0xe0\n[   17.378030]  do_el0_svc+0x20/0x30\n[   17.381334]  el0_svc+0x34/0x60\n[   17.384382]  el0t_64_sync_handler+0x88/0xf0\n[   17.388554]  el0t_64_sync+0x180/0x188\n[   17.392208] Code: f9400677 f100a2f4 54fffea0 d503201f (b8350288)\n[   17.398289] ---[ end trace 0000000000000000 ]---",
  "id": "GHSA-89vj-8q5m-mj67",
  "modified": "2025-01-08T18:30:47Z",
  "published": "2024-12-27T15:31:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53238"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1219c211ccd061cde002cc5708692efca515a7a0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/61c5a3def90ac729a538e5ca5ff7f461cff72776"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d8bd79f0eea9c07d90ce870a714ab5c10afaa4b3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.


Loading…

Loading…