In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_qca: Fix driver shutdown on closed serdev
The driver shutdown callback (which sends EDL_SOC_RESET to the device
over serdev) should not be invoked when HCI device is not open (e.g. if
hci_dev_open_sync() failed), because the serdev and its TTY are not open
either. Also skip this step if device is powered off
(qca_power_shutdown()).
The shutdown callback causes use-after-free during system reboot with
Qualcomm Atheros Bluetooth:
Unable to handle kernel paging request at virtual address
0072662f67726fd7
...
CPU: 6 PID: 1 Comm: systemd-shutdow Tainted: G W
6.1.0-rt5-00325-g8a5f56bcfcca #8
Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)
Call trace:
tty_driver_flush_buffer+0x4/0x30
serdev_device_write_flush+0x24/0x34
qca_serdev_shutdown+0x80/0x130 [hci_uart]
device_shutdown+0x15c/0x260
kernel_restart+0x48/0xac
KASAN report:
BUG: KASAN: use-after-free in tty_driver_flush_buffer+0x1c/0x50
Read of size 8 at addr ffff16270c2e0018 by task systemd-shutdow/1
CPU: 7 PID: 1 Comm: systemd-shutdow Not tainted
6.1.0-next-20221220-00014-gb85aaf97fb01-dirty #28
Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)
Call trace:
dump_backtrace.part.0+0xdc/0xf0
show_stack+0x18/0x30
dump_stack_lvl+0x68/0x84
print_report+0x188/0x488
kasan_report+0xa4/0xf0
__asan_load8+0x80/0xac
tty_driver_flush_buffer+0x1c/0x50
ttyport_write_flush+0x34/0x44
serdev_device_write_flush+0x48/0x60
qca_serdev_shutdown+0x124/0x274
device_shutdown+0x1e8/0x350
kernel_restart+0x48/0xb0
__do_sys_reboot+0x244/0x2d0
__arm64_sys_reboot+0x54/0x70
invoke_syscall+0x60/0x190
el0_svc_common.constprop.0+0x7c/0x160
do_el0_svc+0x44/0xf0
el0_svc+0x2c/0x6c
el0t_64_sync_handler+0xbc/0x140
el0t_64_sync+0x190/0x194
References
Configurations
Configuration 1 (hide)
|
History
29 Aug 2024, 02:39
Type | Values Removed | Values Added |
---|---|---|
First Time |
Linux
Linux linux Kernel |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.8 |
References | () https://git.kernel.org/stable/c/272970be3dabd24cbe50e393ffee8f04aec3b9a8 - Patch | |
References | () https://git.kernel.org/stable/c/908d1742b6e694e84ead5c62e4b7c1bfbb8b46a3 - Patch | |
References | () https://git.kernel.org/stable/c/e84ec6e25df9bb0968599e92eacedaf3a0a5b587 - Patch | |
References | () https://git.kernel.org/stable/c/ea3ebda47dd56f6e1c62f2e0e1b6e1b0a973e447 - Patch | |
CWE | CWE-416 | |
CPE | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
21 Aug 2024, 12:30
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-08-21 07:15
Updated : 2024-08-29 02:39
NVD link : CVE-2022-48878
Mitre link : CVE-2022-48878
CVE.ORG link : CVE-2022-48878
JSON object : View
Products Affected
linux
- linux_kernel
CWE
CWE-416
Use After Free