| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025022617-CVE-2022-49200-54e9@gregkh> Date: Wed, 26 Feb 2025 02:56:45 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2022-49200: Bluetooth: btmtksdio: Fix kernel oops in btmtksdio_interrupt Description =========== In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btmtksdio: Fix kernel oops in btmtksdio_interrupt Fix the following kernel oops in btmtksdio_interrrupt [ 14.339134] btmtksdio_interrupt+0x28/0x54 [ 14.339139] process_sdio_pending_irqs+0x68/0x1a0 [ 14.339144] sdio_irq_work+0x40/0x70 [ 14.339154] process_one_work+0x184/0x39c [ 14.339160] worker_thread+0x228/0x3e8 [ 14.339168] kthread+0x148/0x3ac [ 14.339176] ret_from_fork+0x10/0x30 That happened because hdev->power_on is already called before sdio_set_drvdata which btmtksdio_interrupt handler relies on is not properly set up. The details are shown as the below: hci_register_dev would run queue_work(hdev->req_workqueue, &hdev->power_on) as WQ_HIGHPRI workqueue_struct to complete the power-on sequeunce and thus hci_power_on may run before sdio_set_drvdata is done in btmtksdio_probe. The hci_dev_do_open in hci_power_on would initialize the device and enable the interrupt and thus it is possible that btmtksdio_interrupt is being called right before sdio_set_drvdata is filled out. When btmtksdio_interrupt is being called and sdio_set_drvdata is not filled , the kernel oops is going to happen because btmtksdio_interrupt access an uninitialized pointer. The Linux kernel CVE team has assigned CVE-2022-49200 to this issue. Affected and fixed versions =========================== Issue introduced in 5.2 with commit 9aebfd4a2200ab8075e44379c758bccefdc589bb and fixed in 5.4.189 with commit 874eca93966a786eace87fa6dfb206c2dd9519b1 Issue introduced in 5.2 with commit 9aebfd4a2200ab8075e44379c758bccefdc589bb and fixed in 5.10.110 with commit 70a6cf749d9ff9f463490248322e5343199bc267 Issue introduced in 5.2 with commit 9aebfd4a2200ab8075e44379c758bccefdc589bb and fixed in 5.15.33 with commit 770a97d3f34b801de1b04737b43e02c55118c41a Issue introduced in 5.2 with commit 9aebfd4a2200ab8075e44379c758bccefdc589bb and fixed in 5.16.19 with commit 4d3d1f2c35a19988d3c5f0ee86038b525e830840 Issue introduced in 5.2 with commit 9aebfd4a2200ab8075e44379c758bccefdc589bb and fixed in 5.17.2 with commit 6d7be5afbb41c918d2f12f857f8c7efa50500be2 Issue introduced in 5.2 with commit 9aebfd4a2200ab8075e44379c758bccefdc589bb and fixed in 5.18 with commit b062a0b9c1dc1ff63094337dccfe1568d5b62023 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2022-49200 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/bluetooth/btmtksdio.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/874eca93966a786eace87fa6dfb206c2dd9519b1 https://git.kernel.org/stable/c/70a6cf749d9ff9f463490248322e5343199bc267 https://git.kernel.org/stable/c/770a97d3f34b801de1b04737b43e02c55118c41a https://git.kernel.org/stable/c/4d3d1f2c35a19988d3c5f0ee86038b525e830840 https://git.kernel.org/stable/c/6d7be5afbb41c918d2f12f857f8c7efa50500be2 https://git.kernel.org/stable/c/b062a0b9c1dc1ff63094337dccfe1568d5b62023
Powered by blists - more mailing lists