| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025121644-CVE-2025-68304-9ae7@gregkh>
Date: Tue, 16 Dec 2025 16:06:58 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-68304: Bluetooth: hci_core: lookup hci_conn on RX path on protocol side
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_core: lookup hci_conn on RX path on protocol side
The hdev lock/lookup/unlock/use pattern in the packet RX path doesn't
ensure hci_conn* is not concurrently modified/deleted. This locking
appears to be leftover from before conn_hash started using RCU
commit bf4c63252490b ("Bluetooth: convert conn hash to RCU")
and not clear if it had purpose since then.
Currently, there are code paths that delete hci_conn* from elsewhere
than the ordered hdev->workqueue where the RX work runs in. E.g.
commit 5af1f84ed13a ("Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync")
introduced some of these, and there probably were a few others before
it. It's better to do the locking so that even if these run
concurrently no UAF is possible.
Move the lookup of hci_conn and associated socket-specific conn to
protocol recv handlers, and do them within a single critical section
to cover hci_conn* usage and lookup.
syzkaller has reported a crash that appears to be this issue:
[Task hdev->workqueue] [Task 2]
hci_disconnect_all_sync
l2cap_recv_acldata(hcon)
hci_conn_get(hcon)
hci_abort_conn_sync(hcon)
hci_dev_lock
hci_dev_lock
hci_conn_del(hcon)
v-------------------------------- hci_dev_unlock
hci_conn_put(hcon)
conn = hcon->l2cap_data (UAF)
The Linux kernel CVE team has assigned CVE-2025-68304 to this issue.
Affected and fixed versions
===========================
Issue introduced in 6.6 with commit 5af1f84ed13a416297ab9ced7537f4d5ae7f329a and fixed in 6.17.11 with commit ec74cdf77310c43b01b83ee898a9bd4b4b0b8e93
Issue introduced in 6.6 with commit 5af1f84ed13a416297ab9ced7537f4d5ae7f329a and fixed in 6.18 with commit 79a2d4678ba90bdba577dc3af88cc900d6dcd5ee
Issue introduced in 6.1.149 with commit cd55c13bbb3d093ae601aa97e588ed4c1390ebb1
Issue introduced in 6.4.16 with commit 4d3ca4a9aaf0aa798a6be372dc0fc3a29e37dd57
Issue introduced in 6.5.3 with commit 80265dd1d944c3f33e52375b5dbe654980bd2688
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-68304
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
include/net/bluetooth/hci_core.h
net/bluetooth/hci_core.c
net/bluetooth/iso.c
net/bluetooth/l2cap_core.c
net/bluetooth/sco.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/ec74cdf77310c43b01b83ee898a9bd4b4b0b8e93
https://git.kernel.org/stable/c/79a2d4678ba90bdba577dc3af88cc900d6dcd5ee
Powered by blists - more mailing lists