lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <2025121642-CVE-2025-68298-40ed@gregkh>
Date: Tue, 16 Dec 2025 16:06:52 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-68298: Bluetooth: btusb: mediatek: Avoid btusb_mtk_claim_iso_intf() NULL deref

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btusb: mediatek: Avoid btusb_mtk_claim_iso_intf() NULL deref

In btusb_mtk_setup(), we set `btmtk_data->isopkt_intf` to:
  usb_ifnum_to_if(data->udev, MTK_ISO_IFNUM)

That function can return NULL in some cases. Even when it returns
NULL, though, we still go on to call btusb_mtk_claim_iso_intf().

As of commit e9087e828827 ("Bluetooth: btusb: mediatek: Add locks for
usb_driver_claim_interface()"), calling btusb_mtk_claim_iso_intf()
when `btmtk_data->isopkt_intf` is NULL will cause a crash because
we'll end up passing a bad pointer to device_lock(). Prior to that
commit we'd pass the NULL pointer directly to
usb_driver_claim_interface() which would detect it and return an
error, which was handled.

Resolve the crash in btusb_mtk_claim_iso_intf() by adding a NULL check
at the start of the function. This makes the code handle a NULL
`btmtk_data->isopkt_intf` the same way it did before the problematic
commit (just with a slight change to the error message printed).

The Linux kernel CVE team has assigned CVE-2025-68298 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 6.12.13 with commit 930e1790b99e5839e1af69d2f7fd808f1fba2df9 and fixed in 6.12.61 with commit 2fa09fe98ca3b114d66285f65f7e108fea131815
	Issue introduced in 6.14 with commit e9087e828827e5a5c85e124ce77503f2b81c3491 and fixed in 6.17.11 with commit c3b990e0b23068da65f0004cd38ee31f43f36460
	Issue introduced in 6.14 with commit e9087e828827e5a5c85e124ce77503f2b81c3491 and fixed in 6.18 with commit c884a0b27b4586e607431d86a1aa0bb4fb39169c
	Issue introduced in 6.13.2 with commit 4194766ec8756f4f654d595ae49962acbac49490

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-68298
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/bluetooth/btusb.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/2fa09fe98ca3b114d66285f65f7e108fea131815
	https://git.kernel.org/stable/c/c3b990e0b23068da65f0004cd38ee31f43f36460
	https://git.kernel.org/stable/c/c884a0b27b4586e607431d86a1aa0bb4fb39169c

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ