CVE-2022-48878

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_qca: Fix driver shutdown on closed serdev The driver shutdown callback (which sends EDL_SOC_RESET to the device over serdev) should not be invoked when HCI device is not open (e.g. if hci_dev_open_sync() failed), because the serdev and its TTY are not open either. Also skip this step if device is powered off (qca_power_shutdown()). The shutdown callback causes use-after-free during system reboot with Qualcomm Atheros Bluetooth: Unable to handle kernel paging request at virtual address 0072662f67726fd7 ... CPU: 6 PID: 1 Comm: systemd-shutdow Tainted: G W 6.1.0-rt5-00325-g8a5f56bcfcca #8 Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT) Call trace: tty_driver_flush_buffer+0x4/0x30 serdev_device_write_flush+0x24/0x34 qca_serdev_shutdown+0x80/0x130 [hci_uart] device_shutdown+0x15c/0x260 kernel_restart+0x48/0xac KASAN report: BUG: KASAN: use-after-free in tty_driver_flush_buffer+0x1c/0x50 Read of size 8 at addr ffff16270c2e0018 by task systemd-shutdow/1 CPU: 7 PID: 1 Comm: systemd-shutdow Not tainted 6.1.0-next-20221220-00014-gb85aaf97fb01-dirty #28 Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT) Call trace: dump_backtrace.part.0+0xdc/0xf0 show_stack+0x18/0x30 dump_stack_lvl+0x68/0x84 print_report+0x188/0x488 kasan_report+0xa4/0xf0 __asan_load8+0x80/0xac tty_driver_flush_buffer+0x1c/0x50 ttyport_write_flush+0x34/0x44 serdev_device_write_flush+0x48/0x60 qca_serdev_shutdown+0x124/0x274 device_shutdown+0x1e8/0x350 kernel_restart+0x48/0xb0 __do_sys_reboot+0x244/0x2d0 __arm64_sys_reboot+0x54/0x70 invoke_syscall+0x60/0x190 el0_svc_common.constprop.0+0x7c/0x160 do_el0_svc+0x44/0xf0 el0_svc+0x2c/0x6c el0t_64_sync_handler+0xbc/0x140 el0t_64_sync+0x190/0x194
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

History

29 Aug 2024, 02:39

Type Values Removed Values Added
References () https://git.kernel.org/stable/c/272970be3dabd24cbe50e393ffee8f04aec3b9a8 - () https://git.kernel.org/stable/c/272970be3dabd24cbe50e393ffee8f04aec3b9a8 - Patch
References () https://git.kernel.org/stable/c/908d1742b6e694e84ead5c62e4b7c1bfbb8b46a3 - () https://git.kernel.org/stable/c/908d1742b6e694e84ead5c62e4b7c1bfbb8b46a3 - Patch
References () https://git.kernel.org/stable/c/e84ec6e25df9bb0968599e92eacedaf3a0a5b587 - () https://git.kernel.org/stable/c/e84ec6e25df9bb0968599e92eacedaf3a0a5b587 - Patch
References () https://git.kernel.org/stable/c/ea3ebda47dd56f6e1c62f2e0e1b6e1b0a973e447 - () https://git.kernel.org/stable/c/ea3ebda47dd56f6e1c62f2e0e1b6e1b0a973e447 - Patch
Summary
  • (es) En el kernel de Linux, se resolvió la siguiente vulnerabilidad: Bluetooth: hci_qca: corrige el apagado del controlador en serdev cerrado La devolución de llamada de apagado del controlador (que envía EDL_SOC_RESET al dispositivo a través de serdev) no debe invocarse cuando el dispositivo HCI no está abierto (por ejemplo, si hci_dev_open_sync () falló), porque el serdev y su TTY tampoco están abiertos. Omita también este paso si el dispositivo está apagado (qca_power_shutdown()). La devolución de llamada de apagado provoca use-after-free durante el reinicio del sistema con Qualcomm Atheros Bluetooth: no se puede manejar la solicitud de paginación del kernel en la dirección virtual 0072662f67726fd7... CPU: 6 PID: 1 Comm: systemd-shutdow Contaminado: GW 6.1.0-rt5- 00325-g8a5f56bcfcca #8 Nombre del hardware: Qualcomm Technologies, Inc. Robotics RB5 (DT) Rastreo de llamadas: tty_driver_flush_búfer+0x4/0x30 serdev_device_write_flush+0x24/0x34 qca_serdev_shutdown+0x80/0x130 [hci_uart] device_shutdown+0x15c/0x2 60 kernel_restart+0x48/0xac KASAN informe: ERROR: KASAN: use-after-free en tty_driver_flush_búfer+0x1c/0x50 Lectura de tamaño 8 en la dirección ffff16270c2e0018 por tarea systemd-shutdow/1 CPU: 7 PID: 1 Comunicaciones: systemd-shutdow No contaminado 6.1.0-next- 20221220-00014-gb85aaf97fb01-dirty #28 Nombre del hardware: Qualcomm Technologies, Inc. Robotics RB5 (DT) Rastreo de llamadas: dump_backtrace.part.0+0xdc/0xf0 show_stack+0x18/0x30 dump_stack_lvl+0x68/0x84 print_report+0x188/0x488 puerto +0xa4/0xf0 __asan_load8+0x80/0xac tty_driver_flush_búfer+0x1c/0x50 ttyport_write_flush+0x34/0x44 serdev_device_write_flush+0x48/0x60 qca_serdev_shutdown+0x124/0x274 dispositivo_shutdown+0x1e8/0x3 50 kernel_restart+0x48/0xb0 __do_sys_reboot+0x244/0x2d0 __arm64_sys_reboot+0x54/0x70 invoke_syscall +0x60/0x190 el0_svc_common.constprop.0+0x7c/0x160 do_el0_svc+0x44/0xf0 el0_svc+0x2c/0x6c el0t_64_sync_handler+0xbc/0x140 el0t_64_sync+0x190/0x194
CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.8
First Time Linux linux Kernel
Linux
CWE CWE-416

21 Aug 2024, 07:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-21 07:15

Updated : 2024-08-29 02:39


NVD link : CVE-2022-48878

Mitre link : CVE-2022-48878

CVE.ORG link : CVE-2022-48878


JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-416

Use After Free