{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-56653","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-12-27T15:00:39.841Z","datePublished":"2024-12-27T15:06:17.267Z","dateUpdated":"2025-05-04T10:01:07.983Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T10:01:07.983Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btmtk: avoid UAF in btmtk_process_coredump\n\nhci_devcd_append may lead to the release of the skb, so it cannot be\naccessed once it is called.\n\n==================================================================\nBUG: KASAN: slab-use-after-free in btmtk_process_coredump+0x2a7/0x2d0 [btmtk]\nRead of size 4 at addr ffff888033cfabb0 by task kworker/0:3/82\n\nCPU: 0 PID: 82 Comm: kworker/0:3 Tainted: G     U             6.6.40-lockdep-03464-g1d8b4eb3060e #1 b0b3c1cc0c842735643fb411799d97921d1f688c\nHardware name: Google Yaviks_Ufs/Yaviks_Ufs, BIOS Google_Yaviks_Ufs.15217.552.0 05/07/2024\nWorkqueue: events btusb_rx_work [btusb]\nCall Trace:\n <TASK>\n dump_stack_lvl+0xfd/0x150\n print_report+0x131/0x780\n kasan_report+0x177/0x1c0\n btmtk_process_coredump+0x2a7/0x2d0 [btmtk 03edd567dd71a65958807c95a65db31d433e1d01]\n btusb_recv_acl_mtk+0x11c/0x1a0 [btusb 675430d1e87c4f24d0c1f80efe600757a0f32bec]\n btusb_rx_work+0x9e/0xe0 [btusb 675430d1e87c4f24d0c1f80efe600757a0f32bec]\n worker_thread+0xe44/0x2cc0\n kthread+0x2ff/0x3a0\n ret_from_fork+0x51/0x80\n ret_from_fork_asm+0x1b/0x30\n </TASK>\n\nAllocated by task 82:\n stack_trace_save+0xdc/0x190\n kasan_set_track+0x4e/0x80\n __kasan_slab_alloc+0x4e/0x60\n kmem_cache_alloc+0x19f/0x360\n skb_clone+0x132/0xf70\n btusb_recv_acl_mtk+0x104/0x1a0 [btusb]\n btusb_rx_work+0x9e/0xe0 [btusb]\n worker_thread+0xe44/0x2cc0\n kthread+0x2ff/0x3a0\n ret_from_fork+0x51/0x80\n ret_from_fork_asm+0x1b/0x30\n\nFreed by task 1733:\n stack_trace_save+0xdc/0x190\n kasan_set_track+0x4e/0x80\n kasan_save_free_info+0x28/0xb0\n ____kasan_slab_free+0xfd/0x170\n kmem_cache_free+0x183/0x3f0\n hci_devcd_rx+0x91a/0x2060 [bluetooth]\n worker_thread+0xe44/0x2cc0\n kthread+0x2ff/0x3a0\n ret_from_fork+0x51/0x80\n ret_from_fork_asm+0x1b/0x30\n\nThe buggy address belongs to the object at ffff888033cfab40\n which belongs to the cache skbuff_head_cache of size 232\nThe buggy address is located 112 bytes inside of\n freed 232-byte region [ffff888033cfab40, ffff888033cfac28)\n\nThe buggy address belongs to the physical page:\npage:00000000a174ba93 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x33cfa\nhead:00000000a174ba93 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0\nanon flags: 0x4000000000000840(slab|head|zone=1)\npage_type: 0xffffffff()\nraw: 4000000000000840 ffff888100848a00 0000000000000000 0000000000000001\nraw: 0000000000000000 0000000080190019 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffff888033cfaa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc\n ffff888033cfab00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb\n>ffff888033cfab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n                                     ^\n ffff888033cfac00: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc\n ffff888033cfac80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n==================================================================\n\nCheck if we need to call hci_devcd_complete before calling\nhci_devcd_append. That requires that we check data->cd_info.cnt >=\nMTK_COREDUMP_NUM instead of data->cd_info.cnt > MTK_COREDUMP_NUM, as we\nincrement data->cd_info.cnt only once the call to hci_devcd_append\nsucceeds."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/bluetooth/btmtk.c"],"versions":[{"version":"0b70151328781a89c89e4cf3fae21fc0e98d869e","lessThan":"ecdcaea0e4057171ea4c3783e1cc1c900ad99125","status":"affected","versionType":"git"},{"version":"0b70151328781a89c89e4cf3fae21fc0e98d869e","lessThan":"d20ff1d3cb40479789368f502eedb0a00e4161fc","status":"affected","versionType":"git"},{"version":"0b70151328781a89c89e4cf3fae21fc0e98d869e","lessThan":"b548f5e9456c568155499d9ebac675c0d7a296e8","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/bluetooth/btmtk.c"],"versions":[{"version":"6.6","status":"affected"},{"version":"0","lessThan":"6.6","status":"unaffected","versionType":"semver"},{"version":"6.6.67","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.6","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.13","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6","versionEndExcluding":"6.6.67"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6","versionEndExcluding":"6.12.6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6","versionEndExcluding":"6.13"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/ecdcaea0e4057171ea4c3783e1cc1c900ad99125"},{"url":"https://git.kernel.org/stable/c/d20ff1d3cb40479789368f502eedb0a00e4161fc"},{"url":"https://git.kernel.org/stable/c/b548f5e9456c568155499d9ebac675c0d7a296e8"}],"title":"Bluetooth: btmtk: avoid UAF in btmtk_process_coredump","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":7.8,"attackVector":"LOCAL","baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"id":"CVE-2024-56653","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2025-02-10T17:12:36.149628Z"}}}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","cweId":"CWE-416","description":"CWE-416 Use After Free"}]}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-02-10T17:21:07.909Z"}}]}}