{"uuid": "eeb8d03b-e68d-457b-b909-3811dec73fbd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-56653", "type": "seen", "source": "https://t.me/cvedetector/13779", "content": "{\n \"Source\": \"CVE FEED\",\n \"Title\": \"CVE-2024-56653 - Bluetooth btusb UAF\", \n \"Content\": \"CVE ID : CVE-2024-56653 \nPublished : Dec. 27, 2024, 3:15 p.m. | 32\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved: \n \nBluetooth: btmtk: avoid UAF in btmtk_process_coredump \n \nhci_devcd_append may lead to the release of the skb, so it cannot be \naccessed once it is called. \n \n================================================================== \nBUG: KASAN: slab-use-after-free in btmtk_process_coredump+0x2a7/0x2d0 [btmtk] \nRead of size 4 at addr ffff888033cfabb0 by task kworker/0:3/82 \n \nCPU: 0 PID: 82 Comm: kworker/0:3 Tainted: G U 6.6.40-lockdep-03464-g1d8b4eb3060e #1 b0b3c1cc0c842735643fb411799d97921d1f688c \nHardware name: Google Yaviks_Ufs/Yaviks_Ufs, BIOS Google_Yaviks_Ufs.15217.552.0 05/07/2024 \nWorkqueue: events btusb_rx_work [btusb] \nCall Trace: \n \n dump_stack_lvl+0xfd/0x150 \n print_report+0x131/0x780 \n kasan_report+0x177/0x1c0 \n btmtk_process_coredump+0x2a7/0x2d0 [btmtk 03edd567dd71a65958807c95a65db31d433e1d01] \n btusb_recv_acl_mtk+0x11c/0x1a0 [btusb 675430d1e87c4f24d0c1f80efe600757a0f32bec] \n btusb_rx_work+0x9e/0xe0 [btusb 675430d1e87c4f24d0c1f80efe600757a0f32bec] \n worker_thread+0xe44/0x2cc0 \n kthread+0x2ff/0x3a0 \n ret_from_fork+0x51/0x80 \n ret_from_fork_asm+0x1b/0x30 \n \n \nAllocated by task 82: \n stack_trace_save+0xdc/0x190 \n kasan_set_track+0x4e/0x80 \n __kasan_slab_alloc+0x4e/0x60 \n kmem_cache_alloc+0x19f/0x360 \n skb_clone+0x132/0xf70 \n btusb_recv_acl_mtk+0x104/0x1a0 [btusb] \n btusb_rx_work+0x9e/0xe0 [btusb] \n worker_thread+0xe44/0x2cc0 \n kthread+0x2ff/0x3a0 \n ret_from_fork+0x51/0x80 \n ret_from_fork_asm+0x1b/0x30 \n \nFreed by task 1733: \n stack_trace_save+0xdc/0x190 \n kasan_set_track+0x4e/0x80 \n kasan_save_free_info+0x28/0xb0 \n ____kasan_slab_free+0xfd/0x170 \n kmem_cache_free+0x183/0x3f0 \n hci_devcd_rx+0x91a/0x2060 [bluetooth] \n worker_thread+0xe44/0x2cc0 \n kthread+0x2ff/0x3a0 \n ret_from_fork+0x51/0x80 \n ret_from_fork_asm+0x1b/0x30 \n \nThe buggy address belongs to the object at ffff888033cfab40 \n which belongs to the cache skbuff_head_cache of size 232 \nThe buggy address is located 112 bytes inside of \n freed 232-byte region [ffff888033cfab40, ffff888033cfac28) \n \nThe buggy address belongs to the physical page: \npage:00000000a174ba93 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x33cfa \nhead:00000000a174ba93 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0 \nanon flags: 0x4000000000000840(slab|head|zone=1) \npage_type: 0xffffffff() \nraw: 4000000000000840 ffff888100848a00 0000000000000000 0000000000000001 \nraw: 0000000000000000 0000000080190019 00000001ffffffff 0000000000000000 \npage dumped because: kasan: bad access detected \n \nMemory state around the buggy address: \n ffff888033cfaa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc \n ffff888033cfab00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb \n>ffff888033cfab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb \n ^ \n ffff888033cfac00: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc \n ffff888033cfac80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb \n================================================================== \n \nCheck if we need to call hci_devcd_complete before calling \nhci_devcd_append. That requires that we check data->cd_info.cnt >= \nMTK_COREDUMP_NUM instead of data->cd_info.cnt > MTK_COREDUMP_NUM, as we \nincrement data->cd_info.cnt only once the call to hci_devcd_append \nsucceeds. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n \"Detection Date\": \"27 Dec 2024\",\n \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-12-27T16:51:13.000000Z"}