CVE-2022-48878

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-48878
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-48878.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-48878
Related
Published
2024-08-21T07:15:04Z
Modified
2024-09-18T03:22:39.149581Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_qca: Fix driver shutdown on closed serdev

The driver shutdown callback (which sends EDLSOCRESET to the device over serdev) should not be invoked when HCI device is not open (e.g. if hcidevopensync() failed), because the serdev and its TTY are not open either. Also skip this step if device is powered off (qcapower_shutdown()).

The shutdown callback causes use-after-free during system reboot with Qualcomm Atheros Bluetooth:

Unable to handle kernel paging request at virtual address 0072662f67726fd7 ... CPU: 6 PID: 1 Comm: systemd-shutdow Tainted: G W 6.1.0-rt5-00325-g8a5f56bcfcca #8 Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT) Call trace: ttydriverflushbuffer+0x4/0x30 serdevdevicewriteflush+0x24/0x34 qcaserdevshutdown+0x80/0x130 [hciuart] deviceshutdown+0x15c/0x260 kernel_restart+0x48/0xac

KASAN report:

BUG: KASAN: use-after-free in ttydriverflush_buffer+0x1c/0x50 Read of size 8 at addr ffff16270c2e0018 by task systemd-shutdow/1

CPU: 7 PID: 1 Comm: systemd-shutdow Not tainted 6.1.0-next-20221220-00014-gb85aaf97fb01-dirty #28 Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT) Call trace: dumpbacktrace.part.0+0xdc/0xf0 showstack+0x18/0x30 dumpstacklvl+0x68/0x84 printreport+0x188/0x488 kasanreport+0xa4/0xf0 _asanload8+0x80/0xac ttydriverflushbuffer+0x1c/0x50 ttyportwriteflush+0x34/0x44 serdevdevicewriteflush+0x48/0x60 qcaserdevshutdown+0x124/0x274 deviceshutdown+0x1e8/0x350 kernelrestart+0x48/0xb0 _dosysreboot+0x244/0x2d0 _arm64sysreboot+0x54/0x70 invokesyscall+0x60/0x190 el0svccommon.constprop.0+0x7c/0x160 doel0svc+0x44/0xf0 el0svc+0x2c/0x6c el0t64synchandler+0xbc/0x140 el0t64_sync+0x190/0x194

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.178-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2
5.10.136-1
5.10.140-1
5.10.148-1
5.10.149-1
5.10.149-2
5.10.158-1
5.10.158-2
5.10.162-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.8-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.8-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}