CVE-2024-54191

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-54191
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-54191.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-54191
Related
Published
2025-01-11T13:15:26Z
Modified
2025-01-16T17:50:10.302786Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: iso: Fix circular lock in isoconnbig_sync

This fixes the circular locking dependency warning below, by reworking isosockrecvmsg, to ensure that the socket lock is always released before calling a function that locks hdev.

[ 561.670344] ====================================================== [ 561.670346] WARNING: possible circular locking dependency detected [ 561.670349] 6.12.0-rc6+ #26 Not tainted [ 561.670351] ------------------------------------------------------ [ 561.670353] iso-tester/3289 is trying to acquire lock: [ 561.670355] ffff88811f600078 (&hdev->lock){+.+.}-{3:3}, at: isoconnbigsync+0x73/0x260 [bluetooth] [ 561.670405] but task is already holding lock: [ 561.670407] ffff88815af58258 (sklock-AFBLUETOOTH){+.+.}-{0:0}, at: isosock_recvmsg+0xbf/0x500 [bluetooth] [ 561.670450] which lock already depends on the new lock.

[ 561.670452] the existing dependency chain (in reverse order) is: [ 561.670453] -> #2 (sklock-AFBLUETOOTH){+.+.}-{0:0}: [ 561.670458] lockacquire+0x7c/0xc0 [ 561.670463] locksocknested+0x3b/0xf0 [ 561.670467] btacceptdequeue+0x1a5/0x4d0 [bluetooth] [ 561.670510] isosockaccept+0x271/0x830 [bluetooth] [ 561.670547] doaccept+0x3dd/0x610 [ 561.670550] _sysaccept4+0xd8/0x170 [ 561.670553] _x64sysaccept+0x74/0xc0 [ 561.670556] x64syscall+0x17d6/0x25f0 [ 561.670559] dosyscall64+0x87/0x150 [ 561.670563] entrySYSCALL64afterhwframe+0x76/0x7e [ 561.670567] -> #1 (sklock-AFBLUETOOTH-BTPROTOISO){+.+.}-{0:0}: [ 561.670571] lockacquire+0x7c/0xc0 [ 561.670574] locksocknested+0x3b/0xf0 [ 561.670577] isosocklisten+0x2de/0xf30 [bluetooth] [ 561.670617] _syslistensocket+0xef/0x130 [ 561.670620] _x64syslisten+0xe1/0x190 [ 561.670623] x64syscall+0x2517/0x25f0 [ 561.670626] dosyscall64+0x87/0x150 [ 561.670629] entrySYSCALL64afterhwframe+0x76/0x7e [ 561.670632] -> #0 (&hdev->lock){+.+.}-{3:3}: [ 561.670636] _lockacquire+0x32ad/0x6ab0 [ 561.670639] lockacquire.part.0+0x118/0x360 [ 561.670642] lockacquire+0x7c/0xc0 [ 561.670644] _mutexlock+0x18d/0x12f0 [ 561.670647] mutexlocknested+0x1b/0x30 [ 561.670651] isoconnbigsync+0x73/0x260 [bluetooth] [ 561.670687] isosockrecvmsg+0x3e9/0x500 [bluetooth] [ 561.670722] sockrecvmsg+0x1d5/0x240 [ 561.670725] sockreaditer+0x27d/0x470 [ 561.670727] vfsread+0x9a0/0xd30 [ 561.670731] ksysread+0x1a8/0x250 [ 561.670733] _x64sysread+0x72/0xc0 [ 561.670736] x64syscall+0x1b12/0x25f0 [ 561.670738] dosyscall64+0x87/0x150 [ 561.670741] entrySYSCALL64afterhwframe+0x76/0x7e [ 561.670744] other info that might help us debug this:

[ 561.670745] Chain exists of: &hdev->lock --> sklock-AFBLUETOOTH-BTPROTOISO --> sklock-AF_BLUETOOTH

[ 561.670751] Possible unsafe locking scenario:

[ 561.670753] CPU0 CPU1 [ 561.670754] ---- ---- [ 561.670756] lock(sklock-AFBLUETOOTH); [ 561.670758] lock(sklock AFBLUETOOTH-BTPROTOISO); [ 561.670761] lock(sklock-AF_BLUETOOTH); [ 561.670764] lock(&hdev->lock); [ 561.670767] * DEADLOCK *

References

Affected packages

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.12.6-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.1.112-1
6.1.115-1
6.1.119-1
6.1.123-1
6.1.124-1
6.3.1-1~exp1
6.3.2-1~exp1
6.3.4-1~exp1
6.3.5-1~exp1
6.3.7-1~bpo12+1
6.3.7-1
6.3.11-1
6.4~rc6-1~exp1
6.4~rc7-1~exp1
6.4.1-1~exp1
6.4.4-1~bpo12+1
6.4.4-1
6.4.4-2
6.4.4-3~bpo12+1
6.4.4-3
6.4.11-1
6.4.13-1
6.5~rc4-1~exp1
6.5~rc6-1~exp1
6.5~rc7-1~exp1
6.5.1-1~exp1
6.5.3-1~bpo12+1
6.5.3-1
6.5.6-1
6.5.8-1
6.5.10-1~bpo12+1
6.5.10-1
6.5.13-1
6.6.3-1~exp1
6.6.4-1~exp1
6.6.7-1~exp1
6.6.8-1
6.6.9-1
6.6.11-1
6.6.13-1~bpo12+1
6.6.13-1
6.6.15-1
6.6.15-2
6.7-1~exp1
6.7.1-1~exp1
6.7.4-1~exp1
6.7.7-1
6.7.9-1
6.7.9-2
6.7.12-1~bpo12+1
6.7.12-1
6.8.9-1
6.8.11-1
6.8.12-1~bpo12+1
6.8.12-1
6.9.2-1~exp1
6.9.7-1~bpo12+1
6.9.7-1
6.9.8-1
6.9.9-1
6.9.10-1~bpo12+1
6.9.10-1
6.9.11-1
6.9.12-1
6.10-1~exp1
6.10.1-1~exp1
6.10.3-1
6.10.4-1
6.10.6-1~bpo12+1
6.10.6-1
6.10.7-1
6.10.9-1
6.10.11-1~bpo12+1
6.10.11-1
6.10.12-1
6.11~rc4-1~exp1
6.11~rc5-1~exp1
6.11-1~exp1
6.11.2-1
6.11.4-1
6.11.5-1~bpo12+1
6.11.5-1
6.11.6-1
6.11.7-1
6.11.9-1
6.11.10-1~bpo12+1
6.11.10-1
6.12~rc6-1~exp1
6.12.3-1
6.12.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}