CVE-2022-49200

Summary

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btmtksdio: Fix kernel oops in btmtksdio_interrupt

Fix the following kernel oops in btmtksdio_interrrupt

[ 14.339134] btmtksdio_interrupt+0x28/0x54 [ 14.339139] process_sdio_pending_irqs+0x68/0x1a0 [ 14.339144] sdio_irq_work+0x40/0x70 [ 14.339154] process_one_work+0x184/0x39c [ 14.339160] worker_thread+0x228/0x3e8 [ 14.339168] kthread+0x148/0x3ac [ 14.339176] ret_from_fork+0x10/0x30

That happened because hdev->power_on is already called before sdio_set_drvdata which btmtksdio_interrupt handler relies on is not properly set up.

The details are shown as the below: hci_register_dev would run queue_work(hdev->req_workqueue, &hdev->power_on) as WQ_HIGHPRI workqueue_struct to complete the power-on sequeunce and thus hci_power_on may run before sdio_set_drvdata is done in btmtksdio_probe.

The hci_dev_do_open in hci_power_on would initialize the device and enable the interrupt and thus it is possible that btmtksdio_interrupt is being called right before sdio_set_drvdata is filled out.

When btmtksdio_interrupt is being called and sdio_set_drvdata is not filled , the kernel oops is going to happen because btmtksdio_interrupt access an uninitialized pointer.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux9aebfd4a2200ab8075e44379c758bccefdc589bb < 874eca93966a786eace87fa6dfb206c2dd9519b1affected
LinuxLinux9aebfd4a2200ab8075e44379c758bccefdc589bb < 70a6cf749d9ff9f463490248322e5343199bc267affected
LinuxLinux9aebfd4a2200ab8075e44379c758bccefdc589bb < 770a97d3f34b801de1b04737b43e02c55118c41aaffected
LinuxLinux9aebfd4a2200ab8075e44379c758bccefdc589bb < 4d3d1f2c35a19988d3c5f0ee86038b525e830840affected
LinuxLinux9aebfd4a2200ab8075e44379c758bccefdc589bb < 6d7be5afbb41c918d2f12f857f8c7efa50500be2affected
LinuxLinux9aebfd4a2200ab8075e44379c758bccefdc589bb < b062a0b9c1dc1ff63094337dccfe1568d5b62023affected
LinuxLinux5.2affected
LinuxLinux0 < 5.2unaffected
LinuxLinux5.4.189 <= 5.4.*unaffected
LinuxLinux5.10.110 <= 5.10.*unaffected
LinuxLinux5.15.33 <= 5.15.*unaffected
LinuxLinux5.16.19 <= 5.16.*unaffected
LinuxLinux5.17.2 <= 5.17.*unaffected
LinuxLinux5.18 <= *unaffected

Weaknesses

References