CVE-2022-49470

{"id": "CVE-2022-49470", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2025-02-26T07:01:23.240", "references": [{"url": "https://git.kernel.org/stable/c/01c6a899fa6be4f4cbf60c4f44f0f6691155415f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/02ba31e09a26e8cd4582ac8e6163d80284997727", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/0fab6361c4ba17d1b43a991bef4238a3c1754d35", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b3cec8a42fcd11d05313c724f27e01b1db77522c", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btmtksdio: fix use-after-free at btmtksdio_recv_event\n\nWe should not access skb buffer data anymore after hci_recv_frame was\ncalled.\n\n[ 39.634809] BUG: KASAN: use-after-free in btmtksdio_recv_event+0x1b0\n[ 39.634855] Read of size 1 at addr ffffff80cf28a60d by task kworker\n[ 39.634962] Call trace:\n[ 39.634974] dump_backtrace+0x0/0x3b8\n[ 39.634999] show_stack+0x20/0x2c\n[ 39.635016] dump_stack_lvl+0x60/0x78\n[ 39.635040] print_address_description+0x70/0x2f0\n[ 39.635062] kasan_report+0x154/0x194\n[ 39.635079] __asan_report_load1_noabort+0x44/0x50\n[ 39.635099] btmtksdio_recv_event+0x1b0/0x1c4\n[ 39.635129] btmtksdio_txrx_work+0x6cc/0xac4\n[ 39.635157] process_one_work+0x560/0xc5c\n[ 39.635177] worker_thread+0x7ec/0xcc0\n[ 39.635195] kthread+0x2d0/0x3d0\n[ 39.635215] ret_from_fork+0x10/0x20\n[ 39.635247] Allocated by task 0:\n[ 39.635260] (stack is not available)\n[ 39.635281] Freed by task 2392:\n[ 39.635295] kasan_save_stack+0x38/0x68\n[ 39.635319] kasan_set_track+0x28/0x3c\n[ 39.635338] kasan_set_free_info+0x28/0x4c\n[ 39.635357] ____kasan_slab_free+0x104/0x150\n[ 39.635374] __kasan_slab_free+0x18/0x28\n[ 39.635391] slab_free_freelist_hook+0x114/0x248\n[ 39.635410] kfree+0xf8/0x2b4\n[ 39.635427] skb_free_head+0x58/0x98\n[ 39.635447] skb_release_data+0x2f4/0x410\n[ 39.635464] skb_release_all+0x50/0x60\n[ 39.635481] kfree_skb+0xc8/0x25c\n[ 39.635498] hci_event_packet+0x894/0xca4 [bluetooth]\n[ 39.635721] hci_rx_work+0x1c8/0x68c [bluetooth]\n[ 39.635925] process_one_work+0x560/0xc5c\n[ 39.635951] worker_thread+0x7ec/0xcc0\n[ 39.635970] kthread+0x2d0/0x3d0\n[ 39.635990] ret_from_fork+0x10/0x20\n[ 39.636021] The buggy address belongs to the object at ffffff80cf28a600\n which belongs to the cache kmalloc-512 of size 512\n[ 39.636039] The buggy address is located 13 bytes inside of\n 512-byte region [ffffff80cf28a600, ffffff80cf28a800)"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Bluetooth: btmtksdio: se corrige el use-after-free en btmtksdio_recv_event Ya no deber\u00edamos acceder a los datos del b\u00fafer skb despu\u00e9s de llamar a hci_recv_frame. [ 39.634809] ERROR: KASAN: use-after-free in btmtksdio_recv_event+0x1b0 [ 39.634855] Read of size 1 at addr ffffff80cf28a60d by task kworker [ 39.634962] Call trace: [ 39.634974] dump_backtrace+0x0/0x3b8 [ 39.634999] show_stack+0x20/0x2c [ 39.635016] dump_stack_lvl+0x60/0x78 [ 39.635040] print_address_description+0x70/0x2f0 [ 39.635062] kasan_report+0x154/0x194 [ 39.635079] __asan_report_load1_noabort+0x44/0x50 [ 39.635099] btmtksdio_recv_event+0x1b0/0x1c4 [ 39.635129] btmtksdio_txrx_work+0x6cc/0xac4 [ 39.635157] process_one_work+0x560/0xc5c [ 39.635177] worker_thread+0x7ec/0xcc0 [ 39.635195] kthread+0x2d0/0x3d0 [ 39.635215] ret_from_fork+0x10/0x20 [ 39.635247] Allocated by task 0: [ 39.635260] (stack is not available) [ 39.635281] Freed by task 2392: [ 39.635295] kasan_save_stack+0x38/0x68 [ 39.635319] kasan_set_track+0x28/0x3c [ 39.635338] kasan_set_free_info+0x28/0x4c [ 39.635357] ____kasan_slab_free+0x104/0x150 [ 39.635374] __kasan_slab_free+0x18/0x28 [ 39.635391] slab_free_freelist_hook+0x114/0x248 [ 39.635410] kfree+0xf8/0x2b4 [ 39.635427] skb_free_head+0x58/0x98 [ 39.635447] skb_release_data+0x2f4/0x410 [ 39.635464] skb_release_all+0x50/0x60 [ 39.635481] kfree_skb+0xc8/0x25c [ 39.635498] hci_event_packet+0x894/0xca4 [bluetooth] [ 39.635721] hci_rx_work+0x1c8/0x68c [bluetooth] [ 39.635925] process_one_work+0x560/0xc5c [ 39.635951] worker_thread+0x7ec/0xcc0 [ 39.635970] kthread+0x2d0/0x3d0 [ 39.635990] ret_from_fork+0x10/0x20 [ 39.636021] The buggy address belongs to the object at ffffff80cf28a600 which belongs to the cache kmalloc-512 of size 512 [ 39.636039] The buggy address is located 13 bytes inside of 512-byte region [ffffff80cf28a600, ffffff80cf28a800) "}], "lastModified": "2025-03-24T19:58:47.470", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2A62F037-652E-4FE9-83E5-34D00905DD46", "versionEndExcluding": "5.15.54", "versionStartIncluding": "5.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "15E2DD33-2255-4B76-9C15-04FF8CBAB252", "versionEndExcluding": "5.17.14", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8E122216-2E9E-4B3E-B7B8-D575A45BA3C2", "versionEndExcluding": "5.18.3", "versionStartIncluding": "5.18"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}