{
  "id": "CVE-2022-49470",
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "published": "2025-02-26T07:01:23.240",
  "lastModified": "2025-02-27T19:15:44.743",
  "vulnStatus": "Received",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btmtksdio: fix use-after-free at btmtksdio_recv_event\n\nWe should not access skb buffer data anymore after hci_recv_frame was\ncalled.\n\n[   39.634809] BUG: KASAN: use-after-free in btmtksdio_recv_event+0x1b0\n[   39.634855] Read of size 1 at addr ffffff80cf28a60d by task kworker\n[   39.634962] Call trace:\n[   39.634974]  dump_backtrace+0x0/0x3b8\n[   39.634999]  show_stack+0x20/0x2c\n[   39.635016]  dump_stack_lvl+0x60/0x78\n[   39.635040]  print_address_description+0x70/0x2f0\n[   39.635062]  kasan_report+0x154/0x194\n[   39.635079]  __asan_report_load1_noabort+0x44/0x50\n[   39.635099]  btmtksdio_recv_event+0x1b0/0x1c4\n[   39.635129]  btmtksdio_txrx_work+0x6cc/0xac4\n[   39.635157]  process_one_work+0x560/0xc5c\n[   39.635177]  worker_thread+0x7ec/0xcc0\n[   39.635195]  kthread+0x2d0/0x3d0\n[   39.635215]  ret_from_fork+0x10/0x20\n[   39.635247] Allocated by task 0:\n[   39.635260] (stack is not available)\n[   39.635281] Freed by task 2392:\n[   39.635295]  kasan_save_stack+0x38/0x68\n[   39.635319]  kasan_set_track+0x28/0x3c\n[   39.635338]  kasan_set_free_info+0x28/0x4c\n[   39.635357]  ____kasan_slab_free+0x104/0x150\n[   39.635374]  __kasan_slab_free+0x18/0x28\n[   39.635391]  slab_free_freelist_hook+0x114/0x248\n[   39.635410]  kfree+0xf8/0x2b4\n[   39.635427]  skb_free_head+0x58/0x98\n[   39.635447]  skb_release_data+0x2f4/0x410\n[   39.635464]  skb_release_all+0x50/0x60\n[   39.635481]  kfree_skb+0xc8/0x25c\n[   39.635498]  hci_event_packet+0x894/0xca4 [bluetooth]\n[   39.635721]  hci_rx_work+0x1c8/0x68c [bluetooth]\n[   39.635925]  process_one_work+0x560/0xc5c\n[   39.635951]  worker_thread+0x7ec/0xcc0\n[   39.635970]  kthread+0x2d0/0x3d0\n[   39.635990]  ret_from_fork+0x10/0x20\n[   39.636021] The buggy address belongs to the object at ffffff80cf28a600\n                which belongs to the cache kmalloc-512 of size 512\n[   39.636039] The buggy address is located 13 bytes inside of\n                512-byte region [ffffff80cf28a600, ffffff80cf28a800)"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Bluetooth: btmtksdio: se corrige el use-after-free en btmtksdio_recv_event Ya no deber\u00edamos acceder a los datos del b\u00fafer skb despu\u00e9s de llamar a hci_recv_frame. [ 39.634809] ERROR: KASAN: use-after-free in btmtksdio_recv_event+0x1b0 [ 39.634855] Read of size 1 at addr ffffff80cf28a60d by task kworker [ 39.634962] Call trace: [ 39.634974] dump_backtrace+0x0/0x3b8 [ 39.634999] show_stack+0x20/0x2c [ 39.635016] dump_stack_lvl+0x60/0x78 [ 39.635040] print_address_description+0x70/0x2f0 [ 39.635062] kasan_report+0x154/0x194 [ 39.635079] __asan_report_load1_noabort+0x44/0x50 [ 39.635099] btmtksdio_recv_event+0x1b0/0x1c4 [ 39.635129] btmtksdio_txrx_work+0x6cc/0xac4 [ 39.635157] process_one_work+0x560/0xc5c [ 39.635177] worker_thread+0x7ec/0xcc0 [ 39.635195] kthread+0x2d0/0x3d0 [ 39.635215] ret_from_fork+0x10/0x20 [ 39.635247] Allocated by task 0: [ 39.635260] (stack is not available) [ 39.635281] Freed by task 2392: [ 39.635295] kasan_save_stack+0x38/0x68 [ 39.635319] kasan_set_track+0x28/0x3c [ 39.635338] kasan_set_free_info+0x28/0x4c [ 39.635357] ____kasan_slab_free+0x104/0x150 [ 39.635374] __kasan_slab_free+0x18/0x28 [ 39.635391] slab_free_freelist_hook+0x114/0x248 [ 39.635410] kfree+0xf8/0x2b4 [ 39.635427] skb_free_head+0x58/0x98 [ 39.635447] skb_release_data+0x2f4/0x410 [ 39.635464] skb_release_all+0x50/0x60 [ 39.635481] kfree_skb+0xc8/0x25c [ 39.635498] hci_event_packet+0x894/0xca4 [bluetooth] [ 39.635721] hci_rx_work+0x1c8/0x68c [bluetooth] [ 39.635925] process_one_work+0x560/0xc5c [ 39.635951] worker_thread+0x7ec/0xcc0 [ 39.635970] kthread+0x2d0/0x3d0 [ 39.635990] ret_from_fork+0x10/0x20 [ 39.636021] The buggy address belongs to the object at ffffff80cf28a600 which belongs to the cache kmalloc-512 of size 512 [ 39.636039] The buggy address is located 13 bytes inside of 512-byte region [ffffff80cf28a600, ffffff80cf28a800) "
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "attackVector": "LOCAL",
          "attackComplexity": "LOW",
          "privilegesRequired": "LOW",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "availabilityImpact": "HIGH"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9
      }
    ]
  },
  "weaknesses": [
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-416"
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://git.kernel.org/stable/c/01c6a899fa6be4f4cbf60c4f44f0f6691155415f",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/02ba31e09a26e8cd4582ac8e6163d80284997727",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/0fab6361c4ba17d1b43a991bef4238a3c1754d35",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/b3cec8a42fcd11d05313c724f27e01b1db77522c",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    }
  ]
}