Recently, a vulnerability, tracked as CVE-2024-56757, has been resolved in the Linux kernel. It affects the Bluetooth USB driver for MediaTek devices. This post is meant to serve as a comprehensive walkthrough, exploring the details of the vulnerability and providing a code snippet to demonstrate the fix. Additionally, links to the original references and a discussion of how this vulnerability could be triggered are provided.
The Vulnerability
The vulnerability revolves around the Bluetooth USB driver, specifically for devices built on MediaTek technology. MediaTek devices use a dedicated USB interrupt interface for ISO data transmission, and the driver must release this interface before the HCI device is unregistered during USB disconnection. If the interface is not released properly at disconnect time, unregistering the HCI device can trigger a kernel panic. Essentially, removing the Bluetooth USB dongle without first releasing the interface may cause critical system instability and kernel crashes.
The Fix
To address this vulnerability, a proper interface (intf) release flow is performed when a USB disconnect occurs. The modifications were made to the btusb_mtk_probe function in the drivers/bluetooth/btusb.c file.
Here is a snippet of the code with the applied fix, highlighting the added release_interface logic:
static void btusb_mtk_disconnect(struct usb_interface *intf)
{
	struct hci_dev *hdev = usb_get_intfdata(intf);
	struct btusb_data *data = hci_get_drvdata(hdev);

	BT_INFO("Mediatek Bluetooth USB driver ver %s", VERSION);

	/* Added release_interface logic to ensure proper intf release flow:
	 * the extra interrupt interface claimed for ISO data must be handed
	 * back to USB core before the HCI device is unregistered. */
	if (!IS_ERR_OR_NULL(data->isoc)) {
		struct usb_interface *isoc = data->isoc;

		data->isoc = NULL;
		/* btusb_driver is the driver's own struct usb_driver */
		usb_driver_release_interface(&btusb_driver, isoc);
	}

	usb_set_intfdata(intf, NULL);
	hci_unregister_dev(hdev);
	btusb_mtk_hdev_cleanup(hdev);
	hci_free_dev(hdev);
}
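To make the ordering requirement concrete, here is an added user-space model of the disconnect sequence (constructed for this post, not the kernel's or the driver's code): the ISO interface holds a pointer to the driver data, so unregistering the HCI device while that interface is still bound leaves a dangling reference, which the model reports instead of panicking. The struct names, the model_* helpers and probe_device are hypothetical stand-ins for the kernel objects named in the snippet above.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed user-space model of the teardown ordering behind the fix (not
 * kernel code); struct usb_intf and struct mtk_bt are hypothetical stand-ins. */
struct usb_intf {
    void *drvdata;  /* models usb_get_intfdata()/usb_set_intfdata() */
    bool claimed;   /* interface currently bound to the driver */
};

struct mtk_bt {
    struct usb_intf *isoc;  /* extra interrupt interface claimed for ISO data */
    bool hci_registered;
};

/* Models hci_unregister_dev() + hci_free_dev(): the driver data goes away, so an
 * interface still bound to it is left dangling; -1 stands in for the panic. */
static int model_hci_unregister(struct mtk_bt *bt)
{
    if (bt->isoc && bt->isoc->claimed && bt->isoc->drvdata == bt)
        return -1;
    bt->hci_registered = false;
    return 0;
}

/* Models usb_set_intfdata(isoc, NULL) + usb_driver_release_interface(). */
static void model_release_iso_intf(struct mtk_bt *bt)
{
    if (!bt->isoc)
        return;
    bt->isoc->drvdata = NULL;
    bt->isoc->claimed = false;
    bt->isoc = NULL;
}

/* Unpatched order: unregister while the ISO interface is still bound. */
int disconnect_unpatched(struct mtk_bt *bt) { return model_hci_unregister(bt); }

/* Patched order: release the extra interface first, then unregister. */
int disconnect_patched(struct mtk_bt *bt)
{
    model_release_iso_intf(bt);
    return model_hci_unregister(bt);
}

/* Probed state: the ISO interface is claimed and points at the driver data. */
void probe_device(struct mtk_bt *bt, struct usb_intf *iso)
{
    *bt = (struct mtk_bt){ .isoc = iso, .hci_registered = true };
    *iso = (struct usb_intf){ .drvdata = bt, .claimed = true };
}
```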
Links to Original References
1. Official Linux Kernel Commit Resolving CVE-2024-56757
2. CVE-2024-56757 Details on GitHub
Potential Exploits
A proof of concept for this vulnerability consisted of crashing the system by triggering HCI device unregistration while the interrupt interface was still held. An attacker with physical access to a vulnerable system could remove the Bluetooth USB dongle, causing a kernel panic and leading to a Denial of Service (DoS) condition. System administrators and users should update their Linux kernel with the relevant security fixes to avoid exposure to CVE-2024-56757.
Conclusion
CVE-2024-56757 highlights the importance of handling USB disconnects correctly, especially when a device claims additional interfaces for special hardware functionality. The added release_interface flow ensures that the interface is released before HCI device unregistration occurs, which prevents the kernel panic and contributes to a stable and secure Linux system. The vulnerability should also serve as a reminder to keep kernel versions up to date in order to mitigate potential exploits.
Timeline
Published on: 01/06/2025 17:15:40 UTC
Last modified on: 01/07/2025 22:46:35 UTC