Bug 1219612 (CVE-2024-24859)

Summary: VUL-0: CVE-2024-24859: kernel-source,kernel-source-azure,kernel-source-rt: race condition in sniff_{min,max}_interval_set() can lead to a kernel panic
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED INVALID QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: carlos.lopez, lidong.zhong, stoyan.manolov, vasant.karasulli
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/393025/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-24859:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-02-06 09:22:57 UTC 
A race condition was found in the Linux kernel's net/bluetooth in sniff_{min,max}_interval_set() function. This can result in a bluetooth sniffing exception issue, possibly leading denial of service.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24859
https://www.cve.org/CVERecord?id=CVE-2024-24859
https://bugzilla.openanolis.cn/show_bug.cgi?id=8153
Comment 1 Carlos López 2024-02-06 09:26:26 UTC 
This is similar to da9065caa594 ("Bluetooth: Fix atomicity violation in {min,max}_key_size_set"), but no fix has been merged yet. The patch is in the mailing list:

https://marc.info/?l=linux-bluetooth&m=170326263725876&w=2
Comment 2 Carlos López 2024-02-06 09:49:07 UTC 
Introduced in 71c3b60ec6d2 ("Bluetooth: Move BR/EDR debugfs file creation ..."), which is present in:

 - cve/linux-4.4
 - cve/linux-4.12
 - cve/linux-5.3
 - cve/linux-5.14
 - SLE15-SP6
 - stable
 - master
Comment 4 Lidong Zhong 2024-04-08 08:20:24 UTC 
Same situation as bug 1219609. Since CONFIG_BT_DEBUGFS is not enabled, we are not affected by this CVE.