CVE-2024-42137 in Linuxinfo

Summary

by MITRE • 07/30/2024

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: qca: Fix BT enable failure again for QCA6390 after warm reboot

Commit 272970be3dab ("Bluetooth: hci_qca: Fix driver shutdown on closed serdev") will cause below regression issue:

BT can't be enabled after below steps: cold boot -> enable BT -> disable BT -> warm reboot -> BT enable failure if property enable-gpios is not configured within DT|ACPI for QCA6390.

The commit is to fix a use-after-free issue within qca_serdev_shutdown() by adding condition to avoid the serdev is flushed or wrote after closed but also introduces this regression issue regarding above steps since the VSC is not sent to reset controller during warm reboot.

Fixed by sending the VSC to reset controller within qca_serdev_shutdown() once BT was ever enabled, and the use-after-free issue is also fixed by this change since the serdev is still opened before it is flushed or wrote.

Verified by the reported machine Dell XPS 13 9310 laptop over below two kernel commits: commit e00fc2700a3f ("Bluetooth: btusb: Fix triggering coredump implementation for QCA") of bluetooth-next tree. commit b23d98d46d28 ("Bluetooth: btusb: Fix triggering coredump implementation for QCA") of linus mainline tree.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/19/2025

The vulnerability CVE-2024-42137 represents a regression in the Linux kernel's Bluetooth subsystem affecting Qualcomm QCA6390 chipset devices. This issue specifically impacts the hci_qca driver's handling of Bluetooth enable operations following warm reboot sequences. The problem emerged from a previous fix commit 272970be3dab that addressed a use-after-free condition in the qca_serdev_shutdown() function but inadvertently introduced a new regression. The technical flaw manifests when users execute a sequence involving cold boot, enabling Bluetooth, disabling Bluetooth, performing a warm reboot, and then attempting to enable Bluetooth again. This particular failure mode occurs exclusively on systems where the device tree or ACPI configuration lacks the enable-gpios property definition for the QCA6390 chipset.

The operational impact of this vulnerability is significant for laptop users, particularly those operating Dell XPS 13 9310 models and similar devices equipped with QCA6390 Bluetooth controllers. When the regression occurs, users experience complete Bluetooth functionality failure after warm reboots, requiring system cold boot to restore Bluetooth operations. This creates an unacceptable user experience degradation and potentially impacts productivity when wireless connectivity is required immediately after system restarts. The issue affects the core Bluetooth initialization sequence and specifically targets the VSC (Vendor Specific Command) communication pathway that resets the controller hardware. The vulnerability demonstrates how seemingly beneficial security fixes can introduce regressions that compromise system usability and reliability.

The root cause stems from improper handling of the serdev (serial device) shutdown sequence within the qca_serdev_shutdown() function. When Bluetooth is disabled and a warm reboot occurs, the previous fix prevents use-after-free conditions by closing the serdev before attempting flush or write operations. However, this approach fails to send the necessary VSC command to reset the QCA6390 controller hardware, which is essential for proper Bluetooth re-enablement. The fix implemented addresses this by ensuring that the VSC reset command is sent to the controller within qca_serdev_shutdown() whenever Bluetooth has been previously enabled, thereby maintaining the controller state while preserving the use-after-free protection. This solution aligns with CWE-415: Double Free and CWE-416: Use After Free categories, as it prevents both the original memory safety issue and the subsequent functional regression. The mitigation approach follows ATT&CK technique T1547.001: Registry Run Keys / Startup Folder, by ensuring proper controller state management during system transitions rather than relying on external recovery mechanisms.

The resolution demonstrates the complexity of embedded system firmware interactions and the delicate balance between security hardening and functional reliability. The fix maintains the original use-after-free protection while restoring proper controller reset functionality, ensuring that Bluetooth operations remain consistent across different system states. Verification testing confirmed the effectiveness of the solution across multiple kernel versions including commits e00fc2700a3f and b23d98d46d28, which address related Bluetooth subsystem issues. This vulnerability highlights the importance of thorough regression testing in kernel development, particularly when modifications affect hardware initialization sequences and device state management. The fix represents a targeted approach that preserves existing security protections while addressing the specific operational failure scenario, ensuring that system recovery mechanisms maintain both safety and functionality.

Responsible

Linux

Reservation

07/29/2024

Disclosure

07/30/2024

Moderation

accepted

CPE

ready

EPSS

0.00233

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!