CVE-2024-56653 in Linux

Summary

by MITRE • 12/27/2024

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btmtk: avoid UAF in btmtk_process_coredump

hci_devcd_append may lead to the release of the skb, so it cannot be accessed once it is called.

==================================================================
BUG: KASAN: slab-use-after-free in btmtk_process_coredump+0x2a7/0x2d0 [btmtk]
Read of size 4 at addr ffff888033cfabb0 by task kworker/0:3/82

CPU: 0 PID: 82 Comm: kworker/0:3 Tainted: G U 6.6.40-lockdep-03464-g1d8b4eb3060e #1 b0b3c1cc0c842735643fb411799d97921d1f688c
Hardware name: Google Yaviks_Ufs/Yaviks_Ufs, BIOS Google_Yaviks_Ufs.15217.552.0 05/07/2024
Workqueue: events btusb_rx_work [btusb]
Call Trace:
 dump_stack_lvl+0xfd/0x150
 print_report+0x131/0x780
 kasan_report+0x177/0x1c0
 btmtk_process_coredump+0x2a7/0x2d0 [btmtk 03edd567dd71a65958807c95a65db31d433e1d01]
 btusb_recv_acl_mtk+0x11c/0x1a0 [btusb 675430d1e87c4f24d0c1f80efe600757a0f32bec]
 btusb_rx_work+0x9e/0xe0 [btusb 675430d1e87c4f24d0c1f80efe600757a0f32bec]
 worker_thread+0xe44/0x2cc0
 kthread+0x2ff/0x3a0
 ret_from_fork+0x51/0x80
 ret_from_fork_asm+0x1b/0x30

Allocated by task 82:
 stack_trace_save+0xdc/0x190
 kasan_set_track+0x4e/0x80
 __kasan_slab_alloc+0x4e/0x60
 kmem_cache_alloc+0x19f/0x360
 skb_clone+0x132/0xf70
 btusb_recv_acl_mtk+0x104/0x1a0 [btusb]
 btusb_rx_work+0x9e/0xe0 [btusb]
 worker_thread+0xe44/0x2cc0
 kthread+0x2ff/0x3a0
 ret_from_fork+0x51/0x80
 ret_from_fork_asm+0x1b/0x30

Freed by task 1733:
 stack_trace_save+0xdc/0x190
 kasan_set_track+0x4e/0x80
 kasan_save_free_info+0x28/0xb0
 ____kasan_slab_free+0xfd/0x170
 kmem_cache_free+0x183/0x3f0
 hci_devcd_rx+0x91a/0x2060 [bluetooth]
 worker_thread+0xe44/0x2cc0
 kthread+0x2ff/0x3a0
 ret_from_fork+0x51/0x80
 ret_from_fork_asm+0x1b/0x30

The buggy address belongs to the object at ffff888033cfab40
 which belongs to the cache skbuff_head_cache of size 232
The buggy address is located 112 bytes inside of
 freed 232-byte region [ffff888033cfab40, ffff888033cfac28)

The buggy address belongs to the physical page:
page:00000000a174ba93 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x33cfa
head:00000000a174ba93 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0x4000000000000840(slab|head|zone=1)
page_type: 0xffffffff()
raw: 4000000000000840 ffff888100848a00 0000000000000000 0000000000000001
raw: 0000000000000000 0000000080190019 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888033cfaa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
 ffff888033cfab00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
>ffff888033cfab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff888033cfac00: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
 ffff888033cfac80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Check if we need to call hci_devcd_complete before calling hci_devcd_append. That requires that we check data->cd_info.cnt >= MTK_COREDUMP_NUM instead of data->cd_info.cnt > MTK_COREDUMP_NUM, as we increment data->cd_info.cnt only once the call to hci_devcd_append succeeds.
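The ordering described in the commit message, as an added, constructed model and not the kernel's code: the skb is modelled so that any touch after it has been handed to hci_devcd_append is counted instead of faulting, which makes the before/after behaviour and the ">" versus ">=" point checkable. MTK_COREDUMP_NUM, hci_devcd_append and hci_devcd_complete come from the page; the end-marker string, its trailing byte, the value 255 and the helper names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of the btmtk coredump path, not the kernel's code.
 * MTK_COREDUMP_NUM appears on the page; its value and the end marker are assumed. */
#define MTK_COREDUMP_NUM     255
#define MTK_COREDUMP_END     "coredump end"
#define MTK_COREDUMP_END_LEN (sizeof(MTK_COREDUMP_END))

struct skb { const unsigned char *data; size_t len; bool freed; };
struct cd_info { int cnt; };
static int uaf_reads, completes;  /* inspected by the test */

/* Accessors count any touch of a released skb instead of faulting. */
static size_t skb_len(const struct skb *s) { if (s->freed) uaf_reads++; return s->len; }
static const unsigned char *skb_data(const struct skb *s) { if (s->freed) uaf_reads++; return s->data; }

/* Stand-in for hci_devcd_append: ownership passes to devcoredump, which may release the skb at once. */
static int devcd_append(struct skb *s) { s->freed = true; return 0; }
static void devcd_complete(void) { completes++; }

static bool is_end_marker(const struct skb *s) {
    size_t len = skb_len(s);
    return len > MTK_COREDUMP_END_LEN &&
           !memcmp(skb_data(s) + len - MTK_COREDUMP_END_LEN, MTK_COREDUMP_END, MTK_COREDUMP_END_LEN - 1);
}
/* Before the fix: append (which may free), then read the skb. */
static void process_buggy(struct cd_info *ci, struct skb *s) {
    if (devcd_append(s) < 0) return;
    ci->cnt++;
    if (ci->cnt > MTK_COREDUMP_NUM && is_end_marker(s)) devcd_complete();
}
/* Reordered but still '>': cnt is not yet bumped for this skb, so the terminator is missed. */
static void process_reordered_only(struct cd_info *ci, struct skb *s) {
    if (ci->cnt > MTK_COREDUMP_NUM && is_end_marker(s)) devcd_complete();
    if (devcd_append(s) < 0) return;
    ci->cnt++;
}
/* The fix: decide completion first, with '>=' to account for the pending increment. */
static void process_fixed(struct cd_info *ci, struct skb *s) {
    if (ci->cnt >= MTK_COREDUMP_NUM && is_end_marker(s)) devcd_complete();
    if (devcd_append(s) < 0) return;
    ci->cnt++;
}
/* Feed MTK_COREDUMP_NUM constructed chunks, then the terminator; returns the number of UAF touches. */
static int run_stream(void (*h)(struct cd_info *, struct skb *)) {
    static const unsigned char chunk[] = "constructed coredump chunk";
    static const unsigned char last[]  = "constructed final chunk coredump end\n";  /* one byte after marker */
    struct cd_info ci = { 0 };
    uaf_reads = completes = 0;
    for (int i = 0; i < MTK_COREDUMP_NUM; i++) h(&ci, &(struct skb){ chunk, sizeof(chunk) - 1, false });
    h(&ci, &(struct skb){ last, sizeof(last) - 1, false });
    return uaf_reads;
}
```

After run_stream returns, the global completes tells whether the terminator was recognised: the buggy handler finds it only by reading the released skb, the reordered handler with ">" never finds it, and the fixed handler finds it without touching freed memory.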


Analysis

by VulDB Data Team • 01/12/2026

The vulnerability CVE-2024-56653 resides within the Linux kernel's Bluetooth subsystem, specifically in the MediaTek Bluetooth driver component known as btmtk. This issue manifests as a use-after-free condition that occurs during the processing of Bluetooth core dumps, potentially allowing for arbitrary code execution or system instability. The flaw arises from improper handling of socket buffer (skb) objects when calling the hci_devcd_append function, which can lead to accessing memory that has already been released. According to the KASAN report, the vulnerability is triggered during the execution of the btmtk_process_coredump function, where a read operation attempts to access a 4-byte memory region at address ffff888033cfabb0 that has already been freed by a preceding hci_devcd_rx call. The memory layout shows that the freed object belongs to the skbuff_head_cache slab allocator, indicating that the issue stems from improper reference management in the Bluetooth communication stack.

The technical root cause of this vulnerability stems from a race condition and improper state management within the MediaTek Bluetooth driver's core dump processing logic. The btmtk driver maintains a counter data->cd_info.cnt that tracks the number of core dump entries processed, and this counter is incremented only after a successful call to hci_devcd_append. However, the condition checking logic incorrectly uses a strict greater-than comparison (data->cd_info.cnt > MTK_COREDUMP_NUM) instead of a greater-than-or-equal comparison (data->cd_info.cnt >= MTK_COREDUMP_NUM). This subtle difference allows the driver to proceed with processing core dump entries even when the counter has reached its maximum limit, leading to the reuse of freed memory objects. The flaw aligns with CWE-416, which describes use-after-free vulnerabilities where memory is accessed after it has been freed, and is mapped to ATT&CK technique T1059.008 on account of the potential for arbitrary code execution through kernel memory corruption.

The operational impact of CVE-2024-56653 is significant, as it affects systems running Linux kernels with MediaTek Bluetooth hardware, potentially compromising system stability and security. An attacker could exploit this vulnerability to cause system crashes, denial of service conditions, or potentially achieve privilege escalation if the memory corruption leads to code execution in kernel space. The vulnerability is particularly concerning in embedded systems or IoT devices that rely on MediaTek Bluetooth chips, as these devices often lack robust security mechanisms and may be deployed in environments where system reliability is critical. The issue is triggered during normal Bluetooth operation when core dump data is being processed, making it difficult to detect and prevent through conventional runtime monitoring. Systems with Bluetooth connectivity using MediaTek chipsets are at risk, particularly in enterprise environments where Bluetooth is used for device management or wireless communication protocols.

Mitigation strategies for CVE-2024-56653 should focus on applying the official kernel patch that corrects the comparison logic in the btmtk driver's core dump processing routine. The fix requires changing the conditional check from data->cd_info.cnt > MTK_COREDUMP_NUM to data->cd_info.cnt >= MTK_COREDUMP_NUM to ensure proper synchronization and memory management. Organizations should prioritize updating their Linux kernel versions to include the patched code, particularly those running systems with MediaTek Bluetooth hardware. Additionally, monitoring systems should be enhanced to detect unusual Bluetooth-related kernel memory operations and potential KASAN reports. For environments where immediate patching is not feasible, implementing runtime protections such as kernel memory protection features or restricting Bluetooth functionality may provide temporary mitigation. The vulnerability highlights the importance of proper memory management in kernel drivers and underscores the necessity of thorough testing for race conditions and memory access patterns in device drivers handling real-time data processing.

Responsible: Linux
Reservation: 12/27/2024
Disclosure: 12/27/2024
Moderation: accepted
CPE: ready
EPSS: 0.00024
KEV: no
Activities: very low
