CVE-2023-54038

Summary

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_conn: return ERR_PTR instead of NULL when there is no link

hci_connect_sco currently returns NULL when there is no link (i.e. when hci_conn_link() returns NULL).

sco_connect() expects an ERR_PTR in case of any error (see line 266 in sco.c). Thus, hcon set as NULL passes through to sco_conn_add(), which tries to get hcon->hdev, resulting in dereferencing a NULL pointer as reported by syzkaller.

The same issue exists for iso_connect_cis() calling hci_connect_cis().

Thus, make hci_connect_sco() and hci_connect_cis() return ERR_PTR instead of NULL.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux06149746e7203d5ffe2d6faf9799ee36203aa8b8 < 357ab53c83a5322437fa434e9a9e3e0bafe6b383affected
LinuxLinux06149746e7203d5ffe2d6faf9799ee36203aa8b8 < b4066eb04bb67e7ff66e5aaab0db4a753f37eaadaffected
LinuxLinuxf72fc94a17d45be98aecfd59c39b5b24a6a342e2affected
LinuxLinux6.3.8 < 6.4affected
LinuxLinux6.4affected
LinuxLinux0 < 6.4unaffected
LinuxLinux6.4.7 <= 6.4.*unaffected
LinuxLinux6.5 <= *unaffected

Weaknesses

References