CVE-2023-54038
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_conn: return ERR_PTR instead of NULL when there is no link
hci_connect_sco currently returns NULL when there is no link (i.e. when hci_conn_link() returns NULL).
sco_connect() expects an ERR_PTR in case of any error (see line 266 in sco.c). Thus, hcon set as NULL passes through to sco_conn_add(), which tries to get hcon->hdev, resulting in dereferencing a NULL pointer as reported by syzkaller.
The same issue exists for iso_connect_cis() calling hci_connect_cis().
Thus, make hci_connect_sco() and hci_connect_cis() return ERR_PTR instead of NULL.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 06149746e7203d5ffe2d6faf9799ee36203aa8b8 < 357ab53c83a5322437fa434e9a9e3e0bafe6b383 | affected |
| Linux | Linux | 06149746e7203d5ffe2d6faf9799ee36203aa8b8 < b4066eb04bb67e7ff66e5aaab0db4a753f37eaad | affected |
| Linux | Linux | f72fc94a17d45be98aecfd59c39b5b24a6a342e2 | affected |
| Linux | Linux | 6.3.8 < 6.4 | affected |
| Linux | Linux | 6.4 | affected |
| Linux | Linux | 0 < 6.4 | unaffected |
| Linux | Linux | 6.4.7 <= 6.4.* | unaffected |
| Linux | Linux | 6.5 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/357ab53c83a5322437fa434e9a9e3e0bafe6b383
- https://git.kernel.org/stable/c/b4066eb04bb67e7ff66e5aaab0db4a753f37eaad
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.