CVE-2025-40308
N/A
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: bcsp: receive data only if registered
Currently, bcsp_recv() can be called even when the BCSP protocol has not been registered. This leads to a NULL pointer dereference, as shown in the following stack trace:
KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f]
RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590
Call Trace:
<TASK>
hci_uart_tty_receive+0x194/0x220 drivers/bluetooth/hci_ldisc.c:627
tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290
tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
To prevent this, ensure that the HCI_UART_REGISTERED flag is set before processing received data. If the protocol is not registered, return -EUNATCH.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 48effdb7a798232db945503cf3f51e0be8070cea < 39a7d40314b6288cfa2d13269275e9247a7a055a | affected |
| Linux | Linux | 45fa7bd82c6178f4fec0ab94891144a043ec5fe8 < 164586725b47f9d61912e6bf17dbaffeff11710b | affected |
| Linux | Linux | d71a57a34ab6bbc95dc461158403c02e8ff3f912 < b65ca9708bfbf47d8b7bd44b7c574bd16798e9c9 | affected |
| Linux | Linux | 9cf7dccaa7f4c56d2089700e5cb11f85a8d5f6cf < 8b892dbef3887dbe9afdc7176d1a5fd90e1636aa | affected |
| Linux | Linux | 806464634e7fc6b523160defeeddb1ade2a72f81 < 799cd62cbcc3f12ee04b33ef390ff7d41c37d671 | affected |
| Linux | Linux | 6b7a32fa9bacdebd98c18b2a56994116995ee643 < b420a4c7f915fc1c94ad1f6ca740acc046d94334 | affected |
| Linux | Linux | 366ceff495f902182d42b6f41525c2474caf3f9a < 55c1519fca830f59a10bbf9aa8209c87b06cf7bc | affected |
| Linux | Linux | 366ceff495f902182d42b6f41525c2474caf3f9a < ca94b2b036c22556c3a66f1b80f490882deef7a6 | affected |
| Linux | Linux | 15543b7bbe7b5f744fdbb44f75b14f81a0117813 | affected |
| Linux | Linux | a4b89a45b12b69bc82c8137346b150a118e02c26 | affected |
| Linux | Linux | 5.4.293 < 5.4.302 | affected |
| Linux | Linux | 5.10.237 < 5.10.247 | affected |
| Linux | Linux | 5.15.181 < 5.15.197 | affected |
| Linux | Linux | 6.1.135 < 6.1.159 | affected |
| Linux | Linux | 6.6.88 < 6.6.117 | affected |
| Linux | Linux | 6.12.24 < 6.12.58 | affected |
| Linux | Linux | 6.13.12 < 6.14 | affected |
| Linux | Linux | 6.14.3 < 6.15 | affected |
| Linux | Linux | 6.15 | affected |
| Linux | Linux | 0 < 6.15 | unaffected |
| Linux | Linux | 5.4.302 <= 5.4.* | unaffected |
| Linux | Linux | 5.10.247 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.197 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.159 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.117 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.58 <= 6.12.* | unaffected |
| Linux | Linux | 6.17.8 <= 6.17.* | unaffected |
| Linux | Linux | 6.18 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/39a7d40314b6288cfa2d13269275e9247a7a055a
- https://git.kernel.org/stable/c/164586725b47f9d61912e6bf17dbaffeff11710b
- https://git.kernel.org/stable/c/b65ca9708bfbf47d8b7bd44b7c574bd16798e9c9
- https://git.kernel.org/stable/c/8b892dbef3887dbe9afdc7176d1a5fd90e1636aa
- https://git.kernel.org/stable/c/799cd62cbcc3f12ee04b33ef390ff7d41c37d671
- https://git.kernel.org/stable/c/b420a4c7f915fc1c94ad1f6ca740acc046d94334
- https://git.kernel.org/stable/c/55c1519fca830f59a10bbf9aa8209c87b06cf7bc
- https://git.kernel.org/stable/c/ca94b2b036c22556c3a66f1b80f490882deef7a6
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.