CVE-2023-53057

Source
https://cve.org/CVERecord?id=CVE-2023-53057
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53057.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-53057
Published
2025-05-02T15:55:12.118Z
Modified
2026-02-20T07:46:02.965867Z
Summary
Bluetooth: HCI: Fix global-out-of-bounds
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: HCI: Fix global-out-of-bounds

To loop a variable-length array, hci_init_stage_sync(stage) considers that stage[i] is valid as long as stage[i-1].func is valid. Thus, the last element of stage[].func should be intentionally invalid as hci_init0[], le_init2[], and others did. However, amp_init1[] and amp_init2[] have no invalid element, letting hci_init_stage_sync() keep accessing amp_init1[] over its valid range. This patch fixes this by adding {} at the end of amp_init1[] and amp_init2[].

==================================================================
BUG: KASAN: global-out-of-bounds in hci_dev_open_sync (/v6.2-bzimage/net/bluetooth/hci_sync.c:3154 /v6.2-bzimage/net/bluetooth/hci_sync.c:3343 /v6.2-bzimage/net/bluetooth/hci_sync.c:4418 /v6.2-bzimage/net/bluetooth/hci_sync.c:4609 /v6.2-bzimage/net/bluetooth/hci_sync.c:4689)
Read of size 8 at addr ffffffffaed1ab70 by task kworker/u5:0/1032

CPU: 0 PID: 1032 Comm: kworker/u5:0 Not tainted 6.2.0 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04
Workqueue: hci1 hci_power_on
Call Trace:
 <TASK>
 dump_stack_lvl (/v6.2-bzimage/lib/dump_stack.c:107 (discriminator 1))
 print_report (/v6.2-bzimage/mm/kasan/report.c:307 /v6.2-bzimage/mm/kasan/report.c:417)
 ? hci_dev_open_sync (/v6.2-bzimage/net/bluetooth/hci_sync.c:3154 /v6.2-bzimage/net/bluetooth/hci_sync.c:3343 /v6.2-bzimage/net/bluetooth/hci_sync.c:4418 /v6.2-bzimage/net/bluetooth/hci_sync.c:4609 /v6.2-bzimage/net/bluetooth/hci_sync.c:4689)
 kasan_report (/v6.2-bzimage/mm/kasan/report.c:184 /v6.2-bzimage/mm/kasan/report.c:519)
 ? hci_dev_open_sync (/v6.2-bzimage/net/bluetooth/hci_sync.c:3154 /v6.2-bzimage/net/bluetooth/hci_sync.c:3343 /v6.2-bzimage/net/bluetooth/hci_sync.c:4418 /v6.2-bzimage/net/bluetooth/hci_sync.c:4609 /v6.2-bzimage/net/bluetooth/hci_sync.c:4689)
 hci_dev_open_sync (/v6.2-bzimage/net/bluetooth/hci_sync.c:3154 /v6.2-bzimage/net/bluetooth/hci_sync.c:3343 /v6.2-bzimage/net/bluetooth/hci_sync.c:4418 /v6.2-bzimage/net/bluetooth/hci_sync.c:4609 /v6.2-bzimage/net/bluetooth/hci_sync.c:4689)
 ? __pfx_hci_dev_open_sync (/v6.2-bzimage/net/bluetooth/hci_sync.c:4635)
 ? mutex_lock (/v6.2-bzimage/./arch/x86/include/asm/atomic64_64.h:190 /v6.2-bzimage/./include/linux/atomic/atomic-long.h:443 /v6.2-bzimage/./include/linux/atomic/atomic-instrumented.h:1781 /v6.2-bzimage/kernel/locking/mutex.c:171 /v6.2-bzimage/kernel/locking/mutex.c:285)
 ? __pfx_mutex_lock (/v6.2-bzimage/kernel/locking/mutex.c:282)
 hci_power_on (/v6.2-bzimage/net/bluetooth/hci_core.c:485 /v6.2-bzimage/net/bluetooth/hci_core.c:984)
 ? __pfx_hci_power_on (/v6.2-bzimage/net/bluetooth/hci_core.c:969)
 ? read_word_at_a_time (/v6.2-bzimage/./include/asm-generic/rwonce.h:85)
 ? strscpy (/v6.2-bzimage/./arch/x86/include/asm/word-at-a-time.h:62 /v6.2-bzimage/lib/string.c:161)
 process_one_work (/v6.2-bzimage/kernel/workqueue.c:2294)
 worker_thread (/v6.2-bzimage/./include/linux/list.h:292 /v6.2-bzimage/kernel/workqueue.c:2437)
 ? __pfx_worker_thread (/v6.2-bzimage/kernel/workqueue.c:2379)
 kthread (/v6.2-bzimage/kernel/kthread.c:376)
 ? __pfx_kthread (/v6.2-bzimage/kernel/kthread.c:331)
 ret_from_fork (/v6.2-bzimage/arch/x86/entry/entry_64.S:314)
 </TASK>

The buggy address belongs to the variable:
 amp_init1+0x30/0x60

The buggy address belongs to the physical page:
page:000000003a157ec6 refcount:1 mapcount:0 mapping:0000000000000000 ia
flags: 0x200000000001000(reserved|node=0|zone=2)
raw: 0200000000001000 ffffea0005054688 ffffea0005054688 000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffffffffaed1aa00: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 00 00 00 00
 ffffffffaed1aa80: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
 ffffffffaed1ab00: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 f9 f9

---truncated---
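The sentinel-terminated table walk the commit message describes, as an added example in C that is not kernel code: the struct, the table names and the step functions are stand-ins I constructed, and walk_until_sentinel() only approximates the real hci_init_stage_sync() loop. It shows the unbounded walk that depends on the trailing {} entry, a length-aware check that detects a missing sentinel without reading past the array, and a bounded walk that cannot overrun even when the sentinel is absent.

```c
#include <stdbool.h>
#include <stddef.h>
/* Added example, not kernel code: models the NULL-terminated init tables that
 * hci_init_stage_sync() walks. The walk stops only when stage[i].func is NULL,
 * so a table without a trailing {} is read past its end (the KASAN report above). */
struct hci_dev;                                   /* opaque stand-in for the real device */
typedef int (*hci_init_fn)(struct hci_dev *hdev);
struct hci_init_stage { hci_init_fn func; };
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
static int noop_step(struct hci_dev *hdev) { (void)hdev; return 0; }

/* Constructed tables, not the real ones: the first ends with a sentinel like
 * hci_init0[] ({ NULL } here plays the role of the {} the fix adds); the second
 * repeats the amp_init1[] mistake and has no sentinel at all. */
static const struct hci_init_stage init_terminated[]   = { {noop_step}, {noop_step}, { NULL } };
static const struct hci_init_stage init_unterminated[] = { {noop_step}, {noop_step} };

/* Kernel-style unbounded walk: correct only when the table has a sentinel. */
static int walk_until_sentinel(const struct hci_init_stage *stage,
                               struct hci_dev *hdev, int *count)
{
    *count = 0;
    for (size_t i = 0; stage[i].func; i++) {
        int err = stage[i].func(hdev);
        if (err) return err;
        (*count)++;
    }
    return 0;
}

/* Defensive check with an explicit length: flags a missing sentinel without
 * ever reading outside the array, so it is safe to run on a broken table. */
static bool table_has_sentinel(const struct hci_init_stage *stage, size_t n)
{
    return n > 0 && stage[n - 1].func == NULL;
}

/* Bounded walk: stops at the sentinel or at the array length, whichever is first. */
static int walk_bounded(const struct hci_init_stage *stage, size_t n,
                        struct hci_dev *hdev, int *count)
{
    *count = 0;
    for (size_t i = 0; i < n && stage[i].func; i++) {
        int err = stage[i].func(hdev);
        if (err) return err;
        (*count)++;
    }
    return 0;
}
/* Named entry points so each table can be checked by name. */
bool terminated_has_sentinel(void)   { return table_has_sentinel(init_terminated, ARRAY_SIZE(init_terminated)); }
bool unterminated_has_sentinel(void) { return table_has_sentinel(init_unterminated, ARRAY_SIZE(init_unterminated)); }
int steps_via_sentinel_walk(void)    { int c; walk_until_sentinel(init_terminated, NULL, &c); return c; }
int steps_via_bounded_walk(void)     { int c; walk_bounded(init_unterminated, ARRAY_SIZE(init_unterminated), NULL, &c); return c; }
```

Running walk_until_sentinel() on init_unterminated would be the bug itself (reading stage[2] past the array), which is why the example only ever gives that table to the length-aware functions.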

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53057.json",
    "cna_assigner": "Linux"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d0b137062b2de75b264b84143d21c98abc5f5ad2
Fixed
b3168abd24245aa0775c5a387dcf94d36ca7e738
Fixed
8497222b22b591c6b2d106e0e3c1672ffe4e10e0
Fixed
bce56405201111807cc8e4f47c6de3e10b17c1ac

Affected versions

v5.*
v5.15
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v6.*
v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.1
v6.1.10
v6.1.11
v6.1.12
v6.1.13
v6.1.14
v6.1.15
v6.1.16
v6.1.17
v6.1.18
v6.1.19
v6.1.2
v6.1.20
v6.1.21
v6.1.3
v6.1.4
v6.1.5
v6.1.6
v6.1.7
v6.1.8
v6.1.9
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.2.1
v6.2.2
v6.2.3
v6.2.4
v6.2.5
v6.2.6
v6.2.7
v6.2.8
v6.3-rc1
v6.3-rc2

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53057.json"

Git / github.com/gregkh/linux

Affected versions

v5.*
v5.17
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v6.*
v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.1
v6.1.10
v6.1.11
v6.1.12
v6.1.13
v6.1.14
v6.1.15
v6.1.16
v6.1.17
v6.1.18
v6.1.19
v6.1.2
v6.1.20
v6.1.21
v6.1.3
v6.1.4
v6.1.5
v6.1.6
v6.1.7
v6.1.8
v6.1.9
v6.2
v6.2.1
v6.2.2
v6.2.3
v6.2.4
v6.2.5
v6.2.6
v6.2.7
v6.2.8

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53057.json"