CVE-2023-54038

scoconnect() expects an ERRPTR in case of any error (see line 266 in sco.c). Thus, hcon set as NULL passes through to scoconnadd(), which tries to get hcon->hdev, resulting in dereferencing a NULL pointer as reported by syzkaller.

The same issue exists for isoconnectcis() calling hciconnectcis().

Thus, make hciconnectsco() and hciconnectcis() return ERR_PTR instead of NULL.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54038.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

06149746e7203d5ffe2d6faf9799ee36203aa8b8

Fixed

357ab53c83a5322437fa434e9a9e3e0bafe6b383

Fixed

b4066eb04bb67e7ff66e5aaab0db4a753f37eaad

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

f72fc94a17d45be98aecfd59c39b5b24a6a342e2

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54038.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.4.0

Fixed

6.4.7

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54038.json"