In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: SCO: Fix not validating setsockopt user input
syzbot reported that sco_sock_setsockopt() is copying data without checking the user input length.
BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]
BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]
BUG: KASAN: slab-out-of-bounds in sco_sock_setsockopt+0xc0b/0xf90 net/bluetooth/sco.c:893
Read of size 4 at addr ffff88805f7b15a3 by task syz-executor.5/12578
[
{
"digest": {
"line_hashes": [
"138545309916765530857990612492679564083",
"14009387191670015195010568450726373936",
"97117891040763425387629061987412224911"
],
"threshold": 0.9
},
"id": "CVE-2024-35967-1767536b",
"target": {
"file": "include/net/bluetooth/bluetooth.h"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@51eda36d33e43201e7a4fd35232e069b2c850b01",
"signature_type": "Line"
},
{
"digest": {
"function_hash": "41801225305919047235267537157135067513",
"length": 2567.0
},
"id": "CVE-2024-35967-4261905f",
"target": {
"function": "sco_sock_setsockopt",
"file": "net/bluetooth/sco.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@419a0ffca7010216f0fc265b08558d7394fa0ba7",
"signature_type": "Function"
},
{
"digest": {
"line_hashes": [
"325337110124679007669068595293588370549",
"173288704065087635547676095205525687958",
"196800834813574946835535491902935383929",
"308172058845192048359655779030558474835",
"146918785957761180903342994980185812851",
"333821079057152553860177944205987969938",
"14133456619170772107471825208980146060",
"296544459159507103766289306347962149513",
"98169667164234217478625593399531834994",
"300862905683415155400858347209140287027",
"336956120794910581488736220815809191235",
"219158327023766610160596504276548847080",
"187712054170181548669647004859321939397",
"231238001416279391966675952729406663107",
"329821461026825466773196669777473044877",
"10981196974225282882667651168660777403",
"129164960780817153432667991803224639905",
"89630350380030248054534593172670030131",
"165620331430313334284115198308412854458",
"308337571271369894459505835791402916065",
"279417488532753613750317268240503198703",
"292492849420431356495341675061460380640",
"296544459159507103766289306347962149513",
"98169667164234217478625593399531834994",
"144688570454193283542851417508803023851",
"5469527003256524674845950640364442802",
"323272161301374555839725918128037317425",
"295667419889342866311282298622260288343",
"231242726708223361550941745707403342233",
"195453222140016350976891043721785164003",
"59017797434501315299645534669861953006",
"19345047874793339915236411216387273169"
],
"threshold": 0.9
},
"id": "CVE-2024-35967-4c67cee2",
"target": {
"file": "net/bluetooth/sco.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@51eda36d33e43201e7a4fd35232e069b2c850b01",
"signature_type": "Line"
},
{
"digest": {
"line_hashes": [
"138545309916765530857990612492679564083",
"14009387191670015195010568450726373936",
"97117891040763425387629061987412224911"
],
"threshold": 0.9
},
"id": "CVE-2024-35967-50722bd4",
"target": {
"file": "include/net/bluetooth/bluetooth.h"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7bc65d23ba20dcd7ecc094a12c181e594e5eb315",
"signature_type": "Line"
},
{
"digest": {
"function_hash": "11377811215826404612218291477904787848",
"length": 2553.0
},
"id": "CVE-2024-35967-507829b5",
"target": {
"function": "sco_sock_setsockopt",
"file": "net/bluetooth/sco.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7bc65d23ba20dcd7ecc094a12c181e594e5eb315",
"signature_type": "Function"
},
{
"digest": {
"line_hashes": [
"325337110124679007669068595293588370549",
"173288704065087635547676095205525687958",
"196800834813574946835535491902935383929",
"308172058845192048359655779030558474835",
"146918785957761180903342994980185812851",
"333821079057152553860177944205987969938",
"14133456619170772107471825208980146060",
"296544459159507103766289306347962149513",
"98169667164234217478625593399531834994",
"300862905683415155400858347209140287027",
"336956120794910581488736220815809191235",
"219158327023766610160596504276548847080",
"187712054170181548669647004859321939397",
"231238001416279391966675952729406663107",
"329821461026825466773196669777473044877",
"10981196974225282882667651168660777403",
"129164960780817153432667991803224639905",
"89630350380030248054534593172670030131",
"165620331430313334284115198308412854458",
"308337571271369894459505835791402916065",
"279417488532753613750317268240503198703",
"292492849420431356495341675061460380640",
"296544459159507103766289306347962149513",
"98169667164234217478625593399531834994",
"144688570454193283542851417508803023851",
"5469527003256524674845950640364442802",
"323272161301374555839725918128037317425",
"295667419889342866311282298622260288343",
"231242726708223361550941745707403342233",
"195453222140016350976891043721785164003",
"59017797434501315299645534669861953006",
"19345047874793339915236411216387273169"
],
"threshold": 0.9
},
"id": "CVE-2024-35967-52328f4a",
"target": {
"file": "net/bluetooth/sco.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@72473db90900da970a16ee50ad23c2c38d107d8c",
"signature_type": "Line"
},
{
"digest": {
"line_hashes": [
"325337110124679007669068595293588370549",
"173288704065087635547676095205525687958",
"196800834813574946835535491902935383929",
"308172058845192048359655779030558474835",
"146918785957761180903342994980185812851",
"333821079057152553860177944205987969938",
"14133456619170772107471825208980146060",
"296544459159507103766289306347962149513",
"98169667164234217478625593399531834994",
"300862905683415155400858347209140287027",
"336956120794910581488736220815809191235",
"219158327023766610160596504276548847080",
"187712054170181548669647004859321939397",
"231238001416279391966675952729406663107",
"329821461026825466773196669777473044877",
"10981196974225282882667651168660777403",
"129164960780817153432667991803224639905",
"89630350380030248054534593172670030131",
"165620331430313334284115198308412854458",
"308337571271369894459505835791402916065",
"279417488532753613750317268240503198703",
"292492849420431356495341675061460380640",
"296544459159507103766289306347962149513",
"98169667164234217478625593399531834994",
"144688570454193283542851417508803023851",
"5469527003256524674845950640364442802",
"323272161301374555839725918128037317425",
"295667419889342866311282298622260288343",
"231242726708223361550941745707403342233",
"195453222140016350976891043721785164003",
"59017797434501315299645534669861953006",
"19345047874793339915236411216387273169"
],
"threshold": 0.9
},
"id": "CVE-2024-35967-650d432c",
"target": {
"file": "net/bluetooth/sco.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@419a0ffca7010216f0fc265b08558d7394fa0ba7",
"signature_type": "Line"
},
{
"digest": {
"line_hashes": [
"138545309916765530857990612492679564083",
"204341016759563386265979209989055119187",
"74256968987290713156465206826775264215"
],
"threshold": 0.9
},
"id": "CVE-2024-35967-6e97900f",
"target": {
"file": "include/net/bluetooth/bluetooth.h"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2c2dc87cdebef3fe3b9d7a711a984c70e376e32e",
"signature_type": "Line"
},
{
"digest": {
"line_hashes": [
"138545309916765530857990612492679564083",
"14009387191670015195010568450726373936",
"97117891040763425387629061987412224911"
],
"threshold": 0.9
},
"id": "CVE-2024-35967-82e31e63",
"target": {
"file": "include/net/bluetooth/bluetooth.h"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@419a0ffca7010216f0fc265b08558d7394fa0ba7",
"signature_type": "Line"
},
{
"digest": {
"line_hashes": [
"325337110124679007669068595293588370549",
"173288704065087635547676095205525687958",
"196800834813574946835535491902935383929",
"60720763201875623749485349885537076887",
"146918785957761180903342994980185812851",
"333821079057152553860177944205987969938",
"14133456619170772107471825208980146060",
"296544459159507103766289306347962149513",
"98169667164234217478625593399531834994",
"300862905683415155400858347209140287027",
"336956120794910581488736220815809191235",
"219158327023766610160596504276548847080",
"187712054170181548669647004859321939397",
"231238001416279391966675952729406663107",
"329821461026825466773196669777473044877",
"10981196974225282882667651168660777403",
"129164960780817153432667991803224639905",
"89630350380030248054534593172670030131",
"165620331430313334284115198308412854458",
"143988074832265558314256166935391491489",
"279417488532753613750317268240503198703",
"292492849420431356495341675061460380640",
"296544459159507103766289306347962149513",
"98169667164234217478625593399531834994",
"121163894721063769447057848587559017717",
"177750879560739027576588811081807804100"
],
"threshold": 0.9
},
"id": "CVE-2024-35967-9d49efe2",
"target": {
"file": "net/bluetooth/sco.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2c2dc87cdebef3fe3b9d7a711a984c70e376e32e",
"signature_type": "Line"
},
{
"digest": {
"function_hash": "41801225305919047235267537157135067513",
"length": 2567.0
},
"id": "CVE-2024-35967-a89a34e3",
"target": {
"function": "sco_sock_setsockopt",
"file": "net/bluetooth/sco.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@72473db90900da970a16ee50ad23c2c38d107d8c",
"signature_type": "Function"
},
{
"digest": {
"function_hash": "13282528563011338207503497051181024752",
"length": 1396.0
},
"id": "CVE-2024-35967-bf0175f4",
"target": {
"function": "sco_sock_setsockopt",
"file": "net/bluetooth/sco.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2c2dc87cdebef3fe3b9d7a711a984c70e376e32e",
"signature_type": "Function"
},
{
"digest": {
"line_hashes": [
"138545309916765530857990612492679564083",
"204341016759563386265979209989055119187",
"74256968987290713156465206826775264215"
],
"threshold": 0.9
},
"id": "CVE-2024-35967-c1f18cde",
"target": {
"file": "include/net/bluetooth/bluetooth.h"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b0e30c37695b614bee69187f86eaf250e36606ce",
"signature_type": "Line"
},
{
"digest": {
"line_hashes": [
"325337110124679007669068595293588370549",
"173288704065087635547676095205525687958",
"196800834813574946835535491902935383929",
"308172058845192048359655779030558474835",
"146918785957761180903342994980185812851",
"333821079057152553860177944205987969938",
"14133456619170772107471825208980146060",
"296544459159507103766289306347962149513",
"98169667164234217478625593399531834994",
"300862905683415155400858347209140287027",
"336956120794910581488736220815809191235",
"219158327023766610160596504276548847080",
"187712054170181548669647004859321939397",
"231238001416279391966675952729406663107",
"329821461026825466773196669777473044877",
"10981196974225282882667651168660777403",
"129164960780817153432667991803224639905",
"89630350380030248054534593172670030131",
"165620331430313334284115198308412854458",
"308337571271369894459505835791402916065",
"279417488532753613750317268240503198703",
"292492849420431356495341675061460380640",
"296544459159507103766289306347962149513",
"98169667164234217478625593399531834994",
"121163894721063769447057848587559017717",
"177750879560739027576588811081807804100",
"323272161301374555839725918128037317425",
"295667419889342866311282298622260288343",
"231242726708223361550941745707403342233",
"195453222140016350976891043721785164003",
"59017797434501315299645534669861953006",
"19345047874793339915236411216387273169"
],
"threshold": 0.9
},
"id": "CVE-2024-35967-c9249153",
"target": {
"file": "net/bluetooth/sco.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7bc65d23ba20dcd7ecc094a12c181e594e5eb315",
"signature_type": "Line"
},
{
"digest": {
"function_hash": "41801225305919047235267537157135067513",
"length": 2567.0
},
"id": "CVE-2024-35967-cbfd007d",
"target": {
"function": "sco_sock_setsockopt",
"file": "net/bluetooth/sco.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@51eda36d33e43201e7a4fd35232e069b2c850b01",
"signature_type": "Function"
},
{
"digest": {
"line_hashes": [
"138545309916765530857990612492679564083",
"14009387191670015195010568450726373936",
"97117891040763425387629061987412224911"
],
"threshold": 0.9
},
"id": "CVE-2024-35967-d5a00366",
"target": {
"file": "include/net/bluetooth/bluetooth.h"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@72473db90900da970a16ee50ad23c2c38d107d8c",
"signature_type": "Line"
},
{
"digest": {
"line_hashes": [
"325337110124679007669068595293588370549",
"173288704065087635547676095205525687958",
"196800834813574946835535491902935383929",
"60720763201875623749485349885537076887",
"146918785957761180903342994980185812851",
"333821079057152553860177944205987969938",
"14133456619170772107471825208980146060",
"296544459159507103766289306347962149513",
"98169667164234217478625593399531834994",
"300862905683415155400858347209140287027",
"336956120794910581488736220815809191235",
"219158327023766610160596504276548847080",
"187712054170181548669647004859321939397",
"231238001416279391966675952729406663107",
"329821461026825466773196669777473044877",
"10981196974225282882667651168660777403",
"129164960780817153432667991803224639905",
"89630350380030248054534593172670030131",
"165620331430313334284115198308412854458",
"143988074832265558314256166935391491489",
"279417488532753613750317268240503198703",
"292492849420431356495341675061460380640",
"296544459159507103766289306347962149513",
"98169667164234217478625593399531834994",
"121163894721063769447057848587559017717",
"177750879560739027576588811081807804100"
],
"threshold": 0.9
},
"id": "CVE-2024-35967-e14a0ee0",
"target": {
"file": "net/bluetooth/sco.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b0e30c37695b614bee69187f86eaf250e36606ce",
"signature_type": "Line"
},
{
"digest": {
"function_hash": "13282528563011338207503497051181024752",
"length": 1396.0
},
"id": "CVE-2024-35967-f87dc22d",
"target": {
"function": "sco_sock_setsockopt",
"file": "net/bluetooth/sco.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b0e30c37695b614bee69187f86eaf250e36606ce",
"signature_type": "Function"
}
]