CVE-2024-50255

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-50255
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-50255.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-50255
Downstream
Related
Published
2024-11-09T11:15:11Z
Modified
2025-10-01T21:16:13Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci: fix null-ptr-deref in hcireadsupported_codecs

Fix _hcicmdsyncsk() to return not NULL for unknown opcodes.

_hcicmdsyncsk() returns NULL if a command returns a status event. However, it also returns NULL where an opcode doesn't exist in the hcicc table because hcicmdcompleteevt() assumes status = skb->data[0] for unknown opcodes. This leads to null-ptr-deref in cmdsync for HCIOPREADLOCALCODECS as there is no hcicc for HCIOPREADLOCALCODECS, which always assumes status = skb->data[0].

KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077] CPU: 1 PID: 2000 Comm: kworker/u9:5 Not tainted 6.9.0-ga6bcb805883c-dirty #10 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: hci7 hcipoweron RIP: 0010:hcireadsupportedcodecs+0xb9/0x870 net/bluetooth/hcicodec.c:138 Code: 08 48 89 ef e8 b8 c1 8f fd 48 8b 75 00 e9 96 00 00 00 49 89 c6 48 ba 00 00 00 00 00 fc ff df 4c 8d 60 70 4c 89 e3 48 c1 eb 03 <0f> b6 04 13 84 c0 0f 85 82 06 00 00 41 83 3c 24 02 77 0a e8 bf 78 RSP: 0018:ffff888120bafac8 EFLAGS: 00010212 RAX: 0000000000000000 RBX: 000000000000000e RCX: ffff8881173f0040 RDX: dffffc0000000000 RSI: ffffffffa58496c0 RDI: ffff88810b9ad1e4 RBP: ffff88810b9ac000 R08: ffffffffa77882a7 R09: 1ffffffff4ef1054 R10: dffffc0000000000 R11: fffffbfff4ef1055 R12: 0000000000000070 R13: 0000000000000000 R14: 0000000000000000 R15: ffff88810b9ac000 FS: 0000000000000000(0000) GS:ffff8881f6c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f6ddaa3439e CR3: 0000000139764003 CR4: 0000000000770ef0 PKRU: 55555554 Call Trace: <TASK> hcireadlocalcodecssync net/bluetooth/hcisync.c:4546 [inline] hciinitstagesync net/bluetooth/hcisync.c:3441 [inline] hciinit4sync net/bluetooth/hcisync.c:4706 [inline] hciinitsync net/bluetooth/hcisync.c:4742 [inline] hcidevinitsync net/bluetooth/hcisync.c:4912 [inline] hcidevopensync+0x19a9/0x2d30 net/bluetooth/hcisync.c:4994 hcidevdoopen net/bluetooth/hcicore.c:483 [inline] hcipoweron+0x11e/0x560 net/bluetooth/hcicore.c:1015 processonework kernel/workqueue.c:3267 [inline] processscheduledworks+0x8ef/0x14f0 kernel/workqueue.c:3348 workerthread+0x91f/0xe50 kernel/workqueue.c:3429 kthread+0x2cb/0x360 kernel/kthread.c:388 retfromfork+0x4d/0x80 arch/x86/kernel/process.c:147 retfromforkasm+0x1a/0x30 arch/x86/entry/entry_64.S:244

References

Affected packages