CVE-2024-50255
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-50255
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-50255.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-50255
- Downstream
- Related
- Published
- 2024-11-09T10:15:08Z
- Modified
- 2025-10-17T16:38:33.289815Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Bluetooth: hci: fix null-ptr-deref in hci_read_supported_codecs
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci: fix null-ptr-deref in hcireadsupported_codecs
Fix _hcicmdsyncsk() to return not NULL for unknown opcodes.
_hcicmdsyncsk() returns NULL if a command returns a status event. However, it also returns NULL where an opcode doesn't exist in the hcicc table because hcicmdcompleteevt() assumes status = skb->data[0] for unknown opcodes. This leads to null-ptr-deref in cmdsync for HCIOPREADLOCALCODECS as there is no hcicc for HCIOPREADLOCALCODECS, which always assumes status = skb->data[0].
KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077] CPU: 1 PID: 2000 Comm: kworker/u9:5 Not tainted 6.9.0-ga6bcb805883c-dirty #10 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: hci7 hcipoweron RIP: 0010:hcireadsupportedcodecs+0xb9/0x870 net/bluetooth/hcicodec.c:138 Code: 08 48 89 ef e8 b8 c1 8f fd 48 8b 75 00 e9 96 00 00 00 49 89 c6 48 ba 00 00 00 00 00 fc ff df 4c 8d 60 70 4c 89 e3 48 c1 eb 03 <0f> b6 04 13 84 c0 0f 85 82 06 00 00 41 83 3c 24 02 77 0a e8 bf 78 RSP: 0018:ffff888120bafac8 EFLAGS: 00010212 RAX: 0000000000000000 RBX: 000000000000000e RCX: ffff8881173f0040 RDX: dffffc0000000000 RSI: ffffffffa58496c0 RDI: ffff88810b9ad1e4 RBP: ffff88810b9ac000 R08: ffffffffa77882a7 R09: 1ffffffff4ef1054 R10: dffffc0000000000 R11: fffffbfff4ef1055 R12: 0000000000000070 R13: 0000000000000000 R14: 0000000000000000 R15: ffff88810b9ac000 FS: 0000000000000000(0000) GS:ffff8881f6c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f6ddaa3439e CR3: 0000000139764003 CR4: 0000000000770ef0 PKRU: 55555554 Call Trace: <TASK> hcireadlocalcodecssync net/bluetooth/hcisync.c:4546 [inline] hciinitstagesync net/bluetooth/hcisync.c:3441 [inline] hciinit4sync net/bluetooth/hcisync.c:4706 [inline] hciinitsync net/bluetooth/hcisync.c:4742 [inline] hcidevinitsync net/bluetooth/hcisync.c:4912 [inline] hcidevopensync+0x19a9/0x2d30 net/bluetooth/hcisync.c:4994 hcidevdoopen net/bluetooth/hcicore.c:483 [inline] hcipoweron+0x11e/0x560 net/bluetooth/hcicore.c:1015 processonework kernel/workqueue.c:3267 [inline] processscheduledworks+0x8ef/0x14f0 kernel/workqueue.c:3348 workerthread+0x91f/0xe50 kernel/workqueue.c:3429 kthread+0x2cb/0x360 kernel/kthread.c:388 retfromfork+0x4d/0x80 arch/x86/kernel/process.c:147 retfromforkasm+0x1a/0x30 arch/x86/entry/entry_64.S:244
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/1e67d8641813f1876a42eeb4f532487b8a7fb0a8
- https://git.kernel.org/stable/c/1f1764466c33a4466363b821a25cd65c46a5a793
- https://git.kernel.org/stable/c/48d7c24b7ef6417c68f206566364db1f8087bb23
- https://git.kernel.org/stable/c/5d9054b9f769a8e124c4fa02072437c864726baf
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedabfeea476c68afea54c9c050a2d3b19d5d2ee873Fixed5d9054b9f769a8e124c4fa02072437c864726baf
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedabfeea476c68afea54c9c050a2d3b19d5d2ee873Fixed1f1764466c33a4466363b821a25cd65c46a5a793
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedabfeea476c68afea54c9c050a2d3b19d5d2ee873Fixed48d7c24b7ef6417c68f206566364db1f8087bb23
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedabfeea476c68afea54c9c050a2d3b19d5d2ee873Fixed1e67d8641813f1876a42eeb4f532487b8a7fb0a8
Affected versions
v5.*
v5.15
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v6.*
v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.1
v6.1.10
v6.1.100
v6.1.101
v6.1.102
v6.1.103
v6.1.104
v6.1.105
v6.1.106
v6.1.107
v6.1.108
v6.1.109
v6.1.11
v6.1.110
v6.1.111
v6.1.112
v6.1.113
v6.1.114
v6.1.115
v6.1.12
v6.1.13
v6.1.14
v6.1.15
v6.1.16
v6.1.17
v6.1.18
v6.1.19
v6.1.2
v6.1.20
v6.1.21
v6.1.22
v6.1.23
v6.1.24
v6.1.25
v6.1.26
v6.1.27
v6.1.28
v6.1.29
v6.1.3
v6.1.30
v6.1.31
v6.1.32
v6.1.33
v6.1.34
v6.1.35
v6.1.36
v6.1.37
v6.1.38
v6.1.39
v6.1.4
v6.1.40
v6.1.41
v6.1.42
v6.1.43
v6.1.44
v6.1.45
v6.1.46
v6.1.47
v6.1.48
v6.1.49
v6.1.5
v6.1.50
v6.1.51
v6.1.52
v6.1.53
v6.1.54
v6.1.55
v6.1.56
v6.1.57
v6.1.58
v6.1.59
v6.1.6
v6.1.60
v6.1.61
v6.1.62
v6.1.63
v6.1.64
v6.1.65
v6.1.66
v6.1.67
v6.1.68
v6.1.69
v6.1.7
v6.1.70
v6.1.71
v6.1.72
v6.1.73
v6.1.74
v6.1.75
v6.1.76
v6.1.77
v6.1.78
v6.1.79
v6.1.8
v6.1.80
v6.1.81
v6.1.82
v6.1.83
v6.1.84
v6.1.85
v6.1.86
v6.1.87
v6.1.88
v6.1.89
v6.1.9
v6.1.90
v6.1.91
v6.1.92
v6.1.93
v6.1.94
v6.1.95
v6.1.96
v6.1.97
v6.1.98
v6.1.99
v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.11.1
v6.11.2
v6.11.3
v6.11.4
v6.11.5
v6.11.6
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.3
v6.6.30
v6.6.31
v6.6.32
v6.6.33
v6.6.34
v6.6.35
v6.6.36
v6.6.37
v6.6.38
v6.6.39
v6.6.4
v6.6.40
v6.6.41
v6.6.42
v6.6.43
v6.6.44
v6.6.45
v6.6.46
v6.6.47
v6.6.48
v6.6.49
v6.6.5
v6.6.50
v6.6.51
v6.6.52
v6.6.53
v6.6.54
v6.6.55
v6.6.56
v6.6.57
v6.6.58
v6.6.59
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7
Database specific
vanir_signatures
[
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1f1764466c33a4466363b821a25cd65c46a5a793",
"deprecated": false,
"digest": {
"line_hashes": [
"302367343131711169039527627790240301175",
"333440495997162473258570006214504999949",
"92014669784872249516241643608497222730",
"260126525790276932240829616104244863418",
"183278775395991370272662463667205864435",
"228157217881273740451478243673496019915",
"102534361655168052101843875899411008267",
"111560001982265059554172708429922233477",
"129993520278972743636612600209691591082",
"42864616429881035065373693495409308522",
"43497926851277170074903164702820282763",
"56228475449655457494651618474700416366"
],
"threshold": 0.9
},
"target": {
"file": "net/bluetooth/hci_sync.c"
},
"id": "CVE-2024-50255-00dfbe2b",
"signature_type": "Line",
"signature_version": "v1"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1e67d8641813f1876a42eeb4f532487b8a7fb0a8",
"deprecated": false,
"digest": {
"function_hash": "171952866113496352428943823342980740007",
"length": 461.0
},
"target": {
"file": "net/bluetooth/hci_sync.c",
"function": "__hci_cmd_sync_status_sk"
},
"id": "CVE-2024-50255-0ca06215",
"signature_type": "Function",
"signature_version": "v1"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1f1764466c33a4466363b821a25cd65c46a5a793",
"deprecated": false,
"digest": {
"function_hash": "110383836116797230119603664456147949351",
"length": 991.0
},
"target": {
"file": "net/bluetooth/hci_sync.c",
"function": "__hci_cmd_sync_sk"
},
"id": "CVE-2024-50255-3ba8f125",
"signature_type": "Function",
"signature_version": "v1"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5d9054b9f769a8e124c4fa02072437c864726baf",
"deprecated": false,
"digest": {
"function_hash": "171952866113496352428943823342980740007",
"length": 461.0
},
"target": {
"file": "net/bluetooth/hci_sync.c",
"function": "__hci_cmd_sync_status_sk"
},
"id": "CVE-2024-50255-636c4b55",
"signature_type": "Function",
"signature_version": "v1"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1f1764466c33a4466363b821a25cd65c46a5a793",
"deprecated": false,
"digest": {
"function_hash": "171952866113496352428943823342980740007",
"length": 461.0
},
"target": {
"file": "net/bluetooth/hci_sync.c",
"function": "__hci_cmd_sync_status_sk"
},
"id": "CVE-2024-50255-77f61b64",
"signature_type": "Function",
"signature_version": "v1"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@48d7c24b7ef6417c68f206566364db1f8087bb23",
"deprecated": false,
"digest": {
"line_hashes": [
"302367343131711169039527627790240301175",
"333440495997162473258570006214504999949",
"92014669784872249516241643608497222730",
"260126525790276932240829616104244863418",
"183278775395991370272662463667205864435",
"228157217881273740451478243673496019915",
"102534361655168052101843875899411008267",
"111560001982265059554172708429922233477",
"129993520278972743636612600209691591082",
"42864616429881035065373693495409308522",
"43497926851277170074903164702820282763",
"56228475449655457494651618474700416366"
],
"threshold": 0.9
},
"target": {
"file": "net/bluetooth/hci_sync.c"
},
"id": "CVE-2024-50255-8213f67a",
"signature_type": "Line",
"signature_version": "v1"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5d9054b9f769a8e124c4fa02072437c864726baf",
"deprecated": false,
"digest": {
"line_hashes": [
"302367343131711169039527627790240301175",
"333440495997162473258570006214504999949",
"92014669784872249516241643608497222730",
"260126525790276932240829616104244863418",
"183278775395991370272662463667205864435",
"228157217881273740451478243673496019915",
"102534361655168052101843875899411008267",
"111560001982265059554172708429922233477",
"129993520278972743636612600209691591082",
"42864616429881035065373693495409308522",
"43497926851277170074903164702820282763",
"56228475449655457494651618474700416366"
],
"threshold": 0.9
},
"target": {
"file": "net/bluetooth/hci_sync.c"
},
"id": "CVE-2024-50255-94e5854c",
"signature_type": "Line",
"signature_version": "v1"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1e67d8641813f1876a42eeb4f532487b8a7fb0a8",
"deprecated": false,
"digest": {
"function_hash": "110383836116797230119603664456147949351",
"length": 991.0
},
"target": {
"file": "net/bluetooth/hci_sync.c",
"function": "__hci_cmd_sync_sk"
},
"id": "CVE-2024-50255-b6be3f47",
"signature_type": "Function",
"signature_version": "v1"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@48d7c24b7ef6417c68f206566364db1f8087bb23",
"deprecated": false,
"digest": {
"function_hash": "110383836116797230119603664456147949351",
"length": 991.0
},
"target": {
"file": "net/bluetooth/hci_sync.c",
"function": "__hci_cmd_sync_sk"
},
"id": "CVE-2024-50255-e3a52781",
"signature_type": "Function",
"signature_version": "v1"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1e67d8641813f1876a42eeb4f532487b8a7fb0a8",
"deprecated": false,
"digest": {
"line_hashes": [
"302367343131711169039527627790240301175",
"333440495997162473258570006214504999949",
"92014669784872249516241643608497222730",
"260126525790276932240829616104244863418",
"183278775395991370272662463667205864435",
"228157217881273740451478243673496019915",
"102534361655168052101843875899411008267",
"111560001982265059554172708429922233477",
"129993520278972743636612600209691591082",
"42864616429881035065373693495409308522",
"43497926851277170074903164702820282763",
"56228475449655457494651618474700416366"
],
"threshold": 0.9
},
"target": {
"file": "net/bluetooth/hci_sync.c"
},
"id": "CVE-2024-50255-ebebc15e",
"signature_type": "Line",
"signature_version": "v1"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5d9054b9f769a8e124c4fa02072437c864726baf",
"deprecated": false,
"digest": {
"function_hash": "110383836116797230119603664456147949351",
"length": 991.0
},
"target": {
"file": "net/bluetooth/hci_sync.c",
"function": "__hci_cmd_sync_sk"
},
"id": "CVE-2024-50255-f68a1650",
"signature_type": "Function",
"signature_version": "v1"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@48d7c24b7ef6417c68f206566364db1f8087bb23",
"deprecated": false,
"digest": {
"function_hash": "171952866113496352428943823342980740007",
"length": 461.0
},
"target": {
"file": "net/bluetooth/hci_sync.c",
"function": "__hci_cmd_sync_status_sk"
},
"id": "CVE-2024-50255-f8b8788c",
"signature_type": "Function",
"signature_version": "v1"
}
]