CVE-2024-50255

Source
https://cve.org/CVERecord?id=CVE-2024-50255
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-50255.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-50255
Downstream
Related
Published
2024-11-09T10:15:08.658Z
Modified
2026-05-18T05:57:57.551497609Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
Bluetooth: hci: fix null-ptr-deref in hci_read_supported_codecs
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci: fix null-ptr-deref in hci_read_supported_codecs

Fix __hci_cmd_sync_sk() to return not NULL for unknown opcodes.

__hci_cmd_sync_sk() returns NULL if a command returns a status event. However, it also returns NULL where an opcode doesn't exist in the hci_cc table because hci_cmd_complete_evt() assumes status = skb->data[0] for unknown opcodes. This leads to null-ptr-deref in cmd_sync for HCI_OP_READ_LOCAL_CODECS as there is no hci_cc for HCI_OP_READ_LOCAL_CODECS, which always assumes status = skb->data[0].

KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
CPU: 1 PID: 2000 Comm: kworker/u9:5 Not tainted 6.9.0-ga6bcb805883c-dirty #10
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: hci7 hci_power_on
RIP: 0010:hci_read_supported_codecs+0xb9/0x870 net/bluetooth/hci_codec.c:138
Code: 08 48 89 ef e8 b8 c1 8f fd 48 8b 75 00 e9 96 00 00 00 49 89 c6 48 ba 00 00 00 00 00 fc ff df 4c 8d 60 70 4c 89 e3 48 c1 eb 03 <0f> b6 04 13 84 c0 0f 85 82 06 00 00 41 83 3c 24 02 77 0a e8 bf 78
RSP: 0018:ffff888120bafac8 EFLAGS: 00010212
RAX: 0000000000000000 RBX: 000000000000000e RCX: ffff8881173f0040
RDX: dffffc0000000000 RSI: ffffffffa58496c0 RDI: ffff88810b9ad1e4
RBP: ffff88810b9ac000 R08: ffffffffa77882a7 R09: 1ffffffff4ef1054
R10: dffffc0000000000 R11: fffffbfff4ef1055 R12: 0000000000000070
R13: 0000000000000000 R14: 0000000000000000 R15: ffff88810b9ac000
FS:  0000000000000000(0000) GS:ffff8881f6c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6ddaa3439e CR3: 0000000139764003 CR4: 0000000000770ef0
PKRU: 55555554
Call Trace:
 <TASK>
 hci_read_local_codecs_sync net/bluetooth/hci_sync.c:4546 [inline]
 hci_init_stage_sync net/bluetooth/hci_sync.c:3441 [inline]
 hci_init4_sync net/bluetooth/hci_sync.c:4706 [inline]
 hci_init_sync net/bluetooth/hci_sync.c:4742 [inline]
 hci_dev_init_sync net/bluetooth/hci_sync.c:4912 [inline]
 hci_dev_open_sync+0x19a9/0x2d30 net/bluetooth/hci_sync.c:4994
 hci_dev_do_open net/bluetooth/hci_core.c:483 [inline]
 hci_power_on+0x11e/0x560 net/bluetooth/hci_core.c:1015
 process_one_work kernel/workqueue.c:3267 [inline]
 process_scheduled_works+0x8ef/0x14f0 kernel/workqueue.c:3348
 worker_thread+0x91f/0xe50 kernel/workqueue.c:3429
 kthread+0x2cb/0x360 kernel/kthread.c:388
 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/50xxx/CVE-2024-50255.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
abfeea476c68afea54c9c050a2d3b19d5d2ee873
Fixed
5d9054b9f769a8e124c4fa02072437c864726baf
Fixed
1f1764466c33a4466363b821a25cd65c46a5a793
Fixed
48d7c24b7ef6417c68f206566364db1f8087bb23
Fixed
1e67d8641813f1876a42eeb4f532487b8a7fb0a8

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-50255.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.17.0
Fixed
6.1.116
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.60
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.11.7

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-50255.json"