CVE-2024-50255 in Linux

Summary

by MITRE • 11/09/2024

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci: fix null-ptr-deref in hci_read_supported_codecs

Fix __hci_cmd_sync_sk() to return not NULL for unknown opcodes.

__hci_cmd_sync_sk() returns NULL if a command returns a status event. However, it also returns NULL where an opcode doesn't exist in the hci_cc table because hci_cmd_complete_evt() assumes status = skb->data[0] for unknown opcodes. This leads to null-ptr-deref in cmd_sync for HCI_OP_READ_LOCAL_CODECS as there is no hci_cc for HCI_OP_READ_LOCAL_CODECS, which always assumes status = skb->data[0].

KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
CPU: 1 PID: 2000 Comm: kworker/u9:5 Not tainted 6.9.0-ga6bcb805883c-dirty #10
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: hci7 hci_power_on
RIP: 0010:hci_read_supported_codecs+0xb9/0x870 net/bluetooth/hci_codec.c:138
Code: 08 48 89 ef e8 b8 c1 8f fd 48 8b 75 00 e9 96 00 00 00 49 89 c6 48 ba 00 00 00 00 00 fc ff df 4c 8d 60 70 4c 89 e3 48 c1 eb 03 b6 04 13 84 c0 0f 85 82 06 00 00 41 83 3c 24 02 77 0a e8 bf 78
RSP: 0018:ffff888120bafac8 EFLAGS: 00010212
RAX: 0000000000000000 RBX: 000000000000000e RCX: ffff8881173f0040
RDX: dffffc0000000000 RSI: ffffffffa58496c0 RDI: ffff88810b9ad1e4
RBP: ffff88810b9ac000 R08: ffffffffa77882a7 R09: 1ffffffff4ef1054
R10: dffffc0000000000 R11: fffffbfff4ef1055 R12: 0000000000000070
R13: 0000000000000000 R14: 0000000000000000 R15: ffff88810b9ac000
FS: 0000000000000000(0000) GS:ffff8881f6c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6ddaa3439e CR3: 0000000139764003 CR4: 0000000000770ef0
PKRU: 55555554
Call Trace:
 hci_read_local_codecs_sync net/bluetooth/hci_sync.c:4546 [inline]
 hci_init_stage_sync net/bluetooth/hci_sync.c:3441 [inline]
 hci_init4_sync net/bluetooth/hci_sync.c:4706 [inline]
 hci_init_sync net/bluetooth/hci_sync.c:4742 [inline]
 hci_dev_init_sync net/bluetooth/hci_sync.c:4912 [inline]
 hci_dev_open_sync+0x19a9/0x2d30 net/bluetooth/hci_sync.c:4994
 hci_dev_do_open net/bluetooth/hci_core.c:483 [inline]
 hci_power_on+0x11e/0x560 net/bluetooth/hci_core.c:1015
 process_one_work kernel/workqueue.c:3267 [inline]
 process_scheduled_works+0x8ef/0x14f0 kernel/workqueue.c:3348
 worker_thread+0x91f/0xe50 kernel/workqueue.c:3429
 kthread+0x2cb/0x360 kernel/kthread.c:388
 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244


Analysis

by VulDB Data Team • 10/02/2025

The vulnerability described in CVE-2024-50255 affects the Linux kernel's Bluetooth subsystem, specifically within the HCI (Host Controller Interface) layer. This issue stems from a null pointer dereference that occurs during Bluetooth device initialization, particularly when attempting to read supported codecs. The flaw manifests when the kernel tries to process a command that does not have an entry in the HCI command complete table, leading to improper handling of command responses and subsequent system crashes. The vulnerability is categorized under CWE-476 as a null pointer dereference, which represents a critical security weakness that can lead to system instability and potential denial of service conditions.

The technical root cause lies in the `__hci_cmd_sync_sk()` function, which sends an HCI command synchronously and waits for its response. When the command's opcode is unknown, the function returns NULL instead of a response or an error pointer. `hci_read_supported_codecs` then dereferences that NULL pointer, causing a kernel panic. The behaviour arises because the HCI command complete event handler assumes the status field is at `skb->data[0]` for every opcode, including those with no entry in the `hci_cc` table, so a valid reply for such an opcode is consumed as if it were a bare status event and no buffer reaches the waiting caller. The KASAN (Kernel Address Sanitizer) trace confirms the dereference at offset 0x70 from a NULL base (the reported range 0x70-0x77) inside `hci_read_supported_codecs`, meaning the kernel read a field of a structure it never received.
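To show why the caller's usual `IS_ERR()` check does not catch this, here is an added user-space model of the pre-fix and fixed `__hci_cmd_sync_sk()` contracts beside the `hci_read_supported_codecs` caller pattern described in the commit message and the paragraph above; it is example code, not the kernel's, and the `sk_buff`, opcode values and `ERR_PTR` helpers are simplified stand-ins. The fixed variant only implements the commit title's promise (no NULL for unknown opcodes) because the actual patch is not on this page, and `-EFAULT` marks the point where the real kernel dereferences NULL.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
/* Kernel-style error-pointer helpers, re-implemented for this user-space model. */
#define MAX_ERRNO 4095
#define ERR_PTR(e) ((void *)(intptr_t)(e))
#define PTR_ERR(p) ((int)(intptr_t)(p))
#define IS_ERR(p)  ((uintptr_t)(p) >= (uintptr_t)-MAX_ERRNO)
struct sk_buff { size_t len; const uint8_t *data; };  /* minimal stand-in */

/* Model opcodes (assumed values); only entries of hci_cc_table have a handler. */
#define OP_WITH_HANDLER      0x0c03
#define OP_READ_LOCAL_CODECS 0x100b
static const uint16_t hci_cc_table[] = { OP_WITH_HANDLER };
static int has_cc_handler(uint16_t op)
{
    for (size_t i = 0; i < sizeof hci_cc_table / sizeof *hci_cc_table; i++)
        if (hci_cc_table[i] == op) return 1;
    return 0;
}

/* Pre-fix contract: no hci_cc entry means "status event", so the waiter gets no skb. */
static struct sk_buff *cmd_sync_unfixed(uint16_t op, struct sk_buff *reply)
{
    return has_cc_handler(op) ? reply : NULL;
}

/* Fixed contract per the commit title: never NULL; hand back the reply, else an error pointer. */
static struct sk_buff *cmd_sync_fixed(uint16_t op, struct sk_buff *reply)
{
    if (has_cc_handler(op)) return reply;
    return reply->len ? reply : ERR_PTR(-ENODATA);
}

/* Caller pattern of hci_read_supported_codecs: check IS_ERR(), then use skb.
 * IS_ERR() is false for NULL, so the pre-fix NULL reaches the dereference. */
typedef struct sk_buff *(*sync_fn)(uint16_t, struct sk_buff *);
static int read_supported_codecs(sync_fn sync, struct sk_buff *reply)
{
    struct sk_buff *skb = sync(OP_READ_LOCAL_CODECS, reply);
    if (IS_ERR(skb)) return PTR_ERR(skb);
    if (!skb) return -EFAULT;         /* model stand-in: the kernel dereferences here */
    if (skb->len < 2) return -EINVAL; /* too short for status byte + codec count */
    return skb->data[0] ? -EIO : skb->data[1];  /* status, then codec count */
}

/* Constructed replies: status 0x00 followed by two codec ids, and an empty one. */
static const uint8_t reply_bytes[] = { 0x00, 0x02, 0x01, 0x02 };
static struct sk_buff sample_reply = { sizeof reply_bytes, reply_bytes };
static struct sk_buff empty_reply  = { 0, reply_bytes };
```

A defensive caller-side check is `IS_ERR_OR_NULL()`, but the commit fixes the producer so that every caller of the sync helper benefits.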

The operational impact of this vulnerability extends beyond simple system instability, as it can be exploited to cause denial of service attacks against Bluetooth-enabled systems. An attacker could potentially trigger this condition by initiating Bluetooth operations with unsupported or malformed commands, forcing the kernel to crash and restart the Bluetooth subsystem. This type of vulnerability aligns with ATT&CK technique T1499.001, which involves the exploitation of system resource exhaustion or instability through kernel-level vulnerabilities. The affected kernel version 6.9.0 shows that this flaw exists in recent stable releases, indicating that it has been present for some time and could affect a wide range of devices including servers, embedded systems, and mobile platforms that rely on Bluetooth connectivity.

Mitigation strategies for this vulnerability should focus on applying the kernel patch that resolves the null pointer dereference in the HCI command handling logic. The fix ensures that `__hci_cmd_sync_sk()` properly returns error codes rather than NULL for unknown opcodes, preventing the subsequent dereference in `hci_read_supported_codecs`. System administrators should prioritize updating their kernel versions to include this fix, particularly in environments where Bluetooth functionality is critical or where systems may be exposed to untrusted Bluetooth devices. Additionally, monitoring for kernel panic events and system crashes related to Bluetooth operations should be implemented as part of security operations procedures to detect potential exploitation attempts. The vulnerability demonstrates the importance of proper error handling in kernel subsystems and the need for comprehensive testing of command processing logic, especially in protocols where device compatibility and error recovery are essential for system stability.

Responsible

Linux

Reservation

10/21/2024

Disclosure

11/09/2024

Moderation

accepted

CPE

ready

EPSS

0.00218

KEV

no

Activities

very low
