Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_conn: return ERR_PTR instead of NULL when there is no link

hci_connect_sco() currently returns NULL when there is no link (i.e. when hci_conn_link() returns NULL). sco_connect() expects an ERR_PTR in case of any error (see line 266 in sco.c). Thus, an hcon set to NULL passes through to sco_conn_add(), which tries to get hcon->hdev, resulting in a NULL pointer dereference as reported by syzkaller.

The same issue exists for iso_connect_cis() calling hci_connect_cis().

Thus, make hci_connect_sco() and hci_connect_cis() return ERR_PTR instead of NULL.
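The bug class behind this fix is a return-value contract mismatch: the caller only tests IS_ERR(), and IS_ERR(NULL) is false, so a bare NULL sails past the error path. The userspace model below is an added example, not the kernel's code; it re-implements ERR_PTR/IS_ERR/PTR_ERR, uses stand-in struct hci_dev/hci_conn types and a constructed hci_conn_link(), picks -ENOLINK as an illustrative errno, and replaces the dereference in the caller with a check that returns -EFAULT so the model can be run safely.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Userspace stand-ins for the kernel's ERR_PTR helpers (assumption: simplified). */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long err) { return (void *)(uintptr_t)err; }
static inline long PTR_ERR(const void *p) { return (long)(intptr_t)p; }
static inline bool IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }

/* Minimal stand-ins for the kernel structures involved (constructed). */
struct hci_dev { int id; };
struct hci_conn { struct hci_dev *hdev; };

/* Sample objects used by the caller below (constructed input). */
static struct hci_dev sample_hdev = { .id = 7 };
static struct hci_conn sample_conn = { .hdev = &sample_hdev };

/* Stand-in for hci_conn_link(): NULL when no link could be set up. */
static struct hci_conn *hci_conn_link(bool have_link, struct hci_conn *conn)
{
	return have_link ? conn : NULL;
}

/* Before the fix: hci_conn_link()'s NULL is passed straight back to the caller. */
static struct hci_conn *hci_connect_sco_before(bool have_link, struct hci_conn *conn)
{
	return hci_conn_link(have_link, conn);
}

/* After the fix: the "no link" case is reported as an ERR_PTR, which IS_ERR() catches. */
static struct hci_conn *hci_connect_sco_after(bool have_link, struct hci_conn *conn)
{
	struct hci_conn *link = hci_conn_link(have_link, conn);

	if (!link)
		return ERR_PTR(-ENOLINK); /* errno chosen for illustration */
	return link;
}

/* Model of sco_connect()'s error handling: only IS_ERR() is checked, because every
 * failure is expected to arrive as an ERR_PTR. Returns hdev->id on success, the
 * negative errno when the ERR_PTR path caught the failure, and -EFAULT where the
 * real code would have dereferenced a NULL hcon inside sco_conn_add(). */
static int sco_connect_model(struct hci_conn *hcon)
{
	if (IS_ERR(hcon))
		return (int)PTR_ERR(hcon);
	if (!hcon)
		return -EFAULT; /* real code: hcon->hdev, a NULL pointer dereference */
	return hcon->hdev->id;
}
```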
References
- https://git.kernel.org/stable/c/357ab53c83a5322437fa434e9a9e3e0bafe6b383
- https://git.kernel.org/stable/c/b4066eb04bb67e7ff66e5aaab0db4a753f37eaad
FAQ
What is CVE-2023-54038?
CVE-2023-54038 is a documented vulnerability in the Linux kernel's Bluetooth hci_conn code: hci_connect_sco() and hci_connect_cis() returned NULL instead of an ERR_PTR when there was no link, so their callers sco_connect() and iso_connect_cis() passed a NULL hcon on and dereferenced it. See the vulnerability description above for the full resolved-issue text.
How severe is CVE-2023-54038?
CVSS scoring is not yet available for CVE-2023-54038. Check NVD for updates.
Is there a patch for CVE-2023-54038?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.