NVD Vulnerability Detail

CVE-2024-50255

Summary	In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci: fix null-ptr-deref in hci_read_supported_codecs Fix __hci_cmd_sync_sk() to return not NULL for unknown opcodes. __hci_cmd_sync_sk() returns NULL if a command returns a status event. However, it also returns NULL where an opcode doesn't exist in the hci_cc table because hci_cmd_complete_evt() assumes status = skb->data[0] for unknown opcodes. This leads to null-ptr-deref in cmd_sync for HCI_OP_READ_LOCAL_CODECS as there is no hci_cc for HCI_OP_READ_LOCAL_CODECS, which always assumes status = skb->data[0]. KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077] CPU: 1 PID: 2000 Comm: kworker/u9:5 Not tainted 6.9.0-ga6bcb805883c-dirty #10 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: hci7 hci_power_on RIP: 0010:hci_read_supported_codecs+0xb9/0x870 net/bluetooth/hci_codec.c:138 Code: 08 48 89 ef e8 b8 c1 8f fd 48 8b 75 00 e9 96 00 00 00 49 89 c6 48 ba 00 00 00 00 00 fc ff df 4c 8d 60 70 4c 89 e3 48 c1 eb 03 <0f> b6 04 13 84 c0 0f 85 82 06 00 00 41 83 3c 24 02 77 0a e8 bf 78 RSP: 0018:ffff888120bafac8 EFLAGS: 00010212 RAX: 0000000000000000 RBX: 000000000000000e RCX: ffff8881173f0040 RDX: dffffc0000000000 RSI: ffffffffa58496c0 RDI: ffff88810b9ad1e4 RBP: ffff88810b9ac000 R08: ffffffffa77882a7 R09: 1ffffffff4ef1054 R10: dffffc0000000000 R11: fffffbfff4ef1055 R12: 0000000000000070 R13: 0000000000000000 R14: 0000000000000000 R15: ffff88810b9ac000 FS: 0000000000000000(0000) GS:ffff8881f6c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f6ddaa3439e CR3: 0000000139764003 CR4: 0000000000770ef0 PKRU: 55555554 Call Trace: <TASK> hci_read_local_codecs_sync net/bluetooth/hci_sync.c:4546 [inline] hci_init_stage_sync net/bluetooth/hci_sync.c:3441 [inline] hci_init4_sync net/bluetooth/hci_sync.c:4706 [inline] hci_init_sync net/bluetooth/hci_sync.c:4742 [inline] hci_dev_init_sync net/bluetooth/hci_sync.c:4912 [inline] hci_dev_open_sync+0x19a9/0x2d30 net/bluetooth/hci_sync.c:4994 hci_dev_do_open net/bluetooth/hci_core.c:483 [inline] hci_power_on+0x11e/0x560 net/bluetooth/hci_core.c:1015 process_one_work kernel/workqueue.c:3267 [inline] process_scheduled_works+0x8ef/0x14f0 kernel/workqueue.c:3348 worker_thread+0x91f/0xe50 kernel/workqueue.c:3429 kthread+0x2cb/0x360 kernel/kthread.c:388 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Publication Date	Nov. 9, 2024, 8:15 p.m.
Registration Date	Nov. 10, 2024, 5 a.m.
Last Update	Nov. 15, 2024, 3:10 a.m.

CVSS3.1 : MEDIUM
スコア	5.5
Vector	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
攻撃元区分(AV)	ローカル
攻撃条件の複雑さ(AC)	低
攻撃に必要な特権レベル(PR)	低
利用者の関与(UI)	不要
影響の想定範囲(S)	変更なし
機密性への影響(C)	なし
完全性への影響(I)	なし
可用性への影響(A)	高

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:o:linux:linux_kernel:6.12:rc1::::::
cpe:2.3:o:linux:linux_kernel:6.12:rc2::::::
cpe:2.3:o:linux:linux_kernel:6.12:rc4::::::
cpe:2.3:o:linux:linux_kernel:6.12:rc3::::::
cpe:2.3:o:linux:linux_kernel:6.12:rc5::::::
cpe:2.3:o:linux:linux_kernel::::::::	6.7			6.11.7
cpe:2.3:o:linux:linux_kernel::::::::	6.2			6.6.60
cpe:2.3:o:linux:linux_kernel::::::::	5.17			6.1.116

Related information, measures and tools

No	URL	タグ
1	https://git.kernel.org/stable/c/5d9054b9f769a8e124c4fa02072437c864726baf	Patch
2	https://git.kernel.org/stable/c/1f1764466c33a4466363b821a25cd65c46a5a793	Patch
3	https://git.kernel.org/stable/c/48d7c24b7ef6417c68f206566364db1f8087bb23	Patch
4	https://git.kernel.org/stable/c/1e67d8641813f1876a42eeb4f532487b8a7fb0a8	Patch

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-476	NULL ポインタデリファレンス	https://cwe.mitre.org/data/definitions/476.html

JVN Vulnerability Information

Linux の Linux Kernel における NULL ポインタデリファレンスに関する脆弱性

Title	Linux の Linux Kernel における NULL ポインタデリファレンスに関する脆弱性
Summary	Linux の Linux Kernel には、NULL ポインタデリファレンスに関する脆弱性が存在します。
Possible impacts	サービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Oct. 30, 2024, midnight
Registration Date	Nov. 15, 2024, 4:16 p.m.
Last Update	Nov. 15, 2024, 4:16 p.m.

Affected System

Linux

Linux Kernel 5.17 以上 6.1.116 未満

Linux Kernel 6.12

Linux Kernel 6.2 以上 6.6.60 未満

Linux Kernel 6.7 以上 6.11.7 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2024-50255	https://www.cve.org/CVERecord?id=CVE-2024-50255
National Vulnerability Database (NVD)
2	CVE-2024-50255	https://nvd.nist.gov/vuln/detail/CVE-2024-50255

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-476	http://cwe.mitre.org/data/definitions/476.html

ベンダー情報

No	Name	URL
Kernel.org git repositories
1	Bluetooth: hci: fix null-ptr-deref in hci_read_supported_codecs (1e67d86)	https://git.kernel.org/stable/c/1e67d8641813f1876a42eeb4f532487b8a7fb0a8
2	Bluetooth: hci: fix null-ptr-deref in hci_read_supported_codecs (1f17644)	https://git.kernel.org/stable/c/1f1764466c33a4466363b821a25cd65c46a5a793
3	Bluetooth: hci: fix null-ptr-deref in hci_read_supported_codecs (48d7c24)	https://git.kernel.org/stable/c/48d7c24b7ef6417c68f206566364db1f8087bb23
4	Bluetooth: hci: fix null-ptr-deref in hci_read_supported_codecs (5d9054b)	https://git.kernel.org/stable/c/5d9054b9f769a8e124c4fa02072437c864726baf
Linux Kernel
5	Linux Kernel Archives	https://www.kernel.org

Change Log

No	Changed Details	Date of change
1	[2024年11月15日] 掲載	Nov. 15, 2024, 1:09 p.m.