A vulnerability in the Linux kernel's Bluetooth subsystem, tracked as CVE-2024-35933, has recently been fixed by a patch that resolves a NULL pointer dereference in the btintel_read_version() function of the Intel Bluetooth driver (btintel). Because Bluetooth is an essential component of many devices, understanding this vulnerability, the patch, and the way the risk is mitigated matters to anyone maintaining a safe environment for users and developers.

Exploit Details

The problem is a NULL pointer dereference in btintel_read_version(). When hci_cmd_sync_complete() is triggered, the socket buffer (skb) can be NULL if allocating the buffer failed earlier in that function. In that case hdev->req_skb is NULL as well, __hci_cmd_sync() hands that NULL back to btintel_read_version(), and the function crashes on its first dereference of skb. The existing IS_ERR(skb) test does not catch this, because NULL is not an encoded error pointer.

Here is the vulnerable code:

/* Read Intel version information
 * This will identify Intel-based hardware, such as the HCI.
 */
int btintel_read_version(struct hci_dev *hdev, struct intel_version *ver)
{
    struct sk_buff *skb;

    /* Vendor command 0xfc05 with no parameters; the reply skb is returned. */
    skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_INIT_TIMEOUT);
    if (IS_ERR(skb)) {
        bt_dev_err(hdev, "Failed to read Intel version information (%ld)",
                   PTR_ERR(skb));
        return PTR_ERR(skb);
    }

    /* A NULL skb passes the IS_ERR() test above and is dereferenced here. */
    if (skb->len != sizeof(*ver)) {
        bt_dev_err(hdev, "Intel version event size mismatch (%u != %zu)",
                   skb->len, sizeof(*ver));
        kfree_skb(skb);
        return -EILSEQ;
    }

    memcpy(ver, skb->data, sizeof(*ver));

    kfree_skb(skb);

    return 0;
}

To resolve this issue, a patch adds an explicit NULL check before the buffer is used. The snippet below shows the fixed function, with the added lines marked by a leading "+":

int btintel_read_version(struct hci_dev *hdev, struct intel_version *ver)
{
    struct sk_buff *skb;

    skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_INIT_TIMEOUT);
    if (IS_ERR(skb)) {
        bt_dev_err(hdev, "Failed to read Intel version information (%ld)",
                   PTR_ERR(skb));
        return PTR_ERR(skb);
    }

+   /* Catch the NULL that IS_ERR() does not. */
+   if (!skb) {
+       bt_dev_err(hdev, "Failed to read Intel version information (null)");
+       return -ENOMEM;
+   }

    if (skb->len != sizeof(*ver)) {
        bt_dev_err(hdev, "Intel version event size mismatch (%u != %zu)",
                   skb->len, sizeof(*ver));
        kfree_skb(skb);
        return -EILSEQ;
    }

    memcpy(ver, skb->data, sizeof(*ver));

    kfree_skb(skb);

    return 0;
}

The patch adds a check for a NULL skb directly after the IS_ERR() test, so a NULL return is reported as an error (-ENOMEM) instead of being dereferenced a few lines later.
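Why IS_ERR() alone was not enough, as an added C example that is not the kernel's code: a small user-space model of the kernel's ERR_PTR/IS_ERR convention, with a constructed fake_hci_cmd_sync() (its "mode" argument selects a good reply, an error pointer, or NULL), run through both the unpatched and the patched flow.

```c
/* Added example, not kernel code: a user-space model of the kernel's ERR_PTR/IS_ERR
 * convention, showing why IS_ERR(skb) alone lets a NULL skb through and how the added
 * check closes the hole. fake_hci_cmd_sync() and its 'mode' argument are constructed. */
#include <stdint.h>
#include <string.h>
#include <errno.h>

#define MAX_ERRNO 4095
#define ERR_PTR(err) ((void *)(intptr_t)(err))
#define PTR_ERR(p)   ((long)(intptr_t)(p))
/* Error pointers occupy the top 4095 addresses; NULL is address 0, so IS_ERR(NULL) is false. */
#define IS_ERR(p)    ((uintptr_t)(p) >= (uintptr_t)-MAX_ERRNO)

struct sk_buff { unsigned int len; unsigned char data[16]; };
struct intel_version { unsigned char bytes[10]; };

/* Stand-in for __hci_cmd_sync(): mode 0 = good reply, 1 = error pointer,
 * 2 = NULL (what hci_cmd_sync_complete() hands back when the skb allocation failed). */
static struct sk_buff good_reply = { sizeof(struct intel_version), { 0x37 } };
static struct sk_buff *fake_hci_cmd_sync(int mode)
{
    if (mode == 1) return ERR_PTR(-ETIMEDOUT);
    if (mode == 2) return NULL;
    return &good_reply;
}

/* Vulnerable flow: only IS_ERR() guards the pointer. Instead of dereferencing
 * NULL we record the would-be crash in *crashed and return -EFAULT. */
static int read_version_unpatched(int mode, struct intel_version *ver, int *crashed)
{
    struct sk_buff *skb = fake_hci_cmd_sync(mode);
    *crashed = 0;
    if (IS_ERR(skb)) return (int)PTR_ERR(skb);
    if (!skb) { *crashed = 1; return -EFAULT; } /* the real code faults on skb->len here */
    if (skb->len != sizeof(*ver)) return -EILSEQ;
    memcpy(ver, skb->data, sizeof(*ver));
    return 0;
}

/* Patched flow: an explicit NULL check sits between IS_ERR() and the first use. */
static int read_version_patched(int mode, struct intel_version *ver, int *crashed)
{
    struct sk_buff *skb = fake_hci_cmd_sync(mode);
    *crashed = 0;
    if (IS_ERR(skb)) return (int)PTR_ERR(skb);
    if (!skb) return -ENOMEM;
    if (skb->len != sizeof(*ver)) return -EILSEQ;
    memcpy(ver, skb->data, sizeof(*ver));
    return 0;
}
```

The error-pointer branch behaves identically in both versions; only the NULL case changes, from a crash to a clean -ENOMEM.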


Conclusion

The Linux kernel maintainers have identified and resolved a Bluetooth vulnerability (CVE-2024-35933) that caused a NULL pointer dereference. It is fixed by a patch that adds a NULL check to the Bluetooth btintel_read_version function. We recommend that anyone running an affected kernel version update to a fixed kernel to avoid the crashes and potential security risks related to Bluetooth functionality.

Timeline

Published on: 05/19/2024 11:15:49 UTC
Last modified on: 06/27/2024 13:15:59 UTC