CVE-2024-36011 - Bluetooth: HCI: Fix potential null-ptr-deref in hci_le_big_sync_established_evt() in Linux Kernel

In this long-read post, we delve into a recently resolved security vulnerability identified as CVE-2024-36011. This vulnerability was discovered in the HCI (Host Controller Interface) subsystem of the Linux kernel, specifically within the Bluetooth stack. The vulnerability, a potential null pointer dereference, could affect system stability and security. This post will take you through the details of this vulnerability, including the relevant code snippets and links to the original references.

Background

The HCI is a critical component within the Bluetooth stack responsible for communication between the host and the Bluetooth controller. The particular function in question, hci_le_big_sync_established_evt(), is part of the HCI subsystem and manages the establishment of BIG (Burst Isochronous Groups) synchronization with connected devices.

Vulnerability Details

The vulnerability identified in the hci_le_big_sync_established_evt() function is a potential null pointer dereference. It stems from improper handling of the HCI_LE_BIG_SYNC_ESTABLISHED event, which could result in a null pointer dereference and a subsequent system crash or instability. Additionally, it may be possible for an attacker to exploit this vulnerability and execute arbitrary code with kernel privileges.

The following code snippet shows the vulnerable portion of the HCI code:

void hci_le_big_sync_established_evt(struct hci_dev *hdev, struct sk_buff *skb)
{
    ...
    hci_conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(evt->conn_handle));
    if (!hci_conn) {
        ...   /* the error is noted, but the function does not return here */
    }

    /* reached with hci_conn == NULL when the handle is unknown */
    hci_conn->le_conn_min_interval = __le24_to_cpu(evt->conn_min_interval);
    ...
}

In this code snippet, the function hci_conn_hash_lookup_handle() is used to look up the hci_conn object associated with a given connection handle. The lookup returns NULL for a handle it does not know, and because the function does not bail out on that result, the subsequent assignment is made with hci_conn equal to NULL, resulting in a null pointer dereference.

Exploit and Mitigation

Currently, there are no known public exploits for this vulnerability. However, a theoretical exploit could involve an attacker with physical proximity to a vulnerable device sending malicious Bluetooth packets to trigger the null pointer dereference and thus crash the system or enable arbitrary code execution.

The following patch effectively mitigates the vulnerability by adding proper error handling for null hci_conn:

void hci_le_big_sync_established_evt(struct hci_dev *hdev, struct sk_buff *skb)
{
    u16 handle;
    ...
    handle = __le16_to_cpu(evt->conn_handle);
    hci_conn = hci_conn_hash_lookup_handle(hdev, handle);

    /* Proper handling of NULL hci_conn: log the unknown handle and bail out
     * before anything dereferences the pointer */
    if (!hci_conn) {
        bt_dev_err(hdev, "unknown connection handle 0x%4.4x", handle);
        return;
    }

    hci_conn->le_conn_min_interval = __le24_to_cpu(evt->conn_min_interval);
    ...
}

This patch adds an error handling check for a NULL hci_conn immediately after the call to hci_conn_hash_lookup_handle(), ensuring that the vulnerable assignment is never reached with a NULL pointer.
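As an added illustration (not kernel code, and not part of the original post), the following C model reproduces the hardened pattern: a lookup that can return NULL followed by an explicit bail-out, plus a length check before the event fields are parsed. The hci_conn table, the event layout (2-byte little-endian connection handle followed by a 3-byte little-endian interval) and the function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for struct hci_conn: one entry per connection handle. */
struct hci_conn {
    uint16_t handle;
    uint32_t le_conn_min_interval;
};
/* Constructed connection table playing the role of hci_conn_hash_lookup_handle(). */
static struct hci_conn conn_table[] = { { 0x0001, 0 }, { 0x0040, 0 } };

static struct hci_conn *lookup_handle(uint16_t handle)
{
    for (size_t i = 0; i < sizeof conn_table / sizeof conn_table[0]; i++)
        if (conn_table[i].handle == handle)
            return &conn_table[i];
    return NULL; /* unknown handle: the input the fix has to survive */
}

/* Little-endian field decoders, in the role of the kernel's __le16_to_cpu / __le24_to_cpu. */
static uint16_t le16_to_cpu(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le24_to_cpu(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16);
}

/* Assumed event layout: 2-byte LE conn_handle followed by 3-byte LE conn_min_interval. */
#define BIG_SYNC_EVT_LEN 5

/* Hardened handler. Returns 0 on success, -1 for a truncated event and
 * -2 for a handle with no connection (the path CVE-2024-36011 left unchecked). */
int handle_big_sync_established(const uint8_t *data, size_t len)
{
    if (len < BIG_SYNC_EVT_LEN)
        return -1;              /* never parse past the end of the event */
    uint16_t handle = le16_to_cpu(data);
    struct hci_conn *conn = lookup_handle(handle);
    if (!conn) {
        fprintf(stderr, "unknown connection handle 0x%4.4x\n", handle);
        return -2;              /* bail out instead of dereferencing NULL */
    }
    conn->le_conn_min_interval = le24_to_cpu(data + 2);
    return 0;
}

/* Reads back the stored interval so callers can verify the update (0 if unknown). */
uint32_t interval_for(uint16_t handle)
{
    struct hci_conn *c = lookup_handle(handle);
    return c ? c->le_conn_min_interval : 0;
}
```

The unknown-handle and truncated-event inputs are exactly the cases a fuzzer or a hostile peer would exercise; with the early returns in place, both are rejected without touching memory.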

Original References

1. Linux Kernel Commit: 8918856f16de ("Bluetooth: HCI: Fix potential null-ptr-deref")
2. Bluetooth Specification: Core_v5.3_vol_2_part_e_7.7.66_HCI_LE_BIG_Sync_Established_Event

Conclusion

CVE-2024-36011 represents a potential null pointer dereference vulnerability in the Linux kernel's HCI subsystem. The primary outcome of exploiting this vulnerability would likely be a system crash or instability, but there is the potential for arbitrary code execution. This vulnerability has been mitigated through the implementation of proper error handling. Device manufacturers and users are encouraged to update their Linux kernel to include the latest security fixes to help mitigate this vulnerability and others like it.

Timeline

Published on: 05/23/2024 07:15:08 UTC
Last modified on: 05/29/2024 05:32:55 UTC