CVE-2024-26903 Information

Apr 18, 2024 cve

Description

In the Linux kernel the following vulnerability has been resolved:

Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security

During our fuzz testing of the connection and disconnection process at the RFCOMM layer we discovered this bug. By comparing the packets from a normal connection and disconnection process with the testcase that triggered a KASAN report. We analyzed the cause of this bug as follows:

In the packets captured during a normal connection the host sends a Read Encryption Key Size type of HCI_CMD packet (Command Opcode: 0x1408) to the controller to inquire the length of encryption key.After receiving this packet the controller immediately replies with a Command Completepacket (Event Code: 0x0e) to return the Encryption Key Size.
In our fuzz test case the timing of the controller’s response to this packet was delayed to an unexpected point: after the RFCOMM and L2CAP layers had disconnected but before the HCI layer had disconnected.
After receiving the Encryption Key Size Response at the time described in point 2 the host still called the rfcomm_check_security function. However by this time struct l2cap_conn conn = l2cap_pi(sk)->chan->conn; had already been released and when the function executed return hci_conn_security(conn->hcon d->sec_level auth_type d->out); specifically when accessing conn->hcon a null-ptr-deref error occurred.

To fix this bug check if sk->sk_state is BT_CLOSED before calling rfcomm_recv_frame in rfcomm_process_rx.

Reference

Share on: