In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: avoid hci_dev_test_and_set_flag() in mgmt_init_hdev()
syzbot is again reporting attempt to cancel uninitialized work at mgmt_index_removed() [1], for setting of HCI_MGMT flag from mgmt_init_hdev() from hci_mgmt_cmd() from hci_sock_sendmsg() can race with testing of HCI_MGMT flag from mgmt_index_removed() from hci_sock_bind() due to lack of serialization via hci_dev_lock().
Since mgmt_init_hdev() is called with mgmt_chan_list_lock held, we can safely split hci_dev_test_and_set_flag() into hci_dev_test_flag() and hci_dev_set_flag(). Thus, in order to close this race, set HCI_MGMT flag after INIT_DELAYED_WORK() completed.
This is a local fix based on mgmt_chan_list_lock. Lack of serialization via hci_dev_lock() might be causing different race conditions somewhere else. But a global fix based on hci_dev_lock() should deserve a future patch.
[
  {
    "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e53c6180db8dd09de94e0a3bdf4fef6f5f9dd6e6",
    "target": { "function": "mgmt_init_hdev", "file": "net/bluetooth/mgmt.c" },
    "digest": { "function_hash": "3909338457473324597184253432715776756", "length": 366.0 },
    "deprecated": false,
    "id": "CVE-2022-50339-0a7dc12e",
    "signature_type": "Function",
    "signature_version": "v1"
  },
  {
    "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f74ca25d6d6629ffd4fd80a1a73037253b57d06b",
    "target": { "file": "net/bluetooth/mgmt.c" },
    "digest": {
      "line_hashes": [
        "209184186923984663168571331086766454933",
        "285768586794515007643306371206884866317",
        "61647721783885470149336563043455863182",
        "1306626252597129598434339481122836980",
        "36940912711881891743912345420701115601",
        "304076993267024565156143473496138982733",
        "198206099864455178334535752371180059701",
        "156375614781468304052552225929793128872"
      ],
      "threshold": 0.9
    },
    "deprecated": false,
    "id": "CVE-2022-50339-0c214a52",
    "signature_type": "Line",
    "signature_version": "v1"
  },
  {
    "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f74ca25d6d6629ffd4fd80a1a73037253b57d06b",
    "target": { "function": "mgmt_init_hdev", "file": "net/bluetooth/mgmt.c" },
    "digest": { "function_hash": "108425190999452406988261951352020887771", "length": 424.0 },
    "deprecated": false,
    "id": "CVE-2022-50339-48a1791d",
    "signature_type": "Function",
    "signature_version": "v1"
  },
  {
    "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e53c6180db8dd09de94e0a3bdf4fef6f5f9dd6e6",
    "target": { "file": "net/bluetooth/mgmt.c" },
    "digest": {
      "line_hashes": [
        "209184186923984663168571331086766454933",
        "285768586794515007643306371206884866317",
        "61647721783885470149336563043455863182",
        "1306626252597129598434339481122836980",
        "149834234613043824299481048219548319522",
        "244976364847359522369286424842446518789",
        "15115396192774748443593483991386967935",
        "156375614781468304052552225929793128872"
      ],
      "threshold": 0.9
    },
    "deprecated": false,
    "id": "CVE-2022-50339-55dcafff",
    "signature_type": "Line",
    "signature_version": "v1"
  }
]