In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: ISO: Check socket flag instead of hcon
This fixes the following Smatch static checker warning:
net/bluetooth/iso.c:1364 isosockrecvmsg() error: we previously assumed 'pi->conn->hcon' could be null (line 1359)
net/bluetooth/iso.c 1347 static int isosockrecvmsg(struct socket *sock, struct msghdr *msg, 1348 sizet len, int flags) 1349 { 1350 struct sock *sk = sock->sk; 1351 struct isopinfo *pi = isopi(sk); 1352 1353 BTDBG("sk %p", sk); 1354 1355 if (testandclearbit(BTSKDEFERSETUP, &btsk(sk)->flags)) { 1356 locksock(sk); 1357 switch (sk->skstate) { 1358 case BTCONNECT2: 1359 if (pi->conn->hcon && ^^^^^^^^^^^^^^ If ->hcon is NULL
1360 testbit(HCICONNPASYNC, &pi->conn->hcon->flags)) { 1361 isoconnbigsync(sk); 1362 sk->skstate = BTLISTEN; 1363 } else { --> 1364 isoconndeferaccept(pi->conn->hcon); ^^^^^^^^^^^^^^ then we're toast
1365 sk->skstate = BTCONFIG; 1366 } 1367 releasesock(sk); 1368 return 0; 1369 case BTCONNECTED: 1370 if (testbit(BTSKPASYNC,
[
{
"id": "CVE-2024-42141-0ffe6f7e",
"signature_type": "Line",
"digest": {
"line_hashes": [
"138547135218748938702321148101487892693",
"71738016062509215659188961695641870651",
"229167979087658191302378674622760835804",
"114928845431385789613082996088642506788",
"234176300947391100601794000158437688197"
],
"threshold": 0.9
},
"signature_version": "v1",
"target": {
"file": "net/bluetooth/iso.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@045669710464a21c67e690ef14698fd71857cb11",
"deprecated": false
},
{
"id": "CVE-2024-42141-2452875e",
"signature_type": "Function",
"digest": {
"length": 915.0,
"function_hash": "46871151905726627243158966421996583019"
},
"signature_version": "v1",
"target": {
"function": "iso_sock_recvmsg",
"file": "net/bluetooth/iso.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@33fabef489169c6db87843ef23351ed0d5e51ad8",
"deprecated": false
},
{
"id": "CVE-2024-42141-3b791f4d",
"signature_type": "Function",
"digest": {
"length": 915.0,
"function_hash": "46871151905726627243158966421996583019"
},
"signature_version": "v1",
"target": {
"function": "iso_sock_recvmsg",
"file": "net/bluetooth/iso.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@596b6f081336e77764ca35cfeab66d0fcdbe544e",
"deprecated": false
},
{
"id": "CVE-2024-42141-60e3e76d",
"signature_type": "Function",
"digest": {
"length": 721.0,
"function_hash": "195283864351929115160813170644194428489"
},
"signature_version": "v1",
"target": {
"function": "iso_sock_recvmsg",
"file": "net/bluetooth/iso.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@045669710464a21c67e690ef14698fd71857cb11",
"deprecated": false
},
{
"id": "CVE-2024-42141-923e3ead",
"signature_type": "Line",
"digest": {
"line_hashes": [
"138547135218748938702321148101487892693",
"71738016062509215659188961695641870651",
"229167979087658191302378674622760835804",
"114928845431385789613082996088642506788",
"234176300947391100601794000158437688197"
],
"threshold": 0.9
},
"signature_version": "v1",
"target": {
"file": "net/bluetooth/iso.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@596b6f081336e77764ca35cfeab66d0fcdbe544e",
"deprecated": false
},
{
"id": "CVE-2024-42141-f9ba6781",
"signature_type": "Line",
"digest": {
"line_hashes": [
"138547135218748938702321148101487892693",
"71738016062509215659188961695641870651",
"229167979087658191302378674622760835804",
"114928845431385789613082996088642506788",
"234176300947391100601794000158437688197"
],
"threshold": 0.9
},
"signature_version": "v1",
"target": {
"file": "net/bluetooth/iso.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@33fabef489169c6db87843ef23351ed0d5e51ad8",
"deprecated": false
}
]