cve/published/2024/CVE-2024-42141.mbox

From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2024-42141: Bluetooth: ISO: Check socket flag instead of hcon

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: ISO: Check socket flag instead of hcon

This fixes the following Smatch static checker warning:

net/bluetooth/iso.c:1364 iso_sock_recvmsg()
error: we previously assumed 'pi->conn->hcon' could be null (line 1359)

net/bluetooth/iso.c
1347 static int iso_sock_recvmsg(struct socket *sock, struct msghdr *msg,
1348                             size_t len, int flags)
1349 {
1350         struct sock *sk = sock->sk;
1351         struct iso_pinfo *pi = iso_pi(sk);
1352
1353         BT_DBG("sk %p", sk);
1354
1355         if (test_and_clear_bit(BT_SK_DEFER_SETUP,
                                      &bt_sk(sk)->flags)) {
1356                 lock_sock(sk);
1357                 switch (sk->sk_state) {
1358                 case BT_CONNECT2:
1359                         if (pi->conn->hcon &&
                                     ^^^^^^^^^^^^^^ If ->hcon is NULL

1360                             test_bit(HCI_CONN_PA_SYNC,
                                         &pi->conn->hcon->flags)) {
1361                                 iso_conn_big_sync(sk);
1362                                 sk->sk_state = BT_LISTEN;
1363                         } else {
--> 1364                         iso_conn_defer_accept(pi->conn->hcon);
                                                       ^^^^^^^^^^^^^^
                                                       then we're toast

1365                                 sk->sk_state = BT_CONFIG;
1366                         }
1367                         release_sock(sk);
1368                         return 0;
1369                 case BT_CONNECTED:
1370                         if (test_bit(BT_SK_PA_SYNC,

The Linux kernel CVE team has assigned CVE-2024-42141 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 6.6 with commit fbdc4bc47268953c80853489f696e02d61f9a2c6 and fixed in 6.6.39 with commit 045669710464a21c67e690ef14698fd71857cb11
	Issue introduced in 6.6 with commit fbdc4bc47268953c80853489f696e02d61f9a2c6 and fixed in 6.9.9 with commit 33fabef489169c6db87843ef23351ed0d5e51ad8
	Issue introduced in 6.6 with commit fbdc4bc47268953c80853489f696e02d61f9a2c6 and fixed in 6.10 with commit 596b6f081336e77764ca35cfeab66d0fcdbe544e
	Issue introduced in 6.5.12 with commit c03a10bd5b6ccb22921e04bcddc987410df7e7a9

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-42141
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	net/bluetooth/iso.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/045669710464a21c67e690ef14698fd71857cb11
	https://git.kernel.org/stable/c/33fabef489169c6db87843ef23351ed0d5e51ad8
	https://git.kernel.org/stable/c/596b6f081336e77764ca35cfeab66d0fcdbe544e