In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security
During our fuzz testing of the connection and disconnection process at the RFCOMM layer, we discovered this bug. By comparing the packets from a normal connection and disconnection process with the testcase that triggered a KASAN report. We analyzed the cause of this bug as follows:
- In the packets captured during a normal connection, the host sends a
Read Encryption Key Size type of HCI_CMD packet
(Command Opcode: 0x1408) to the controller to inquire the length of
encryption key.After receiving this packet, the controller immediately
replies with a Command Completepacket (Event Code: 0x0e) to return the
Encryption Key Size.
- In our fuzz test case, the timing of the controller's response to this
- After receiving the Encryption Key Size Response at the time described
struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
had already been released, and when the function executed
return hci_conn_security(conn->hcon, d->sec_level, auth_type, d->out);,
specifically when accessing conn->hcon, a null-ptr-deref error occurred.To fix this bug, check if sk->sk_state is BT_CLOSED before calling
rfcomm_recv_frame in rfcomm_process_rx.