CVE-2022-50447

Description

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_conn: Fix crash on hci_create_cis_sync When attempting to connect multiple ISO sockets without using DEFER_SETUP may result in the following crash: BUG: KASAN: null-ptr-deref in hci_create_cis_sync+0x18b/0x2b0 Read of size 2 at addr 0000000000000036 by task kworker/u3:1/50 CPU: 0 PID: 50 Comm: kworker/u3:1 Not tainted 6.0.0-rc7-02243-gb84a13ff4eda #4373 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-1.fc36 04/01/2014 Workqueue: hci0 hci_cmd_sync_work Call Trace: <TASK> dump_stack_lvl+0x19/0x27 kasan_report+0xbc/0xf0 ? hci_create_cis_sync+0x18b/0x2b0 hci_create_cis_sync+0x18b/0x2b0 ? get_link_mode+0xd0/0xd0 ? __ww_mutex_lock_slowpath+0x10/0x10 ? mutex_lock+0xe0/0xe0 ? get_link_mode+0xd0/0xd0 hci_cmd_sync_work+0x111/0x190 process_one_work+0x427/0x650 worker_thread+0x87/0x750 ? process_one_work+0x650/0x650 kthread+0x14e/0x180 ? kthread_exit+0x50/0x50 ret_from_fork+0x22/0x30 </TASK>

CVSS Metrics

• v3.1•MEDIUM•Score: 5.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.01%• Percentile: 2%

Techniques & Countermeasures

• CWE-476•NULL Pointer Dereference

  The product dereferences a pointer that it expects to be valid but is NULL.

Affected Systems

• linux•linux

  ≥ 26afbd826ee326e63a334c37fd45e82e50a615ec, < a190cd9dc62d6ebeb679c1abe9dda4162dfefc84 | ≥ 26afbd826ee326e63a334c37fd45e82e50a615ec, < 09a3b0c9c7c6b10587fbb610b718014703cff341 | ≥ 26afbd826ee326e63a334c37fd45e82e50a615ec, < 50757a259ba78c4e938b5735e76ffec6cd0c942e | 6.0

• linux•linux_kernel

  ≥ 6.0, < 6.0.16 | ≥ 6.1, < 6.1.2

References (3)

• https://git.kernel.org/stable/c/a190cd9dc62d6ebeb679c1abe9dda4162dfefc84
• https://git.kernel.org/stable/c/09a3b0c9c7c6b10587fbb610b718014703cff341
• https://git.kernel.org/stable/c/50757a259ba78c4e938b5735e76ffec6cd0c942e