VYPR
Unrated severity · NVD Advisory · Published Dec 24, 2025 · Updated Apr 15, 2026

CVE-2023-54038

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_conn: return ERR_PTR instead of NULL when there is no link

hci_connect_sco currently returns NULL when there is no link (i.e. when hci_conn_link() returns NULL).

sco_connect() expects an ERR_PTR in case of any error (see line 266 in sco.c). Thus, hcon set as NULL passes through to sco_conn_add(), which tries to get hcon->hdev, resulting in dereferencing a NULL pointer as reported by syzkaller.

The same issue exists for iso_connect_cis() calling hci_connect_cis().

Thus, make hci_connect_sco() and hci_connect_cis() return ERR_PTR instead of NULL.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing ERR_PTR return in Bluetooth hci_conn leads to NULL dereference when link creation fails, enabling a denial-of-service in hci_connect_sco and hci_connect_cis.

The Linux kernel Bluetooth subsystem contains a NULL pointer dereference vulnerability in the hci_connect_sco() and hci_connect_cis() functions. Both return NULL when hci_conn_link() fails to create a link, instead of returning an ERR_PTR as expected by callers such as sco_connect() and iso_connect_cis(). This mismatch occurs because sco_connect() at line 266 expects an ERR_PTR on error but receives a NULL pointer, which is then passed to sco_conn_add(). That function attempts to dereference hcon->hdev, causing a crash [1].

The attack surface requires an attacker to trigger a condition where hci_conn_link() returns NULL, likely through crafted Bluetooth packets or by exhausting resources. No authentication is needed if the device is discoverable and pairing is not enforced. The vulnerability can be exploited remotely by sending malicious Bluetooth frames that cause a link creation failure, then invoking the vulnerable code path [1].

When exploited, the vulnerability leads to a kernel NULL pointer dereference, resulting in a system crash (denial of service). An attacker with physical proximity to a Bluetooth-capable Linux system could repeatedly trigger this to cause instability or prevent Bluetooth functionality. The bug was reported via syzkaller, indicating it is reachable from user space [1].

A patch was applied in the Linux kernel stable tree (commit b4066eb04bb6) and backported to affected versions. The fix changes hci_connect_sco() and hci_connect_cis() to return appropriate ERR_PTR values (e.g., -ENOLINK) instead of NULL, ensuring proper error handling downstream. Users should update to the latest kernel version containing this patch [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
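To show the convention the Description and AI Insight describe, here is an added user-space model (not the kernel's code): the caller checks only IS_ERR(), so a NULL return from the pre-fix hci_connect_sco() passes that check and reaches the hcon->hdev dereference, while the post-fix ERR_PTR return is caught. The ERR_PTR helpers, the structures and hci_conn_link() are simplified stand-ins, and the -ENOLINK value is taken from the AI Insight above, not from the kernel description.

```c
#include <errno.h>
#include <stddef.h>
/* User-space stand-ins for the kernel's ERR_PTR()/IS_ERR()/PTR_ERR() (include/linux/err.h): an error
 * pointer is a negative errno cast to an address in the top 4095 bytes, so IS_ERR(NULL) is false. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long error) { return (void *)error; }
static inline long PTR_ERR(const void *ptr) { return (long)ptr; }
static inline int IS_ERR(const void *ptr) { return (unsigned long)ptr >= (unsigned long)-MAX_ERRNO; }

/* Constructed minimal models of the structures involved (not the kernel's real definitions). */
struct hci_dev { int id; };
struct hci_conn { struct hci_dev *hdev; };
static struct hci_dev model_hdev = { .id = 0 };
static struct hci_conn model_sco = { .hdev = &model_hdev };
static int model_link;

/* Stand-in for hci_conn_link(): NULL means no link could be created. */
static void *hci_conn_link(int link_available) { return link_available ? (void *)&model_link : NULL; }

/* Before the fix: the NULL from hci_conn_link() is handed straight back to the caller. */
static struct hci_conn *hci_connect_sco_before(int link_available)
{
    if (!hci_conn_link(link_available))
        return NULL;
    return &model_sco;
}

/* After the fix: every failure is an ERR_PTR (the AI Insight above names -ENOLINK). */
static struct hci_conn *hci_connect_sco_after(int link_available)
{
    if (!hci_conn_link(link_available))
        return ERR_PTR(-ENOLINK);
    return &model_sco;
}

enum sco_outcome { SCO_OK, SCO_ERR_HANDLED, SCO_WOULD_NULL_DEREF };
/* Mirrors sco_connect(): only IS_ERR() is checked before sco_conn_add() reads hcon->hdev; the model
 * reports the NULL case instead of faulting so it can run in user space. */
static enum sco_outcome sco_connect_model(struct hci_conn *(*connect)(int), int link_available, long *err)
{
    struct hci_conn *hcon = connect(link_available);
    *err = 0;
    if (IS_ERR(hcon)) {       /* the only check sco_connect() performs on hcon */
        *err = PTR_ERR(hcon);
        return SCO_ERR_HANDLED;
    }
    if (!hcon)                /* NULL passes IS_ERR(); sco_conn_add() would dereference it here */
        return SCO_WOULD_NULL_DEREF;
    return hcon->hdev ? SCO_OK : SCO_WOULD_NULL_DEREF;   /* the hcon->hdev read sco_conn_add() performs */
}
```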
