Please disregard the previous email. I have modified the email to plain text format. I apologize for any inconvenience this may have caused. To whom it may concern, I am writing to report a potential security vulnerability in a Bluetooth stack implementation, specifically in the hci_conn_params_add and pair_device functions. The issue identified is a potential null pointer dereference, which can lead to a system crash or other unintended behaviors. The details of the bug are as follows: 1. Affected Components Function: linux/net/bluetooth/hci_core.c hci_conn_params_add Function: linux/net/bluetooth/mgmt.c pair_device Module: Bluetooth connection parameter management Code: https://github.com/torvalds/linux/tree/master Version: the newest version v6.11-rc1 2. Description The hci_conn_params_add function is responsible for adding connection parameters for a Bluetooth device. It first attempts to look up existing parameters using hci_conn_params_lookup. If no existing parameters are found, it allocates a new structure using kzalloc, which will return NULL if the allocation fails. However, the pair_device function, which calls hci_conn_params_add, does not properly handle the case where hci_conn_params_add returns NULL, indicating a failure to allocate memory. The immediate dereference of the returned pointer p without checking for NULL can lead to a null pointer dereference, causing the program to crash. 3. Technical Details struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type) { struct hci_conn_params *params; params = hci_conn_params_lookup(hdev, addr, addr_type); if (params) return params; params = kzalloc(sizeof(*params), GFP_KERNEL); if (!params) { bt_dev_err(hdev, "out of memory"); return NULL; // [BUG] return here } bacpy(¶ms->addr, addr); params->addr_type = addr_type; list_add(¶ms->list, &hdev->le_conn_params); INIT_LIST_HEAD(¶ms->action); params->conn_min_interval = hdev->le_conn_min_interval; params->conn_max_interval = hdev->le_conn_max_interval; params->conn_latency = hdev->le_conn_latency; params->supervision_timeout = hdev->le_supv_timeout; params->auto_connect = HCI_AUTO_CONN_DISABLED; BT_DBG("addr %pMR (type %u)", addr, addr_type); return params; } static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data, u16 len) { ... p = hci_conn_params_add(hdev, &cp->addr.bdaddr, addr_type; // [BUG] P is NULL if (p->auto_connect == HCI_AUTO_CONN_EXPLICIT) // [BUG] NULL POINTER DEREFERENCE p->auto_connect = HCI_AUTO_CONN_DISABLED; ... } Vulnerable Code Stack: pair_device calls hci_conn_params_add at line 3458 in linux/net/bluetooth/mgmt.c hci_conn_params_add is called and may return NULL if memory allocation fails at line 2280 in linux/net/bluetooth/hci_core.c pair_device does not check if p is NULL before accessing p->auto_connect. at line 3460 in linux/net/bluetooth/mgmt.c 4. Potential Impact Denial of Service (DoS): If the system encounters this null pointer dereference during runtime, it could crash, leading to a denial of service. Security Concerns: While the primary issue appears to be a potential crash, depending on the context and how the function is used, there may be other security implications such as unintended code execution or information leakage. 5. Exploitation For an attacker to exploit this vulnerability, they would need to: Trigger a condition where hci_conn_params_add returns NULL (such as exhausting system memory). Ensure that the pair_device function is subsequently called with the NULL pointer, causing the null pointer dereference. 6. Mitigation and Recommendations Null Pointer Check: Add a null pointer check after the call to hci_conn_params_add in the pair_devicefunction. Ensure that the function gracefully handles the NULL case, possibly by returning an error code or taking other corrective actions. Example: p = hci_conn_params_add(hdev, &cp->addr.bdaddr, addr_type); if (!p) { bt_dev_err(hdev, "Failed to add connection params"); return -ENOMEM; } I would appreciate your response to this report and any follow-up actions that will be taken. Please free to let me know if any problems. Thank you for your attention to this matter. I look forward to your prompt response. Best regards, Yiwei Zhang Purdue University
