Luiz Augusto Von Dentz

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.8.0-2024-03-19-intel-next-iLS-24ww14 **Description** The issue is related to possible deadlocks in the Bluetooth management (MGMT) component of the Linux kernel, caused by the `hci cmd sync dequeue` function. This can lead to a task being blocked for more than 120 seconds. The problem is associated with the `mgmt set connectable complete` function and the `hci cmd sync work` workqueue. **Recommendations** To resolve the issue, update the Linux kernel to a version that includes the fix for the deadlock issue. As a temporary workaround, consider disabling the Bluetooth functionality until a patch is available. Restrict access to the Bluetooth management interface to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to the fixed version Description: The issue arises when `bt debugfs` is not created successfully due to either `CONFIG DEBUG FS` or `CONFIG DEBUG FS ALLOW ALL` being unset. This leads to `iso init()` returning early without setting `iso inited` to true, resulting in duplicate calls to `proto register()`, `bt sock register()`, etc. when `iso init()` is called subsequently. With `CONFIG LIST HARDENED` and `CONFIG BUG ON DATA CORRUPTION` enabled, the duplicate call to `proto register()` triggers a bug. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. Recommendations: To resolve the issue, update the Linux kernel to a version that includes the fix for this problem. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.61 **Description** The issue is related to a use-after-free vulnerability in the `iso sock timeout()` function in the Linux kernel's Bluetooth implementation. This vulnerability may allow an attacker to impact the confidentiality, integrity, and availability of protected information. The vulnerability occurs because `conn->sk` may have been unlinked or freed while waiting for `iso conn lock`, so the kernel checks if `conn->sk` is still valid by verifying if it is part of `iso sk list`. **Recommendations** For Linux kernel versions prior to 6.6.61, update to version 6.6.61 or later to resolve the issue. As a temporary workaround, consider restricting access to the Bluetooth functionality until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.58 **Description** The issue is related to a use-after-free vulnerability in the `hci enhanced setup sync()` function in the Linux kernel's Bluetooth module. This vulnerability can be exploited to impact the confidentiality, integrity, and availability of protected information. The vulnerability occurs when the ACL connection remains valid while `hci enhanced setup sync` is pending on `cmd sync`, leading to a slab-use-after-free error. **Recommendations** To resolve the issue, update the Linux kernel to version 6.6.58 or later. As a temporary workaround, consider disabling the Bluetooth functionality until a patch is available. Restrict access to the vulnerable `hci enhanced setup sync()` function to minimize the risk of exploitation. Avoid using the `hci cmd sync work` API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the `hci core` function in the Bluetooth component of the Linux kernel, where the `sent cmd` memory is not freed before freeing `hci dev`, causing a memory leak. This could potentially allow an attacker to cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to a component in the Linux kernel, specifically the qca component, which has a problem with incorrect input validation. This can lead to information leakage when fetching the firmware build ID. The vulnerability is resolved by adding missing sanity checks and moving the build-id buffer off the stack to prevent leaking stack data through debugfs in case of a malformed build-info reply. There is no information about the estimated number of potentially affected devices or real-world incidents where this issue was exploited. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.37 **Description** The issue is related to a div-by-zero and integer overflow vulnerability in the `l2cap le flowctl init()` function. This vulnerability can be caused by an invalid `hdev->le mtu` value. To fix this, the MTU is moved from `hci dev` to `hci conn` to validate it and stop the connection process earlier if it is invalid. Additionally, a missing validation in `read buffer size()` is added to return an error value if the validation fails. The `hci conn add()` function now returns `ERR PTR()` as it can fail due to a `kzalloc` failure or an invalid MTU value. **Recommendations** To resolve the issue, update the Linux kernel to version 6.6.37 or later. As a temporary workaround, consider disabling the `l2cap le flowctl init()` function until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation. Avoid using the `hdev->le mtu` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue concerns a lack of validation for setsockopt user input in the Linux kernel's Bluetooth functionality, specifically in hci sock. This could potentially allow for unauthorized data copying if user input length is not properly checked before data is copied. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the Bluetooth L2CAP protocol in the Linux kernel, where user input is not properly validated for the setsockopt function. This could potentially lead to issues when copying data if the user input length is not checked beforehand. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A memory leak has been resolved in the Linux kernel. The issue was related to a leaking buffer allocated to send `MSFT OP LE MONITOR ADVERTISEMENT`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.7.6 **Description** The issue is related to a deadlock in the Bluetooth module of the Linux kernel. Attempting to do a sock lock on .recvmsg may cause a deadlock. To avoid this, the kernel now uses sk receive queue.lock on bt sock ioctl instead of sock sock. This change prevents a potential Use-After-Free (UAF) condition. The problem was identified when a task was blocked for more than 30 seconds, indicating a deadlock. The call trace shows the sequence of events leading to the deadlock, involving functions such as schedule, schedule, lock sock, and l2cap sock recv cb. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a possible buffer overflow in the Bluetooth component of the Linux kernel. Specifically, the `struct hci dev info` has a fixed size `name[8]` field, which can cause `strcpy` to attempt to write past its size if `hdev->name` is bigger than that. This problem is fixed by switching to use `strscpy`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the handling of HCI EV IO CAPA REQUEST in the Linux kernel's hci event component. If HCI EV IO CAPA REQUEST is received while HCI OP READ REMOTE EXT FEATURES is yet to be responded, it is assumed that the remote device supports SSP. This assumption should not be made, as the event should not be generated otherwise. The vulnerability may allow an attacker to gain access to confidential information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a memory leak in the Linux kernel's Bluetooth component, specifically in the hci codec module. This leak occurs when the controller supports codecs stored in the local codecs list, but the elements are never freed. The memory leak can be observed, and it may lead to a denial of service. There is no information provided about the estimated number of potentially affected devices or real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.1.0-rc2 **Description** The issue is related to a Bluetooth vulnerability in the Linux kernel, specifically an overflow in the L2CAP protocol. By continuously sending L2CAP CONF REQ packets, an attacker can cause the `chan->num conf rsp` variable to increase multiple times, eventually wrapping around the maximum number, which is 255. This is prevented by adding a boundary check with `L2CAP MAX CONF RSP`. The vulnerability can be exploited by sending packets with invalid sizes. **Recommendations** To resolve the issue, update the Linux kernel to version 6.1.0-rc2 or later. As a temporary workaround, consider disabling Bluetooth functionality until a patch is available. Restrict access to the L2CAP protocol to minimize the risk of exploitation. Avoid using the `L2CAP CONF REQ` packet type in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a crash when replugging CSR fake controllers in the Linux kernel's Bluetooth component. It seems that fake CSR 5.0 clones can cause the suspend notifier to be registered twice, leading to a kernel panic. The vulnerability is also related to incorrect locking in the `io tctx exit cb()` function in `io uring/io uring.c`, which can allow an attacker to cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.0.10 **Description** The issue is related to an integer wraparound in the `l2cap config req` function in `net/bluetooth/l2cap core.c`, which can be exploited via `L2CAP CONF REQ` packets. This may allow an attacker to execute arbitrary code. **Recommendations** For Linux kernel versions prior to 6.0.10, update to a version 6.0.10 or later to resolve the issue. As a temporary workaround, consider restricting access to the `l2cap config req` function in `net/bluetooth/l2cap core.c` to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A issue in the Linux kernel's Bluetooth handling has been identified, specifically in the hci sync function. The problem occurs when the HCI UNREGISTER flag is set, which indicates that hci unregister dev has been called. In this scenario, the hci cmd sync queue function should return an error to prevent a potential use-after-free (uaf) error after a timeout, as the hdev will have been freed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A memory corruption issue exists due to the registration of devices multiple times when multiple connection complete events are received for the same handle. To address this, the code now ignores consequent events for a single connection. The introduction of HCI CONN HANDLE UNSET helps identify new connections, and checks for HCI CONN HANDLE MAX prevent the use of invalid handles. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.