Linux Kernel Bluetooth NULL Pointer Dereference Vulnerability in hci_uart TTY Management

Vulnerability

A NULL pointer dereference vulnerability has been identified in the Linux kernel Bluetooth subsystem, specifically within the hci_uart TTY management functions. The issue arises because hci_uart_tty_open() does not properly handle a failure return from percpu_init_rwsem(); the driver state is left only partially initialised, and the later teardown in hci_uart_tty_close() dereferences a NULL pointer. The vulnerability sits in the Bluetooth HCI (Host Controller Interface) UART layer, specifically the ldisc (line discipline) and serdev (serial device) components.
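To make the failure pattern concrete, here is an added user-space C model of the open/close lifecycle the advisory describes. It is not the kernel's hci_ldisc.c code and not part of this advisory: every name prefixed model_ is a constructed stand-in (model_rwsem for the per-CPU semaphore, model_hu for the driver state, model_tty for the TTY), and the "NULL dereference" in the close path is reported as an error code rather than actually executed. The unchecked open shows how ignoring the init return leaves a half-built object reachable from the TTY; the checked open shows the cleanup a fix needs.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for a per-CPU rwsem: init may fail (no memory). */
struct model_rwsem {
	int *per_cpu;
};

static int model_rwsem_init(struct model_rwsem *sem, int simulate_oom)
{
	if (simulate_oom) {
		sem->per_cpu = NULL;          /* leaves the semaphore unusable */
		return -ENOMEM;
	}
	sem->per_cpu = calloc(4, sizeof(int));
	return sem->per_cpu ? 0 : -ENOMEM;
}

static void model_rwsem_free(struct model_rwsem *sem)
{
	free(sem->per_cpu);
	sem->per_cpu = NULL;
}

/* Hypothetical driver state and TTY, mirroring the open/close pair above. */
struct model_hu {
	struct model_rwsem proto_lock;
};

struct model_tty {
	struct model_hu *disc_data;
};

/* Flawed open: publishes the object, then drops the init return value. */
static int model_open_unchecked(struct model_tty *tty, int simulate_oom)
{
	struct model_hu *hu = calloc(1, sizeof(*hu));
	if (!hu)
		return -ENOMEM;
	tty->disc_data = hu;
	model_rwsem_init(&hu->proto_lock, simulate_oom); /* error ignored */
	return 0;
}

/* Hardened open: on init failure, undo everything and report the error,
 * so nothing half-initialised is ever reachable from the TTY. */
static int model_open_checked(struct model_tty *tty, int simulate_oom)
{
	struct model_hu *hu = calloc(1, sizeof(*hu));
	int err;
	if (!hu)
		return -ENOMEM;
	err = model_rwsem_init(&hu->proto_lock, simulate_oom);
	if (err) {
		free(hu);
		tty->disc_data = NULL;
		return err;
	}
	tty->disc_data = hu;
	return 0;
}

/* Close: 0 on clean teardown; -EFAULT where a real close would have
 * dereferenced the NULL semaphore state (modelled, never executed). */
static int model_close(struct model_tty *tty)
{
	struct model_hu *hu = tty->disc_data;
	int rc = 0;
	if (!hu)
		return 0;                     /* nothing attached: safe no-op */
	if (!hu->proto_lock.per_cpu)
		rc = -EFAULT;                 /* half-built object reached close */
	else
		model_rwsem_free(&hu->proto_lock);
	free(hu);
	tty->disc_data = NULL;
	return rc;
}

/* One open/close cycle; returns 0 when both paths were safe. */
int model_lifecycle(int checked_open, int simulate_oom)
{
	struct model_tty tty = { .disc_data = NULL };
	if (checked_open)
		model_open_checked(&tty, simulate_oom);
	else
		model_open_unchecked(&tty, simulate_oom);
	return model_close(&tty);
}

int main(void)
{
	printf("unchecked, init ok:   %d\n", model_lifecycle(0, 0));
	printf("unchecked, init fail: %d\n", model_lifecycle(0, 1));
	printf("checked,   init fail: %d\n", model_lifecycle(1, 1));
	return 0;
}
```

The point the model makes is that the dereference is not in the function with the bug: the open path returns "success" and the crash only surfaces when the TTY is closed, which is why auditing each init call's error handling and its matching teardown together is the relevant review step.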

Impact

Exploitation of this vulnerability causes a NULL pointer dereference, leading to a crash of the Bluetooth subsystem and potentially causing a denial of service by disrupting Bluetooth communications.

Reproduction

The vulnerability can be reproduced by opening a Bluetooth UART TTY device in a configuration where initialisation of the per-CPU read-write semaphore fails and the failure is not handled. This can be done by modifying the Bluetooth HCI UART line discipline to ignore the initialisation failure; the NULL pointer dereference then occurs when the TTY device is closed.

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed. Instructions for downloading the latest kernel version can be found on the official Linux kernel website.

Added: Sep 17, 2025, 4:19 PM
Updated: Sep 17, 2025, 4:19 PM

Vulnerability Rating

Custom Algorithm

  spread          9.0
  impact          2.5
  exploitability  5.7
  remediation     7.7
  relevance       0.5
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.