Linux Kernel Bluetooth Null Pointer Dereference Vulnerability in L2CAP Socket Management

Vulnerability

A null pointer dereference vulnerability has been identified in the Linux kernel's Bluetooth implementation, specifically within the L2CAP socket management functions. The issue, reported by syzbot, arises in the 'l2cap_sock_resume_cb()' function, which can dereference a null pointer and crash the kernel. It occurs because 'l2cap_sock_kill()' and 'l2cap_sock_resume_cb()' can run concurrently: the former kills a socket while the latter is still attempting to resume it, a race condition. The vulnerability has been addressed by adding a check that the channel's data pointer is not null before the socket is accessed.
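As an added illustration, not the kernel's code or the patch itself, the following C model plays out the ordering the page describes (the kill path completing before the resume callback runs) and places the null check where the fix puts it; the struct fields and function names are constructed stand-ins for the real l2cap_chan and socket state, not the kernel's definitions.

```c
#include <stddef.h>

/* Constructed stand-ins for the kernel structures, not kernel code. */
struct sock { int zapped; int resumed; };            /* zapped models SOCK_ZAPPED */
struct l2cap_chan { struct sock *data; int pending_security; }; /* data: owning sock */

/* Models l2cap_sock_kill(): zap the socket and detach it, leaving chan->data NULL. */
void model_sock_kill(struct l2cap_chan *chan)
{
    if (chan->data)
        chan->data->zapped = 1;
    chan->data = NULL;
}

/* "Before": unpatched callback. If kill already ran, sk is NULL and the
 * dereference is the null-ptr-deref syzbot reported. Shown, never called. */
int model_resume_cb_vulnerable(struct l2cap_chan *chan)
{
    struct sock *sk = chan->data;
    if (chan->pending_security) {       /* models FLAG_PENDING_SECURITY */
        chan->pending_security = 0;
        sk->resumed++;                  /* crashes when racing with kill */
    }
    return sk->resumed;
}

/* "After": the fix the page describes, a NULL check on chan->data before the
 * socket is touched. Returns -1 when the socket is already gone. */
int model_resume_cb_fixed(struct l2cap_chan *chan)
{
    struct sock *sk = chan->data;
    if (!sk)
        return -1;                      /* already killed: nothing to resume */
    if (chan->pending_security) {
        chan->pending_security = 0;
        sk->resumed++;
    }
    return sk->resumed;
}

/* Plays the losing interleaving: kill completes first, then resume fires. */
int run_kill_then_resume(struct sock *sk, struct l2cap_chan *chan)
{
    chan->data = sk;
    chan->pending_security = 1;
    model_sock_kill(chan);
    return model_resume_cb_fixed(chan); /* -1 instead of a crash */
}
```

In the real kernel the two paths run on different contexts under socket locking; the model is sequential only to make the losing interleaving deterministic.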

Impact

Triggering this vulnerability causes a null pointer dereference and a kernel crash. The resulting denial-of-service condition disrupts system operation by panicking the kernel, which may then restart.

Reproduction

The vulnerability can be reproduced by triggering 'l2cap_sock_kill()' to terminate a socket while 'l2cap_sock_resume_cb()' is invoked to resume it. This is done by manipulating Bluetooth L2CAP socket events so that the two code paths race, as described above.

Remediation

Users should upgrade to the latest version of the Linux kernel where this vulnerability has been fixed.

Added: Jul 28, 2025, 1:13 PM
Updated: Jul 28, 2025, 1:13 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 0.0
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.