Linux Kernel Bluetooth hci_uart Null Pointer Dereference Vulnerability

Vulnerability

A null pointer dereference vulnerability has been identified in the Bluetooth hci_uart component of the Linux kernel. The issue arises because hci_uart_set_proto() sets the protocol-initialized flag before the associated device is fully registered. If a TTY write wakeup arrives in that window, hci_uart_tx_wakeup() sees the flag set and schedules the write task before the device's private data has been initialized; the scheduled task then crashes when it dereferences that uninitialized (null) data.

Impact

Exploitation of this vulnerability causes a kernel crash due to a null pointer dereference, disrupting system operations and potentially leading to a denial of service.

Reproduction

The vulnerability can be reproduced by setting the Bluetooth hci_uart protocol and triggering a TTY write wakeup before the protocol initialization is complete. This can be done by manually initiating a TTY write operation shortly after setting the protocol, causing the hci_uart_tx_wakeup() function to schedule a write task that accesses uninitialized private data, resulting in a null pointer dereference.
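The following user-space model, added here as an illustration and not taken from the kernel or from the advisory, shows the ordering mistake described in the Vulnerability and Reproduction sections and the ordering that closes the window. Everything in it is a constructed stand-in: the struct hci_uart, PROTO_READY_BIT, register_dev(), tx_wakeup() and the two set_proto_*() functions are simplified models, not the driver's real types or functions, and the "concurrent" wakeup is simulated by a direct call at the point where the race would land. Instead of faulting, the model reports the would-be null dereference as a return value so the two orderings can be compared.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed model of the hci_uart flag-before-registration bug.
 * Not kernel code: every name below is a simplified stand-in.
 */
struct hci_uart {
    unsigned long flags;  /* bit PROTO_READY_BIT models the "protocol initialised" flag */
    void *priv;           /* per-protocol private data; NULL until the device is registered */
};

#define PROTO_READY_BIT 0UL

static bool proto_ready(const struct hci_uart *hu)
{
    return (hu->flags >> PROTO_READY_BIT) & 1UL;
}

/*
 * Models hci_uart_tx_wakeup(). Returns:
 *   0  wakeup ignored because the protocol is not marked ready
 *   1  wakeup handled, priv was valid
 *  -1  the write task would have dereferenced NULL priv (reported here
 *      instead of faulting; this is the case that crashes the kernel)
 */
int tx_wakeup(struct hci_uart *hu)
{
    if (!proto_ready(hu))
        return 0;
    if (hu->priv == NULL)
        return -1;
    return 1;
}

/* Models device registration, the step at which priv becomes valid. */
static void register_dev(struct hci_uart *hu, void *priv_storage)
{
    hu->priv = priv_storage;
}

/*
 * Vulnerable ordering: the ready flag is set first, a wakeup lands
 * (simulated by calling tx_wakeup() directly), then the device is registered.
 * Returns what the concurrent wakeup observed.
 */
int set_proto_vulnerable(struct hci_uart *hu, void *priv_storage)
{
    hu->flags |= 1UL << PROTO_READY_BIT;  /* ready flag published too early */
    int observed = tx_wakeup(hu);         /* wakeup inside the race window */
    register_dev(hu, priv_storage);       /* priv initialised only now */
    return observed;
}

/*
 * Fixed ordering: register (initialise priv) first, publish the flag last.
 * A wakeup in between is ignored because the flag is not yet set.
 */
int set_proto_fixed(struct hci_uart *hu, void *priv_storage)
{
    register_dev(hu, priv_storage);
    int observed = tx_wakeup(hu);         /* same wakeup timing, now harmless */
    hu->flags |= 1UL << PROTO_READY_BIT;  /* published only after priv is valid */
    return observed;
}

int main(void)
{
    int storage = 0;  /* stands in for the protocol's private data */
    struct hci_uart bad = {0}, good = {0};

    printf("vulnerable ordering: %d (-1 = NULL dereference)\n",
           set_proto_vulnerable(&bad, &storage));
    printf("fixed ordering:      %d (0 = wakeup ignored)\n",
           set_proto_fixed(&good, &storage));
    printf("after fixed setup:   %d (1 = handled)\n", tx_wakeup(&good));
    return 0;
}
```

The model deliberately leaves out what a real kernel fix also has to get right: the flag is read from another context, so publishing it after initialisation only helps if the store to the flag is ordered after the stores that initialise the private data (the kernel's bit operations and barriers handle this; a plain C assignment in this toy does not claim to). The check worth carrying into any "ready flag" design is the one tx_wakeup() models: consumers must be unable to observe the flag set while the data it guards is still unset.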

Remediation

Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability.

Added: Feb 14, 2026, 4:28 PM
Updated: Feb 14, 2026, 4:28 PM

Vulnerability Rating

Custom Algorithm

  spread          9.0
  impact          2.5
  exploitability  5.3
  remediation     7.7
  relevance       3.0
  threat          4.8
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.