Linux Kernel Bluetooth L2CAP Null Pointer Dereference Vulnerability

Vulnerability

A null pointer dereference vulnerability has been identified in the Bluetooth L2CAP implementation of the Linux kernel. It occurs in the L2CAP socket readiness callback, which uses the socket pointer without first checking it for null. The result is a kernel panic: a fatal exception that halts kernel operations. The issue was detected with the Kernel Address Sanitizer (KASAN), which reported the null pointer dereference over an address range.
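
The unchecked pattern described above, next to a guarded form, as an added user-space model (not the kernel's code and not the actual patch). All names (model_chan, model_sock, ready_cb_*) are hypothetical, and the early return on a null socket is an assumption about what a fix looks like.

```c
#include <stddef.h>
#include <stdio.h>

/* User-space model only; every identifier here is hypothetical. */
enum { MODEL_CONNECTING = 1, MODEL_CONNECTED = 2 };

struct model_sock { int state; int ready_events; };
struct model_chan { void *data; /* owning socket; NULL once detached */ };

/* Teardown path: the channel outlives its socket and loses the pointer. */
void model_detach(struct model_chan *chan) { chan->data = NULL; }

/* Unchecked pattern: dereferences chan->data unconditionally.
 * With chan->data == NULL this faults (in a kernel: an oops/panic). */
int ready_cb_unchecked(struct model_chan *chan)
{
    struct model_sock *sk = chan->data;
    sk->state = MODEL_CONNECTED;
    sk->ready_events++;
    return 0;
}

/* Guarded pattern: a channel with no socket attached is ignored. */
int ready_cb_checked(struct model_chan *chan)
{
    struct model_sock *sk = chan->data;
    if (!sk)
        return -1;          /* nothing to signal; do not touch sk */
    sk->state = MODEL_CONNECTED;
    sk->ready_events++;
    return 0;
}

/* Runs the guarded callback on an attached or detached channel. */
int run_checked(int attached, int *state_out)
{
    struct model_sock sk = { MODEL_CONNECTING, 0 };
    struct model_chan chan = { &sk };
    if (!attached)
        model_detach(&chan);
    int rc = ready_cb_checked(&chan);
    *state_out = sk.state;
    return rc;
}

int main(void)
{
    int st;
    printf("attached: rc=%d\n", run_checked(1, &st));
    printf("detached: rc=%d\n", run_checked(0, &st));
    return 0;
}
```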

Impact

Exploitation of this vulnerability leads to a kernel panic, causing a fatal exception that stops all kernel operations.

Reproduction

The vulnerability can be reproduced by triggering the L2CAP socket readiness callback with a null socket pointer. This can be done by manipulating L2CAP channel operations to omit the necessary socket data, causing the callback to attempt to access a null pointer. The issue manifests as a kernel panic, indicating successful exploitation.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.

Added: Apr 22, 2026, 2:50 PM
Updated: Apr 22, 2026, 2:50 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 6.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.