Linux Kernel Bluetooth L2CAP Null Pointer Dereference Vulnerability

Vulnerability

A null pointer dereference vulnerability has been identified in the Bluetooth L2CAP implementation of the Linux kernel. The issue lies in the 'l2cap_sock_state_change_cb()' function, where a missing null check allows a null pointer to be dereferenced. The vulnerability has been addressed by adding a null guard, similar to those already present in the 'l2cap_sock_resume_cb()' and 'l2cap_sock_ready_cb()' functions.
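The following is a constructed stand-alone model of the fix described above, added here as an illustration; it is not the kernel's code or the actual patch. It shows the callback dereferencing the 'data' field of the 'l2cap_chan' structure unconditionally, beside the guarded form with the same early return the page says 'l2cap_sock_resume_cb()' and 'l2cap_sock_ready_cb()' already carry. The struct layouts, state values and the 'model_*' helper names are stand-ins.

```c
/* Constructed stand-alone model of the missing null guard described above;
 * the struct layouts and state values are reduced stand-ins, not the kernel's. */
#include <stdbool.h>
#include <stddef.h>

struct sock { int sk_state; int sk_err; };   /* stand-in for the socket behind chan->data */
struct l2cap_chan { void *data; };           /* stand-in: the one field the bug concerns */

/* Vulnerable shape: chan->data is dereferenced unconditionally. */
static void state_change_cb_unguarded(struct l2cap_chan *chan, int state, int err)
{
    struct sock *sk = chan->data;

    sk->sk_state = state;         /* faults when chan->data is NULL */
    if (err)
        sk->sk_err = err;
}

/* Fixed shape: the early-return guard the page says l2cap_sock_resume_cb()
 * and l2cap_sock_ready_cb() already carry. Returns false if no socket was attached. */
static bool state_change_cb_guarded(struct l2cap_chan *chan, int state, int err)
{
    struct sock *sk = chan->data;

    if (!sk)
        return false;             /* nothing to update, nothing to fault on */
    sk->sk_state = state;
    if (err)
        sk->sk_err = err;
    return true;
}

/* Channel with no socket attached: the guarded callback must bail out. */
static bool model_detached_channel(void)
{
    struct l2cap_chan chan = { .data = NULL };
    return state_change_cb_guarded(&chan, 1, 0);
}

/* Live channel: both shapes behave identically; returns the state recorded,
 * or -1 if the guard unexpectedly refused to update the socket. */
static int model_live_channel(int state)
{
    struct sock sk = { 0, 0 };
    struct l2cap_chan chan = { .data = &sk };

    state_change_cb_unguarded(&chan, state, 0);   /* safe here: data is set */
    return state_change_cb_guarded(&chan, state, 0) ? sk.sk_state : -1;
}
```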

Impact

Exploitation of this vulnerability can lead to a null pointer dereference in the kernel's Bluetooth stack, causing a crash or undefined behavior.

Reproduction

The vulnerability can be reproduced by invoking the 'l2cap_sock_state_change_cb()' function with an 'l2cap_chan' structure whose 'data' field is null. This can be done by manipulating the state of a Bluetooth L2CAP channel to create a scenario where the 'data' field is not properly initialized before the callback is called.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.

Added: May 26, 2026, 11:10 PM
Updated: May 26, 2026, 11:10 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 9.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.