Bug 1733874 (CVE-2019-10207)

Summary: CVE-2019-10207 kernel: null-pointer dereference in hci_uart_set_flow_control
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: acaringi, airlied, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, fhrbata, hdegoede, hkrzesin, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jlelli, john.j5live, jonathan, josef, jshortt, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, mchehab, mjg59, mlangsdo, nmurray, plougher, rvrbovsk, security-response-team, steved, williams, wmealing
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel's Bluetooth implementation of UART. An attacker with local access and write permissions to the Bluetooth hardware could use this flaw to issue a specially crafted ioctl function call and cause the system to crash.
Story Points: ---
Last Closed: 2019-11-06 00:53:11 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1734236, 1734237, 1734238, 1734239, 1734240, 1734242
Bug Blocks: 1733099

Description Dhananjay Arunesh 2019-07-29 05:52:58 UTC
A flaw was found in the Linux kernel's Bluetooth implementation of UART. A local attacker with write permissions to the Bluetooth device can cause a system crash by issuing a specially crafted ioctl function call.

Terminal control operations set on this device node will end up attempting to jump to the null (0x0) page for instruction execution. The kernel code can attempt to execute code in a worker-thread context which does not have the null page mapped.

At this time it is understood to be a local denial of service and no privilege escalation is available.


Upstream submission:
https://lore.kernel.org/linux-bluetooth/20190725120909.31235-1-vdronov@redhat.com/T/#u

Oss-security discussion:
https://www.openwall.com/lists/oss-security/2019/07/25/1

Comment 1 Wade Mealing 2019-07-30 04:13:47 UTC
Note:

You must have Bluetooth hardware in the system to be affected by this flaw (systems using the kernel modules hci_ath, hci_bcm, hci_intel, hci_mrvl, hci_qca). The modules can be unloaded and blacklisted to prevent a local attacker from exploiting this issue.
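
As an added defender-side example (not from the bug report or the kernel sources), the following POSIX shell script applies the mitigation described in Comment 1: it reports which of the listed hci_uart vendor modules are loaded, reading lsmod-style output, and generates a modprobe.d fragment that blacklists them. Only the module names come from the comment; the function names, the config file path and the sample lsmod output are assumptions.

```shell
#!/bin/sh
# Added example, not part of the bug report: check for the hci_uart vendor
# modules named in Comment 1 and emit a modprobe.d fragment blocking them.
# The module names come from the comment; everything else is assumed here.
set -eu

AFFECTED_MODULES="hci_ath hci_bcm hci_intel hci_mrvl hci_qca"

# Read lsmod-style output on stdin and print the affected modules that are
# loaded, space-separated, in input order. Only the first column (module
# name) is matched, so "Used by" dependants such as btbcm are not counted.
affected_loaded() {
    awk -v list="$AFFECTED_MODULES" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        NR > 1 && ($1 in want) { out = (out == "" ? $1 : out " " $1) }
        END { print out }
    '
}

# Emit a modprobe.d fragment. "blacklist" stops alias-driven autoloading;
# "install <mod> /bin/false" also makes an explicit "modprobe <mod>" fail.
blacklist_conf() {
    for m in $AFFECTED_MODULES; do
        printf 'blacklist %s\ninstall %s /bin/false\n' "$m" "$m"
    done
}

# Constructed lsmod output used when the script is run without --live.
SAMPLE_LSMOD='Module                  Size  Used by
hci_qca                32768  0
btbcm                  16384  1 hci_bcm
hci_bcm                24576  0
bluetooth             610304  5 btbcm,hci_qca,hci_bcm
ext4                  724992  1'

if [ "${1:-}" = "--live" ]; then
    loaded=$(lsmod | affected_loaded)
else
    loaded=$(printf '%s\n' "$SAMPLE_LSMOD" | affected_loaded)
fi

if [ -n "$loaded" ]; then
    echo "affected hci_uart modules loaded: $loaded"
    echo "suggested /etc/modprobe.d/cve-2019-10207.conf contents:"
    blacklist_conf
else
    echo "no affected hci_uart modules loaded"
fi
```

Run with `--live` on a real host to check the actual lsmod output; the fragment still has to be installed by hand and the modules unloaded with rmmod or a reboot.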

Comment 5 Wade Mealing 2019-07-30 04:22:11 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1734242]

Comment 7 errata-xmlrpc 2019-11-05 20:35:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3309 https://access.redhat.com/errata/RHSA-2019:3309

Comment 8 errata-xmlrpc 2019-11-05 21:06:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3517 https://access.redhat.com/errata/RHSA-2019:3517

Comment 9 Product Security DevOps Team 2019-11-06 00:53:11 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10207

Comment 10 errata-xmlrpc 2020-03-31 19:11:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1016 https://access.redhat.com/errata/RHSA-2020:1016

Comment 11 errata-xmlrpc 2020-03-31 19:20:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1070 https://access.redhat.com/errata/RHSA-2020:1070