Bug 1910048 (CVE-2020-35499) - CVE-2020-35499 kernel: NULL pointer dereference in sco_sock_getsockopt function
Summary: CVE-2020-35499 kernel: NULL pointer dereference in sco_sock_getsockopt function
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-35499
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1909775
TreeView+ depends on / blocked
 
Reported: 2020-12-22 13:02 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-02-19 17:57 UTC (History)
45 users (show)

Fixed In Version: kernel 5.11
Doc Type: If docs needed, set a value
Doc Text:
A NULL pointer dereference flaw may be seen if sco_sock_getsockopt function in net/bluetooth/sco.c do not have a sanity check for a socket connection, when using BT_SNDMTU/BT_RCVMTU for SCO sockets. This could allow a local attacker with a special user privilege to crash the system (DOS) or leak kernel internal information.
Clone Of:
Environment:
Last Closed: 2020-12-31 06:27:37 UTC


Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2020-12-22 13:02:57 UTC
A NULL pointer dereference flaw may be seen if sco_sock_getsockopt function in net/bluetooth/sco.c do not have a sanity check for a socket connection, When using BT_SNDMTU/BT_RCVMTU for SCO sockets. This could allow a local attacker with a special user privilege to crash the system (DOS) or leak kernel internal information.

A missing check for connected socket will cause a crash due to sco_pi(sk)->conn being NULL.


Upstream patch:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f6b8c6b554398

Comment 3 Rohit Keshri 2020-12-23 13:22:27 UTC
Statement:

There was no shipped kernel version were seen affected with this problem.

Comment 4 Rohit Keshri 2020-12-23 13:31:10 UTC
Mitigation:

Mitigation for this issue is not available with the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Comment 6 Product Security DevOps Team 2020-12-31 06:27:37 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-35499


Note You need to log in before you can comment on or make changes to this bug.