A flaw was found in the Linux kernel's Bluetooth implementation of UART. A local attacker with write permissions to the Bluetooth device can cause a system crash by issuing a specially crafted ioctl function call. Terminal control operations set on this device node will end up attempting to jump to the null (0x0) page for instruction execution. The kernel code can attempt to execute code in a worker-thread context which does not have the null page mapped. At this time it is understood to be a local denial of service and no privilege escalation is available.
Upstream submission: https://lore.kernel.org/linux-bluetooth/20190725120909.31235-1-vdronov@redhat.com/T/#u
Oss-security discussion: https://www.openwall.com/lists/oss-security/2019/07/25/1
Note: You must have Bluetooth hardware in the system to be affected by this flaw (systems using the kernel modules hci_ath, hci_bcm, hci_intel, hci_mrvl, hci_qca). The modules can be unloaded and blacklisted to prevent a local attacker from exploiting this issue.
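
The mitigation in the note above, as an added example that is not part of the original bug report: it checks a /proc/modules listing for the modules the note names and prints modprobe.d content that blocks them. The function names and the sample listing are constructed for illustration; the module list is the one given in the note.

```shell
#!/bin/sh
# Added example: module names are the ones listed in the note above.
AFFECTED_MODULES="hci_ath hci_bcm hci_intel hci_mrvl hci_qca"

# Print each affected module that is loaded according to a
# /proc/modules-format file. $1: file to read (default: live /proc/modules).
loaded_affected_modules() {
    modules_file="${1:-/proc/modules}"
    for mod in $AFFECTED_MODULES; do
        # Field 1 is the module name. Match it exactly so that a module
        # which merely lists an affected one as a dependent is not reported.
        awk -v m="$mod" '$1 == m { print $1 }' "$modules_file"
    done
}

# Emit modprobe.d content for the affected modules. "blacklist" stops
# alias-based autoloading; the "install" line makes an explicit modprobe
# of the module fail as well.
blacklist_conf() {
    for mod in $AFFECTED_MODULES; do
        printf 'blacklist %s\ninstall %s /bin/false\n' "$mod" "$mod"
    done
}

# Constructed sample in /proc/modules format (not taken from a real host).
sample_modules() {
    cat <<'EOF'
bluetooth 651264 5 hci_bcm,btbcm, Live 0xffffffffc0a10000
hci_bcm 24576 0 - Live 0xffffffffc0a00000
btbcm 16384 1 hci_bcm, Live 0xffffffffc09f0000
e1000e 286720 0 - Live 0xffffffffc0900000
EOF
}

# Demo on the constructed sample; nothing on the host is changed.
demo() {
    tmp=$(mktemp) || return 1
    sample_modules > "$tmp"
    echo "Affected modules loaded in the sample listing:"
    loaded_affected_modules "$tmp"
    rm -f "$tmp"
    echo "Content for a file under /etc/modprobe.d/:"
    blacklist_conf
}
demo
```

On a real host, call loaded_affected_modules with no argument to read /proc/modules, unload anything it reports with modprobe -r as root, and save the blacklist_conf output to a .conf file under /etc/modprobe.d/.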
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1734242]
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:3309 https://access.redhat.com/errata/RHSA-2019:3309
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:3517 https://access.redhat.com/errata/RHSA-2019:3517
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10207
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:1016 https://access.redhat.com/errata/RHSA-2020:1016
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:1070 https://access.redhat.com/errata/RHSA-2020:1070