Bug 1733874 (CVE-2019-10207) - CVE-2019-10207 kernel: null-pointer dereference in hci_uart_set_flow_control
Summary: CVE-2019-10207 kernel: null-pointer dereference in hci_uart_set_flow_control
Alias: CVE-2019-10207
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1734236 1734237 1734238 1734239 1734240 1734242
Blocks: 1733099
TreeView+ depends on / blocked
Reported: 2019-07-29 05:52 UTC by Dhananjay Arunesh
Modified: 2019-11-06 00:53 UTC (History)
39 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel’s Bluetooth implementation of UART. An attacker with local access and write permissions to the Bluetooth hardware could use this flaw to issue a specially crafted ioctl function call and cause the system to crash.
Clone Of:
Last Closed: 2019-11-06 00:53:11 UTC

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:3309 None None None 2019-11-05 20:35:48 UTC
Red Hat Product Errata RHSA-2019:3517 None None None 2019-11-05 21:06:32 UTC

Description Dhananjay Arunesh 2019-07-29 05:52:58 UTC
A flaw was found in the Linux kernels bluetooth implementation of UART. A local attacker with write permissions to the bluetooth device can cause a system crash by issuing a specially crafted ioctl function call.

Terminal control operations set on this device node will end up attempting to jump to the null (0x0) page for instruction execution. The kernel code can attempt to execute code in a worker-thread context which does not have the null page mapped.

At this time it is understood to be a local denial of service and no privilege escalation is available.

Upstream submission:

Oss-security discussion:

Comment 1 Wade Mealing 2019-07-30 04:13:47 UTC

You must have bluetooth hardware in the system to be affected by this flaw (systems using the kernel modules hci_ath,hci_bcm, hci_intel, hci_mrvl, hci_qca) The modules can be unloaded and blacklisted to prevent a local attacker from exploiting this issue.

Comment 5 Wade Mealing 2019-07-30 04:22:11 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1734242]

Comment 7 errata-xmlrpc 2019-11-05 20:35:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3309 https://access.redhat.com/errata/RHSA-2019:3309

Comment 8 errata-xmlrpc 2019-11-05 21:06:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3517 https://access.redhat.com/errata/RHSA-2019:3517

Comment 9 Product Security DevOps Team 2019-11-06 00:53:11 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.