CVE-2024-35967

2024-05-2010:15:11

416baaa9-dc9f-4396-8d5f-8c081fb06d67

web.nvd.nist.gov

linux

kernel

bluetooth

vulnerability

fix

sco

setsockopt

user input

validation

6.7 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.5%

JSON

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: SCO: Fix not validating setsockopt user input

syzbot reported sco_sock_setsockopt() is copying data without
checking user input length.

BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset
include/linux/sockptr.h:49 [inline]
BUG: KASAN: slab-out-of-bounds in copy_from_sockptr
include/linux/sockptr.h:55 [inline]
BUG: KASAN: slab-out-of-bounds in sco_sock_setsockopt+0xc0b/0xf90
net/bluetooth/sco.c:893
Read of size 4 at addr ffff88805f7b15a3 by task syz-executor.5/12578

Affected configurations

Vulners

Node

linuxlinux_kernelRange3.8–5.10.216

linuxlinux_kernelRange5.11.0–6.1.87

linuxlinux_kernelRange6.2.0–6.6.28

linuxlinux_kernelRange6.7.0–6.8.7

linuxlinux_kernelRange6.9.0≥

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "include/net/bluetooth/bluetooth.h",
      "net/bluetooth/sco.c"
    ],
    "versions": [
      {
        "version": "b96e9c671b05",
        "lessThan": "b0e30c37695b",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "b96e9c671b05",
        "lessThan": "7bc65d23ba20",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "b96e9c671b05",
        "lessThan": "72473db90900",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "b96e9c671b05",
        "lessThan": "419a0ffca701",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "b96e9c671b05",
        "lessThan": "51eda36d33e4",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "include/net/bluetooth/bluetooth.h",
      "net/bluetooth/sco.c"
    ],
    "versions": [
      {
        "version": "3.8",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "3.8",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.10.216",
        "lessThanOrEqual": "5.10.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.1.87",
        "lessThanOrEqual": "6.1.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.6.28",
        "lessThanOrEqual": "6.6.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.8.7",
        "lessThanOrEqual": "6.8.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.9",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]