CVE-2023-54164 (GCVE-0-2023-54164)
Vulnerability from cvelistv5
Published
2025-12-30 12:08
Modified
2025-12-30 12:08
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: fix iso_conn related locking and validity issues sk->sk_state indicates whether iso_pi(sk)->conn is valid. Operations that check/update sk_state and access conn should hold lock_sock, otherwise they can race. The order of taking locks is hci_dev_lock > lock_sock > iso_conn_lock, which is how it is in connect/disconnect_cfm -> iso_conn_del -> iso_chan_del. Fix locking in iso_connect_cis/bis and sendmsg/recvmsg to take lock_sock around updating sk_state and conn. iso_conn_del must not occur during iso_connect_cis/bis, as it frees the iso_conn. Hold hdev->lock longer to prevent that. This should not reintroduce the issue fixed in commit 241f51931c35 ("Bluetooth: ISO: Avoid circular locking dependency"), since the we acquire locks in order. We retain the fix in iso_sock_connect to release lock_sock before iso_connect_* acquires hdev->lock. Similarly for commit 6a5ad251b7cd ("Bluetooth: ISO: Fix possible circular locking dependency"). We retain the fix in iso_conn_ready to not acquire iso_conn_lock before lock_sock. iso_conn_add shall return iso_conn with valid hcon. Make it so also when reusing an old CIS connection waiting for disconnect timeout (see __iso_sock_close where conn->hcon is set to NULL). Trace with iso_conn_del after iso_chan_add in iso_connect_cis: =============================================================== iso_sock_create:771: sock 00000000be9b69b7 iso_sock_init:693: sk 000000004dff667e iso_sock_bind:827: sk 000000004dff667e 70:1a:b8:98:ff:a2 type 1 iso_sock_setsockopt:1289: sk 000000004dff667e iso_sock_setsockopt:1289: sk 000000004dff667e iso_sock_setsockopt:1289: sk 000000004dff667e iso_sock_connect:875: sk 000000004dff667e iso_connect_cis:353: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da hci_get_route:1199: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da hci_conn_add:1005: hci0 dst 28:3d:c2:4a:7e:da iso_conn_add:140: hcon 000000007b65d182 conn 00000000daf8625e __iso_chan_add:214: conn 00000000daf8625e iso_connect_cfm:1700: hcon 000000007b65d182 bdaddr 28:3d:c2:4a:7e:da status 12 iso_conn_del:187: hcon 000000007b65d182 conn 00000000daf8625e, err 16 iso_sock_clear_timer:117: sock 000000004dff667e state 3 <Note: sk_state is BT_BOUND (3), so iso_connect_cis is still running at this point> iso_chan_del:153: sk 000000004dff667e, conn 00000000daf8625e, err 16 hci_conn_del:1151: hci0 hcon 000000007b65d182 handle 65535 hci_conn_unlink:1102: hci0: hcon 000000007b65d182 hci_chan_list_flush:2780: hcon 000000007b65d182 iso_sock_getsockopt:1376: sk 000000004dff667e iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e iso_sock_getsockopt:1376: sk 000000004dff667e iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e iso_sock_shutdown:1434: sock 00000000be9b69b7, sk 000000004dff667e, how 1 __iso_sock_close:632: sk 000000004dff667e state 5 socket 00000000be9b69b7 <Note: sk_state is BT_CONNECT (5), even though iso_chan_del sets BT_CLOSED (6). Only iso_connect_cis sets it to BT_CONNECT, so it must be that iso_chan_del occurred between iso_chan_add and end of iso_connect_cis.> BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 8000000006467067 P4D 8000000006467067 PUD 3f5f067 PMD 0 Oops: 0000 [#1] PREEMPT SMP PTI Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014 RIP: 0010:__iso_sock_close (net/bluetooth/iso.c:664) bluetooth =============================================================== Trace with iso_conn_del before iso_chan_add in iso_connect_cis: =============================================================== iso_connect_cis:356: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da ... iso_conn_add:140: hcon 0000000093bc551f conn 00000000768ae504 hci_dev_put:1487: hci0 orig refcnt 21 hci_event_packet:7607: hci0: e ---truncated---
References
Impacted products
Vendor Product Version
Linux Linux Version: c524f9561c657b8af26dd4f67092b8928261aa62
Version: 241f51931c35085449502c10f64fb3ecd6e02171
Version: 241f51931c35085449502c10f64fb3ecd6e02171
Version: 2539cbc625c560d5432e2f0fc04bfe4a889cf737
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/iso.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e969bfed84c1f88dc722a678ee08488e86f0ec1a",
              "status": "affected",
              "version": "c524f9561c657b8af26dd4f67092b8928261aa62",
              "versionType": "git"
            },
            {
              "lessThan": "88ad50f2b843a510bd7c922c0a4e2484aff9d645",
              "status": "affected",
              "version": "241f51931c35085449502c10f64fb3ecd6e02171",
              "versionType": "git"
            },
            {
              "lessThan": "d40ae85ee62e3666f45bc61864b22121346f88ef",
              "status": "affected",
              "version": "241f51931c35085449502c10f64fb3ecd6e02171",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "2539cbc625c560d5432e2f0fc04bfe4a889cf737",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/iso.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.4.*",
              "status": "unaffected",
              "version": "6.4.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.5",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.42",
                  "versionStartIncluding": "6.1.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4.7",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.1.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: ISO: fix iso_conn related locking and validity issues\n\nsk-\u003esk_state indicates whether iso_pi(sk)-\u003econn is valid. Operations\nthat check/update sk_state and access conn should hold lock_sock,\notherwise they can race.\n\nThe order of taking locks is hci_dev_lock \u003e lock_sock \u003e iso_conn_lock,\nwhich is how it is in connect/disconnect_cfm -\u003e iso_conn_del -\u003e\niso_chan_del.\n\nFix locking in iso_connect_cis/bis and sendmsg/recvmsg to take lock_sock\naround updating sk_state and conn.\n\niso_conn_del must not occur during iso_connect_cis/bis, as it frees the\niso_conn. Hold hdev-\u003elock longer to prevent that.\n\nThis should not reintroduce the issue fixed in commit 241f51931c35\n(\"Bluetooth: ISO: Avoid circular locking dependency\"), since the we\nacquire locks in order. We retain the fix in iso_sock_connect to release\nlock_sock before iso_connect_* acquires hdev-\u003elock.\n\nSimilarly for commit 6a5ad251b7cd (\"Bluetooth: ISO: Fix possible\ncircular locking dependency\"). We retain the fix in iso_conn_ready to\nnot acquire iso_conn_lock before lock_sock.\n\niso_conn_add shall return iso_conn with valid hcon. Make it so also when\nreusing an old CIS connection waiting for disconnect timeout (see\n__iso_sock_close where conn-\u003ehcon is set to NULL).\n\nTrace with iso_conn_del after iso_chan_add in iso_connect_cis:\n===============================================================\niso_sock_create:771: sock 00000000be9b69b7\niso_sock_init:693: sk 000000004dff667e\niso_sock_bind:827: sk 000000004dff667e 70:1a:b8:98:ff:a2 type 1\niso_sock_setsockopt:1289: sk 000000004dff667e\niso_sock_setsockopt:1289: sk 000000004dff667e\niso_sock_setsockopt:1289: sk 000000004dff667e\niso_sock_connect:875: sk 000000004dff667e\niso_connect_cis:353: 70:1a:b8:98:ff:a2 -\u003e 28:3d:c2:4a:7e:da\nhci_get_route:1199: 70:1a:b8:98:ff:a2 -\u003e 28:3d:c2:4a:7e:da\nhci_conn_add:1005: hci0 dst 28:3d:c2:4a:7e:da\niso_conn_add:140: hcon 000000007b65d182 conn 00000000daf8625e\n__iso_chan_add:214: conn 00000000daf8625e\niso_connect_cfm:1700: hcon 000000007b65d182 bdaddr 28:3d:c2:4a:7e:da status 12\niso_conn_del:187: hcon 000000007b65d182 conn 00000000daf8625e, err 16\niso_sock_clear_timer:117: sock 000000004dff667e state 3\n    \u003cNote: sk_state is BT_BOUND (3), so iso_connect_cis is still\n    running at this point\u003e\niso_chan_del:153: sk 000000004dff667e, conn 00000000daf8625e, err 16\nhci_conn_del:1151: hci0 hcon 000000007b65d182 handle 65535\nhci_conn_unlink:1102: hci0: hcon 000000007b65d182\nhci_chan_list_flush:2780: hcon 000000007b65d182\niso_sock_getsockopt:1376: sk 000000004dff667e\niso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e\niso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e\niso_sock_getsockopt:1376: sk 000000004dff667e\niso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e\niso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e\niso_sock_shutdown:1434: sock 00000000be9b69b7, sk 000000004dff667e, how 1\n__iso_sock_close:632: sk 000000004dff667e state 5 socket 00000000be9b69b7\n     \u003cNote: sk_state is BT_CONNECT (5), even though iso_chan_del sets\n     BT_CLOSED (6). Only iso_connect_cis sets it to BT_CONNECT, so it\n     must be that iso_chan_del occurred between iso_chan_add and end of\n     iso_connect_cis.\u003e\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nPGD 8000000006467067 P4D 8000000006467067 PUD 3f5f067 PMD 0\nOops: 0000 [#1] PREEMPT SMP PTI\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014\nRIP: 0010:__iso_sock_close (net/bluetooth/iso.c:664) bluetooth\n===============================================================\n\nTrace with iso_conn_del before iso_chan_add in iso_connect_cis:\n===============================================================\niso_connect_cis:356: 70:1a:b8:98:ff:a2 -\u003e 28:3d:c2:4a:7e:da\n...\niso_conn_add:140: hcon 0000000093bc551f conn 00000000768ae504\nhci_dev_put:1487: hci0 orig refcnt 21\nhci_event_packet:7607: hci0: e\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-30T12:08:40.357Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e969bfed84c1f88dc722a678ee08488e86f0ec1a"
        },
        {
          "url": "https://git.kernel.org/stable/c/88ad50f2b843a510bd7c922c0a4e2484aff9d645"
        },
        {
          "url": "https://git.kernel.org/stable/c/d40ae85ee62e3666f45bc61864b22121346f88ef"
        }
      ],
      "title": "Bluetooth: ISO: fix iso_conn related locking and validity issues",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-54164",
    "datePublished": "2025-12-30T12:08:40.357Z",
    "dateReserved": "2025-12-30T12:06:44.495Z",
    "dateUpdated": "2025-12-30T12:08:40.357Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-54164\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-30T13:16:04.167\",\"lastModified\":\"2025-12-30T13:16:04.167\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: ISO: fix iso_conn related locking and validity issues\\n\\nsk-\u003esk_state indicates whether iso_pi(sk)-\u003econn is valid. Operations\\nthat check/update sk_state and access conn should hold lock_sock,\\notherwise they can race.\\n\\nThe order of taking locks is hci_dev_lock \u003e lock_sock \u003e iso_conn_lock,\\nwhich is how it is in connect/disconnect_cfm -\u003e iso_conn_del -\u003e\\niso_chan_del.\\n\\nFix locking in iso_connect_cis/bis and sendmsg/recvmsg to take lock_sock\\naround updating sk_state and conn.\\n\\niso_conn_del must not occur during iso_connect_cis/bis, as it frees the\\niso_conn. Hold hdev-\u003elock longer to prevent that.\\n\\nThis should not reintroduce the issue fixed in commit 241f51931c35\\n(\\\"Bluetooth: ISO: Avoid circular locking dependency\\\"), since the we\\nacquire locks in order. We retain the fix in iso_sock_connect to release\\nlock_sock before iso_connect_* acquires hdev-\u003elock.\\n\\nSimilarly for commit 6a5ad251b7cd (\\\"Bluetooth: ISO: Fix possible\\ncircular locking dependency\\\"). We retain the fix in iso_conn_ready to\\nnot acquire iso_conn_lock before lock_sock.\\n\\niso_conn_add shall return iso_conn with valid hcon. Make it so also when\\nreusing an old CIS connection waiting for disconnect timeout (see\\n__iso_sock_close where conn-\u003ehcon is set to NULL).\\n\\nTrace with iso_conn_del after iso_chan_add in iso_connect_cis:\\n===============================================================\\niso_sock_create:771: sock 00000000be9b69b7\\niso_sock_init:693: sk 000000004dff667e\\niso_sock_bind:827: sk 000000004dff667e 70:1a:b8:98:ff:a2 type 1\\niso_sock_setsockopt:1289: sk 000000004dff667e\\niso_sock_setsockopt:1289: sk 000000004dff667e\\niso_sock_setsockopt:1289: sk 000000004dff667e\\niso_sock_connect:875: sk 000000004dff667e\\niso_connect_cis:353: 70:1a:b8:98:ff:a2 -\u003e 28:3d:c2:4a:7e:da\\nhci_get_route:1199: 70:1a:b8:98:ff:a2 -\u003e 28:3d:c2:4a:7e:da\\nhci_conn_add:1005: hci0 dst 28:3d:c2:4a:7e:da\\niso_conn_add:140: hcon 000000007b65d182 conn 00000000daf8625e\\n__iso_chan_add:214: conn 00000000daf8625e\\niso_connect_cfm:1700: hcon 000000007b65d182 bdaddr 28:3d:c2:4a:7e:da status 12\\niso_conn_del:187: hcon 000000007b65d182 conn 00000000daf8625e, err 16\\niso_sock_clear_timer:117: sock 000000004dff667e state 3\\n    \u003cNote: sk_state is BT_BOUND (3), so iso_connect_cis is still\\n    running at this point\u003e\\niso_chan_del:153: sk 000000004dff667e, conn 00000000daf8625e, err 16\\nhci_conn_del:1151: hci0 hcon 000000007b65d182 handle 65535\\nhci_conn_unlink:1102: hci0: hcon 000000007b65d182\\nhci_chan_list_flush:2780: hcon 000000007b65d182\\niso_sock_getsockopt:1376: sk 000000004dff667e\\niso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e\\niso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e\\niso_sock_getsockopt:1376: sk 000000004dff667e\\niso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e\\niso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e\\niso_sock_shutdown:1434: sock 00000000be9b69b7, sk 000000004dff667e, how 1\\n__iso_sock_close:632: sk 000000004dff667e state 5 socket 00000000be9b69b7\\n     \u003cNote: sk_state is BT_CONNECT (5), even though iso_chan_del sets\\n     BT_CLOSED (6). Only iso_connect_cis sets it to BT_CONNECT, so it\\n     must be that iso_chan_del occurred between iso_chan_add and end of\\n     iso_connect_cis.\u003e\\nBUG: kernel NULL pointer dereference, address: 0000000000000000\\nPGD 8000000006467067 P4D 8000000006467067 PUD 3f5f067 PMD 0\\nOops: 0000 [#1] PREEMPT SMP PTI\\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014\\nRIP: 0010:__iso_sock_close (net/bluetooth/iso.c:664) bluetooth\\n===============================================================\\n\\nTrace with iso_conn_del before iso_chan_add in iso_connect_cis:\\n===============================================================\\niso_connect_cis:356: 70:1a:b8:98:ff:a2 -\u003e 28:3d:c2:4a:7e:da\\n...\\niso_conn_add:140: hcon 0000000093bc551f conn 00000000768ae504\\nhci_dev_put:1487: hci0 orig refcnt 21\\nhci_event_packet:7607: hci0: e\\n---truncated---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/88ad50f2b843a510bd7c922c0a4e2484aff9d645\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d40ae85ee62e3666f45bc61864b22121346f88ef\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e969bfed84c1f88dc722a678ee08488e86f0ec1a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.