A missing nullptr-check in handle_ra_input can cause a nullptr-deref.

**Summary**

A missing nullptr-check in handle_ra_input can cause a nullptr-deref.

**Description**

The reachable_time update in handle_ra_input is missing a nullptr-check for net_pkt_iface(pkt)->config.ip.ipv6 before calling net_if_ipv6_set_reachable_time:

if (reachable\_time && reachable\_time <= MAX\_REACHABLE\_TIME && (net\_if\_ipv6\_get\_reachable\_time(net\_pkt\_iface(pkt)) != reachable\_time)) {
    net\_if\_ipv6\_set\_base\_reachable\_time(net\_pkt\_iface(pkt), reachable\_time);
    net\_if\_ipv6\_set\_reachable\_time(net\_pkt\_iface(pkt)\->config.ip.ipv6);
}

if (reachable\_time && reachable\_time <= MAX\_REACHABLE\_TIME &&

(net\_if\_ipv6\_get\_reachable\_time(net\_pkt\_iface(pkt)) !=

reachable\_time)) {

net\_if\_ipv6\_set\_base\_reachable\_time(net\_pkt\_iface(pkt),

reachable\_time);

net\_if\_ipv6\_set\_reachable\_time(

net\_pkt\_iface(pkt)\->config.ip.ipv6);

}

The ipv6 interface pointer is passed into net_if_ipv6_calc_reachable_time in net_if_ipv6_set_reachable_time:

ipv6\->reachable\_time \= net\_if\_ipv6\_calc\_reachable\_time(ipv6);

/\*\*

\* @brief Set IPv6 reachable time for a given interface. This requires

\* that base reachable time is set for the interface.

\*

\* @param ipv6 IPv6 address configuration

\*/

static inline void net\_if\_ipv6\_set\_reachable\_time(struct net\_if\_ipv6 \*ipv6)

{

#if defined(CONFIG\_NET\_NATIVE\_IPV6)

ipv6\->reachable\_time \= net\_if\_ipv6\_calc\_reachable\_time(ipv6);

#endif

}

The ipv6 interface pointer is then used without an additional check in net_if_ipv6_calc_reachable_time:

min\_reachable \= (MIN\_RANDOM\_NUMER \* ipv6\->base\_reachable\_time) / MIN\_RANDOM\_DENOM;
max\_reachable \= (MAX\_RANDOM\_NUMER \* ipv6\->base\_reachable\_time) / MAX\_RANDOM\_DENOM;

uint32\_t net\_if\_ipv6\_calc\_reachable\_time(struct net\_if\_ipv6 \*ipv6)

{

uint32\_t min\_reachable, max\_reachable;

k\_mutex\_lock(&lock, K\_FOREVER);

min\_reachable \= (MIN\_RANDOM\_NUMER \* ipv6\->base\_reachable\_time)

/ MIN\_RANDOM\_DENOM;

max\_reachable \= (MAX\_RANDOM\_NUMER \* ipv6\->base\_reachable\_time)

/ MAX\_RANDOM\_DENOM;

k\_mutex\_unlock(&lock);

NET\_DBG("min\_reachable:%u max\_reachable:%u", min\_reachable,

max\_reachable);

return min\_reachable +

sys\_rand32\_get() % (max\_reachable \- min\_reachable);

}

However the other usages in handle_ra_input do check for a nullptr:

*   net_if_ipv6_get_reachable_time:
    
    if (!iface\->config.ip.ipv6) { return 0; }
    
    /\*\*
    
    \* @brief Get IPv6 reachable timeout specified for a given interface
    
    \*
    
    \* @param iface Network interface
    
    \*
    
    \* @return Reachable timeout
    
    \*/
    
    static inline uint32\_t net\_if\_ipv6\_get\_reachable\_time(struct net\_if \*iface)
    
    {
    
    #if defined(CONFIG\_NET\_NATIVE\_IPV6)
    
    if (!iface\->config.ip.ipv6) {
    
    return 0;
    
    }
    
    return iface\->config.ip.ipv6\->reachable\_time;
    
    #else
    
    return 0;
    
    #endif
    
    }
    
*   net_if_ipv6_set_base_reachable_time
    
    if (!iface\->config.ip.ipv6) { return; }
    
    /\*\*
    
    \* @brief Set IPv6 reachable time for a given interface
    
    \*
    
    \* @param iface Network interface
    
    \* @param reachable\_time New reachable time
    
    \*/
    
    static inline void net\_if\_ipv6\_set\_base\_reachable\_time(struct net\_if \*iface,
    
    uint32\_t reachable\_time)
    
    {
    
    #if defined(CONFIG\_NET\_NATIVE\_IPV6)
    
    if (!iface\->config.ip.ipv6) {
    
    return;
    
    }
    
    iface\->config.ip.ipv6\->base\_reachable\_time \= reachable\_time;
    
    #endif
    
    }
    

**Impact**

*   Potentially cause a Denial of Service.
    *   Note: We are able to cause a DoS in Zephyr 2.2.0 with fuzzing, but did not try to reproduce in current versions.

**Proposed Fix**

*   Add a nullptr check in net_if_ipv6_set_reachable_time or add a wrapper function with a check similar to net_if_ipv6_get_reachable_time or net_if_ipv6_set_base_reachable_time.

CVE-2023-0359: Missing `ipv6` nullptr-check in `handle_ra_input

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 is vulnerable to an information disclosure due to improper privilege management when certain federation features are used.  IBM X-Force ID:  252046.

  

**Summary**

IBM® Db2® is vulnerable to an information disclosure due to improper privilege management when certain federation features are used.

**Vulnerability Details**

**CVEID:**   CVE-2023-29256  
**DESCRIPTION:**   IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) is vulnerable to an information disclosure due to improper privilege management when certain federation features are used.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/252046 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

Applicable Editions

IBM® Db2®

10.5.0.11

Server

IBM® Db2®

11.1.4.7

Server

IBM® Db2®

11.5.x

Server

All platforms are affected.

**Remediation/Fixes**

Customers running any vulnerable fixpack level of an affected Program,  V10.5, V11.1 and V11.5, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent fixpack level for each impacted release:  V10.5 FP11, V11.1.4 FP7, V11.5.7 and V11.5.8. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability.

**Release**

**Fixed in fix pack**

**APAR**

**Download URL**

V10.5

TBD

DT208397

Special Build for V10.5 FP11:

AIX 64-bit  
HP-UX 64-bit  
Linux 32-bit, x86-32  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ big endian  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Solaris 64-bit, SPARC  
Solaris 64-bit, x86-64  
Windows 32-bit, x86  
Windows 64-bit, x86

V11.1

TBD

DT208397

Special Build for V11.1.4 FP7:

AIX 64-bit  
Linux 32-bit, x86-32  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Solaris 64-bit, SPARC  
Windows 32-bit, x86  
Windows 64-bit, x86

V11.5

TBD

DT208397

Special Build for V11.5.7:

AIX 64-bit  
Linux 32-bit, x86-32  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Windows 32-bit, x86  
Windows 64-bit, x86

Special Build for V11.5.8:

AIX 64-bit  
Linux 32-bit, x86-32  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Windows 32-bit, x86  
Windows 64-bit, x86

  

IBM does not disclose key Db2 functionality nor replication steps for a vulnerability to avoid providing too much information to any potential malicious attacker. IBM does not want to enable a malicious attacker with sufficient knowledge to craft an exploit of the vulnerability.

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

07 Jul 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSEPGG","label":"Db2 for Linux, UNIX and Windows"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"},{"code":"PF027","label":"Solaris"},{"code":"PF010","label":"HP-UX"},{"code":"PF002","label":"AIX"}\],"Version":"11.5,11.1,10.5","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}\]

CVE-2023-29256: IBM® Db2® is vulnerable to information disclosure due to improper privilege management when certain federation features are used. (CVE-2023-29256)

The All In One Redirection WordPress plugin before 2.2.0 does not properly sanitise and escape multiple parameters before using them in an SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.

CVE-2023-2493

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.1 and 11.5 federated server is vulnerable to a denial of service as the server may crash when using a specially crafted wrapper using certain options.  IBM X-Force ID:  253202.

  

**Summary**

IBM® Db2® federated server is vulnerable to a denial of service as the server may crash when using a specially crafted wrapper using certain options.

**Vulnerability Details**

**CVEID:**   CVE-2023-30442  
**DESCRIPTION:**   IBM DB2 for Linux, UNIX and Windows (includes Db2 Connect Server) federated server is vulnerable to a denial of service as the server may crash when using a specially crafted wrapper using certain options.  
CVSS Base score: 5.9  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253202 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

**Affected Products and Versions**

Affected Product(s)

Version(s)

Applicable Editions

IBM® Db2®

11.1.4.7

Server

IBM® Db2®

11.5.x

Server

All platforms are affected.

**Remediation/Fixes**

Customers running any vulnerable fixpack level of an affected Program, V11.1 and V11.5, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent fixpack level for each impacted release:  V11.1.4 FP7, and V11.5.8. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability.

**Release**

**Fixed in fix pack**

**APAR**

**Download URL**

V11.1

TBD

DT187940

Special Build for V11.1.4 FP7:

AIX 64-bit  
Linux 32-bit, x86-32  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Solaris 64-bit, SPARC  
Windows 32-bit, x86  
Windows 64-bit, x86

V11.5

TBD

DT187940

Special Build for V11.5.7:

AIX 64-bit  
Linux 32-bit, x86-32  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Windows 32-bit, x86  
Windows 64-bit, x86

Special Build for V11.5.8:

AIX 64-bit  
Linux 32-bit, x86-32  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Windows 32-bit, x86  
Windows 64-bit, x86

  

IBM does not disclose key Db2 functionality nor replication steps for a vulnerability to avoid providing too much information to any potential malicious attacker. IBM does not want to enable a malicious attacker with sufficient knowledge to craft an exploit of the vulnerability.

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

07 Jul 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSEPGG","label":"Db2 for Linux, UNIX and Windows"},"Component":"","Platform":\[{"code":"PF010","label":"HP-UX"},{"code":"PF033","label":"Windows"},{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"}\],"Version":"11.5,11.1","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}\]

CVE-2023-30442: IBM® Db2® federated server is vulnerable to a denial of service when using a specially crafted wrapper using certain options. (CVE-2023-30442)

The Companion Sitemap Generator WordPress plugin before 4.5.3 does not sanitise and escape some parameters before outputting them back in pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

CVE-2023-1780

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 db2set is vulnerable to a buffer overflow, caused by improper bounds checking.  An attacker could overflow the buffer and execute arbitrary code.  IBM X-Force ID:  252184.

  

**Summary**

IBM® Db2® db2set is vulnerable to arbitrary code execution.

**Vulnerability Details**

**CVEID:**   CVE-2023-30431  
**DESCRIPTION:**   IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) db2set is vulnerable to a buffer overflow, caused by improper bounds checking. An attacker could overflow the buffer and execute arbitrary code.  
CVSS Base score: 8.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/252184 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**Affected Products and Versions**

Affected Product(s)

Version(s)

Applicable Editions

IBM® Db2®

10.5.0.11

Server

IBM® Db2®

11.1.4.7

Server

IBM® Db2®

11.5.x

Server

All platforms are affected.

**Remediation/Fixes**

Customers running any vulnerable fixpack level of an affected Program,  V10.5, v11.1 and V11.5, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent fixpack level for each impacted release:  V10.5 FP11, V11.1.4 FP7, and V11.5.8. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability.

**Release**

**Fixed in fix pack**

**APAR**

**Download URL**

V10.5

TBD

DT198274

Special Build for V10.5 FP11:

AIX 64-bit  
HP-UX 64-bit  
Linux 32-bit, x86-32  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ big endian  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Solaris 64-bit, SPARC  
Solaris 64-bit, x86-64  
Windows 32-bit, x86  
Windows 64-bit, x86

V11.1

TBD

DT198274

Special Build for V11.1.4 FP7:

AIX 64-bit  
Linux 32-bit, x86-32  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Solaris 64-bit, SPARC  
Windows 32-bit, x86  
Windows 64-bit, x86

V11.5

TBD

DT198274

Special Build for V11.5.7:

AIX 64-bit  
Linux 32-bit, x86-32  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Windows 32-bit, x86  
Windows 64-bit, x86

Special Build for V11.5.8:

AIX 64-bit  
Linux 32-bit, x86-32  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Windows 32-bit, x86  
Windows 64-bit, x86

IBM does not disclose key Db2 functionality nor replication steps for a vulnerability to avoid providing too much information to any potential malicious attacker. IBM does not want to enable a malicious attacker with sufficient knowledge to craft an exploit of the vulnerability.

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

07 Jul 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSEPGG","label":"Db2 for Linux, UNIX and Windows"},"Component":"","Platform":\[{"code":"PF033","label":"Windows"},{"code":"PF010","label":"HP-UX"},{"code":"PF027","label":"Solaris"},{"code":"PF016","label":"Linux"},{"code":"PF002","label":"AIX"}\],"Version":"11.5,11.1,10.5","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}\]

CVE-2023-30431: IBM® Db2® db2set is vulnerable to arbitrary code execution. (CVE-2023-30431)

Cross-Site Request Forgery (CSRF) vulnerability in MageNet Website Monetization by MageNet plugin <= 1.0.29.1 versions.

**Solution**

 No fix

No patched version available.

Found this useful? Thank Mika for reporting this vulnerability. Buy a coffee ☕

Mika discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Website Monetization by MageNet Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-22673: WordPress Website Monetization by MageNet plugin <= 1.0.29.1 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.1 and 11.5 is vulnerable to insufficient audit logging.  IBM X-Force ID:  245918.

CVE-2023-23487: IBM Db2 audit logging CVE-2023-23487 Vulnerability Report

Local users are able to execute scripts under root privileges.

CVE-2021-42082: Redirecting…

The bluetooth HCI host layer logic not clearing a global reference to a semaphore after synchronously sending HCI commands may allow a malicious HCI Controller to cause the use of a dangling reference in the host layer, leading to a crash (DoS) or potential RCE on the Host layer.




**Summary**

The bluetooth HCI host layer logic not clearing a global reference to a semaphore after synchronously sending HCI commands may allow a malicious HCI Controller to cause the use of a dangling reference in the host layer, leading to a crash (DoS) or potential RCE on the Host layer.

**Description**

To send an HCI command synchronously, the HCI stack involves different functions for its synchronization:

1.  bt_hci_cmd_send_sync creates a local semaphore variable (which gets allocated on the stack of bt_hci_cmd_send_sync) and stores a reference to this local semaphore variable in the global cmd_data array via cmd(buf)->sync: https://github.com/zephyrproject-rtos/zephyr/blob/9a75902/subsys/bluetooth/host/hci\_core.c#L325
2.  hci_cmd_done, which is called while handling sending completion (via the reception of matching completion or status priority HCI events, or in certain error cases), checks whether the reference to this synchronization semaphore is set, and optionally giving/releasing the semaphore: https://github.com/zephyrproject-rtos/zephyr/blob/9a75902/subsys/bluetooth/host/hci\_core.c#L2102
3.  To support asynchronous sending, bt_hci_cmd_create initializes cmd(buf)->sync to NULL while a command buffer is initially created.

The issue of this way of handling synchronous sending of HCI commands lies in the fact that while handling the completion, the reference to the synchronization semaphore is not cleared (hci_cmd_done uses cmd(buf)->sync, but never clears the reference).

This implementation works correctly as long as the HCI Controller layer always sends completion/status priority events only once for each synchronously-sent command, or delays sending it enough such that the corresponding command buffer is correctly re-initialized and the semaphore reference is valid again.

The implementation causes a stale reference to the application stack memory to be used as a semaphore, however, if the Controller layer sends a second completion event for the same command before it is re-initialized for sending a new HCI command. In this situation, the pointer stored in cmd(buf)->sync has first been used as expected, and indicated to bt_hci_cmd_send_sync that the transmission is completed. As a result, bt_hci_cmd_send_sync returns and releases its local variables in the process. Another function re-claims the stack space for its own local variables, and overwrites the contents in the location which cmd(buf)->sync still references. When the second completion event is sent by the malicious/malfunctioning Controller layer, the reference stored in cmd(buf)->sync still references the invalidated stack memory, such that this reference is used via k_sem_give(cmd(buf)->sync); (https://github.com/zephyrproject-rtos/zephyr/blob/9a75902/subsys/bluetooth/host/hci\_core.c#L2104). In this situation, arbitrary data may reside in the affected memory location (which may or may not be attacker-controllable), and may be wrongly used as a pointer to a k_sem structure in a call to k_sem_give.

**Impact**

A malicious / malfunctioning HCI Controller may cause a dangling reference to be used as a semaphore object in the host layer, resulting in a crash (DoS) or potential Remote Code Execution (RCE) on the Bluetooth host layer.

**Proposed Fix**

To avoid this issue, when receiving HCI responses to synchronously sent HCI commands (cmd(buf)->sync is not NULL), the HCI logic should ensure that the semaphore reference in cmd(buf)->sync is (atomically) cleared and will not be re-used while handling another HCI response.

For example, hci_cmd_done could (atomically) read cmd(buf)->sync and NULL the reference after retrieving it.

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in zephyr
*   Email us at Zephyr-vulnerabilities

embargo: 2023-07-04

Source

CVE