Description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: validate skb length for unknown CC opcode In hci_cmd_complete_evt(), if the command complete event has an unknown opcode, we assume the first byte of the remaining skb->data contains the return status. However, parameter data has previously been pulled in hci_event_func(), which may leave the skb empty. If so, using skb->data[0] for the return status uses un-init memory. The fix is to check skb->len before using skb->data.
Product status
afcb3369f46ed5dc883a7b92f2dd1e264d79d388 (git) before fea895de78d3bb2f0c09db9f10b18f8121b15759
afcb3369f46ed5dc883a7b92f2dd1e264d79d388 (git) before 779f83a91d4f1bf5ddfeaf528420cbb6dbf03fa8
afcb3369f46ed5dc883a7b92f2dd1e264d79d388 (git) before cf2c2acec1cf456c3d11c11a7589e886a0f963a9
afcb3369f46ed5dc883a7b92f2dd1e264d79d388 (git) before 1a0ddaaf97405dbd11d4cb5a961a3f82400e8a50
afcb3369f46ed5dc883a7b92f2dd1e264d79d388 (git) before 5c5f1f64681cc889d9b13e4a61285e9e029d6ab5
6.1
Any version before 6.1
6.1.159 (semver)
6.6.117 (semver)
6.12.58 (semver)
6.17.8 (semver)
6.18 (original_commit_for_fix)
References
git.kernel.org/...c/fea895de78d3bb2f0c09db9f10b18f8121b15759
git.kernel.org/...c/779f83a91d4f1bf5ddfeaf528420cbb6dbf03fa8
git.kernel.org/...c/cf2c2acec1cf456c3d11c11a7589e886a0f963a9
git.kernel.org/...c/1a0ddaaf97405dbd11d4cb5a961a3f82400e8a50
git.kernel.org/...c/5c5f1f64681cc889d9b13e4a61285e9e029d6ab5
