CVE CyberSecurity Database News

CVE-2024-35933 - Easy Guide to the Linux Kernel Bluetooth Null Pointer Dereference Vulnerability

Poster -

If you use Linux and Bluetooth, there’s a new security vulnerability you need to know about: CVE-2024-35933. This long-read post breaks down what the bug is, what causes it, how attackers might exploit it, how it got patched, and what you should do. Let’s dig in.

Severity: Medium (can cause denial of service)

- Fixed in: Linux kernel commit 6ca943d66c41
- References: Debian Security Tracker, kernel patch discussion

What Is CVE-2024-35933?

This is a bug in how the Linux kernel’s Intel Bluetooth driver handles certain Bluetooth commands. If bad data triggers an error in the kernel, it can cause the driver to access memory that hasn’t been set up—this is called a null pointer dereference.

If the driver does this, your system can crash, giving an attacker a way to trigger a denial of service (DoS).

Let’s get technical, but keep it simple.

The dangerous code lives in the file drivers/bluetooth/btintel.c. When Linux tries to read version info from an Intel Bluetooth chip, it calls a function named btintel_read_version().

Internally, this function waits for a response from the Bluetooth device. It does this using a sync command.

Here’s a simplified version of the problematic code

// This runs inside btintel_read_version():
skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION, , NULL, HCI_INIT_TIMEOUT);
if (IS_ERR(skb)) {
    return PTR_ERR(skb);
}
version = skb_pull(skb, sizeof(*version));

Here, skb should point to the received response. But under some error conditions, skb can be NULL. The code is supposed to check for this, but fails to do so.

If you try to use skb when it's NULL, the kernel crashes. No warning, no recovery—just a crash.

The underlying issue is with how the function hci_cmd_sync_complete() can leave behind a NULL pointer in the Bluetooth device’s request buffer (hdev->req_skb), especially when there's no response or there's an error.

How Can It Be Exploited?

This is NOT a remote code execution bug, but it can be triggered by anyone or anything that can make Linux try to use Bluetooth when an error might happen—like plugging or unplugging certain Bluetooth dongles, buggy firmware, or even a malicious Bluetooth device.

A crafted device or sequence of unexpected Bluetooth HCI events could cause the response to be missing, which results in a null pointer being dereferenced and the system crashing.

Exploit Demonstration

Below is a simple example of how someone might attempt to trigger the bug, if the kernel isn’t patched:

import os

def crash_bt_stack():
    # This script simply disables and re-enables Bluetooth rapidly
    # to increase the chance of hitting race conditions in driver error handling.
    # It could be more sophisticated with a custom dongle or firmware.
    os.system('rfkill block bluetooth')
    os.system('rfkill unblock bluetooth')

for i in range(100):
    crash_bt_stack()

Advanced scenarios could involve a USB fuzzing tool that emulates a flaky Bluetooth device, causing the Intel driver to get stuck.

The Patch (How It Was Fixed)

Thankfully, the Linux maintainers fixed this issue. Now, the function checks that the response (skb) is actually there—if it's not, it won’t try to access the invalid memory.

Key part of the patch

if (!skb)
    return -ENODATA;

This change ensures that, if the return value is NULL, the function exits gracefully rather than causing a kernel panic.

Full patch and discussion:
* View patch on kernel.org
* Mailing list discussion

Is Your System Affected?

- If you use Intel Bluetooth adapters and have a Linux kernel before June 2024, you are probably affected.

What Can You Do?

1. Check your kernel version.
uname -r

2. Update your Linux kernel.
If your distro hasn’t patched yet, check back soon or report the bug for urgency!

3. As a workaround:

If you are worried, you can temporarily disable Bluetooth on sensitive systems

sudo systemctl stop bluetooth
sudo systemctl disable bluetooth

Summary Table

| Item | Details |
|-----------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Vulnerability | CVE-2024-35933 |
| Affects | Intel Bluetooth chipsets, Linux kernel before 6ca943d66c41 |
| Impact | Kernel crash (denial of service) |
| Exploitability | Local or sometimes remote (if attacker tricks system into using a bad HCI device) |
| Fixed in | Linux kernel, June 2024 |
| Fix | Check for NULL before dereferencing pointers; handle error correctly |
| References | Debian Tracker, Patch |

References

1. Debian CVE Tracker - CVE-2024-35933
2. Kernel patch commit
3. Linux Bluetooth Mailing List Discussion

Timeline

Published on: 05/19/2024 11:15:49 UTC
Last modified on: 12/30/2024 19:51:27 UTC