www.infradead.org Git - users/jedix/linux-maple.git/commit

author	Ben Seri <ben@armis.com>
	Fri, 8 Dec 2017 14:14:47 +0000 (15:14 +0100)
committer	Brian Maly <brian.maly@oracle.com>
	Mon, 21 May 2018 19:17:44 +0000 (15:17 -0400)
commit	2924f138a36056979a102575a44c5093e3f6b208
tree	f94a9f10a6f45b90de6aca200490f4506350cf76	tree
parent	6adae5f12510b859a3ac88333515bacb5bbd8408	commit \| diff

Bluetooth: Prevent stack info leak from the EFS element.

Orabug: 28030514
CVE: CVE-2017-1000410

In the function l2cap_parse_conf_rsp and in the function
l2cap_parse_conf_req the following variable is declared without
initialization:

struct l2cap_conf_efs efs;

In addition, when parsing input configuration parameters in both of
these functions, the switch case for handling EFS elements may skip the
memcpy call that will write to the efs variable:

...
case L2CAP_CONF_EFS:
if (olen == sizeof(efs))
memcpy(&efs, (void *)val, olen);
...

The olen in the above if is attacker controlled, and regardless of that
if, in both of these functions the efs variable would eventually be
added to the outgoing configuration request that is being built:

l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs), (unsigned long) &efs);

So by sending a configuration request, or response, that contains an
L2CAP_CONF_EFS element, but with an element length that is not
sizeof(efs) - the memcpy to the uninitialized efs variable can be
avoided, and the uninitialized variable would be returned to the
attacker (16 bytes).

This issue has been assigned CVE-2017-1000410

Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Gustavo Padovan <gustavo@padovan.org>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Ben Seri <ben@armis.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 06e7e776ca4d36547e503279aeff996cbb292c16)
Signed-off-by: Brian Maly <brian.maly@oracle.com>