APPLIED/cmnt: [Trusty] [PATCH 1/2] Bluetooth: Prevent stack info leak from the EFS element.

Kleber Souza kleber.souza at canonical.com
Tue Mar 12 11:37:22 UTC 2019


On 2/19/19 1:27 PM, Kai-Heng Feng wrote:
> From: Ben Seri <ben at armis.com>
>
> In the function l2cap_parse_conf_rsp and in the function
> l2cap_parse_conf_req the following variable is declared without
> initialization:
>
> struct l2cap_conf_efs efs;
>
> In addition, when parsing input configuration parameters in both of
> these functions, the switch case for handling EFS elements may skip the
> memcpy call that will write to the efs variable:
>
> ...
> case L2CAP_CONF_EFS:
> if (olen == sizeof(efs))
> memcpy(&efs, (void *)val, olen);
> ...
>
> The olen in the above if is attacker controlled, and regardless of that
> if, in both of these functions the efs variable would eventually be
> added to the outgoing configuration request that is being built:
>
> l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs), (unsigned long) &efs);
>
> So by sending a configuration request, or response, that contains an
> L2CAP_CONF_EFS element, but with an element length that is not
> sizeof(efs) - the memcpy to the uninitialized efs variable can be
> avoided, and the uninitialized variable would be returned to the
> attacker (16 bytes).
>
> This issue has been assigned CVE-2017-1000410
>
> CVE-2019-3460


Applied to trusty/master-next branch, changing the above line to:

CVE-2017-1000410

Thanks,
Kleber

>
> Cc: Marcel Holtmann <marcel at holtmann.org>
> Cc: Gustavo Padovan <gustavo at padovan.org>
> Cc: Johan Hedberg <johan.hedberg at gmail.com>
> Cc: stable <stable at vger.kernel.org>
> Signed-off-by: Ben Seri <ben at armis.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
> (cherry picked from commit 06e7e776ca4d36547e503279aeff996cbb292c16)
> Signed-off-by: Kai-Heng Feng <kai.heng.feng at canonical.com>
> ---
>  net/bluetooth/l2cap_core.c | 20 +++++++++++---------
>  1 file changed, 11 insertions(+), 9 deletions(-)
>
> diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
> index 5eb3b2b55f2e..61d0f290c0c6 100644
> --- a/net/bluetooth/l2cap_core.c
> +++ b/net/bluetooth/l2cap_core.c
> @@ -3305,9 +3305,10 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data
>  			break;
>  
>  		case L2CAP_CONF_EFS:
> -			remote_efs = 1;
> -			if (olen == sizeof(efs))
> +			if (olen == sizeof(efs)) {
> +				remote_efs = 1;
>  				memcpy(&efs, (void *) val, olen);
> +			}
>  			break;
>  
>  		case L2CAP_CONF_EWS:
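Review bot: with `remote_efs = 1` now set only inside the `if (olen == sizeof(efs))` branch, an EFS element of the wrong length is silently ignored rather than rejected, and `efs` itself is still left uninitialized at its declaration (the commit message quotes `struct l2cap_conf_efs efs;`). Consider also zero-initializing it, e.g. `struct l2cap_conf_efs efs = { 0 };`, so that any later path that reads `efs` without checking `remote_efs` cannot echo stale stack bytes, and say in the commit message whether ignoring a malformed-length option (instead of failing the request) is the intended behaviour.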
> @@ -3526,16 +3527,17 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
>  			break;
>  
>  		case L2CAP_CONF_EFS:
> -			if (olen == sizeof(efs))
> +			if (olen == sizeof(efs)) {
>  				memcpy(&efs, (void *)val, olen);
>  
> -			if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
> -			    efs.stype != L2CAP_SERV_NOTRAFIC &&
> -			    efs.stype != chan->local_stype)
> -				return -ECONNREFUSED;
> +				if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
> +				    efs.stype != L2CAP_SERV_NOTRAFIC &&
> +				    efs.stype != chan->local_stype)
> +					return -ECONNREFUSED;
>  
> -			l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
> -					   (unsigned long) &efs, endptr - ptr);
> +				l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
> +						   (unsigned long) &efs, endptr - ptr);
> +			}
>  			break;
>  
>  		case L2CAP_CONF_FCS:
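Review bot: moving the stype comparison and the `l2cap_add_conf_opt` call inside the `if (olen == sizeof(efs)) {` block means a wrong-length EFS element now skips the `-ECONNREFUSED` check entirely and produces no EFS reply, whereas previously it was still compared against `chan->local_stype`; the commit message should state that dropping a malformed option is the intended outcome. As in the req hunk, `efs` remains uninitialized at its declaration, so a `= { 0 }` initializer would be a cheap second line of defence should the echo ever move back outside the length check.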

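As an added illustration of the bug class the commit message describes and of the gating the patch applies (example code written for this page, not the kernel's or the patch author's), the following C models the EFS length check against a simulated stale stack slot; the struct layout, STALE_BYTE, parse_efs_option and count_stale_bytes are assumptions for the demo, not kernel identifiers.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed layout of the 16-byte L2CAP EFS option body (no padding). */
struct efs_opt {
    uint8_t  id;
    uint8_t  stype;
    uint16_t msdu;
    uint32_t sdu_itime;
    uint32_t acc_lat;
    uint32_t flush_to;
};

/* Stand-in for stale stack contents. In the kernel the slot holds whatever
 * an earlier call left there; a fixed pattern keeps this demo deterministic. */
#define STALE_BYTE 0xAA

/* Handle one EFS option of length olen and append the echoed EFS element to
 * out. Returns the number of bytes appended.
 * hardened == 0 reproduces the pre-patch flow: efs is echoed whether or not
 * the memcpy ran. hardened != 0 applies the patch's gating on olen. */
size_t parse_efs_option(const uint8_t *val, size_t olen, int hardened,
                        uint8_t *out)
{
    struct efs_opt efs;
    int matched = 0;
    memset(&efs, STALE_BYTE, sizeof(efs)); /* simulated uninitialized stack */

    if (olen == sizeof(efs)) {
        memcpy(&efs, val, olen);
        matched = 1;
    }
    if (hardened && !matched)
        return 0; /* wrong length: nothing copied, so nothing is echoed */

    memcpy(out, &efs, sizeof(efs));
    return sizeof(efs);
}

/* Count echoed bytes that still carry the stale pattern, i.e. bytes that
 * were never written from the peer's input. */
size_t count_stale_bytes(const uint8_t *out, size_t n)
{
    size_t stale = 0;
    for (size_t i = 0; i < n; i++)
        if (out[i] == STALE_BYTE)
            stale++;
    return stale;
}
```

With a 15-byte element the unpatched path still emits all 16 stale bytes, while the patched path emits nothing; a correctly sized element is echoed identically by both.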