[Bug 1102700] [NEW] bluetoothd crash when parsing invalid HIDP SDP record

Anderson Lizardo anderson.lizardo at gmail.com
Tue Jan 22 00:03:18 UTC 2013


Public bug reported:

If a remote Bluetooth device contains HIDP SDP records in a specific
invalid format, it is possible to crash BlueZ with SIGSEGV due to
invalid memory reads, either by buffer overflow due to improper
strncpy() usage or usage of arbitrary input as pointer.

The several patches that address this problem are already upstream and
are present on the 5.1 release. These are the commits (some are cosmetic
but required to avoid conflicts of next patches):

http://git.kernel.org/?p=bluetooth/bluez.git;a=commit;h=21acf2283cacf0c029f2cea82380f4744a1dbcb5
http://git.kernel.org/?p=bluetooth/bluez.git;a=commit;h=df29632772171d5fd0e71c518fc3753adb11d0c0
http://git.kernel.org/?p=bluetooth/bluez.git;a=commit;h=fce691bd0bd08710ffd379025e894bcffaa5acb6
http://git.kernel.org/?p=bluetooth/bluez.git;a=commit;h=90228fc151bac5f19b2d21c18d51ef90f3b0d1b5
http://git.kernel.org/?p=bluetooth/bluez.git;a=commit;h=0f8aca093099d4fc693adc6270b9b0bd02287017
http://git.kernel.org/?p=bluetooth/bluez.git;a=commit;h=ce376961fb3a667ef35360c222bc3928d4657f4b
http://git.kernel.org/?p=bluetooth/bluez.git;a=commit;h=b41a46ef4c2bd9dc30998c6726ab6232a299c8e8
http://git.kernel.org/?p=bluetooth/bluez.git;a=commit;h=0305cfa11a06dea356f699a46da96f7146210466
http://git.kernel.org/?p=bluetooth/bluez.git;a=commit;h=5ba183dc82b4e8a1b3caa58648d6ac02b9325cb6
http://git.kernel.org/?p=bluetooth/bluez.git;a=commit;h=a35f83e113c1c58dd1c6cf8bda2b1bf99d07a695

A patch backported from the above commits to the current BlueZ version
on 12.04.1 LTS is attached. It was tested only on precise, but should
apply just fine on more recent releases. Let me know if you need specific
versions of this patch.

I will also attach a script that reproduces the crash using an emulated
BT dongle. Usage instructions are at
https://github.com/lizardo/bluez-tests/blob/master/README.rst

NOTE: I tried to send a report which includes the crash information
using apport-bug, but it did not seem to create a bug report here after
2 days.

** Affects: bluez (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: patch-accepted-upstream testcase

** Attachment added: "Patch backported from upstream commits"
   https://bugs.launchpad.net/bugs/1102700/+attachment/3493324/+files/12-fix-hid-crash.patch
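
As an added illustration of the two failure classes named in the report (unterminated strncpy() copies and a record value dereferenced as a pointer), not code from the report, the attached patch or BlueZ itself: a simplified SDP string element is copied into a fixed HID name field, with the unsafe pattern beside a hardened form. The struct, constants and sample record are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Minimal stand-in for a decoded SDP data element, constructed for this
 * example; it is not BlueZ's sdp_data_t. */
#define SDP_DTD_UINT8 0x08
#define SDP_DTD_STR   0x25
#define HID_NAME_LEN  128

struct sdp_elem {
	uint8_t dtd;            /* data type descriptor from the record */
	uint32_t unit_size;     /* payload length from the record */
	union { uint8_t uint8; char *str; } val; /* str valid only for SDP_DTD_STR */
};

/* Unsafe pattern: no type check, so a non-string element's bytes get used as a
 * pointer; strncpy() bounded only by the destination reads src until a NUL that
 * SDP strings do not carry, and leaves name unterminated when src >= 128 bytes,
 * so the following strlen() reads past the buffer. Shown for contrast only. */
size_t copy_name_unsafe(char name[HID_NAME_LEN], const struct sdp_elem *e)
{
	strncpy(name, e->val.str, HID_NAME_LEN);
	return strlen(name);
}

/* Hardened form: check the type before dereferencing, bound the copy by both
 * the record length and the destination, always terminate. -1 = rejected. */
static int copy_name_safe(char name[HID_NAME_LEN], const struct sdp_elem *e)
{
	if (e == NULL || e->dtd != SDP_DTD_STR || e->val.str == NULL)
		return -1;
	size_t n = e->unit_size;
	if (n > HID_NAME_LEN - 1)
		n = HID_NAME_LEN - 1;
	memcpy(name, e->val.str, n);
	name[n] = '\0';
	return (int)n;
}

/* Constructed inputs: a 200-byte unterminated name and a non-string element. */
static int run_checks(void)
{
	static char big[200];
	memset(big, 'A', sizeof(big));
	struct sdp_elem s = { .dtd = SDP_DTD_STR, .unit_size = 200, .val.str = big };
	struct sdp_elem u = { .dtd = SDP_DTD_UINT8, .unit_size = 1, .val.uint8 = 0x11 };
	char name[HID_NAME_LEN]; int ok = 0;
	ok += (copy_name_safe(name, &s) == HID_NAME_LEN - 1 && name[HID_NAME_LEN - 1] == '\0');
	ok += (copy_name_safe(name, &u) == -1);
	return ok; /* 2 when both hostile cases are handled */
}
```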

https://bugs.launchpad.net/bugs/1102700