
BT:Classic: Multiple missing buf length checks

High
ceolin published GHSA-2mp4-4g6f-cqcx Sep 13, 2024

Package

zephyr (zephyr)

Affected versions

<=3.6

Patched versions

None

Description

Summary

Missing validation of the length of peer-supplied input in two BT Classic (BR/EDR) handlers:

l2cap_br_info_rsp in subsys/bluetooth/host/l2cap_br.c
sdp_client_receive in subsys/bluetooth/host/sdp.c.

Details

These are similar to previously reported bugs of the same class.

There is no length validation of the type-specific data in l2cap_br_info_rsp or of the response parameters in sdp_client_receive.

In l2cap_br_info_rsp, the 4-byte header (struct bt_l2cap_info_rsp) is length-checked, but the data that follows it is not: either net_buf_pull_le32(buf) (for BT_L2CAP_INFO_FEAT_MASK) or net_buf_pull_u8(buf) (for the fixed-channel case) is called without checking that enough bytes remain.

// l2cap_br_info_rsp

    ...
	rsp = net_buf_pull_mem(buf, sizeof(*rsp)); /* buf->len >= sizeof(*rsp) is checked before this point */
	result = sys_le16_to_cpu(rsp->result);
	if (result != BT_L2CAP_INFO_SUCCESS) {
		LOG_WRN("Result unsuccessful");
		err = -EINVAL;
		goto done;
	}

	type = sys_le16_to_cpu(rsp->type);

	switch (type) {
	case BT_L2CAP_INFO_FEAT_MASK:
		l2cap->info_feat_mask = net_buf_pull_le32(buf); /* no check that 4 bytes remain after the header */
		LOG_DBG("remote info mask 0x%08x", l2cap->info_feat_mask);

		if (!(l2cap->info_feat_mask & L2CAP_FEAT_FIXED_CHAN_MASK)) {
			break;
		}
    ...

In sdp_client_receive, the header is length-checked and buf->len is compared with param_len, but net_buf_pull_be16(buf) is then called without checking that two bytes actually remain.

// sdp_client_receive

    ...
	len = sys_be16_to_cpu(hdr->param_len);
	tid = sys_be16_to_cpu(hdr->tid);

	LOG_DBG("SDP PDU tid %u len %u", tid, len);

	if (buf->len != len) {
		LOG_ERR("SDP PDU length mismatch (%u != %u)", buf->len, len);
		return 0;
	}

	if (tid != session->tid) {
		LOG_ERR("Mismatch transaction ID value in SDP PDU");
		return 0;
	}

	switch (hdr->op_code) {
	case BT_SDP_SVC_SEARCH_ATTR_RSP:
		/* Get number of attributes in this frame. */
		frame_len = net_buf_pull_be16(buf); /* no check that 2 bytes remain; param_len of 0 or 1 passes the check above */
    ...

Both unchecked pulls read past the end of the received data in the heap-allocated net_buf (a heap buffer overflow in the sense of an out-of-bounds read); because buf->len is unsigned, the pull also wraps it, so any further parsing trusts a bogus remaining length.

PoC

  • l2cap_br_info_rsp

Set the size of buf to at least 4 bytes (sizeof(struct bt_l2cap_info_rsp), enough to pass the header length check) but less than 8, so that fewer than 4 bytes follow the header.

Set the type field of rsp to BT_L2CAP_INFO_FEAT_MASK (0x0002) and the result field to BT_L2CAP_INFO_SUCCESS, so that net_buf_pull_le32(buf) is reached and reads past the end of the buffer.

  • sdp_client_receive

Set the op_code field of bt_sdp_hdr to BT_SDP_SVC_SEARCH_ATTR_RSP (0x07) and tid to the session's current transaction ID.

Set the param_len field of bt_sdp_hdr to 0 or 1 and send exactly that many parameter bytes, so that the buf->len != len check passes while fewer than 2 bytes remain for net_buf_pull_be16(buf).
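The two PoC recipes above, worked end to end as an added example (this is not Zephyr code, the reporter's PoC, or the diff in #74283/#77966): a minimal stand-in for net_buf (struct mbuf and the mbuf_pull_* helpers, assumed here to mirror net_buf_pull_*() in not checking the remaining length, which is what makes a short frame dangerous) feeds the constructed frames from the PoC section into the pre-patch parsing flow of l2cap_br_info_rsp and sdp_client_receive, and into a hardened variant that checks the remaining length before each pull. The constants BT_L2CAP_INFO_SUCCESS, BT_L2CAP_INFO_FEAT_MASK and BT_SDP_SVC_SEARCH_ATTR_RSP and the header layouts follow the Core Specification; the names l2cap_info_rsp_parse, sdp_rsp_parse, demo_short_frames and demo_valid_info_rsp are this example's own.

```c
/* Added example, not Zephyr source: a small model of the net_buf pull helpers
 * and of the two parsers from the advisory, with and without the missing
 * remaining-length checks. All frames below are constructed for illustration. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BT_L2CAP_INFO_SUCCESS      0x0000
#define BT_L2CAP_INFO_FEAT_MASK    0x0002
#define BT_SDP_SVC_SEARCH_ATTR_RSP 0x07

/* Modelled on struct net_buf_simple: a data cursor and the remaining length. */
struct mbuf { uint8_t *data; uint16_t len; };

/* Like net_buf_pull(): no check, so over-pulling reads past the data and wraps len. */
static uint8_t *mbuf_pull(struct mbuf *b, size_t n)
{
	uint8_t *p = b->data;
	b->data += n;
	b->len -= (uint16_t)n;
	return p;
}
static uint8_t  mbuf_pull_u8(struct mbuf *b)   { return mbuf_pull(b, 1)[0]; }
static uint16_t mbuf_pull_le16(struct mbuf *b) { const uint8_t *p = mbuf_pull(b, 2); return (uint16_t)(p[0] | p[1] << 8); }
static uint16_t mbuf_pull_be16(struct mbuf *b) { const uint8_t *p = mbuf_pull(b, 2); return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t mbuf_pull_le32(struct mbuf *b)
{
	const uint8_t *p = mbuf_pull(b, 4);
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Information Response: struct bt_l2cap_info_rsp { le16 type; le16 result; } then
 * type-specific data. Pre-patch only the header is checked; `hardened` adds the rest. */
int l2cap_info_rsp_parse(struct mbuf *b, bool hardened, uint32_t *feat_mask)
{
	if (b->len < 4)
		return -EINVAL;                          /* present in the original */
	uint16_t type = mbuf_pull_le16(b), result = mbuf_pull_le16(b);
	if (result != BT_L2CAP_INFO_SUCCESS)
		return -EINVAL;
	if (type != BT_L2CAP_INFO_FEAT_MASK)             /* the fixed-channel case, which pulls a u8, needs the same treatment */
		return -EINVAL;
	if (hardened && b->len < sizeof(uint32_t))
		return -EINVAL;                          /* the missing check */
	*feat_mask = mbuf_pull_le32(b);
	return 0;
}

/* SDP PDU: struct bt_sdp_hdr { u8 op_code; be16 tid; be16 param_len; }. The original
 * checks buf->len == param_len and the tid, then pulls a be16 from the parameters. */
int sdp_rsp_parse(struct mbuf *b, bool hardened, uint16_t expect_tid, uint16_t *frame_len)
{
	if (b->len < 5)
		return -EINVAL;
	uint8_t op = mbuf_pull_u8(b);
	uint16_t tid = mbuf_pull_be16(b), len = mbuf_pull_be16(b);
	if (b->len != len || tid != expect_tid || op != BT_SDP_SVC_SEARCH_ATTR_RSP)
		return -EINVAL;
	if (hardened && b->len < sizeof(uint16_t))
		return -EINVAL;                          /* the missing check: param_len 0 or 1 lands here */
	*frame_len = mbuf_pull_be16(b);
	return 0;
}

/* Runs the advisory's two PoC frames through both variants: true when the unchecked
 * parse "succeeds" with a wrapped len (it read past the frame) and the hardened one
 * rejects it. Arrays are padded so the model's over-read stays inside our storage. */
bool demo_short_frames(void)
{
	uint8_t info_rsp[16] = { 0x02, 0x00, 0x00, 0x00 };      /* type=FEAT_MASK, result=SUCCESS, no data */
	uint8_t sdp_rsp[16] = { 0x07, 0x00, 0x01, 0x00, 0x00 }; /* op=0x07, tid=1, param_len=0 */
	uint32_t mask = 0; uint16_t flen = 0;
	struct mbuf b = { info_rsp, 4 };
	bool ok = l2cap_info_rsp_parse(&b, false, &mask) == 0 && b.len > 4;
	b = (struct mbuf){ info_rsp, 4 };
	ok = ok && l2cap_info_rsp_parse(&b, true, &mask) == -EINVAL;
	b = (struct mbuf){ sdp_rsp, 5 };
	ok = ok && sdp_rsp_parse(&b, false, 1, &flen) == 0 && b.len > 5;
	b = (struct mbuf){ sdp_rsp, 5 };
	ok = ok && sdp_rsp_parse(&b, true, 1, &flen) == -EINVAL;
	return ok;
}

/* A well-formed 8-byte response (feature mask 0x80) still passes the hardened
 * parser; returns the parsed mask, or 0 if it was rejected. */
uint32_t demo_valid_info_rsp(void)
{
	uint8_t frame[8] = { 0x02, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00 };
	struct mbuf b = { frame, sizeof(frame) };
	uint32_t mask = 0;
	return l2cap_info_rsp_parse(&b, true, &mask) == 0 ? mask : 0;
}

int main(void)
{
	printf("PoC frames: %s; valid frame mask: 0x%08x\n",
	       demo_short_frames() ? "over-read unchecked, rejected hardened" : "unexpected",
	       demo_valid_info_rsp());
	return 0;
}
```

In a real build the over-read hits whatever follows the net_buf data in the heap pool, and Zephyr's net_buf_pull_*() guard the length only with an assertion that is compiled out of non-debug builds; here the frames are padded so the model's over-read is observable through the wrapped length rather than by crashing. The hardened checks are placed exactly where the advisory's excerpts show the unchecked pulls: after the header has been consumed and before the type- or op_code-specific read.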

Impact

Exploitation can lead to instability (i.e., a crash) or denial of service.

Patches

main: #74283
v3.6: #77966

For more information

If you have any questions or comments about this advisory:

embargo: 2024-09-11

Severity

High

CVSS overall score

7.6 / 10

CVSS v3 base metrics

Attack vector
Adjacent
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
High

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

CVE ID

CVE-2024-6135

Weaknesses

Credits