Vigil@nce: Linux kernel, memory reading via bluetooth sco
March 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A local attacker can query a Bluetooth SCO socket with getsockopt() in
order to read one byte of kernel memory.
– Severity: 1/4
– Creation date: 01/03/2011
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The net/bluetooth/sco.c file implements the support of Bluetooth
SCO (Synchronous Connection Oriented) used for voice.
The getsockopt() system call returns information about a socket to the
user. The sco_sock_getsockopt_old() function builds this information for
Bluetooth SCO sockets.
However, sco_sock_getsockopt_old() does not initialize one byte of the
sco_conninfo structure before that structure is copied to user space.
A local attacker can therefore query a Bluetooth SCO socket in order to
read one byte of kernel memory (whatever value that byte held on the
kernel stack before the call).
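The following user-space C program is an added illustration of the bug
class described above; it is not code from the Linux kernel or from the
Vigil@nce bulletin. It models a small connection-info structure whose
layout (a 16-bit handle followed by three bytes, padded to 6 bytes on
common ABIs) is an assumption, pre-fills the stack slot with a marker
byte standing in for stale kernel data, and shows that assigning the
fields one by one leaves the padding byte unset, while zeroing the whole
object first (the usual memset() fix) does not. The struct names,
the demo_conn state and the copy_to_user() stand-in are all
hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for a kernel option-info structure (assumed
 * shape: 16-bit handle, then a 3-byte device class; on x86_64/aarch64
 * this is padded to 6 bytes, so one byte is never written by field
 * assignments). */
struct conninfo_demo {
    uint16_t hci_handle;
    uint8_t  dev_class[3];
};

/* Marker standing in for whatever stale data the kernel stack held. */
#define STALE_BYTE 0xAA

/* The struct overlaid on a raw byte view of the same stack slot, so the
 * example can pre-fill the slot and inspect every byte afterwards. */
union stack_slot {
    struct conninfo_demo ci;
    uint8_t raw[sizeof(struct conninfo_demo)];
};

/* Hypothetical connection state that the option handler reports on. */
struct demo_conn {
    uint16_t handle;
    uint8_t  dev_class[3];
};

/* Vulnerable pattern: assign the fields one by one, then copy
 * sizeof(cinfo) bytes out. The padding byte still holds the stale
 * stack contents and is returned to the caller. */
static void getsockopt_vulnerable(const struct demo_conn *conn, uint8_t *user_out)
{
    union stack_slot slot;
    memset(slot.raw, STALE_BYTE, sizeof slot.raw);   /* simulate stale stack */

    slot.ci.hci_handle = conn->handle;
    memcpy(slot.ci.dev_class, conn->dev_class, sizeof slot.ci.dev_class);

    memcpy(user_out, slot.raw, sizeof slot.raw);      /* stands in for copy_to_user() */
}

/* Hardened pattern: zero the whole object before filling it, so every
 * byte that reaches user space has a defined value. */
static void getsockopt_fixed(const struct demo_conn *conn, uint8_t *user_out)
{
    union stack_slot slot;
    memset(slot.raw, STALE_BYTE, sizeof slot.raw);   /* same simulated stack */

    memset(&slot.ci, 0, sizeof slot.ci);              /* the fix */
    slot.ci.hci_handle = conn->handle;
    memcpy(slot.ci.dev_class, conn->dev_class, sizeof slot.ci.dev_class);

    memcpy(user_out, slot.raw, sizeof slot.raw);
}

/* Run one handler and count how many bytes of the "user" buffer still
 * carry the stale marker, i.e. how many bytes of stack were leaked. */
size_t count_leaked_bytes(void (*handler)(const struct demo_conn *, uint8_t *))
{
    /* Constructed sample connection; no byte equals STALE_BYTE. */
    static const struct demo_conn conn = { 0x0042, { 0x24, 0x04, 0x00 } };
    uint8_t user_buf[sizeof(struct conninfo_demo)];
    size_t leaked = 0;

    handler(&conn, user_buf);
    for (size_t i = 0; i < sizeof user_buf; i++)
        if (user_buf[i] == STALE_BYTE)
            leaked++;
    return leaked;
}

size_t leaked_vulnerable(void) { return count_leaked_bytes(getsockopt_vulnerable); }
size_t leaked_fixed(void)      { return count_leaked_bytes(getsockopt_fixed); }

int main(void)
{
    printf("vulnerable handler leaks %zu stale byte(s)\n", leaked_vulnerable());
    printf("fixed handler leaks %zu stale byte(s)\n", leaked_fixed());
    return 0;
}
```

The same check generalises to any kernel structure copied to user space
with a fixed sizeof(): either zero it with memset() before filling it, or
initialise it with a designated initializer, and review every field
assignment against the struct layout for holes the assignments do not
cover.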
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-memory-reading-via-bluetooth-sco-10408