Vigil@nce - Linux kernel: denial of service via Bluetooth HCI
November 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A local attacker can open a Bluetooth device in order to stop the
system.
Severity: 1/4
Creation date: 22/11/2010
DESCRIPTION OF THE VULNERABILITY
The HCI (Host/Controller Interface) is the standardized interface
between the Bluetooth hardware and the Linux kernel.
The hci_uart_tty_open() function of the drivers/bluetooth/hci_ldisc.c
file opens the HCI device. The hci_uart() function then uses this
device, but does not check whether it is open for writing
(tty->ops->write must not be NULL). A NULL pointer is then
dereferenced.
A local attacker can therefore open a Bluetooth device in order
to stop the system.
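The missing check, shown as an added user-space model (not kernel code and not part of the original bulletin). The struct and function names are hypothetical stand-ins, and the -EOPNOTSUPP and -EFAULT return values are assumptions chosen so the model runs to completion instead of crashing.

```c
#include <errno.h>
#include <stdio.h>

/* Simplified user-space stand-ins for the kernel's tty structures (hypothetical names). */
struct model_tty_ops {
    int (*write)(const unsigned char *buf, int len); /* NULL when the tty cannot be written */
};
struct model_tty {
    const struct model_tty_ops *ops;
    int ldisc_attached;
};

static int uart_write(const unsigned char *buf, int len) { (void)buf; return len; }
static const struct model_tty_ops writable_ops = { .write = uart_write };
static const struct model_tty_ops readonly_ops = { .write = NULL };

/* Open path as the bulletin describes it: attaches without looking at ops->write. */
int ldisc_open_unchecked(struct model_tty *tty)
{
    tty->ldisc_attached = 1;
    return 0;
}

/* Hardened open path: refuse a tty that has no write operation. */
int ldisc_open_checked(struct model_tty *tty)
{
    if (tty->ops == NULL || tty->ops->write == NULL)
        return -EOPNOTSUPP;
    tty->ldisc_attached = 1;
    return 0;
}

/* Transmit path. In the kernel, calling through the NULL write pointer is the crash;
 * the model returns -EFAULT at that point so the effect can be observed safely. */
int ldisc_tx(struct model_tty *tty, const unsigned char *buf, int len)
{
    if (!tty->ldisc_attached)
        return -ENODEV;
    if (tty->ops->write == NULL)
        return -EFAULT; /* stands in for the NULL pointer dereference */
    return tty->ops->write(buf, len);
}

int main(void)
{
    struct model_tty ro = { &readonly_ops, 0 }, rw = { &writable_ops, 0 };
    printf("read-only tty, checked open: %d\n", ldisc_open_checked(&ro));
    printf("writable tty, checked open: %d\n", ldisc_open_checked(&rw));
    return 0;
}
```

Rejecting the device at open time means the transmit path is never reached with a NULL write pointer.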
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-Bluetooth-HCI-10142