Vigil@nce: Linux kernel, memory corruption via Bluetooth
March 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A local attacker can create several Bluetooth sockets, in order to
generate a denial of service, or possibly to execute code.
– Severity: 2/4
– Creation date: 23/03/2010
DESCRIPTION OF THE VULNERABILITY
The Linux kernel implements several protocols used by Bluetooth:
– L2CAP (Logical Link Control and Adaptation Protocol): adaptation of
application data (segmentation)
– RFCOMM: RS-232-compatible serial port emulation
– SCO (Synchronous Connection Oriented): voice
Information on open sockets is exposed via sysfs (/sys) by the
following functions:
– l2cap_sysfs_show()
– rfcomm_dlc_sysfs_show()
– rfcomm_sock_sysfs_show()
– sco_sysfs_show()
These functions write their output into a single memory page of size
PAGE_SIZE, and each socket consumes a few bytes of it. However, they
do not check whether the end of the page has been reached, which
happens when enough sockets are open. The kernel then writes past the
end of the page.
A local attacker can therefore create several Bluetooth sockets,
in order to generate a denial of service, or possibly to execute
code.
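To make the defect concrete, here is an added userland model in C (not kernel code and not from the bulletin or from Vigil@nce): a show()-style routine that formats one line per socket into a page buffer, first in the unchecked form described above, then with the bound check a fix needs. The socket fields, the addresses and the 64-byte page size are constructed for the model.

```c
#include <stdio.h>
#include <string.h>

/* Model of a sysfs show() buffer. The kernel hands show() one page (PAGE_SIZE,
 * 4096 bytes on x86); a small constant here reaches the overflow condition fast. */
#define MODEL_PAGE_SIZE 64

struct model_sock { const char *src, *dst; int psm, state; }; /* constructed stand-in */

#define S(p) { "00:11:22:33:44:55", "AA:BB:CC:DD:EE:FF", (p), 1 }
static const struct model_sock sample_socks[] = { S(1), S(2), S(3), S(4), S(5), S(6), S(7), S(8) };
#define N_SOCKS (sizeof sample_socks / sizeof sample_socks[0])

/* Mirrors the defect: output is sized only by the number of sockets, never by
 * the page. This variant only COUNTS the bytes such code would emit, so the
 * model itself does not corrupt memory; anything above MODEL_PAGE_SIZE is the overflow. */
size_t unchecked_show_len(const struct model_sock *s, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += (size_t)snprintf(NULL, 0, "%s %s %d %d\n",
                                  s[i].src, s[i].dst, s[i].psm, s[i].state);
    return total;
}

/* Hardened form: every write is bounded by the space left in the page, and an
 * entry that does not fit is dropped and the loop stops (truncated = 1). */
size_t bounded_show(char *buf, size_t page, const struct model_sock *s,
                    size_t n, int *truncated)
{
    size_t used = 0;
    *truncated = 0;
    for (size_t i = 0; i < n; i++) {
        int w = snprintf(buf + used, page - used, "%s %s %d %d\n",
                         s[i].src, s[i].dst, s[i].psm, s[i].state);
        if (w < 0 || (size_t)w >= page - used) {
            buf[used] = '\0';   /* discard the partial entry snprintf left behind */
            *truncated = 1;
            break;
        }
        used += (size_t)w;
    }
    return used;
}

static char model_page[MODEL_PAGE_SIZE];   /* the "page" handed to the bounded show() */
size_t bounded_demo_len(void) { int t; return bounded_show(model_page, sizeof model_page, sample_socks, N_SOCKS, &t); }
int bounded_demo_truncated(void) { int t; bounded_show(model_page, sizeof model_page, sample_socks, N_SOCKS, &t); return t; }
```

With eight 40-byte entries the unchecked variant would emit 320 bytes into a 64-byte page, while the bounded variant stops after the first entry and reports truncation.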
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-memory-corruption-via-Bluetooth-9529