Vigil@nce - Linux kernel: information disclosure via Bluetooth HIDP
February 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
When the Linux kernel is compiled with the Bluetooth HIDP support,
a local attacker can use the HIDPCONNADD ioctl in order to obtain
a memory fragment.
– Impacted products: Linux
– Severity: 1/4
– Creation date: 22/02/2013
DESCRIPTION OF THE VULNERABILITY
The Linux kernel can be compiled with the support of Bluetooth
(HCONFIG_BT) and HIDP (CONFIG_BT_HIDP) (Human Interface Device
Protocol).
The HIDPCONNADD ioctl adds a connection. The hidp_setup_hid()
function of the net/bluetooth/hidp/core.c file configures it.
However, if the requested device name contains more than 128
not-null characters, it copies data located after, until it finds
a null (’\0’) character.
When the Linux kernel is compiled with the Bluetooth HIDP support,
a local attacker can therefore use the HIDPCONNADD ioctl in order
to obtain a memory fragment.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-information-disclosure-via-Bluetooth-HIDP-12454