Allele Security Alert
Heap address information leak while using L2CAP_GET_CONF_OPT
The Linux foundation
Linux kernel since 2.6.12-rc2
Proof of concept
A flaw was found in the Linux kernels implementation of Logical link control and adaptation protocol (L2CAP), part of the bluetooth stack.
An attacker with physical access within the range of standard bluetooth transmission can create a specially crafted packet. The response to this specially crafted packet can contain part of the kernel stack which can be used in a further attack.
In the function l2cap_get_conf_opt() in l2cap_core.c, which is used to parse configuration elements during an L2cap connection negotiation process there is a dual use for the output parameter ‘val’. If the length of the data is 1, 2 or 4, then the returned value is a value copied from an input buffer (received over BT) and returned by value. If the length is different, the value is returned as a pointer to the buffer by reference. The buffer is from a kernel SKB. Since the length is taken from the same buffer and the buffer is received via BT, the attacker controls whether the val is returned as a pointer or as a value. The val is later used as a value or as a pointer depending on a different field called ‘type’, which is attacker controlled and taken from the same buffer. The ‘val’ output parameter is assumed to match the ‘type’ and is either used by reference or by value accordingly. This assumption is where the bug is. An attacker can send a response where the type is MTU (which uses 2 bytes from ‘val’ by-value), and the length is 3, and so the returned MTU will actually be comprised of the 2 lower bytes of the pointer to the buffer, which will be leaked to the attacker. It is a form of type confusion without having a sophisticated type system.
Shlomi Oberman, Yuli Shapiro and Karamba Security Ltd. research team
Linux kernel: Bluetooth: two remote infoleaks (CVE-2019-3459, CVE-2019-3460)
[PATCH 1/2] Bluetooth: check message types in l2cap_get_conf_opt
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 15, 2019