
BT: Classic: SDP OOB access in get_att_search_list

High
ceolin published GHSA-pm38-7g85-cf4f Sep 13, 2024

Package

zephyr (zephyr)

Affected versions

<=3.6

Patched versions

None

Description

Summary

An out-of-bounds write in get_att_search_list in subsys/bluetooth/host/sdp.c can overflow a fixed-size array on the caller's stack.

Details

There is no limit on the number of data_elem entries parsed from the attribute ID list, so once the capacity of filter is reached every further element is written out of bounds.

	...
	while (size) {
		res = parse_data_elem(buf, &data_elem);
		if (res) {
			return res;
		}

		if ((data_elem.type & BT_SDP_TYPE_DESC_MASK) != BT_SDP_UINT8) {
			LOG_WRN("Invalid type %u in attribute ID list", data_elem.type);
			return BT_SDP_INVALID_SYNTAX;
		}

		if (buf->len < data_elem.data_size) {
			LOG_WRN("Malformed packet");
			return BT_SDP_INVALID_SYNTAX;
		}

		/* This is an attribute ID */
		if (data_elem.data_size == 2U) {

			/* Out-of-bounds write */
			filter[(*num_filters)++] = 0xffff0000 |
							net_buf_pull_be16(buf);
		}
	...

get_att_search_list is called by sdp_svc_att_req and by sdp_svc_search_att_req. Both callers pass a stack-allocated filter array of MAX_NUM_ATT_ID_FILTER entries.

...
static uint16_t sdp_svc_search_att_req(struct bt_sdp *sdp, struct net_buf *buf,
				    uint16_t tid)
{
	uint32_t filter[MAX_NUM_ATT_ID_FILTER];
	...

	res = get_att_search_list(buf, filter, &num_filters);

Thus, if the request carries more than MAX_NUM_ATT_ID_FILTER attribute IDs, the writes run past the end of filter and corrupt the caller's stack frame.

PoC

MAX_NUM_ATT_ID_FILTER is defined as 10, so the attribute ID list must contain more than 10 elements to overflow filter.

To increment num_filters, the data_size of a data_elem must be 2 (a 16-bit attribute ID) or 4 (a 32-bit attribute ID range). The header byte of an SDP data element carries the type descriptor in its upper five bits and a size index in its lower three, and parse_data_elem derives data_size as 1 << size_index for unsigned integers, so a two-byte element is encoded as 09 ff ff (type descriptor 1 = unsigned integer, size index 1 = two bytes); a header of 08 would select a one-byte value, which does not increment num_filters.
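The following is an added example, not Zephyr's code and not the upstream fix, that models the loop above in C: a minimal stand-in for net_buf and parse_data_elem, the attribute-ID-list loop with the bound check that versions <=3.6 lack, and a builder for the PoC payload (n copies of 09 ff ff inside a 0x35 sequence). The Zephyr-named constants carry Zephyr's values; the buf, pull_u8, pull_be, build_att_id_list, run_poc, parse_poc and unchecked_write_count helpers, and the choice to return BT_SDP_INVALID_SYNTAX when the list is too long, are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constants with the values Zephyr uses in its SDP code. */
#define BT_SDP_TYPE_DESC_MASK 0xf8
#define BT_SDP_SIZE_DESC_MASK 0x07
#define BT_SDP_UINT8          0x08 /* type descriptor 1 (unsigned int), size index 0 */
#define BT_SDP_UINT16         0x09 /* size index 1: two bytes */
#define BT_SDP_SEQ8           0x35 /* data element sequence with a one-byte length */
#define BT_SDP_INVALID_SYNTAX 0x0003
#define MAX_NUM_ATT_ID_FILTER 10

/* Stand-in for struct net_buf (assumption of this example): a read cursor. */
struct buf {
	const uint8_t *data;
	size_t len;
};

static uint8_t pull_u8(struct buf *b)
{
	uint8_t v = b->data[0];
	b->data += 1;
	b->len -= 1;
	return v;
}

static uint32_t pull_be(struct buf *b, size_t n) /* big-endian, n <= 4 */
{
	uint32_t v = 0;
	for (size_t i = 0; i < n; i++) {
		v = (v << 8) | pull_u8(b);
	}
	return v;
}

/* Simplified parse_data_elem: header byte -> data size for unsigned integers.
 * Size index i selects 1 << i bytes, so 0x08 = 1 byte, 0x09 = 2 bytes, 0x0a = 4. */
static uint16_t parse_uint_elem(struct buf *b, uint32_t *data_size)
{
	if (b->len < 1) {
		return BT_SDP_INVALID_SYNTAX;
	}
	uint8_t type = pull_u8(b);
	if ((type & BT_SDP_TYPE_DESC_MASK) != BT_SDP_UINT8) {
		return BT_SDP_INVALID_SYNTAX;
	}
	*data_size = 1u << (type & BT_SDP_SIZE_DESC_MASK);
	return 0;
}

/* Attribute-ID-list loop with a capacity check. cap is the number of slots in
 * filter; with a cap larger than the list it behaves like the unpatched loop. */
static uint16_t get_att_search_list(struct buf *b, uint32_t *filter, size_t cap, size_t *num_filters)
{
	*num_filters = 0;
	if (b->len < 2 || pull_u8(b) != BT_SDP_SEQ8) {
		return BT_SDP_INVALID_SYNTAX;
	}
	size_t size = pull_u8(b); /* bytes left in the sequence */
	if (size > b->len) {
		return BT_SDP_INVALID_SYNTAX;
	}
	while (size) {
		uint32_t data_size;
		uint16_t res = parse_uint_elem(b, &data_size);
		if (res) {
			return res;
		}
		if (b->len < data_size || size < 1 + data_size) {
			return BT_SDP_INVALID_SYNTAX; /* element runs past the sequence */
		}
		if (data_size != 2U && data_size != 4U) {
			return BT_SDP_INVALID_SYNTAX; /* attribute ID or ID range only */
		}
		if (*num_filters >= cap) {
			return BT_SDP_INVALID_SYNTAX; /* the check missing in <=3.6 */
		}
		/* 16-bit ID tagged with 0xffff0000, 32-bit value is an ID range. */
		filter[(*num_filters)++] = (data_size == 2U) ? (0xffff0000 | pull_be(b, 2)) : pull_be(b, 4);
		size -= 1 + data_size;
	}
	return 0;
}

/* Constructed PoC payload: a sequence of n two-byte IDs, each 09 ff ff. Returns its length. */
static size_t build_att_id_list(uint8_t *out, size_t out_len, size_t n)
{
	size_t body = 3 * n;
	if (body > 0xff || out_len < 2 + body) {
		return 0;
	}
	out[0] = BT_SDP_SEQ8;
	out[1] = (uint8_t)body;
	for (size_t i = 0; i < n; i++) {
		out[2 + 3 * i] = BT_SDP_UINT16;
		out[3 + 3 * i] = 0xff;
		out[4 + 3 * i] = 0xff;
	}
	return 2 + body;
}

/* Parses an n-ID list into filter (cap slots); returns num_filters, result in *res. */
static size_t run_poc(size_t n, uint32_t *filter, size_t cap, uint16_t *res)
{
	uint8_t payload[256];
	size_t num_filters;
	struct buf b = { payload, build_att_id_list(payload, sizeof(payload), n) };
	*res = get_att_search_list(&b, filter, cap, &num_filters);
	return num_filters;
}

/* Result code when the checked loop parses n IDs into a MAX_NUM_ATT_ID_FILTER-slot array. */
static uint16_t parse_poc(size_t n)
{
	uint32_t filter[MAX_NUM_ATT_ID_FILTER];
	uint16_t res;
	run_poc(n, filter, MAX_NUM_ATT_ID_FILTER, &res);
	return res;
}

/* Slots the unpatched loop would write for n IDs (oversized scratch, so no real overflow). */
static size_t unchecked_write_count(size_t n)
{
	uint32_t scratch[128];
	uint16_t res;
	size_t count = run_poc(n, scratch, 128, &res);
	return res ? 0 : count;
}

int main(void)
{
	printf("10 IDs: res=%u\n", (unsigned)parse_poc(10));
	printf("11 IDs: res=%u (rejected before the 11th write)\n", (unsigned)parse_poc(11));
	printf("unpatched loop writes %zu slots into a %d-slot array\n",
	       unchecked_write_count(11), MAX_NUM_ATT_ID_FILTER);
	return 0;
}
```

Ten IDs are accepted; the eleventh is refused by the capacity check, whereas the unchecked count shows the 11 writes that the <=3.6 loop performs against a 10-slot stack array.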

Impact

Exploitation can cause instability (a crash) or denial of service.

Patches

main: #75575

For more information

If you have any questions or comments about this advisory:

embargo: 2024-09-11

Severity

High

CVSS overall score


CVSS v3 base metrics

Attack vector
Adjacent
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
High

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

CVE ID

CVE-2024-6137

Credits