Bug 1489446 (CVE-2017-1000250) - CVE-2017-1000250 bluez: Out-of-bounds heap read in service_search_attr_req function
Summary: CVE-2017-1000250 bluez: Out-of-bounds heap read in service_search_attr_req fu...
Alias: CVE-2017-1000250
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
: 1489720 (view as bug list)
Depends On: 1490008 1490009 1490010 1490011 1490911
Blocks: 1489450 1489722 1490075
TreeView+ depends on / blocked
Reported: 2017-09-07 13:18 UTC by Adam Mariš
Modified: 2021-02-17 01:36 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An information-disclosure flaw was found in the bluetoothd implementation of the Service Discovery Protocol (SDP). A specially crafted Bluetooth device could, without prior pairing or user interaction, retrieve portions of the bluetoothd process memory, including potentially sensitive information such as Bluetooth encryption keys.
Clone Of:
Last Closed: 2017-09-13 04:38:33 UTC

Attachments (Terms of Use)
Proposed patch (2.11 KB, patch)
2017-09-07 13:24 UTC, Adam Mariš
no flags Details | Diff

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:2685 0 normal SHIPPED_LIVE Moderate: bluez security update 2017-09-12 23:55:31 UTC

Description Adam Mariš 2017-09-07 13:18:08 UTC
Information disclosure vulnerability due to out-of-bounds heap read in service_search_attr_req function when processing of incoming requests in the SDP server was found. Unauthenticated attacker can exploit this vulnerability to read potentially sensitive data from heap of the bluetoothd process.

Vulnerable code:

        } else {
                /* continuation State exists -> get from cache */
                sdp_buf_t *pCache = sdp_get_cached_rsp(cstate);
                if (pCache) {
                        uint16_t sent = MIN(max, pCache->data_size -
                        pResponse = pCache->data;
                             pResponse + cstate->cStateValue.maxBytesSent,
                        buf->data_size += sent;
                        cstate->cStateValue.maxBytesSent += sent;
                        if (cstate->cStateValue.maxBytesSent == pCache->data_size)
                                cstate_size = sdp_set_cstate_pdu(buf, NULL);
                                cstate_size = sdp_set_cstate_pdu(buf, cstate);
                } else {
                        status = SDP_INVALID_CSTATE;
                        SDPDBG("Non-null continuation state, but null cache buffer");

When a long response is returned to a specific search attribute request, a continuation state is returned to allow reception of additional fragments, via additional requests that contain the last continuation state sent. However, the incoming “cstate” that requests additional fragments isn’t validated properly, and thus an out-of-bounds read of the response buffer (pResponse) can be achieved, leading to information disclosure of the heap.

Comment 1 Adam Mariš 2017-09-07 13:18:11 UTC

Name: Armis Labs

Comment 2 Adam Mariš 2017-09-07 13:24:34 UTC
Created attachment 1323098 [details]
Proposed patch

Comment 3 Andrej Nemec 2017-09-08 08:27:09 UTC
*** Bug 1489720 has been marked as a duplicate of this bug. ***

Comment 6 Adam Mariš 2017-09-12 13:18:08 UTC
External References:


Comment 7 Adam Mariš 2017-09-12 13:18:38 UTC
Created bluez tracking bugs for this issue:

Affects: fedora-all [bug 1490911]

Comment 8 errata-xmlrpc 2017-09-12 19:56:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2017:2685 https://access.redhat.com/errata/RHSA-2017:2685

Note You need to log in before you can comment on or make changes to this bug.