Bug 1489446 - (CVE-2017-1000250) CVE-2017-1000250 bluez: Out-of-bounds heap read in service_search_attr_req function
Product: Security Response
Classification: Other
Component: vulnerability
Hardware/OS: All / Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
Duplicates: 1489720
Depends On: 1490009 1490011 1490008 1490010 1490911
Blocks: 1489450 1489722 1490075
Reported: 2017-09-07 09:18 EDT by Adam Mariš
Modified: 2017-09-13 00:38 EDT
Last Closed: 2017-09-13 00:38:33 EDT

Doc Text:
An information-disclosure flaw was found in the bluetoothd implementation of the Service Discovery Protocol (SDP). A specially crafted Bluetooth device could, without prior pairing or user interaction, retrieve portions of the bluetoothd process memory, including potentially sensitive information such as Bluetooth encryption keys.

Attachments:
Proposed patch (2.11 KB, patch), 2017-09-07 09:24 EDT, Adam Mariš
Description Adam Mariš 2017-09-07 09:18:08 EDT
An information disclosure vulnerability due to an out-of-bounds heap read in the service_search_attr_req function when processing incoming requests in the SDP server was found. An unauthenticated attacker can exploit this vulnerability to read potentially sensitive data from the heap of the bluetoothd process.

Vulnerable code:

        } else {
                /* continuation State exists -> get from cache */
                sdp_buf_t *pCache = sdp_get_cached_rsp(cstate);
                if (pCache) {
                        /* maxBytesSent comes from the peer's cstate and is not
                         * checked against pCache->data_size before use */
                        uint16_t sent = MIN(max, pCache->data_size -
                                        cstate->cStateValue.maxBytesSent);
                        pResponse = pCache->data;
                        memcpy(buf->data,
                               pResponse + cstate->cStateValue.maxBytesSent,
                               sent);
                        buf->data_size += sent;
                        cstate->cStateValue.maxBytesSent += sent;
                        if (cstate->cStateValue.maxBytesSent == pCache->data_size)
                                cstate_size = sdp_set_cstate_pdu(buf, NULL);
                        else
                                cstate_size = sdp_set_cstate_pdu(buf, cstate);
                } else {
                        status = SDP_INVALID_CSTATE;
                        SDPDBG("Non-null continuation state, but null cache buffer");
                }
        }

When a long response is returned to a specific search attribute request, a continuation state is returned to allow reception of additional fragments, via additional requests that contain the last continuation state sent. However, the incoming “cstate” that requests additional fragments isn’t validated properly, and thus an out-of-bounds read of the response buffer (pResponse) can be achieved, leading to information disclosure of the heap.
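As an added illustration written for this page (it is not the bug report's or bluez's own code), the following C program models the continuation-state arithmetic from the snippet above. The struct shapes, the function names and the 100-byte sample cache are assumptions. The unchecked variant reproduces the quoted arithmetic and reports when the computed copy range would leave the cached response; the checked variant rejects a peer-supplied offset that does not lie inside the cached response before doing any arithmetic, which is the validation the description says is missing.

```c
/* Added model of the continuation-state handling in service_search_attr_req.
 * Illustrative code for this page, not bluez source: cache_buf_t and
 * cont_state_t are simplified assumptions modelled on the sdp_buf_t and
 * sdp_cont_state_t fields the quoted snippet uses. */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MIN(a, b) ((a) < (b) ? (a) : (b))

typedef struct {
    const uint8_t *data;      /* cached response bytes */
    uint32_t       data_size; /* number of valid bytes in data */
} cache_buf_t;

typedef struct {
    uint16_t maxBytesSent;    /* offset the peer's cstate claims was already sent */
} cont_state_t;

typedef struct {
    bool     rejected;        /* handler refused the continuation state */
    bool     out_of_bounds;   /* computed copy range falls outside the cache */
    uint32_t sent;            /* chunk length the handler computed */
} cont_result_t;

/* Unchecked variant: trusts maxBytesSent exactly as the quoted code does.
 * data_size - maxBytesSent is uint32_t arithmetic, so an offset larger than
 * data_size wraps to a huge value, MIN() then picks max, and the copy source
 * data + maxBytesSent lies past the end of the cache. The copy is only
 * performed here when it is in bounds, so this model stays well-defined. */
static cont_result_t continue_unchecked(const cache_buf_t *cache,
                                        cont_state_t *cstate, uint16_t max,
                                        uint8_t *out, uint32_t out_len)
{
    cont_result_t r = { false, false, 0 };
    uint32_t start = cstate->maxBytesSent;
    uint32_t sent = MIN(max, cache->data_size - start);

    r.sent = sent;
    r.out_of_bounds = start > cache->data_size ||
                      sent > cache->data_size - start;
    if (!r.out_of_bounds && sent <= out_len)
        memcpy(out, cache->data + start, sent); /* real code copies unconditionally */
    cstate->maxBytesSent += sent;
    return r;
}

/* Checked variant: validate the peer-supplied offset against the cached
 * response size first, and treat a bad offset like a missing cache entry
 * (the SDP_INVALID_CSTATE path in the snippet). Once the offset is known to
 * be inside the cache, the original arithmetic cannot wrap. */
static cont_result_t continue_checked(const cache_buf_t *cache,
                                      cont_state_t *cstate, uint16_t max,
                                      uint8_t *out, uint32_t out_len)
{
    cont_result_t r = { true, false, 0 };

    if (cstate->maxBytesSent >= cache->data_size)
        return r;                       /* offset not strictly inside the cache */
    return continue_unchecked(cache, cstate, max, out, out_len);
}

/* Constructed sample: a 100-byte cached response and a 48-byte chunk limit. */
#define SAMPLE_CACHE_SIZE 100u
#define SAMPLE_MAX_CHUNK  48u

static cont_result_t run_case(bool checked, uint16_t claimed_offset)
{
    uint8_t cache_data[SAMPLE_CACHE_SIZE];
    uint8_t out[SAMPLE_MAX_CHUNK];
    for (uint32_t i = 0; i < SAMPLE_CACHE_SIZE; i++)
        cache_data[i] = (uint8_t)i;
    cache_buf_t cache = { cache_data, SAMPLE_CACHE_SIZE };
    cont_state_t cstate = { claimed_offset };
    return checked ? continue_checked(&cache, &cstate, SAMPLE_MAX_CHUNK, out, sizeof out)
                   : continue_unchecked(&cache, &cstate, SAMPLE_MAX_CHUNK, out, sizeof out);
}

int main(void)
{
    cont_result_t ok  = run_case(false, 48);    /* honest second request */
    cont_result_t bad = run_case(false, 60000); /* offset past the 100-byte cache */
    cont_result_t fix = run_case(true, 60000);

    printf("unchecked, offset 48:    sent=%" PRIu32 " out_of_bounds=%d\n", ok.sent, ok.out_of_bounds);
    printf("unchecked, offset 60000: sent=%" PRIu32 " out_of_bounds=%d\n", bad.sent, bad.out_of_bounds);
    printf("checked,   offset 60000: rejected=%d\n", fix.rejected);
    return 0;
}
```

Build with `cc -Wall -o cstate_model cstate_model.c` and run it. The unchecked case with offset 60000 still computes a 48-byte chunk because the wrapped subtraction is larger than max, and the source of that chunk is 60000 bytes past a 100-byte buffer; the checked case refuses the request instead.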
Comment 1 Adam Mariš 2017-09-07 09:18:11 EDT

Name: Armis Labs
Comment 2 Adam Mariš 2017-09-07 09:24 EDT
Created attachment 1323098 [details]
Proposed patch
Comment 3 Andrej Nemec 2017-09-08 04:27:09 EDT
*** Bug 1489720 has been marked as a duplicate of this bug. ***
Comment 6 Adam Mariš 2017-09-12 09:18:08 EDT
External References:

Comment 7 Adam Mariš 2017-09-12 09:18:38 EDT
Created bluez tracking bugs for this issue:

Affects: fedora-all [bug 1490911]
Comment 8 errata-xmlrpc 2017-09-12 15:56:04 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2017:2685 https://access.redhat.com/errata/RHSA-2017:2685
