Bug 1663176 (CVE-2019-3459) - CVE-2019-3459 kernel: Heap address information leak while using L2CAP_GET_CONF_OPT
Status: NEW
Alias: CVE-2019-3459
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Whiteboard: impact=moderate,public=20190111,repor...
Keywords: Security
Depends On: 1664555 1664556 1664557 1700507 1700508 1664558 1665925 1700506
Blocks: 1663182
Reported: 2019-01-03 11:24 UTC by Andrej Nemec
Modified: 2019-06-08 23:47 UTC (History)
A flaw was found in the Linux kernel's implementation of Logical Link Control and Adaptation Protocol (L2CAP), part of the Bluetooth stack. An attacker, within the range of standard Bluetooth transmissions, can create and send a specially crafted packet. The response to this specially crafted packet can contain part of the kernel stack which can be used in a further attack.
Description Andrej Nemec 2019-01-03 11:24:43 UTC
A flaw was found in the Linux kernel's implementation of Logical Link Control and Adaptation Protocol (L2CAP), part of the Bluetooth stack.

An attacker with physical access within the range of standard Bluetooth transmission can create a specially crafted packet. The response to this specially crafted packet can contain part of the kernel stack which can be used in a further attack.

Upstream patch:
https://lore.kernel.org/linux-bluetooth/20190110062833.GA15047@kroah.com/

Oss-security post:
https://seclists.org/oss-sec/2019/q1/58

Mitigation:

- Disabling the Bluetooth hardware in the BIOS.
- Prevent loading of the Bluetooth kernel modules.
- Disable the Bluetooth connection by putting the system in "airport" mode.
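The second and third mitigations above can be verified on a running host. The script below is an added example written for this page; it is not code from the bug report, the kernel patch or Red Hat. It assumes the upstream module names `bluetooth` and `btusb` and the `rfkill list` output layout ("N: hciX: Bluetooth" followed by "Soft blocked:" / "Hard blocked:" lines); the `/proc/modules` and `rfkill` text it parses by default is constructed sample input so the checks run offline.

```shell
#!/bin/sh
# Added example (not part of the Red Hat bug or the kernel fix): check whether
# the Bluetooth module is loaded and whether Bluetooth is rfkill-blocked, and
# emit the modprobe.d rules that prevent the modules from loading.
# Assumed module names: "bluetooth" (core) and "btusb" (USB transport).

# Rules for /etc/modprobe.d/: "install <module> /bin/false" refuses both
# automatic and manual loading, which a plain "blacklist" line does not
# (blacklist only stops alias-based autoloading).
bt_modprobe_rules() {
    printf 'install bluetooth /bin/false\ninstall btusb /bin/false\n'
}

# Return 0 if the "bluetooth" module appears in the given /proc/modules
# (or lsmod) text, 1 otherwise. Field 1 is the module name in both formats.
bt_module_loaded() {
    printf '%s\n' "$1" | awk '$1 == "bluetooth" { found = 1 } END { exit !found }'
}

# Return 0 if every Bluetooth device in the given "rfkill list" output is
# soft- or hard-blocked (airplane mode / rfkill block); return 1 if any is
# unblocked or no Bluetooth device is listed at all.
bt_rfkill_blocked() {
    printf '%s\n' "$1" | awk '
        /^[0-9]+: [^:]+: Bluetooth$/ { n++; inbt = 1; blocked[n] = 0; next }
        /^[0-9]+: /                  { inbt = 0; next }
        inbt && /blocked: yes/       { blocked[n] = 1 }
        END {
            if (n == 0) exit 1
            for (i = 1; i <= n; i++) if (!blocked[i]) exit 1
            exit 0
        }'
}

# Overall verdict: mitigated (0) when the module is not loaded, or when it is
# loaded but every Bluetooth radio is rfkill-blocked.
bt_mitigated() {
    if ! bt_module_loaded "$1"; then
        return 0
    fi
    bt_rfkill_blocked "$2"
}

# Constructed sample input (not captured from a real host) so the script
# demonstrates both outcomes offline.
SAMPLE_MODULES='btusb 61440 0 - Live 0x0000000000000000
bluetooth 692224 5 btusb, Live 0x0000000000000000'
SAMPLE_RFKILL_OPEN='0: hci0: Bluetooth
    Soft blocked: no
    Hard blocked: no
1: phy0: Wireless LAN
    Soft blocked: yes
    Hard blocked: no'
SAMPLE_RFKILL_BLOCKED='0: hci0: Bluetooth
    Soft blocked: yes
    Hard blocked: no'

report() {
    if bt_mitigated "$1" "$2"; then
        echo "$3: mitigated"
    else
        echo "$3: Bluetooth module loaded and not rfkill-blocked; suggested rules:"
        bt_modprobe_rules | sed 's/^/    /'
    fi
}

report "$SAMPLE_MODULES" "$SAMPLE_RFKILL_OPEN"    "sample (radio unblocked)"
report "$SAMPLE_MODULES" "$SAMPLE_RFKILL_BLOCKED" "sample (radio blocked)"

# Live check, only where /proc/modules and rfkill are available.
if [ -r /proc/modules ]; then
    live_modules=$(cat /proc/modules 2>/dev/null || true)
    live_rfkill=$(rfkill list bluetooth 2>/dev/null || true)
    report "$live_modules" "$live_rfkill" "this host"
fi
```

Writing the rules to a file under /etc/modprobe.d/ and rebuilding the initramfs is left to the administrator; the script only reports and prints the suggested content, since unloading an in-use `bluetooth` module on a live system is not something a check script should do on its own.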

Comment 5 Andrej Nemec 2019-01-14 13:04:24 UTC
Public via:

https://seclists.org/oss-sec/2019/q1/58

Comment 6 Andrej Nemec 2019-01-14 13:05:43 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1665925]

Comment 8 gopal krishna tiwari 2019-04-17 06:27:48 UTC
Hi Wade/Andrej,

Seems the patch for this

https://lore.kernel.org/linux-bluetooth/20190110062833.GA15047@kroah.com/

has not yet made it to upstream? Can you confirm?

Gopal..

Comment 9 Andrej Nemec 2019-04-25 14:50:03 UTC
(In reply to gopal krishna tiwari from comment #8)
> Hi Wade/Andrej, 
> 
> Seems patch for this 
>  
> https://lore.kernel.org/linux-bluetooth/20190110062833.GA15047@kroah.com/
> 
> Not yet made it to upstream ? Can you confirm ? 
> 
> Gopal..

Hi Gopal,

This seems to be the relevant upstream patch link:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7c9cbd0b5e38a1672fcd137894ace3b042dfbf69

Comment 10 gopal krishna tiwari 2019-04-26 04:16:03 UTC
(In reply to Andrej Nemec from comment #9)
> (In reply to gopal krishna tiwari from comment #8)
> > Hi Wade/Andrej, 
> > 
> > Seems patch for this 
> >  
> > https://lore.kernel.org/linux-bluetooth/20190110062833.GA15047@kroah.com/
> > 
> > Not yet made it to upstream ? Can you confirm ? 
> > 
> > Gopal..
> 
> Hi Gopal,
> 
> This seems to be the relevant upstream patch link:
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/
> ?id=7c9cbd0b5e38a1672fcd137894ace3b042dfbf69

Sure, thanks. Will post this patch soon.

Gopal

Comment 11 gopal krishna tiwari 2019-04-26 05:10:43 UTC
(In reply to Andrej Nemec from comment #9)
> (In reply to gopal krishna tiwari from comment #8)
> > Hi Wade/Andrej, 
> > 
> > Seems patch for this 
> >  
> > https://lore.kernel.org/linux-bluetooth/20190110062833.GA15047@kroah.com/
> > 
> > Not yet made it to upstream ? Can you confirm ? 
> > 
> > Gopal..
> 
> Hi Gopal,
> 
> This seems to be the relevant upstream patch link:
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/
> ?id=7c9cbd0b5e38a1672fcd137894ace3b042dfbf69

AFAIU this patch fixes both CVE-2019-3459 & CVE-2019-3460?

Gopal

Comment 12 Pedro Sampaio 2019-05-03 16:59:32 UTC
(In reply to gopal krishna tiwari from comment #11)
> (In reply to Andrej Nemec from comment #9)
> > (In reply to gopal krishna tiwari from comment #8)
> > > Hi Wade/Andrej, 
> > > 
> > > Seems patch for this 
> > >  
> > > https://lore.kernel.org/linux-bluetooth/20190110062833.GA15047@kroah.com/
> > > 
> > > Not yet made it to upstream ? Can you confirm ? 
> > > 
> > > Gopal..
> > 
> > Hi Gopal,
> > 
> > This seems to be the relevant upstream patch link:
> > 
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/
> > ?id=7c9cbd0b5e38a1672fcd137894ace3b042dfbf69
> 
> AFIU this patch fixes both CVE-2019-3459 & CVE-2019-3460 ? 
> 
> Gopal

Hello Gopal,

Yes, this patch addresses both vulnerable functions L2CAP_GET_CONF_OPT (CVE-2019-3459) and L2CAP_PARSE_CONF_RSP (CVE-2019-3460).

