Information disclosure vulnerability due to out-of-bounds heap read in service_search_attr_req function when processing of incoming requests in the SDP server was found. Unauthenticated attacker can exploit this vulnerability to read potentially sensitive data from heap of the bluetoothd process. Vulnerable code: ... } else { /* continuation State exists -> get from cache */ sdp_buf_t *pCache = sdp_get_cached_rsp(cstate); if (pCache) { uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent); pResponse = pCache->data; memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent); buf->data_size += sent; cstate->cStateValue.maxBytesSent += sent; if (cstate->cStateValue.maxBytesSent == pCache->data_size) cstate_size = sdp_set_cstate_pdu(buf, NULL); else cstate_size = sdp_set_cstate_pdu(buf, cstate); } else { status = SDP_INVALID_CSTATE; SDPDBG("Non-null continuation state, but null cache buffer"); } } ... When a long response is returned to a specific search attribute request, a continuation state is returned to allow reception of additional fragments, via additional requests that contain the last continuation state sent. However, the incoming “cstate” that requests additional fragments isn’t validated properly, and thus an out-of-bounds read of the response buffer (pResponse) can be achieved, leading to information disclosure of the heap.
Acknowledgments: Name: Armis Labs
Created attachment 1323098 [details] Proposed patch
*** Bug 1489720 has been marked as a duplicate of this bug. ***
External References: https://www.armis.com/blueborne/
Created bluez tracking bugs for this issue: Affects: fedora-all [bug 1490911]
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2017:2685 https://access.redhat.com/errata/RHSA-2017:2685