Bug 2185519 (CVE-2023-28866) - CVE-2023-28866 kernel: Bluetooth: HCI: global out-of-bounds access in net/bluetooth/hci_sync.c
Summary: CVE-2023-28866 kernel: Bluetooth: HCI: global out-of-bounds access in net/blu...
Keywords:
Status: NEW
Alias: CVE-2023-28866
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2186272 2186273
Blocks: 2181975
Reported: 2023-04-10 06:16 UTC by Avinash Hanwate
Modified: 2024-02-07 12:57 UTC (History)

Fixed In Version: Kernel 6.3 RC4
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds (OOB) memory access flaw was found in net/bluetooth/hci_sync.c due to a missing exit path in the loop over amp_init1[] and amp_init2[]. This issue could allow an attacker to leak internal kernel information.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Avinash Hanwate 2023-04-10 06:16:36 UTC
In the Linux kernel through 6.2.8, net/bluetooth/hci_sync.c allows out-of-bounds access because amp_init1[] and amp_init2[] are supposed to have an intentionally invalid element, but do not.

https://lore.kernel.org/lkml/20230321015018.1759683-1-iam@sung-woo.kim/
https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=95084403f8c070ccf5d7cbe72352519c1798a40a
https://patchwork.kernel.org/project/bluetooth/patch/20230322232543.3079578-1-luiz.dentz@gmail.com
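A minimal C model of the pattern behind this bug, added here as an illustration and not taken from the kernel: an init-stage table that a loop walks until it reaches an all-NULL sentinel entry, shown once with the terminator and once without it, plus a size-bounded check that reports the missing terminator instead of reading past the array. The struct, table and function names are assumptions.

```c
#include <stddef.h>
#include <stdbool.h>

/* Assumed model of a sentinel-terminated stage table; the kernel's own
 * hci_init_stage type is not reproduced here. */
typedef int (*stage_fn)(void);

struct init_stage {
    stage_fn func;
    const char *name;
};

static int stage_a(void) { return 0; }
static int stage_b(void) { return 0; }

/* Correct table: the final all-NULL entry stops a func==NULL walk. */
static const struct init_stage good_table[] = {
    { stage_a, "stage_a" },
    { stage_b, "stage_b" },
    { NULL, NULL },  /* terminator */
};

/* Defective table (the bug's shape): same stages, terminator forgotten. */
static const struct init_stage bad_table[] = {
    { stage_a, "stage_a" },
    { stage_b, "stage_b" },
};

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* True if a NULL-func sentinel occurs within the first n entries.
 * A sentinel-walking loop is only safe when this holds. */
bool table_is_terminated(const struct init_stage *t, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (t[i].func == NULL)
            return true;
    return false;
}

/* Bounded walk: runs stages until the sentinel or the known array size,
 * so a missing terminator cannot read past the end. Returns the number
 * of stages run, or -1 if no terminator was found within n entries. */
int run_stages_bounded(const struct init_stage *t, size_t n)
{
    size_t i;
    for (i = 0; i < n && t[i].func != NULL; i++)
        t[i].func();
    return (i < n) ? (int)i : -1;
}
```

A unit test asserting table_is_terminated() on every stage table is the kind of check that catches a forgotten terminator before it ships.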

