Message-ID: <SA2PR22MB2697E3286F69BADCE0B70A4CBFB02@SA2PR22MB2697.namprd22.prod.outlook.com>
Date: Tue, 30 Jul 2024 19:31:09 +0000
From: "Zhang, Yiwei" <zhan4630@...due.edu>
To: "marcel@...tmann.org" <marcel@...tmann.org>, "johan.hedberg@...il.com"
	<johan.hedberg@...il.com>, "luiz.dentz@...il.com" <luiz.dentz@...il.com>
CC: "linux-bluetooth@...r.kernel.org" <linux-bluetooth@...r.kernel.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "Karim,
 Imtiaz" <karim7@...due.edu>
Subject: Potential Null Pointer Dereference in pair_device() in mgmt.c

Please disregard the previous email. I have modified the email to plain text format. I apologize for any inconvenience this may have caused.


To whom it may concern,

I am writing to report a potential security vulnerability in a Bluetooth stack implementation, specifically in the hci_conn_params_add and pair_device functions. The issue identified is a potential null pointer dereference, which can lead to a system crash or other unintended behaviors.

The details of the bug are as follows:


1. Affected Components
Function: linux/net/bluetooth/hci_core.c hci_conn_params_add
Function: linux/net/bluetooth/mgmt.c pair_device
Module: Bluetooth connection parameter management
Code: https://github.com/torvalds/linux/tree/master
Version: the newest version v6.11-rc1

2. Description
The hci_conn_params_add function is responsible for adding connection parameters for a Bluetooth device. It first attempts to look up existing parameters using hci_conn_params_lookup. If no existing parameters are found, it allocates a new structure using kzalloc, which will return NULL if the allocation fails. 
However, the pair_device function, which calls hci_conn_params_add, does not properly handle the case where hci_conn_params_add returns NULL, indicating a failure to allocate memory. The immediate dereference of the returned pointer p without checking for NULL can lead to a null pointer dereference, causing the program to crash.

3. Technical Details
struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev,
					    bdaddr_t *addr, u8 addr_type)
{
	struct hci_conn_params *params;

	params = hci_conn_params_lookup(hdev, addr, addr_type);
	if (params)
		return params;

	params = kzalloc(sizeof(*params), GFP_KERNEL);
	if (!params) {
		bt_dev_err(hdev, "out of memory");
		return NULL; // [BUG] return here
	}

	bacpy(&params->addr, addr);
	params->addr_type = addr_type;

	list_add(&params->list, &hdev->le_conn_params);
	INIT_LIST_HEAD(&params->action);

	params->conn_min_interval = hdev->le_conn_min_interval;
	params->conn_max_interval = hdev->le_conn_max_interval;
	params->conn_latency = hdev->le_conn_latency;
	params->supervision_timeout = hdev->le_supv_timeout;
	params->auto_connect = HCI_AUTO_CONN_DISABLED;

	BT_DBG("addr %pMR (type %u)", addr, addr_type);

	return params;
}

static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
		       u16 len)
{
...
	p = hci_conn_params_add(hdev, &cp->addr.bdaddr, addr_type); // [BUG] p may be NULL
	if (p->auto_connect == HCI_AUTO_CONN_EXPLICIT) // [BUG] NULL POINTER DEREFERENCE
		p->auto_connect = HCI_AUTO_CONN_DISABLED;
...
}

Vulnerable Code Stack:
pair_device calls hci_conn_params_add at line 3458 in linux/net/bluetooth/mgmt.c
hci_conn_params_add is called and may return NULL if memory allocation fails at line 2280 in linux/net/bluetooth/hci_core.c
pair_device does not check if p is NULL before accessing p->auto_connect at line 3460 in linux/net/bluetooth/mgmt.c

4. Potential Impact
Denial of Service (DoS): If the system encounters this null pointer dereference during runtime, it could crash, leading to a denial of service. 
Security Concerns: While the primary issue appears to be a potential crash, depending on the context and how the function is used, there may be other security implications such as unintended code execution or information leakage.

5. Exploitation
For an attacker to exploit this vulnerability, they would need to:
Trigger a condition where hci_conn_params_add returns NULL (such as exhausting system memory).
Ensure that the pair_device function is subsequently called with the NULL pointer, causing the null pointer dereference.

6. Mitigation and Recommendations
Null Pointer Check: Add a null pointer check after the call to hci_conn_params_add in the pair_device function. Ensure that the function gracefully handles the NULL case, possibly by returning an error code or taking other corrective actions.
Example:
p = hci_conn_params_add(hdev, &cp->addr.bdaddr, addr_type);
if (!p) {
    bt_dev_err(hdev, "Failed to add connection params");
    return -ENOMEM;
}


I would appreciate your response to this report and any follow-up actions that will be taken. Please feel free to let me know if there are any problems.
Thank you for your attention to this matter. I look forward to your prompt response.

Best regards,
Yiwei Zhang
Purdue University
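
Added example, not part of the original message and not kernel code: a userspace C model of the lookup-or-allocate pattern reported above, with an injectable allocation failure so the checked error path can be exercised in a test. The names model_zalloc, fail_alloc, params_add, pair_device_checked and the two structs are hypothetical stand-ins; the model also assumes the caller holds a lock at the call site (the locked field), so the failure path leaves through an unlock label rather than returning directly.

```c
#include <errno.h>
#include <stdlib.h>

/* Constructed userspace model; names echo the report, bodies are simplified. */
enum { AUTO_CONN_DISABLED, AUTO_CONN_EXPLICIT };
struct conn_params { int auto_connect; };
struct dev { struct conn_params *params; int locked; };
static int fail_alloc;	/* fault-injection switch (hypothetical) */

/* Stand-in for kzalloc(): returns NULL while a failure is injected. */
static void *model_zalloc(size_t n)
{
	if (fail_alloc)
		return NULL;
	return calloc(1, n);
}

/* Lookup-or-allocate, like hci_conn_params_add(): NULL means out of memory. */
static struct conn_params *params_add(struct dev *d)
{
	if (!d->params)
		d->params = model_zalloc(sizeof(*d->params));
	return d->params;
}

/* Checked caller: tests the result and unwinds through the unlock label. */
static int pair_device_checked(struct dev *d)
{
	struct conn_params *p;
	int err = 0;
	d->locked = 1;		/* assumption: a lock is held at the call site */
	p = params_add(d);
	if (!p) {
		err = -ENOMEM;
		goto unlock;
	}
	if (p->auto_connect == AUTO_CONN_EXPLICIT)
		p->auto_connect = AUTO_CONN_DISABLED;
unlock:
	d->locked = 0;
	return err;
}

int main(void)
{
	struct dev d = { 0 };
	fail_alloc = 1;		/* simulate allocation failure */
	return (pair_device_checked(&d) == -ENOMEM && !d.locked) ? 0 : 1;
}
```

Running the same caller with fail_alloc left at 0 takes the normal path, which makes the failure path easy to cover in a unit test without exhausting real memory.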
