xorl %eax, %eax

CVE-2011-1078: Linux kernel Bluetooth sco_conninfo Information Leak


This is a common class of infoleak bug, reported by Vasiliy Kulikov of Openwall. The vulnerable code is in net/bluetooth/sco.c, in the SCO_CONNINFO case of sco_sock_getsockopt_old(), shown here.

static int sco_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
{
        struct sock *sk = sock->sk;
        struct sco_options opts;
        struct sco_conninfo cinfo;      /* stack variable, never zeroed */
        int len, err = 0;

        if (get_user(len, optlen))
                return -EFAULT;

        lock_sock(sk);

        switch (optname) {
        ...
        case SCO_CONNINFO:
                if (sk->sk_state != BT_CONNECTED) {
                        err = -ENOTCONN;
                        break;
                }

                /* only the two named fields are written; the padding byte keeps whatever was on the stack */
                cinfo.hci_handle = sco_pi(sk)->conn->hcon->handle;
                memcpy(cinfo.dev_class, sco_pi(sk)->conn->hcon->dev_class, 3);

                /* len is capped at sizeof(cinfo), which is 6, so the padding byte is copied out too */
                len = min_t(unsigned int, len, sizeof(cinfo));
                if (copy_to_user(optval, (char *)&cinfo, len))
                        err = -EFAULT;
                break;
        ...
        }

        release_sock(sk);
        return err;
}

The ‘sco_conninfo’ structure is defined in the include/net/bluetooth/sco.h header file like this.

struct sco_conninfo {
        __u16 hci_handle;
        __u8  dev_class[3];
        /* one byte of compiler-inserted padding follows here */
};

So, its fields total 5 bytes (2 for ‘hci_handle’ and 3 for the ‘dev_class[]’ array), but the structure's alignment is that of its widest member, ‘__u16’, so the compiler rounds sizeof(struct sco_conninfo) up to 6 by appending one padding byte. Since that padding byte is never zeroed, an unprivileged user with a connected SCO socket can call getsockopt(SCO_CONNINFO) and receive the whole 6-byte object, leaking 1 byte of kernel stack memory in each request.
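The following userland program is an added illustration, not code from the post or from the kernel. It declares a copy of the structure with ‘uint16_t’/‘uint8_t’ in place of ‘__u16’/‘__u8’, confirms with sizeof() and offsetof() that one padding byte is added, and then simulates the stack slot ‘cinfo’ lives in: the slot is pre-filled with a constructed 0xAA marker standing in for stale kernel data, the fields are assigned exactly as the handler does, and the value of the trailing byte that copy_to_user() would export is reported, once for the handler as written and once with the structure zeroed first. The handle and device-class values are constructed sample input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userland copy of the kernel struct: __u16 / __u8 become uint16_t / uint8_t. */
struct sco_conninfo {
    uint16_t hci_handle;
    uint8_t  dev_class[3];
};

/* sizeof() is 6, not 5: alignment follows the widest member (2 bytes),
 * so the compiler appends one trailing padding byte. */
size_t sco_conninfo_size(void) { return sizeof(struct sco_conninfo); }

/* Bytes not covered by any named field, i.e. the padding. */
size_t sco_conninfo_padding(void) {
    return sizeof(struct sco_conninfo)
         - offsetof(struct sco_conninfo, dev_class)
         - sizeof(((struct sco_conninfo *)0)->dev_class);
}

#define STALE 0xAA  /* constructed marker standing in for leftover stack contents */

typedef void (*filler_t)(struct sco_conninfo *, uint16_t, const uint8_t[3]);

/* Mirrors the handler as shipped: fields assigned, padding left untouched. */
static void fill_conninfo_buggy(struct sco_conninfo *c, uint16_t handle, const uint8_t cls[3]) {
    c->hci_handle = handle;
    memcpy(c->dev_class, cls, 3);
}

/* Same assignments, but the whole object is zeroed first, padding included. */
static void fill_conninfo_fixed(struct sco_conninfo *c, uint16_t handle, const uint8_t cls[3]) {
    memset(c, 0, sizeof(*c));
    c->hci_handle = handle;
    memcpy(c->dev_class, cls, 3);
}

/* Simulate the uninitialised stack slot: pre-fill with STALE, run the filler,
 * and return the trailing byte that a 6-byte copy_to_user() would hand out. */
static int padding_byte_after(filler_t fill) {
    union {
        struct sco_conninfo c;
        unsigned char raw[sizeof(struct sco_conninfo)];
    } slot;
    const uint8_t cls[3] = {0x24, 0x04, 0x04};   /* constructed device class */
    memset(slot.raw, STALE, sizeof slot.raw);
    fill(&slot.c, 0x002A, cls);                  /* constructed HCI handle */
    return slot.raw[sizeof(struct sco_conninfo) - 1];
}

int leaky_padding_byte(void) { return padding_byte_after(fill_conninfo_buggy); }
int fixed_padding_byte(void) { return padding_byte_after(fill_conninfo_fixed); }

int main(void) {
    printf("sizeof(struct sco_conninfo) = %zu (named fields total 5, padding %zu)\n",
           sco_conninfo_size(), sco_conninfo_padding());
    printf("padding byte, handler as shipped: 0x%02x\n", leaky_padding_byte());
    printf("padding byte, zeroed first:       0x%02x\n", fixed_padding_byte());
    return 0;
}
```

The union is only there to let the program look at the object representation after the assignments; in the kernel the equivalent observer is the user process reading back ‘optval’. Note that assigning the named members is not required by the C standard to write the padding, and on GCC and Clang it does not, which is exactly why the stale byte survives.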

Of course, the fix was to zero out the structure before passing it to the user land.

+		memset(&cinfo, 0, sizeof(cinfo));
 		cinfo.hci_handle = sco_pi(sk)->conn->hcon->handle;
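Review bot: the memset() is correctly placed before the first assignment to cinfo, so every byte copied out by the later copy_to_user(), padding included, is now defined; a designated initialiser such as `struct sco_conninfo cinfo = {0};` would not be an equivalent substitute, since the C standard leaves padding bytes unspecified for automatic objects initialised that way, so the explicit memset() is the right form here. Since the post describes this as a common pattern, the other getsockopt paths that copy a stack structure to user space would be worth the same check.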

Written by xorl

May 3, 2011 at 19:52

Posted in linux, vulnerabilities
