xorl %eax, %eax

CVE-2011-1078: Linux kernel Bluetooth sco_conninfo Information Leak


This is a typical infoleak bug, reported by Vasiliy Kulikov of Openwall. The vulnerable code is located in net/bluetooth/sco.c, in sco_sock_getsockopt_old(), as shown here.

static int sco_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
{
        struct sock *sk = sock->sk;
        struct sco_options opts;
        struct sco_conninfo cinfo;
  ...
        case SCO_CONNINFO:
                if (sk->sk_state != BT_CONNECTED) {
                        err = -ENOTCONN;
                        break;
                }

                cinfo.hci_handle = sco_pi(sk)->conn->hcon->handle;
                memcpy(cinfo.dev_class, sco_pi(sk)->conn->hcon->dev_class, 3);

                len = min_t(unsigned int, len, sizeof(cinfo));
                if (copy_to_user(optval, (char *)&cinfo, len))
                        err = -EFAULT;

                break;
  ...
        release_sock(sk);
        return err;
}

The ‘sco_conninfo’ structure is defined in the include/net/bluetooth/sco.h header file like this.

struct sco_conninfo {
        __u16 hci_handle;
        __u8  dev_class[3];
};

So, the declared members add up to 5 Bytes (2 for ‘hci_handle’ and 3 for the ‘dev_class[]’ array), but when compiled the structure gets an additional trailing padding Byte so that its size is a multiple of the 2-Byte alignment of ‘hci_handle’, making sizeof(cinfo) 6. ‘cinfo’ lives on the kernel stack, only its named fields are written, and copy_to_user() copies the whole structure, padding included. Since the padding is never zeroed out, unprivileged users can read the entire structure and leak 1 Byte of kernel stack memory with each request.

Of course, the fix was to zero out the structure before filling it in and passing it to userland.

 
+		memset(&cinfo, 0, sizeof(cinfo));
 		cinfo.hci_handle = sco_pi(sk)->conn->hcon->handle;
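Review bot: the memset is placed correctly, before the field assignments, so the trailing padding byte of `cinfo` is zeroed rather than left holding stale stack contents; combined with the existing `len = min_t(unsigned int, len, sizeof(cinfo))` clamp, every byte that can reach user space is now initialized. Consider adding a one-line comment stating that the `memset(&cinfo, 0, sizeof(cinfo));` exists for the padding byte, so a later refactor does not drop it as redundant because "all fields are assigned anyway".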

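As an added user-space illustration (not code from the post or from the kernel), the following C program declares a structure with the same layout as ‘sco_conninfo’, measures how much padding the compiler inserts, and contrasts the unpatched copy with the memset fix. A constructed 0xAA marker stands in for whatever an earlier call left on the kernel stack; the ‘slot’ union, the byte values and the function names are all assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Same layout as struct sco_conninfo in include/net/bluetooth/sco.h. */
struct sco_conninfo {
    uint16_t hci_handle;
    uint8_t  dev_class[3];
};

/* Constructed marker standing in for stale kernel stack contents. */
#define STALE_BYTE 0xAA

/* A properly aligned stack slot that we can also inspect byte by byte. */
union slot {
    struct sco_conninfo cinfo;
    unsigned char raw[sizeof(struct sco_conninfo)];
};

/* Number of padding bytes the compiler adds beyond the declared members
   (1 on the usual ABIs: 5 bytes of members rounded up to a 2-byte multiple). */
size_t sco_conninfo_padding(void)
{
    return sizeof(struct sco_conninfo) - (sizeof(uint16_t) + 3 * sizeof(uint8_t));
}

/* Mirrors the SCO_CONNINFO case: only the named fields are written. */
static void fill_fields(struct sco_conninfo *cinfo)
{
    const uint8_t dev_class[3] = {0x24, 0x04, 0x10}; /* constructed sample values */
    cinfo->hci_handle = 0x0042;                      /* constructed sample handle */
    memcpy(cinfo->dev_class, dev_class, 3);
}

/* Returns the byte at offset `off` of the structure exactly as the user
   would receive it after the copy_to_user() equivalent.  `zero_first`
   selects the patched behaviour (memset before filling in the fields). */
int conninfo_byte_as_copied(int zero_first, size_t off)
{
    union slot s;
    unsigned char userbuf[sizeof(struct sco_conninfo)];

    if (off >= sizeof(userbuf))
        return -1;

    /* Pretend the stack slot still holds data from an earlier call. */
    memset(s.raw, STALE_BYTE, sizeof(s.raw));

    if (zero_first)
        memset(&s.cinfo, 0, sizeof(s.cinfo)); /* the fix */
    fill_fields(&s.cinfo);

    /* copy_to_user() equivalent: the entire structure, padding included. */
    memcpy(userbuf, &s.cinfo, sizeof(s.cinfo));
    return userbuf[off];
}

int main(void)
{
    size_t i, last = sizeof(struct sco_conninfo) - 1;

    printf("sizeof(struct sco_conninfo) = %zu, padding bytes = %zu\n",
           sizeof(struct sco_conninfo), sco_conninfo_padding());
    for (i = 0; i < sizeof(struct sco_conninfo); i++)
        printf("offset %zu: unpatched 0x%02x, patched 0x%02x\n", i,
               conninfo_byte_as_copied(0, i), conninfo_byte_as_copied(1, i));
    printf("padding byte (offset %zu) leaks marker: %s\n", last,
           conninfo_byte_as_copied(0, last) == STALE_BYTE ? "yes" : "no");
    return 0;
}
```

On a typical x86-64 build the last byte of the unpatched copy is the 0xAA marker, i.e. whatever happened to be on the stack, while the patched copy returns 0 there; every named field is identical in both, which is why a fix that only assigns fields is not enough.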
Written by xorl

May 3, 2011 at 19:52

Posted in bugs, linux
