[Kernel-packages] [Bug 1102700] Re: bluetoothd crash when parsing invalid HIDP SDP record

Sun, 02 Jul 2017 21:37:15 -0700 

[Expired for bluez (Ubuntu) because there has been no activity for 60
days.]

** Changed in: bluez (Ubuntu)
       Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to bluez in Ubuntu.
https://bugs.launchpad.net/bugs/1102700

Title:
  bluetoothd crash when parsing invalid HIDP SDP record

Status in bluez package in Ubuntu:
  Expired

Bug description:
  If a remote Bluetooth device contains HIDP SDP records in a specific
  invalid format, it is possible to crash BlueZ with SIGSEGV due to
  invalid memory reads, either by buffer overflow due to improper
  strncpy() usage or usage of arbitrary input as pointer.

  The several patches that address this problem are already upstream and
  are present on the 5.1 release. These are the commits (some are
  cosmetic but required to avoid conflicts of next patches):

  
http://git.kernel.org/?p=bluetooth/bluez.git;a=commit;h=21acf2283cacf0c029f2cea82380f4744a1dbcb5
  
http://git.kernel.org/?p=bluetooth/bluez.git;a=commit;h=df29632772171d5fd0e71c518fc3753adb11d0c0
  
http://git.kernel.org/?p=bluetooth/bluez.git;a=commit;h=fce691bd0bd08710ffd379025e894bcffaa5acb6
  
http://git.kernel.org/?p=bluetooth/bluez.git;a=commit;h=90228fc151bac5f19b2d21c18d51ef90f3b0d1b5
  
http://git.kernel.org/?p=bluetooth/bluez.git;a=commit;h=0f8aca093099d4fc693adc6270b9b0bd02287017
  
http://git.kernel.org/?p=bluetooth/bluez.git;a=commit;h=ce376961fb3a667ef35360c222bc3928d4657f4b
  
http://git.kernel.org/?p=bluetooth/bluez.git;a=commit;h=b41a46ef4c2bd9dc30998c6726ab6232a299c8e8
  
http://git.kernel.org/?p=bluetooth/bluez.git;a=commit;h=0305cfa11a06dea356f699a46da96f7146210466
  
http://git.kernel.org/?p=bluetooth/bluez.git;a=commit;h=5ba183dc82b4e8a1b3caa58648d6ac02b9325cb6
  
http://git.kernel.org/?p=bluetooth/bluez.git;a=commit;h=a35f83e113c1c58dd1c6cf8bda2b1bf99d07a695

  A patch backported from the above commits to the current BlueZ version
  on 12.04.1 LTS is attached. It was tested only on precise, but should
  apply just fine on more recent releases. Let me know you need specific
  versions of this patch.

  I will also attach a script that reproduces the crash using an
  emulated BT dongle. Usage instructions are at
  https://github.com/lizardo/bluez-tests/blob/master/README.rst

  NOTE: I tried to send a report which includes the crash information
  using apport-bug, but it did not seem to create a bug report here
  after 2 days.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bluez/+bug/1102700/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to