bluetoothd crash when parsing invalid HIDP SDP record
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
bluez (Ubuntu) | Expired | Undecided | Unassigned |
Bug Description
If a remote Bluetooth device contains HIDP SDP records in a specific invalid format, it is possible to crash BlueZ with SIGSEGV due to invalid memory reads, either by a buffer overflow due to improper strncpy() usage or by use of arbitrary input as a pointer.
Several patches that address this problem are already upstream and are present in the 5.1 release. These are the commits (some are cosmetic but required to avoid conflicts with the following patches):
http://
http://
http://
http://
http://
http://
http://
http://
http://
http://
A patch backported from the above commits to the current BlueZ version on 12.04.1 LTS is attached. It was tested only on precise, but should apply just fine on more recent releases. Let me know if you need specific versions of this patch.
I will also attach a script that reproduces the crash using an emulated BT dongle. Usage instructions are at https:/
NOTE: I tried to send a report which includes the crash information using apport-bug, but it did not seem to create a bug report here after 2 days.
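The two failure modes the report names (a strncpy() bounded by the record's own length field rather than the destination, and a union payload dereferenced as a pointer without checking the element type) are shown side by side below. This is an added illustration, not the reporter's patch and not BlueZ code: the `sdp_elem` struct, `NAME_LEN`, and the `copy_name_*` functions are assumptions made for the example, and the three records fed to `run_checks()` are constructed inline.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a parsed SDP data element: a type tag (dtd) plus a
 * union whose valid member depends on the tag. This is an assumption for the
 * example, not BlueZ's sdp_data_t; the tag values follow the SDP data element
 * type descriptor encoding (text string with 8-bit size, 32-bit unsigned int). */
enum sdp_dtd { SDP_TEXT_STR = 0x25, SDP_UINT32 = 0x0a };

struct sdp_elem {
    enum sdp_dtd dtd;
    union {
        const char *str;  /* meaningful only when dtd == SDP_TEXT_STR */
        uint32_t u32;     /* meaningful only when dtd == SDP_UINT32   */
    } val;
};

#define NAME_LEN 16  /* fixed-size destination, e.g. a service name field */

/* VULNERABLE pattern: the copy length comes from the record, not from the
 * destination, and the pointer member is used without checking dtd. With
 * rec_len > NAME_LEN this writes past dst; with a non-string element the
 * integer payload is dereferenced as a pointer. Kept for contrast only;
 * it is never called on the malformed records below. */
void copy_name_unsafe(char dst[NAME_LEN], const struct sdp_elem *e, size_t rec_len)
{
    strncpy(dst, e->val.str, rec_len);
}

/* HARDENED form: reject the element unless the tag says it is a string,
 * bound the copy by the destination, and NUL-terminate explicitly (strncpy
 * does not when the source fills the buffer). Returns 0 on success, -1 when
 * the element is rejected. Truncating instead of rejecting would also be
 * valid; rejection is the choice made for this example. */
int copy_name_safe(char dst[NAME_LEN], const struct sdp_elem *e, size_t rec_len)
{
    if (e == NULL || e->dtd != SDP_TEXT_STR || e->val.str == NULL)
        return -1;                     /* never treat an integer payload as a pointer */
    if (rec_len > NAME_LEN - 1)
        return -1;                     /* length field exceeds the destination */
    memcpy(dst, e->val.str, rec_len);  /* bounded by both rec_len and NAME_LEN */
    dst[rec_len] = '\0';
    return 0;
}

/* Runs the hardened copy over three constructed records and returns the
 * number of expected outcomes observed (3 when every case behaves). */
int run_checks(void)
{
    char dst[NAME_LEN];
    int ok = 0;

    /* 1. Well-formed string element: copied and NUL-terminated. */
    struct sdp_elem good = { SDP_TEXT_STR, { .str = "Keyboard" } };
    if (copy_name_safe(dst, &good, strlen("Keyboard")) == 0 && strcmp(dst, "Keyboard") == 0)
        ok++;

    /* 2. Length field larger than the destination (the strncpy overflow case). */
    struct sdp_elem oversized = { SDP_TEXT_STR,
        { .str = "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" } };
    if (copy_name_safe(dst, &oversized, 40) == -1)
        ok++;

    /* 3. Integer element where a string was expected: the unsafe version
     *    would dereference 0x41414141 as a char pointer. */
    struct sdp_elem wrong_type = { SDP_UINT32, { .u32 = 0x41414141u } };
    if (copy_name_safe(dst, &wrong_type, sizeof(uint32_t)) == -1)
        ok++;

    return ok;
}

int main(void)
{
    int passed = run_checks();
    printf("%d of 3 malformed-record checks behaved as expected\n", passed);
    return passed == 3 ? 0 : 1;
}
```

Compile with `cc -Wall -o sdp_check sdp_check.c && ./sdp_check`. The point of the hardened version is that every untrusted quantity from the record (the declared length and the type tag) is validated against something the parser owns (the destination size and the expected type) before any memory is read or written; the same shape applies to each SDP attribute a HID profile parser pulls out of a remote record.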
Test script for reproducing crash using an emulated BT dongle (requires /dev/vhci support). Usage instructions at https://github.com/lizardo/bluez-tests/blob/master/README.rst.