Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 630840 (CVE-2017-1000251) - kernel: RCE through L2CAP config requests/responses aka BlueBorne vulnerability (CVE-2017-1000251)
Summary: kernel: RCE through L2CAP config requests/responses aka BlueBorne vulnerabili...
Status: CONFIRMED
Alias: CVE-2017-1000251
Product: Gentoo Security
Classification: Unclassified
Component: Kernel (show other bugs)
Hardware: All Linux
: Normal critical (vote)
Assignee: Gentoo Kernel Security
URL: https://www.armis.com/blueborne/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-12 19:09 UTC by Thomas Deutschmann
Modified: 2017-09-17 12:40 UTC (History)
8 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann gentoo-dev Security 2017-09-12 19:09:09 UTC
From https://access.redhat.com/security/vulnerabilities/blueborne:

The Logical Link Control and Adaptation Layer Protocol (L2CAP) works at the data link layer in the Bluetooth stack. It provides services such as connection multiplexing, segmentation and reassembly of packets for upper layer protocols such as Bluetooth. It facilitates higher level protocols to transmit and receive L2CAP data packets to and from clients.

A stack buffer overflow issue was found in the way the Linux kernel's Bluetooth subsystem processed the pending configuration packets received from a client. As a result, a client could send arbitrary L2CAP configuration parameters which were stored in a stack buffer object. These parameters could exceed the buffer length, overwriting the adjacent kernel stack contents. This exchange occurs, prior to any authentication, when establishing a Bluetooth connection. An unauthenticated user, who is able to connect to a system via Bluetooth, could use this flaw to crash the system or potentially execute arbitrary code on the system, if the kernel stack protection feature (CONFIG_CC_STACKPROTECTOR=y) is not enabled.


Upstream fix: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3