
gatt_find_info_rsp integer underflow

Moderate
ceolin published GHSA-gmfv-4vfh-2mh8 Mar 29, 2024

Package

zephyr (zephyr)

Affected versions

<= 3.6

Patched versions

None

Description

Summary

The function gatt_find_info_rsp in subsys/bluetooth/host/gatt.c does not validate the length of the
ATT Find Information Response PDU before parsing it.
A malicious BLE device can crash a victim BLE device by sending a malformed GATT packet.

static void gatt_find_info_rsp(struct bt_conn *conn, uint8_t err,
			       const void *pdu, uint16_t length,
			       void *user_data)
{
	const struct bt_att_find_info_rsp *rsp = pdu;
	struct bt_gatt_discover_params *params = user_data;
	uint16_t handle = 0U;
	uint16_t len;
	union {
		const struct bt_att_info_16 *i16;
		const struct bt_att_info_128 *i128;
	} info;
	union {
		struct bt_uuid uuid;
		struct bt_uuid_16 u16;
		struct bt_uuid_128 u128;
	} u;
	int i;
	bool skip = false;
	...
	// (1) - Integer underflow occurs when length is 0
	length--;
	/* Check if there is at least one descriptor in the response */
	if (length < len) {
		goto done;
	}
	/* Parse descriptors found */
	for (i = length / len, pdu = rsp->info; i != 0;
	     i--, pdu = (const uint8_t *)pdu + len) {
		struct bt_gatt_attr attr;
		// (2) - pdu could be an invalid pointer
		info.i16 = pdu;
		handle = sys_le16_to_cpu(info.i16->handle);
		if (skip) {
			skip = false;
			continue;
		}
		switch (u.uuid.type) {
		case BT_UUID_TYPE_16:
			// (3) - Accessing an invalid pointer will result in a crash
			u.u16.val = sys_le16_to_cpu(info.i16->uuid);
			break;
		case BT_UUID_TYPE_128:
			memcpy(u.u128.val, info.i128->uuid, 16);
			break;
		}
		...
	}
	...
}
  • (1) - Integer underflow occurs when length is 0. The fourth argument, length, is the number of bytes in the received PDU and may be 0, so length-- wraps to 0xffff.
  • (2) - pdu could be an invalid pointer. The number of loop iterations is length / len, and each iteration advances pdu by len bytes. Because of (1) the iteration count is derived from 0xffff rather than from the bytes actually received, so pdu is advanced past the end of the PDU into memory the response does not own.
  • (3) - Accessing an invalid pointer will result in a crash. Once pdu points outside the PDU, reading info.i16->handle (at (2)) or info.i16->uuid (at (3)) through it dereferences an invalid address and crashes the device.
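The three steps above, exercised in code. This is an added example written for this page, not Zephyr's code and not the fix in #69396: the packed structs are local copies that mirror the layouts named in the advisory (bt_att_find_info_rsp, bt_att_info_16, bt_att_info_128), vulnerable_iteration_count reproduces only the arithmetic of the vulnerable loop so the wrapped count can be observed without touching memory, parse_find_info_rsp is one bounds-checked way to parse the same PDU, and kValid16 is a constructed sample response rather than captured traffic. One hardening choice is assumed here: a trailing partial entry is rejected instead of silently dropped.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ATT Find Information Response: a format byte followed by (handle, UUID)
 * pairs. Local copies of the layouts the advisory refers to; not Zephyr's
 * headers. */
#define BT_ATT_INFO_16  0x01U
#define BT_ATT_INFO_128 0x02U

struct __attribute__((packed)) bt_att_info_16  { uint16_t handle; uint16_t uuid; };
struct __attribute__((packed)) bt_att_info_128 { uint16_t handle; uint8_t uuid[16]; };
struct __attribute__((packed)) bt_att_find_info_rsp { uint8_t format; uint8_t info[]; };

/* Loop count the vulnerable code computes: `length--` in uint16_t
 * arithmetic, then `length / len`. No memory is read, so the underflow
 * can be observed safely. */
unsigned vulnerable_iteration_count(uint16_t length, uint16_t len)
{
	length--;                 /* (1): 0 wraps to 0xffff */
	if (length < len) {
		return 0;
	}
	return length / len;      /* (2): 0xffff / 4 == 16383 bogus entries */
}

struct descriptor {
	uint16_t handle;
	uint8_t  uuid_len;        /* 2 or 16 */
	uint8_t  uuid[16];        /* little-endian, as on the wire */
};

/* Bounds-checked replacement for the parsing step (assumed design, not the
 * upstream patch). Returns the number of descriptors parsed, or -1 for a
 * malformed PDU. Every read is preceded by a check against the bytes
 * actually received, and the remaining-length computation cannot wrap. */
int parse_find_info_rsp(const uint8_t *pdu, uint16_t length,
			struct descriptor *out, size_t max_out)
{
	const size_t hdr = offsetof(struct bt_att_find_info_rsp, info);
	const struct bt_att_find_info_rsp *rsp = (const void *)pdu;
	uint16_t len;
	uint8_t uuid_len;

	if (pdu == NULL || length < hdr) {
		return -1;        /* not even a format byte: closes (1) */
	}

	switch (rsp->format) {
	case BT_ATT_INFO_16:
		len = sizeof(struct bt_att_info_16);
		uuid_len = 2;
		break;
	case BT_ATT_INFO_128:
		len = sizeof(struct bt_att_info_128);
		uuid_len = 16;
		break;
	default:
		return -1;
	}

	uint16_t remaining = (uint16_t)(length - hdr);   /* hdr <= length: no wrap */
	if (remaining < len || remaining % len != 0) {
		return -1;        /* need >= 1 complete entry; partial entry rejected */
	}

	size_t n = remaining / len;
	if (n > max_out) {
		return -1;
	}

	const uint8_t *p = rsp->info;
	for (size_t i = 0; i < n; i++, p += len) {
		/* Every read stays inside the `remaining` bytes: closes (2) and (3) */
		out[i].handle   = (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
		out[i].uuid_len = uuid_len;
		memset(out[i].uuid, 0, sizeof(out[i].uuid));
		memcpy(out[i].uuid, p + 2, uuid_len);
	}
	return (int)n;
}

/* Constructed sample PDU (not captured traffic): format 0x01, then
 * handle 0x0001 / UUID 0x2900 and handle 0x0002 / UUID 0x2901. */
const uint8_t kValid16[] = { 0x01, 0x01, 0x00, 0x00, 0x29, 0x02, 0x00, 0x01, 0x29 };
const uint16_t kValid16Len = sizeof(kValid16);

int main(void)
{
	struct descriptor d[4];

	printf("length 0 -> vulnerable loop runs %u times\n",
	       vulnerable_iteration_count(0, sizeof(struct bt_att_info_16)));
	printf("length 0 -> hardened parser returns %d\n",
	       parse_find_info_rsp(kValid16, 0, d, 4));
	printf("valid PDU -> hardened parser returns %d\n",
	       parse_find_info_rsp(kValid16, kValid16Len, d, 4));
	return 0;
}
```

With length 0 and 16-bit entries the vulnerable arithmetic yields 16383 iterations, each advancing pdu 4 bytes beyond a response that contains no bytes at all; the hardened parser rejects the same input before touching rsp->info. Truncated PDUs (a format byte with no entry, or a partial trailing entry) are also rejected rather than parsed past their end.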

Functions susceptible to the same vulnerability:
In subsys/bluetooth/host/gatt.c, parse_include, parse_characteristic, parse_read_std_char_desc, parse_service and parse_read_by_uuid follow the same pattern (decrementing the PDU length before deriving a loop count from it) and may be vulnerable in the same way.

Patches

main: #69396

For more information

If you have any questions or comments about this advisory:

embargo: 2024-03-10

Credits

Reported by Wei Che Kao (Xiaobye), graduate student from National Yang Ming Chiao Tung University, Dept.
of CS, Security and Systems Lab.

Severity

Moderate
6.8 / 10

CVSS base metrics

Attack vector
Adjacent
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
High
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

CVE ID

CVE-2024-3077
