
bt: hci: DoS and possible RCE

High
ceolin published GHSA-j4qm-xgpf-qjw3 Nov 21, 2023

Package

zephyr

Affected versions

<= 3.4

Patched versions

None

Description

Summary

The function le_advertising_report in /subsys/bluetooth/controller/hci/hci.c does not validate the
advertising packet's length field before copying its data.
A malicious BLE device can cause a buffer overflow by sending a malformed advertising packet to a BLE device
running Zephyr OS, leading to DoS or potential RCE on the victim BLE device.

Details

The code that causes the buffer overflow is the function le_advertising_report in
/subsys/bluetooth/controller/hci/hci.c.
In the following excerpt, the lines that are the main causes of the buffer overflow are labeled
(1) and (2).

static void le_advertising_report(struct pdu_data *pdu_data,
                                  struct node_rx_pdu *node_rx,
                                  struct net_buf *buf)
{
    const uint8_t c_adv_type[] = { 0x00, 0x01, 0x03, 0xff, 0x04,
                                   0xff, 0x02 };
    struct bt_hci_evt_le_advertising_report *sep;
    struct pdu_adv *adv = (void *)pdu_data;
    struct bt_hci_evt_le_advertising_info *adv_info;
    uint8_t data_len;
    uint8_t info_len;
    int8_t rssi;
    ...  /* further locals, including int8_t *prssi, are elided */
    if (adv->type != PDU_ADV_TYPE_DIRECT_IND) {
        /* (1) - Integer overflow: adv->len is never checked against BDADDR_SIZE */
        data_len = (adv->len - BDADDR_SIZE);
    } else {
        data_len = 0U;
    }
    info_len = sizeof(struct bt_hci_evt_le_advertising_info) + data_len +
               sizeof(*prssi);
    sep = meta_evt(buf, BT_HCI_EVT_LE_ADVERTISING_REPORT,
                   sizeof(*sep) + info_len);
    ...
    adv_info = (void *)(((uint8_t *)sep) + sizeof(*sep));
    ...
    adv_info->length = data_len;
    /* (2) - Buffer overflow: data_len can exceed the space available in buf */
    memcpy(&adv_info->data[0], &adv->adv_ind.data[0], data_len);
    ...
}

(1) - Integer overflow
In the malformed packet, the value of adv->len is 1, while BDADDR_SIZE is equal to 6.
Since data_len has type uint8_t, the result of (adv->len - BDADDR_SIZE) wraps around to
251 and is stored in data_len. This is an integer overflow (unsigned wraparound); the value of adv->len should
be checked against BDADDR_SIZE before this line.

(2) - Buffer overflow
In this case, when I was debugging central_hr with gdb, I saw that the maximum size of buf is 45, so
copying 251 bytes into &adv_info->data[0] will definitely lead to a buffer overflow.

le_mesh_scan_report and le_ext_adv_legacy_report in /subsys/bluetooth/controller/hci/hci.c have the
same vulnerable code pattern as le_advertising_report. I also observed a buffer overflow occurring in
le_ext_adv_legacy_report, but it did not trigger a crash. The reason for this is that the overflowing data does
not overwrite data used by other functions.
Although these two functions did not trigger a crash during my tests, they should still be considered
vulnerabilities. Since the data layout depends on configuration, the buffer overflow may be triggered under certain
configurations.
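The wraparound at (1) and the length check that keeps the copy at (2) inside the report buffer, as an added example; this is not Zephyr's code or its patch, and it also covers the le_mesh_scan_report and le_ext_adv_legacy_report cases, which the advisory says share the same pattern. The structures, the constants BDADDR_SIZE, PDU_ADV_TYPE_DIRECT_IND and ADV_DATA_MAX, and the sample PDUs are simplified stand-ins constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins modelled on the advisory's description (assumed
 * values, not Zephyr's headers). */
#define BDADDR_SIZE 6U
#define PDU_ADV_TYPE_DIRECT_IND 1U
#define ADV_DATA_MAX 31U   /* assumed capacity of the report's data field */

/* Constructed on-air PDU: AdvA (6 bytes) followed by AdvData. */
struct adv_pdu {
    uint8_t type;
    uint8_t len;          /* length field taken from the radio, untrusted */
    uint8_t payload[64];
};

/* Constructed stand-in for bt_hci_evt_le_advertising_info. */
struct adv_report {
    uint8_t length;
    uint8_t data[ADV_DATA_MAX];
};

/* Same arithmetic as line (1) of the advisory: the uint8_t result wraps
 * around when len < BDADDR_SIZE instead of becoming negative. */
uint8_t data_len_unchecked(const struct adv_pdu *adv)
{
    uint8_t data_len;

    if (adv->type != PDU_ADV_TYPE_DIRECT_IND) {
        data_len = (adv->len - BDADDR_SIZE);
    } else {
        data_len = 0U;
    }
    return data_len;
}

/* Hardened variant (illustrative, not the project's patch): reject a len
 * shorter than the fixed AdvA header and a payload that would not fit the
 * destination, so the memcpy corresponding to line (2) cannot overrun it.
 * Returns the number of data bytes copied, or -1 for a malformed PDU. */
int adv_report_fill(struct adv_report *out, const struct adv_pdu *adv)
{
    uint8_t data_len;

    if (adv->type != PDU_ADV_TYPE_DIRECT_IND) {
        if (adv->len < BDADDR_SIZE) {
            return -1;                       /* shorter than AdvA alone */
        }
        data_len = adv->len - BDADDR_SIZE;
        if (data_len > sizeof(out->data)) {
            return -1;                       /* would overflow the report */
        }
    } else {
        data_len = 0U;
    }

    out->length = data_len;
    memcpy(out->data, &adv->payload[BDADDR_SIZE], data_len);
    return (int)data_len;
}

int main(void)
{
    /* Constructed malformed PDU: len = 1, as in the advisory's example. */
    struct adv_pdu malformed = { .type = 0U, .len = 1U };
    /* Constructed well-formed PDU: AdvA plus a 3-byte Flags AD structure. */
    struct adv_pdu wellformed = { .type = 0U, .len = (uint8_t)(BDADDR_SIZE + 3U),
                                  .payload = { 1, 2, 3, 4, 5, 6, 0x02, 0x01, 0x06 } };
    struct adv_report rep = { 0 };

    printf("unchecked data_len for len=1: %u\n", data_len_unchecked(&malformed));
    printf("checked fill, malformed PDU: %d\n", adv_report_fill(&rep, &malformed));
    printf("checked fill, well-formed PDU: %d bytes\n", adv_report_fill(&rep, &wellformed));
    return 0;
}
```

The check is deliberately placed on the raw len before the subtraction, because once the wrapped value is in a uint8_t there is no way to tell 251 apart from a legitimately long payload; the second check bounds data_len against the actual destination rather than against a protocol constant, so it holds regardless of how the report buffer is sized in a given configuration.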

Impact

A malicious BLE device can cause a buffer overflow by sending a malformed advertising packet to a BLE device
running Zephyr OS, leading to DoS or potential RCE on the victim BLE device.

Patches

main: #61651
2.7: #61694
3.3: #61695
3.4: #61696

For more information

If you have any questions or comments about this advisory:

Open an issue in zephyr
Email us at Zephyr-vulnerabilities
embargo: 2023-11-01

Credits

Reported by Wei Che Kao (Xiaobye), graduate student from National Yang Ming Chiao Tung University, Dept. of CS, Security and Systems Lab.

Severity

High
8.3
/ 10

CVSS base metrics

Attack vector: Adjacent
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: High
Availability: High
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

CVE ID

CVE-2023-4424
