Bugzilla – Bug 1013708
VUL-0: CVE-2016-9797: bluez,bluez-hcidump: buffer over-read in l2cap_dump()
Last modified: 2020-09-16 11:02:31 UTC
In BlueZ 5.42, a buffer over-read was observed in the "l2cap_dump" function in the "tools/parser/l2cap.c" source file. This issue can be triggered by processing a corrupted dump file and will result in an hcidump crash.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1401520
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9797
http://www.cvedetails.com/cve/CVE-2016-9797/
https://www.spinics.net/lists/linux-bluetooth/msg68892.html

Created attachment 704864: hcidump file that causes the issue
Only SLE-12* codestreams are affected. In SLE-11 the code in question does not exist yet.

QA reproducer: The attached dump file can be used to trigger the issue using the following command:

valgrind hcidump -a -r cve-9797.poc.dec

I was able to reproduce the issue on SLES-12-SP2. The program will not crash, but valgrind will print errors about invalid reads.
bugbot adjusting priority
(In reply to Matthias Gerstner from comment #2)
> Only SLE-12* codestreams are affected. In SLE-11 the code in question is not
> yet existing.

Would you please let me know which version is in SLE-11? Is it bluez-4.99 or bluez-4.22?

> QA reproducer: The attached dump file can be used to trigger the issue using
> the following command:
>
> valgrind hcidump -a -r cve-9797.poc.dec
>
> I was able to reproduce the issue on SLES-12-SP2. The program will not crash
> but valgrind will print errors about invalid reads.
(In reply to Al Cho from comment #4)
> Would you please let me know which version in SLE-11 ? is it bluez-4.99 or
> bluez-4.22?

We currently have three codestreams for SLE-11 with the following versions for bluez:

SUSE:SLE-11-SP1:Update/bluez/bluez.spec:Version: 4.51
SUSE:SLE-11-SP3:Update/bluez/bluez.spec:Version: 4.99
SUSE:SLE-11-SP4:Update/bluez/bluez.spec:Version: 4.99

Most of the current bugs regarding bluez affect the 'hcidump' tool, which is not contained in these versions of bluez. Instead there is a separate package bluez-hcidump that exists only for one codestream:

./SUSE:SLE-11-SP1:Update/bluez-hcidump/bluez-hcidump.spec:Version: 1.42
sr: 191318 (SLE-12)
sr: 191319 (SLE-12-SP2)
sr: 191321 (SLE-15)
SUSE-SU-2019:1339-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1013708,1013712,1013893,1015171,1015173
CVE References: CVE-2016-9797,CVE-2016-9798,CVE-2016-9802,CVE-2016-9917,CVE-2016-9918
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP4 (src): bluez-5.13-5.12.1
SUSE Linux Enterprise Workstation Extension 12-SP3 (src): bluez-5.13-5.12.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): bluez-5.13-5.12.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): bluez-5.13-5.12.1
SUSE Linux Enterprise Server 12-SP4 (src): bluez-5.13-5.12.1
SUSE Linux Enterprise Server 12-SP3 (src): bluez-5.13-5.12.1
SUSE Linux Enterprise Desktop 12-SP4 (src): bluez-5.13-5.12.1
SUSE Linux Enterprise Desktop 12-SP3 (src): bluez-5.13-5.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:1353-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1013708,1013712,1013893,1015171
CVE References: CVE-2016-9797,CVE-2016-9798,CVE-2016-9802,CVE-2016-9917
Sources used:
SUSE Linux Enterprise Workstation Extension 15 (src): bluez-5.48-5.16.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): bluez-5.48-5.16.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src): bluez-5.48-5.16.1
SUSE Linux Enterprise Module for Basesystem 15 (src): bluez-5.48-5.16.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:1476-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1013708,1013712,1013893,1015171
CVE References: CVE-2016-9797,CVE-2016-9798,CVE-2016-9802,CVE-2016-9917
Sources used:
openSUSE Leap 15.1 (src): bluez-5.48-lp151.8.3.1
openSUSE Leap 15.0 (src): bluez-5.48-lp150.4.13.1
This bug was not fixed by the update according to the output below:

Before:
-------
sles15:/work/bluez # valgrind hcidump -a -r cve-9797.poc.dec
==29462== Memcheck, a memory error detector
==29462== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==29462== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==29462== Command: hcidump -a -r cve-9797.poc.dec
==29462==
HCI sniffer - Bluetooth packet analyzer ver 5.48
==29462== Syscall param read(buf) points to unaddressable byte(s)
==29462==    at 0x4F23C61: read (in /lib64/libc-2.26.so)
==29462==    by 0x10F5AD: ??? (in /usr/bin/hcidump)
==29462==    by 0x10F32D: ??? (in /usr/bin/hcidump)
==29462==    by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so)
==29462==  Address 0x51f4abc is 0 bytes after a block of size 1,500 alloc'd
==29462==    at 0x4C2E01F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==29462==    by 0x10F0B8: ??? (in /usr/bin/hcidump)
==29462==    by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so)
==29462==
==29462==
==29462== HEAP SUMMARY:
==29462==     in use at exit: 17 bytes in 1 blocks
==29462==   total heap usage: 3 allocs, 2 frees, 2,541 bytes allocated
==29462==
==29462== LEAK SUMMARY:
==29462==    definitely lost: 0 bytes in 0 blocks
==29462==    indirectly lost: 0 bytes in 0 blocks
==29462==      possibly lost: 0 bytes in 0 blocks
==29462==    still reachable: 17 bytes in 1 blocks
==29462==         suppressed: 0 bytes in 0 blocks
==29462== Rerun with --leak-check=full to see details of leaked memory
==29462==
==29462== For counts of detected and suppressed errors, rerun with: -v
==29462== ERROR SUMMARY: 2 errors from 1 contexts (suppressed: 0 from 0)

After:
------
sles15:/work/bluez # valgrind hcidump -a -r cve-9797.poc.dec
==23716== Memcheck, a memory error detector
==23716== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==23716== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==23716== Command: hcidump -a -r cve-9797.poc.dec
==23716==
HCI sniffer - Bluetooth packet analyzer ver 5.48
==23716== Syscall param read(buf) points to unaddressable byte(s)
==23716==    at 0x4F23C61: read (in /lib64/libc-2.26.so)
==23716==    by 0x10F84D: ??? (in /usr/bin/hcidump)
==23716==    by 0x10F33D: ??? (in /usr/bin/hcidump)
==23716==    by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so)
==23716==  Address 0x51f4abc is 0 bytes after a block of size 1,500 alloc'd
==23716==    at 0x4C2E01F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==23716==    by 0x10F0C8: ??? (in /usr/bin/hcidump)
==23716==    by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so)
==23716==
==23716==
==23716== HEAP SUMMARY:
==23716==     in use at exit: 17 bytes in 1 blocks
==23716==   total heap usage: 3 allocs, 2 frees, 2,541 bytes allocated
==23716==
==23716== LEAK SUMMARY:
==23716==    definitely lost: 0 bytes in 0 blocks
==23716==    indirectly lost: 0 bytes in 0 blocks
==23716==      possibly lost: 0 bytes in 0 blocks
==23716==    still reachable: 17 bytes in 1 blocks
==23716==         suppressed: 0 bytes in 0 blocks
==23716== Rerun with --leak-check=full to see details of leaked memory
==23716==
==23716== For counts of detected and suppressed errors, rerun with: -v
==23716== ERROR SUMMARY: 2 errors from 1 contexts (suppressed: 0 from 0)
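The valgrind report above shows the shape of this bug class: while processing the corrupted dump, read() is asked to fill a 1,500-byte heap buffer beyond its end, because a length derived from untrusted file contents was never checked against the buffer. The following is an added example, not bluez or hcidump code, of a dump-record reader that validates the length field against both the buffer capacity and the bytes remaining in the file before copying anything; the 2-byte little-endian length header is a constructed layout for illustration, not the real hcidump file format.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed record layout for this example (NOT the real hcidump dump
 * format): a 2-byte little-endian payload length, then the payload. */
#define SNAP_LEN 1500   /* reader buffer; valgrind reported a 1,500-byte block above */

enum { REC_EOF = -1, REC_BAD_LEN = -2, REC_TRUNCATED = -3 };

struct dump_src {
    const uint8_t *data;   /* whole dump file held in memory */
    size_t len;
    size_t off;            /* read cursor */
};

/* Copies the next record's payload into buf (capacity SNAP_LEN).
 * Returns the payload length (>= 0), REC_EOF at a clean end of file, or
 * REC_BAD_LEN / REC_TRUNCATED for a corrupted record. The untrusted length
 * field is checked against the buffer capacity and against the bytes left in
 * the file before any copy; skipping either check is what lets a bad record
 * push the read past the buffer. */
int read_record(struct dump_src *s, uint8_t *buf)
{
    size_t plen;

    if (s->off == s->len)
        return REC_EOF;
    if (s->len - s->off < 2)
        return REC_TRUNCATED;              /* header itself is cut off */
    plen = s->data[s->off] | ((size_t)s->data[s->off + 1] << 8);
    s->off += 2;
    if (plen > SNAP_LEN)
        return REC_BAD_LEN;                /* would run past the 1500-byte buffer */
    if (plen > s->len - s->off)
        return REC_TRUNCATED;              /* file ends before the payload does */
    memcpy(buf, s->data + s->off, plen);
    s->off += plen;
    return (int)plen;
}

/* Walks a whole dump, counting well-formed records and stopping at the first
 * corrupted one; the stop reason is reported through *last_status. */
int scan_dump(const uint8_t *data, size_t len, int *last_status)
{
    struct dump_src s = { data, len, 0 };
    uint8_t buf[SNAP_LEN];
    int n = 0, rc;

    while ((rc = read_record(&s, buf)) >= 0)
        n++;
    *last_status = rc;
    return n;
}
```

A reader that stops with REC_BAD_LEN or REC_TRUNCATED on the corrupted file is the behaviour the valgrind run above should show after a real fix: no invalid-read errors, and a clean error summary.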
SUSE-SU-2019:1353-2: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1013708,1013712,1013893,1015171
CVE References: CVE-2016-9797,CVE-2016-9798,CVE-2016-9802,CVE-2016-9917
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP1 (src): bluez-5.48-5.16.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): bluez-5.48-5.16.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src): bluez-5.48-5.16.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): bluez-5.48-5.16.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done