Bugzilla – Bug 1013893
VUL-0: CVE-2016-9802: bluez: buffer over-read in l2cap_packet()
Last modified: 2022-09-16 13:40:56 UTC
In BlueZ 5.42, a buffer over-read was identified in "l2cap_packet" function in "monitor/packet.c" source file. This issue can be triggered by processing a corrupted dump file and will result in btmon crash. References: https://bugzilla.redhat.com/show_bug.cgi?id=1401541 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9802 http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9802.html http://www.cvedetails.com/cve/CVE-2016-9802/
Created attachment 705035 [details] dump file to reproduce the issue
The affected code is only contained in codestreams SUSE:SLE-12:Update, SUSE:SLE-12-SP2:Update. QA reproducer: I was NOT able to reproduce the issue using the attached dump file on SLES-12-SP2. The supposed command to reproduce is: btmon -r CVE-2016-9802 There is no visible crash or valgrind errors in my case. The original reporter used a bluez version compiled with '-fsanitize=address'.
bugbot adjusting priority
Not in regularly maintained products, closing
sorry, misread that. Please submit for SLE 12 SP2. Thank you
sr:182543 (SLE-15) sr:184226 (SLE12) sr:184227 (SLE12-SP2)
Has this been fixed on 12SP4? Is there a schedule?
(In reply to Deshun Wang from comment #10)
> Has this been fixed on 12SP4? Is there a schedule?

https://build.suse.de/request/show/184227 was already accepted. From Marcus (on http://bugzilla.suse.com/show_bug.cgi?id=1015173#c15): the update is in queue, will be released in the next days / 2 weeks.
SUSE-SU-2019:1339-1: An update that fixes 5 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1013708,1013712,1013893,1015171,1015173
CVE References: CVE-2016-9797,CVE-2016-9798,CVE-2016-9802,CVE-2016-9917,CVE-2016-9918
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP4 (src): bluez-5.13-5.12.1
SUSE Linux Enterprise Workstation Extension 12-SP3 (src): bluez-5.13-5.12.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): bluez-5.13-5.12.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): bluez-5.13-5.12.1
SUSE Linux Enterprise Server 12-SP4 (src): bluez-5.13-5.12.1
SUSE Linux Enterprise Server 12-SP3 (src): bluez-5.13-5.12.1
SUSE Linux Enterprise Desktop 12-SP4 (src): bluez-5.13-5.12.1
SUSE Linux Enterprise Desktop 12-SP3 (src): bluez-5.13-5.12.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:1353-1: An update that fixes four vulnerabilities is now available.
Category: security (moderate)
Bug References: 1013708,1013712,1013893,1015171
CVE References: CVE-2016-9797,CVE-2016-9798,CVE-2016-9802,CVE-2016-9917
Sources used:
SUSE Linux Enterprise Workstation Extension 15 (src): bluez-5.48-5.16.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): bluez-5.48-5.16.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src): bluez-5.48-5.16.1
SUSE Linux Enterprise Module for Basesystem 15 (src): bluez-5.48-5.16.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:1476-1: An update that fixes four vulnerabilities is now available.
Category: security (moderate)
Bug References: 1013708,1013712,1013893,1015171
CVE References: CVE-2016-9797,CVE-2016-9798,CVE-2016-9802,CVE-2016-9917
Sources used:
openSUSE Leap 15.1 (src): bluez-5.48-lp151.8.3.1
openSUSE Leap 15.0 (src): bluez-5.48-lp150.4.13.1
The bug was not fixed after applying the update:

Before:
-------
sles15:/work/bluez # valgrind hcidump -a -r CVE-2016-9802
==29791== Memcheck, a memory error detector
==29791== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==29791== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==29791== Command: hcidump -a -r CVE-2016-9802
==29791==
HCI sniffer - Bluetooth packet analyzer ver 5.48
packet logger data format
< HCI Command: Unknown (0x00|0x0003) plen 16
  . # . . . . . . . . . .
==29791== Syscall param read(buf) points to unaddressable byte(s)
==29791==    at 0x4F23C61: read (in /lib64/libc-2.26.so)
==29791==    by 0x10F5AD: ??? (in /usr/bin/hcidump)
==29791==    by 0x10F140: ??? (in /usr/bin/hcidump)
==29791==    by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so)
==29791==  Address 0x51f4aac is 0 bytes after a block of size 1,500 alloc'd
==29791==    at 0x4C2E01F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==29791==    by 0x10F0B8: ??? (in /usr/bin/hcidump)
==29791==    by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so)
==29791==
==29791==
==29791== HEAP SUMMARY:
==29791==     in use at exit: 14 bytes in 1 blocks
==29791==   total heap usage: 3 allocs, 2 frees, 2,538 bytes allocated
==29791==
==29791== LEAK SUMMARY:
==29791==    definitely lost: 0 bytes in 0 blocks
==29791==    indirectly lost: 0 bytes in 0 blocks
==29791==      possibly lost: 0 bytes in 0 blocks
==29791==    still reachable: 14 bytes in 1 blocks
==29791==         suppressed: 0 bytes in 0 blocks
==29791== Rerun with --leak-check=full to see details of leaked memory
==29791==
==29791== For counts of detected and suppressed errors, rerun with: -v
==29791== ERROR SUMMARY: 2 errors from 1 contexts (suppressed: 0 from 0)

After:
------
sles15:/work/bluez # valgrind hcidump -a -r CVE-2016-9802
==27822== Memcheck, a memory error detector
==27822== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==27822== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==27822== Command: hcidump -a -r CVE-2016-9802
==27822==
HCI sniffer - Bluetooth packet analyzer ver 5.48
packet logger data format
< HCI Command: Unknown (0x00|0x0003) plen 16
  . # . . . . . . . . . .
==27822== Syscall param read(buf) points to unaddressable byte(s)
==27822==    at 0x4F23C61: read (in /lib64/libc-2.26.so)
==27822==    by 0x10F84D: ??? (in /usr/bin/hcidump)
==27822==    by 0x10F150: ??? (in /usr/bin/hcidump)
==27822==    by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so)
==27822==  Address 0x51f4aac is 0 bytes after a block of size 1,500 alloc'd
==27822==    at 0x4C2E01F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==27822==    by 0x10F0C8: ??? (in /usr/bin/hcidump)
==27822==    by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so)
==27822==
==27822==
==27822== HEAP SUMMARY:
==27822==     in use at exit: 14 bytes in 1 blocks
==27822==   total heap usage: 3 allocs, 2 frees, 2,538 bytes allocated
==27822==
==27822== LEAK SUMMARY:
==27822==    definitely lost: 0 bytes in 0 blocks
==27822==    indirectly lost: 0 bytes in 0 blocks
==27822==      possibly lost: 0 bytes in 0 blocks
==27822==    still reachable: 14 bytes in 1 blocks
==27822==         suppressed: 0 bytes in 0 blocks
==27822== Rerun with --leak-check=full to see details of leaked memory
==27822==
==27822== For counts of detected and suppressed errors, rerun with: -v
==27822== ERROR SUMMARY: 2 errors from 1 contexts (suppressed: 0 from 0)
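The before/after comparison above is the check QA wants to automate when verifying an update against the reproducer. The following added example (not part of the bug report or of BlueZ) parses Memcheck output in the layout quoted in this thread, extracts the error kind, the heap over-read detail and the ERROR SUMMARY count, and decides whether the reproducer is fixed; the sample outputs are constructed and the line layout is assumed to match real valgrind runs.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the valgrind run quoted in the thread
# (assumption: real runs keep this line layout; the PIDs are made up).
BEFORE = """\
==29791== Memcheck, a memory error detector
==29791== Command: hcidump -a -r CVE-2016-9802
==29791==
HCI sniffer - Bluetooth packet analyzer ver 5.48
==29791== Syscall param read(buf) points to unaddressable byte(s)
==29791==    at 0x4F23C61: read (in /lib64/libc-2.26.so)
==29791==  Address 0x51f4aac is 0 bytes after a block of size 1,500 alloc'd
==29791==    at 0x4C2E01F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==29791==
==29791== ERROR SUMMARY: 2 errors from 1 contexts (suppressed: 0 from 0)
"""

# Constructed output of a clean run, i.e. what a working fix should produce.
FIXED = """\
==30001== Memcheck, a memory error detector
==30001== Command: hcidump -a -r CVE-2016-9802
==30001==
==30001== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
"""

@dataclass
class MemcheckReport:
    errors: int
    contexts: int
    kinds: list = field(default_factory=list)  # human-readable error descriptions

_PREFIX = re.compile(r"^==\d+==\s?")          # "==PID== " marker on valgrind lines
_SUMMARY = re.compile(r"ERROR SUMMARY: (\d+) errors from (\d+) contexts")
_OVERREAD = re.compile(r"is (\d+) bytes after a block of size ([\d,]+) alloc'd")

def parse_memcheck(text):
    """Pull the error kinds and the final ERROR SUMMARY out of Memcheck output."""
    report = MemcheckReport(errors=0, contexts=0)
    for raw in text.splitlines():
        line = _PREFIX.sub("", raw).strip()   # program output lines pass through unchanged
        if not line:
            continue
        if (m := _SUMMARY.search(line)):
            report.errors, report.contexts = int(m.group(1)), int(m.group(2))
        elif line.startswith(("Syscall param", "Invalid read", "Invalid write")):
            report.kinds.append(line)
        elif (m := _OVERREAD.search(line)):
            report.kinds.append(f"heap over-read {m.group(1)} bytes past {m.group(2)}-byte block")
    return report

def reproducer_fixed(before, after):
    """True only if the reproducer failed before and is clean after the update."""
    b, a = parse_memcheck(before), parse_memcheck(after)
    return b.errors > 0 and a.errors == 0
```

Feeding the same output as both runs, as happened in the comment above, yields False, which is the signal to reopen the bug.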
SUSE-SU-2019:1353-2: An update that fixes four vulnerabilities is now available.
Category: security (moderate)
Bug References: 1013708,1013712,1013893,1015171
CVE References: CVE-2016-9797,CVE-2016-9798,CVE-2016-9802,CVE-2016-9917
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP1 (src): bluez-5.48-5.16.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): bluez-5.48-5.16.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src): bluez-5.48-5.16.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): bluez-5.48-5.16.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done, closing.