Bug 1192394 (CVE-2021-43400) - VUL-0: CVE-2021-43400: bluez: use-after-free in gatt-database.c
Summary: VUL-0: CVE-2021-43400: bluez: use-after-free in gatt-database.c
Status: RESOLVED FIXED
Alias: CVE-2021-43400
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/314278/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-43400:4.8:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2021-11-05 15:29 UTC by Thomas Leroy
Modified: 2022-11-15 14:32 UTC (History)
6 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Thomas Leroy 2021-11-09 13:15:02 UTC
The bug was introduced by commit [0], present from version 5.40 to version 5.61 (included).
 
This commit introduces a `struct btd_device *device;` in `struct pending_op` in the gatt-database.c file. The device pointer is the same for every pending operations. 
In the `write_setup_cb` function, there is a window where op->device can be freed by calling `pending_op_free`, which is done when a user disconnects. Consequently, the op->device dereferenced in `append_options` can point to a freed memory chunk, potentially containing sensitive data, which is then inserted into an internal dictionary. This is problematic if a user manages to read every value in the dictionary after having won the race condition.

This issue is fixed by [1] in version 5.62.

Affected codestreams are:
- SUSE:SLE-15:Update
- SUSE:SLE-15-SP2:Update
- SUSE:SLE-15-SP3:Update


[0] https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=93b64d9ca8a2bb663e37904d4b2c702c58a36e4f

[1] https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=838c0dc7641e1c991c0f3027bf94bee4606012f8
Comment 11 Swamp Workflow Management 2022-10-21 16:25:01 UTC
SUSE-SU-2022:3687-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1186463,1188859,1192394,1193227,1193237
CVE References: CVE-2019-8921,CVE-2019-8922,CVE-2020-26558,CVE-2021-0129,CVE-2021-3658,CVE-2021-43400
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    bluez-5.48-150000.5.41.1
SUSE Linux Enterprise Server for SAP 15 (src):    bluez-5.48-150000.5.41.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    bluez-5.48-150000.5.41.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    bluez-5.48-150000.5.41.1
SUSE Linux Enterprise Server 15-LTSS (src):    bluez-5.48-150000.5.41.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    bluez-5.48-150000.5.41.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    bluez-5.48-150000.5.41.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    bluez-5.48-150000.5.41.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    bluez-5.48-150000.5.41.1
SUSE Enterprise Storage 6 (src):    bluez-5.48-150000.5.41.1
SUSE CaaS Platform 4.0 (src):    bluez-5.48-150000.5.41.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2022-10-21 16:27:51 UTC
SUSE-SU-2022:3691-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1186463,1188859,1192394,1193227,1193237
CVE References: CVE-2019-8921,CVE-2019-8922,CVE-2020-26558,CVE-2021-0129,CVE-2021-3658,CVE-2021-43400
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    bluez-5.48-150200.13.17.1
SUSE Manager Retail Branch Server 4.1 (src):    bluez-5.48-150200.13.17.1
SUSE Manager Proxy 4.1 (src):    bluez-5.48-150200.13.17.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    bluez-5.48-150200.13.17.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    bluez-5.48-150200.13.17.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    bluez-5.48-150200.13.17.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    bluez-5.48-150200.13.17.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    bluez-5.48-150200.13.17.1
SUSE Enterprise Storage 7 (src):    bluez-5.48-150200.13.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2022-11-15 14:32:25 UTC
SUSE-SU-2022:3981-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1188859,1192394
CVE References: CVE-2021-3658,CVE-2021-43400
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    bluez-5.55-150300.3.14.1
SUSE Linux Enterprise Workstation Extension 15-SP3 (src):    bluez-5.55-150300.3.14.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src):    bluez-5.55-150300.3.14.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    bluez-5.55-150300.3.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.