Linux Kernel Bluetooth Management Stack-Out-Of-Bounds Vulnerability in Mesh Synchronization

Vulnerability

A stack-out-of-bounds vulnerability has been identified in the Linux kernel's Bluetooth management component, specifically within the mesh synchronization functions. This issue arises from a memory copy operation that improperly handles a flexible array, leading to a potential crash. Additionally, a related crash occurs in the 'set_mesh_complete' function due to a double list removal operation. The vulnerability affects the Linux kernel stable tree.
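
The bug class described above, shown as an added user-space example rather than the kernel's own code or its actual fix: a command with a flexible array is copied into fixed-size storage only after its length has been validated. The names mesh_cmd, mesh_cmd_buf, mesh_cmd_copy and MAX_TYPES, the field layout and the sample bytes are assumptions made for illustration.

```c
/* User-space model of the bug class; names and sizes are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_TYPES 16              /* assumed capacity of the local copy */

struct mesh_cmd {                 /* fixed header + flexible array */
    uint8_t enable;
    uint8_t num_types;
    uint8_t types[];              /* element count chosen by the sender */
};

union mesh_cmd_buf {              /* fixed storage: header + MAX_TYPES */
    struct mesh_cmd cmd;
    uint8_t raw[sizeof(struct mesh_cmd) + MAX_TYPES];
};

/*
 * Copy a received command into fixed storage. The unsafe form is a bare
 * memcpy(dst, param, len): len is sender-controlled, so an oversized
 * command writes past the end of the destination object.
 */
int mesh_cmd_copy(union mesh_cmd_buf *dst, const void *param, size_t len)
{
    const uint8_t *p = param;

    if (len < sizeof(struct mesh_cmd))
        return -EINVAL;           /* truncated header */
    if (len > sizeof(dst->raw))
        return -EINVAL;           /* would overflow dst */
    if (p[offsetof(struct mesh_cmd, num_types)] != len - sizeof(struct mesh_cmd))
        return -EINVAL;           /* declared count disagrees with length */

    memset(dst, 0, sizeof(*dst));
    memcpy(dst->raw, p, len);
    return 0;
}

int main(void)
{
    uint8_t msg[] = {1, 3, 0x29, 0x2a, 0x2b};   /* constructed sample */
    union mesh_cmd_buf buf;

    printf("valid: %d\n", mesh_cmd_copy(&buf, msg, sizeof(msg)));
    printf("short: %d\n", mesh_cmd_copy(&buf, msg, 1));
    return 0;
}
```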

Impact

Exploitation of this vulnerability causes a stack-out-of-bounds error, which can lead to a crash or potentially allow for arbitrary memory manipulation.

Reproduction

The vulnerability can be reproduced by invoking the Bluetooth management operations 'set_mesh_sync' and 'set_mesh_complete' with improperly formatted data that includes a flexible array. This can be done by sending a management command that exceeds the expected boundaries of the array, triggering the stack-out-of-bounds condition.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for downloading the patched version are available on the official Linux kernel website.

Added: Nov 24, 2025, 4:25 PM
Updated: Nov 24, 2025, 4:25 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 1.1
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.