Zephyr
cpe:2.3:a:zephyrproject:zephyr:*:*:*:*:*:*:*, +1 more
- <= 4.2
An out-of-bounds write has been identified in the Bluetooth Mesh provisioning code of the Zephyr project, affecting versions through 4.2. The issue is in the 'gen_prov_start' function of 'pb_adv.c', which handles the PB-ADV Transaction Start PDU: the received data is copied into the 'link.rx.buf' receiver buffer using its full length, without first checking that length against the buffer's capacity. A crafted provisioning packet can therefore write past the end of the buffer.
Exploitation causes an out-of-bounds write that may lead to arbitrary code execution. This is especially severe on Zephyr targets because the embedded devices it runs on commonly lack the memory protection found on general-purpose systems; on devices that do have some form of memory protection, the same write can still crash the device and cause a denial of service. PB-ADV runs over Bluetooth advertising, so the vulnerable path is reachable from any sender within radio range of a device that is provisioning over that bearer, with no prior network membership.
The fix adds validation to 'gen_prov_start' so that a Transaction Start PDU whose payload length ('buf->len') exceeds the size of the receiver buffer is rejected instead of copied. Patches are available for the main branch and for versions 4.1 and 4.2; users should move to a build that includes them.
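The following is an added model of the length handling described above, written for this page; it is not Zephyr's own pb_adv.c. The 'rx_buf' struct mirrors the data/len/size shape of Zephyr's 'net_buf_simple', but the buffer size (64 bytes), the function names, the error codes and the two sample PDUs are assumptions, and the oversized Start packet is constructed purely to make the overrun observable. The vulnerable variant bounds only the announced TotalLength; the hardened variant also bounds the segment actually carried in the packet, and additionally rejects a segment longer than the announced total (an extra check beyond what the advisory text states).

```c
/* Model of the PB-ADV Transaction Start length handling described on this
 * page, written for this page; it is not Zephyr's pb_adv.c. rx_buf mirrors
 * the data/len/size shape of net_buf_simple; buffer size, function names and
 * the sample PDUs are assumptions.  Build: cc -std=c11 -Wall pb_adv_model.c */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

struct rx_buf {
    uint8_t  *data;   /* reassembly area (link.rx.buf->data in Zephyr) */
    uint16_t  len;    /* TotalLength announced by the Start PDU */
    uint16_t  size;   /* capacity of data[] */
};

enum prov_rc { PROV_OK = 0, PROV_ERR_NVAL_FMT = 1, PROV_ERR_SHORT = 2 };

/* Transaction Start PDU layout: [0] GPC (SegN<<2 | GPCF=0b00),
 * [1..2] TotalLength big endian, [3] FCS, [4..] first segment. */
#define START_HDR_LEN 4u

/* Vulnerable shape: TotalLength is bounded by the buffer, but the segment
 * actually carried in this packet (seg_len) is copied without any bound. */
enum prov_rc gen_prov_start_vulnerable(struct rx_buf *rx, const uint8_t *pdu, size_t pdu_len)
{
    if (pdu_len < START_HDR_LEN) return PROV_ERR_SHORT;
    uint16_t total_len = (uint16_t)((pdu[1] << 8) | pdu[2]);
    size_t seg_len = pdu_len - START_HDR_LEN;

    if (total_len < 1 || total_len > rx->size) return PROV_ERR_NVAL_FMT;
    rx->len = total_len;
    memcpy(rx->data, pdu + START_HDR_LEN, seg_len); /* seg_len may exceed rx->size */
    return PROV_OK;
}

/* Hardened shape: the segment must also fit the buffer and the announced total. */
enum prov_rc gen_prov_start_fixed(struct rx_buf *rx, const uint8_t *pdu, size_t pdu_len)
{
    if (pdu_len < START_HDR_LEN) return PROV_ERR_SHORT;
    uint16_t total_len = (uint16_t)((pdu[1] << 8) | pdu[2]);
    size_t seg_len = pdu_len - START_HDR_LEN;

    if (total_len < 1 || total_len > rx->size) return PROV_ERR_NVAL_FMT;
    if (seg_len > rx->size || seg_len > total_len) return PROV_ERR_NVAL_FMT; /* added bound */
    rx->len = total_len;
    memcpy(rx->data, pdu + START_HDR_LEN, seg_len);
    return PROV_OK;
}

/* Test rig: a 64-byte receiver buffer followed, in the same allocation, by a
 * canary region, so an overrun is observable without undefined behaviour. */
#define RX_SIZE     64u
#define CANARY_LEN  16u
#define CANARY_BYTE 0xC5

struct demo_result { enum prov_rc rc; int canary_intact; };

typedef enum prov_rc (*start_handler)(struct rx_buf *, const uint8_t *, size_t);

struct demo_result run_start(start_handler handler, const uint8_t *pdu, size_t pdu_len)
{
    uint8_t storage[RX_SIZE + CANARY_LEN];
    memset(storage, 0, RX_SIZE);
    memset(storage + RX_SIZE, CANARY_BYTE, CANARY_LEN);
    struct rx_buf rx = { .data = storage, .len = 0, .size = RX_SIZE };

    struct demo_result r = { handler(&rx, pdu, pdu_len), 1 };
    for (size_t i = 0; i < CANARY_LEN; i++) {
        if (storage[RX_SIZE + i] != CANARY_BYTE) r.canary_intact = 0;
    }
    return r;
}

/* Constructed PDUs (not captured traffic). */
static const uint8_t benign_pdu[] = {
    0x00, 0x00, 0x05, 0x00,       /* Start, TotalLength 5, FCS */
    0x00, 0x01, 0x02, 0x03, 0x04  /* a 5-byte Provisioning PDU */
};
/* TotalLength 16 passes the size check, yet the packet carries a 72-byte
 * first segment: 8 bytes more than the 64-byte buffer. */
static uint8_t malicious_pdu[START_HDR_LEN + RX_SIZE + 8];

static size_t build_malicious(void)
{
    malicious_pdu[0] = 0x00; malicious_pdu[1] = 0x00;
    malicious_pdu[2] = 0x10; malicious_pdu[3] = 0x00;
    memset(malicious_pdu + START_HDR_LEN, 0x41, sizeof(malicious_pdu) - START_HDR_LEN);
    return sizeof(malicious_pdu);
}

/* malicious != 0 feeds the oversized Start PDU, otherwise the benign one. */
struct demo_result demo(start_handler handler, int malicious)
{
    if (malicious) return run_start(handler, malicious_pdu, build_malicious());
    return run_start(handler, benign_pdu, sizeof(benign_pdu));
}

int main(void)
{
    struct demo_result v = demo(gen_prov_start_vulnerable, 1);
    struct demo_result f = demo(gen_prov_start_fixed, 1);
    printf("vulnerable: rc=%d canary_intact=%d\n", v.rc, v.canary_intact);
    printf("fixed:      rc=%d canary_intact=%d\n", f.rc, f.canary_intact);
    return 0;
}
```

Running the model, the vulnerable handler accepts the oversized packet (TotalLength 16 is within the 64-byte buffer) and clobbers the canary behind the buffer, while the hardened handler rejects it with PROV_ERR_NVAL_FMT and leaves the canary intact; both accept the benign packet. On a real target the bytes behind the buffer are whatever the linker placed there, which is why the page rates this as potential code execution rather than only a crash.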