Linux Kernel Bluetooth L2CAP Information Response Payload Length Validation Vulnerability

Vulnerability

A vulnerability in the Linux kernel's Bluetooth L2CAP implementation allows out-of-bounds reads because the L2CAP_INFO_RSP payload length is not properly validated. The issue is in the l2cap_information_rsp() function, which processes the response without first ensuring that the payload is complete. A truncated L2CAP_INFO_RSP with a specific result causes the function to read data adjacent to the received payload, and this can potentially lead to memory corruption.

Impact

Exploitation of this vulnerability can result in out-of-bounds memory reads, which may lead to information disclosure or memory corruption.

Reproduction

To reproduce this vulnerability, send a malformed L2CAP_INFO_RSP response that is truncated and has the result set to L2CAP_IR_SUCCESS. This will trigger the out-of-bounds read by the l2cap_information_rsp() function, as it will attempt to access payload data that is not present.

Remediation

The vulnerability has been addressed by adding proper payload length checks before accessing the L2CAP_INFO_RSP data. Users should upgrade to the latest version of the Linux kernel where this fix has been applied.
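The kind of check the remediation describes, as an added user-space example (not the kernel's code and not taken from the patch). The parser, struct info_rsp and INFO_RSP_HDR_LEN are hypothetical names; the information types and the result code are the Bluetooth Core specification values, and the example assumes a 4-octet feature mask and reads only the first octet of the fixed-channel data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values from the Bluetooth Core specification. */
#define L2CAP_IT_FEAT_MASK  0x0002
#define L2CAP_IT_FIXED_CHAN 0x0003
#define L2CAP_IR_SUCCESS    0x0000
#define INFO_RSP_HDR_LEN    4  /* hypothetical name: type (le16) + result (le16) */

struct info_rsp {              /* hypothetical parsed form */
    uint16_t type, result;
    uint32_t feat_mask;        /* set for FEAT_MASK with a success result */
    uint8_t  fixed_chan;       /* first octet of the fixed-channel data */
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Returns 0 if parsed, -1 if the payload is shorter than the fields that
 * the (type, result) pair says must be present. Nothing past len is read. */
int parse_info_rsp(const uint8_t *buf, size_t len, struct info_rsp *out)
{
    if (len < INFO_RSP_HDR_LEN)
        return -1;
    out->type = le16(buf);
    out->result = le16(buf + 2);
    out->feat_mask = 0; out->fixed_chan = 0;
    if (out->result != L2CAP_IR_SUCCESS)
        return 0;              /* no data expected, so none is touched */
    const uint8_t *data = buf + INFO_RSP_HDR_LEN;
    size_t data_len = len - INFO_RSP_HDR_LEN;
    switch (out->type) {
    case L2CAP_IT_FEAT_MASK:
        if (data_len < 4) return -1;   /* truncated: reject before reading */
        out->feat_mask = le16(data) | (uint32_t)le16(data + 2) << 16;
        break;
    case L2CAP_IT_FIXED_CHAN:
        if (data_len < 1) return -1;
        out->fixed_chan = data[0];
        break;
    }
    return 0;
}

int main(void) {
    /* Constructed sample: complete feature-mask response; then cut to 5 octets. */
    const uint8_t ok[] = {0x02, 0x00, 0x00, 0x00, 0xb8, 0x02, 0x00, 0x00};
    struct info_rsp r;
    printf("complete=%d truncated=%d\n", parse_info_rsp(ok, sizeof ok, &r), parse_info_rsp(ok, 5, &r));
    return 0;
}
```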

Added: Apr 3, 2026, 4:32 PM
Updated: Apr 3, 2026, 4:32 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 5.7
remediation: 7.7
relevance: 5.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.