Linux Kernel Bluetooth L2CAP PDU Length Validation Vulnerability

Vulnerability

A vulnerability in the Linux kernel's Bluetooth implementation, specifically within the L2CAP (Logical Link Control and Adaptation Protocol) layer, has been addressed. The issue arose because the function 'l2cap_ecred_data_rcv()' read the SDU (Service Data Unit) length from the packet data without first checking if the packet contained the required minimum length. This oversight allowed the function to read past the end of the valid data, potentially leading to memory corruption. The vulnerability was present in several versions of the Linux kernel.
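The check described above, shown as an added example: this is a userspace model written for this page, not the kernel's code or its patch. The `struct pdu` type, the `first_pdu_parse()` helper, the error codes and the `max_sdu` limit are hypothetical names; the only protocol fact assumed is that the SDU length field is 2 octets, little-endian.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SDULEN_SIZE 2 /* SDU length field: 2 octets, little-endian */

/* Hypothetical userspace stand-in for a received PDU buffer (not kernel code). */
struct pdu {
    const uint8_t *data;
    size_t len; /* octets actually received */
};

enum { RX_OK = 0, RX_ERR_SHORT = -1, RX_ERR_OVERSIZE = -2 };

/* Parse the first PDU of an SDU: read the announced SDU length and return the
 * payload that follows it. max_sdu is this model's receive limit (assumption). */
static int first_pdu_parse(const struct pdu *p, uint16_t max_sdu,
                           uint16_t *sdu_len, struct pdu *frag)
{
    /* Minimum-length check: without it the two byte reads below would run
     * past data + len whenever fewer than SDULEN_SIZE octets arrived. */
    if (p->len < SDULEN_SIZE)
        return RX_ERR_SHORT;

    uint16_t announced = (uint16_t)(p->data[0] | (p->data[1] << 8));

    /* Consistency checks chosen for this model (assumptions): the announced
     * length must fit the limit, and the fragment must not exceed it. */
    if (announced > max_sdu || p->len - SDULEN_SIZE > announced)
        return RX_ERR_OVERSIZE;

    *sdu_len = announced;
    frag->data = p->data + SDULEN_SIZE;
    frag->len = p->len - SDULEN_SIZE;
    return RX_OK;
}

int main(void)
{
    /* Constructed samples: a 1-octet PDU and a well-formed 3-octet SDU. */
    const uint8_t truncated[] = { 0x05 };
    const uint8_t valid[] = { 0x03, 0x00, 'a', 'b', 'c' };
    struct pdu in[] = { { truncated, sizeof truncated }, { valid, sizeof valid } };
    uint16_t sdu_len = 0;
    struct pdu frag = { NULL, 0 };

    for (size_t i = 0; i < 2; i++)
        printf("pdu %zu -> %d\n", i, first_pdu_parse(&in[i], 64, &sdu_len, &frag));
    return 0;
}
```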

Impact

Exploitation of this vulnerability could lead to memory corruption: the function reads data beyond the valid bounds of a packet, and a crafted packet could use this to cause unintended behavior in the application or system.

Reproduction

The vulnerability can be reproduced by sending a Bluetooth packet to a device running an affected version of the Linux kernel that uses the Enhanced Credit Based Flow Control data path. The packet must be crafted to have a length less than the required minimum, causing the 'l2cap_ecred_data_rcv()' function to read past the valid data.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.

Added: Apr 22, 2026, 2:48 PM
Updated: Apr 22, 2026, 2:48 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 5.7
remediation: 7.7
relevance: 6.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.