Linux Kernel Bluetooth L2CAP Stack-Out-Of-Bounds Read Vulnerability

Vulnerability

A stack-out-of-bounds read vulnerability has been identified in the Linux kernel's Bluetooth L2CAP implementation. The issue is in the 'l2cap_ecred_conn_req' function, which handles Enhanced Credit Based Connection Requests (L2CAP_ECRED_CONN_REQ) on the LE signalling channel. The function builds its response in a local stack PDU sized for the response header plus at most five channel IDs (L2CAP_ECRED_MAX_CID), 18 bytes in total. A request is variable length: an 8-byte header followed by one Source Channel ID (SCID) per channel, so the number of SCIDs is derived from the attacker-controlled command length. If a remote peer sends a request carrying more than five SCIDs, the function computes the response length from that unvalidated count rather than from the size of the stack PDU, so the send routine reads past the end of the 18-byte buffer. The flaw was reported by syzbot and is triggered by a single malformed connection request that exceeds the SCID limit.

Impact

On a kernel built with KASAN (Kernel Address Sanitizer), the over-read produces a KASAN stack-out-of-bounds report in 'l2cap_ecred_conn_req', which becomes a panic when panic_on_warn is set. On a production kernel without KASAN there is no sanitizer to stop the read: the bytes beyond the 18-byte PDU are taken from adjacent kernel stack memory and transmitted back to the peer in the response. The realistic impact is therefore disclosure of kernel stack contents (which can include kernel pointers useful for defeating KASLR) to any peer able to establish an LE connection with the device, plus denial of service on hardened builds. An out-of-bounds read on its own does not give the attacker a write primitive, so arbitrary code execution would require chaining it with a separate bug.

Reproduction

The vulnerability can be reproduced by sending an Enhanced Credit Based Connection Request with more than five Source Channel IDs to a device running an affected kernel, over an LE connection with the target. Six SCIDs is enough: the command then carries 8 + 6 * 2 = 20 bytes, two more than the response PDU can hold. The 'l2cap_ecred_conn_req' function processes the request and computes a response length that exceeds its stack buffer; on a KASAN kernel this shows up as a stack-out-of-bounds read report naming that function.
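The length arithmetic described in the Vulnerability and Reproduction sections, as an added C model that is not the kernel's code: it mirrors the wire layout of the request and the 18-byte stack PDU, builds a constructed request with a chosen number of SCIDs, and shows how many bytes a handler that derives its send length from the unvalidated count would read past the buffer. The hardened variant is one way to fix the pattern (reject oversize requests with a header-only response) and is not necessarily the upstream patch. The PSM, MTU, channel ID values and the numeric value of the INVALID_PARAMS result code are assumptions for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Modelled on include/net/bluetooth/l2cap.h: at most five channels per ECRED
 * request. The numeric value of the INVALID_PARAMS result is an assumption. */
#define ECRED_MAX_CID        5
#define CR_LE_SUCCESS        0x0000
#define CR_LE_INVALID_PARAMS 0x000C

/* Enhanced Credit Based Connection Request: 8-byte header + N Source CIDs. */
struct ecred_conn_req {
    uint16_t psm, mtu, mps, credits;
    uint16_t scid[];
} __attribute__((packed));

/* Response header (8 bytes); the allocated DCIDs follow it on the wire. */
struct ecred_conn_rsp {
    uint16_t mtu, mps, credits, result;
} __attribute__((packed));

/* The handler's stack PDU: 8-byte header + five channel IDs = 18 bytes. */
struct ecred_rsp_pdu {
    struct ecred_conn_rsp rsp;
    uint16_t dcid[ECRED_MAX_CID];
} __attribute__((packed));

/* Constructed request with n_scid channel IDs; returns the command length
 * (cmd->len) the receiving kernel would see, 0 if it does not fit in buf. */
static size_t build_request(uint8_t *buf, size_t cap, unsigned n_scid)
{
    size_t len = sizeof(struct ecred_conn_req) + n_scid * sizeof(uint16_t);
    struct ecred_conn_req *req = (struct ecred_conn_req *)buf;
    unsigned i;

    if (len > cap)
        return 0;
    memset(buf, 0, len);
    req->psm = 0x0080;      /* assumed values, not taken from the report */
    req->mtu = 0x00F0;
    req->mps = 0x00F0;
    req->credits = 1;
    for (i = 0; i < n_scid; i++)
        req->scid[i] = (uint16_t)(0x0040 + i);
    return len;
}

/* Vulnerable shape: the send length follows the attacker-supplied SCID count,
 * not the PDU size. Returns that length; *overread receives how many of those
 * bytes lie beyond the 18-byte PDU. No memory is actually read out of bounds. */
static size_t vulnerable_rsp_len(size_t cmd_len, size_t *overread)
{
    struct ecred_rsp_pdu pdu;
    size_t num_scid, rsp_len;

    if (cmd_len < sizeof(struct ecred_conn_req))
        return 0;
    num_scid = (cmd_len - sizeof(struct ecred_conn_req)) / sizeof(uint16_t);
    memset(&pdu, 0, sizeof(pdu));
    /* BUG: num_scid is never bounded by ECRED_MAX_CID before this line. */
    rsp_len = sizeof(pdu.rsp) + num_scid * sizeof(uint16_t);
    *overread = rsp_len > sizeof(pdu) ? rsp_len - sizeof(pdu) : 0;
    return rsp_len;
}

/* Hardened shape (one possible fix, not the upstream one): validate the count
 * first and answer oversize requests with the header only, so the send length
 * can never exceed sizeof(pdu). Returns 0 for a malformed (odd-length) body. */
static size_t hardened_rsp_len(size_t cmd_len, uint16_t *result)
{
    struct ecred_rsp_pdu pdu;
    size_t num_scid, i;

    if (cmd_len < sizeof(struct ecred_conn_req) ||
        (cmd_len - sizeof(struct ecred_conn_req)) % sizeof(uint16_t) != 0)
        return 0;
    num_scid = (cmd_len - sizeof(struct ecred_conn_req)) / sizeof(uint16_t);
    memset(&pdu, 0, sizeof(pdu));
    if (num_scid > ECRED_MAX_CID) {
        pdu.rsp.result = CR_LE_INVALID_PARAMS;
        *result = pdu.rsp.result;
        return sizeof(pdu.rsp);                 /* 8 bytes, no DCIDs */
    }
    for (i = 0; i < num_scid; i++)
        pdu.dcid[i] = (uint16_t)(0x0040 + i);   /* stand-in for allocated CIDs */
    pdu.rsp.result = CR_LE_SUCCESS;
    *result = pdu.rsp.result;
    return sizeof(pdu.rsp) + num_scid * sizeof(uint16_t);   /* at most 18 */
}

/* Bytes the vulnerable handler would read past its PDU for n_scid SCIDs. */
static size_t demo_overread(unsigned n_scid)
{
    uint8_t buf[64];
    size_t over = 0;
    vulnerable_rsp_len(build_request(buf, sizeof buf, n_scid), &over);
    return over;
}

/* Send length chosen by the hardened handler for n_scid SCIDs. */
static size_t demo_hardened_len(unsigned n_scid)
{
    uint8_t buf[64];
    uint16_t result = 0;
    return hardened_rsp_len(build_request(buf, sizeof buf, n_scid), &result);
}

/* Result code chosen by the hardened handler for n_scid SCIDs. */
static uint16_t demo_hardened_result(unsigned n_scid)
{
    uint8_t buf[64];
    uint16_t result = 0;
    hardened_rsp_len(build_request(buf, sizeof buf, n_scid), &result);
    return result;
}

int main(void)
{
    unsigned counts[] = { 5, 6, 20 };
    size_t k;

    for (k = 0; k < sizeof counts / sizeof counts[0]; k++)
        printf("%u SCIDs: vulnerable over-read %zu bytes, "
               "hardened reply %zu bytes (result 0x%04x)\n",
               counts[k], demo_overread(counts[k]),
               demo_hardened_len(counts[k]), demo_hardened_result(counts[k]));
    return 0;
}
```

With five SCIDs both shapes send 18 bytes; with six the vulnerable computation asks the send routine for 20 bytes, two past the PDU, and the over-read grows by two bytes per extra SCID up to the L2CAP command length limit. The hardened handler also drops a body whose length is not a multiple of two, which the kernel's own parsing must likewise guard against.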

Remediation

Upgrade to a kernel that contains the fix for 'l2cap_ecred_conn_req'; the patched releases and their stable backports are published on the official Linux kernel website (kernel.org), and distribution kernels pick the fix up through their normal security updates. Confirm the running kernel with 'uname -r' after rebooting, since the fix only takes effect on the newly booted kernel. Where an update cannot be applied immediately, the exposure is limited to peers that can establish an LE connection, so disabling Bluetooth (or not loading the 'bluetooth' module) on systems that do not need it removes the attack surface in the meantime.

Added: Apr 22, 2026, 2:47 PM
Updated: Apr 22, 2026, 2:47 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 3.1
exploitability: 5.7
remediation: 7.7
relevance: 6.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.