Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A stack buffer overflow vulnerability has been identified in the Linux kernel's Bluetooth implementation, specifically within the LE BIG synchronization process. The issue arises in the 'hci_le_big_create_sync()' function, which allocates space for a limited number of BIS entries on the stack. However, the actual number of entries can exceed this limit, leading to a memory overflow. This vulnerability is present in the Linux kernel stable tree and can be easily reproduced by binding an ISO socket with the maximum number of BIS entries, which triggers the faulty synchronization process and causes a stack memory corruption.
Exploitation of this vulnerability leads to a stack-based buffer overflow, where memory is overwritten beyond the allocated space, potentially allowing for arbitrary code execution or causing a crash.
The vulnerability can be reproduced by binding an ISO socket with the maximum number of BIS entries (31) and calling the 'listen()' function. This will trigger the 'hci_le_big_create_sync()' function from the HCI command synchronization worker, causing a stack-out-of-bounds write that is detectable by KASAN (Kernel Address Sanitizer).
The vulnerability has been fixed by adjusting the buffer allocation to correctly match the maximum number of BIS entries that can be handled, ensuring that the synchronization process does not exceed the allocated stack space.
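The defect and its fix reduce to one pattern: a stack array sized for fewer BIS entries than the socket layer lets a caller request, with no check in between. The C below is an added, constructed model of that pattern and is not kernel code; the 31-entry maximum is the figure the advisory gives, while the undersized slot count of 17, the `big_sync_hdr` layout and the `build_sync_cmd_*` names are illustrative assumptions. The vulnerable variant is kept only to show the missing bound and is never run with an oversized count.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the advisory's bug class, not kernel code.
 * ISO_MAX_NUM_BIS = 31 is the maximum the advisory states; 17 is an
 * illustrative undersized stack slot count, chosen only to be smaller. */
#define ISO_MAX_NUM_BIS      31
#define OLD_STACK_BIS_SLOTS  17

/* Hypothetical fixed header that precedes the BIS index list on the wire. */
struct big_sync_hdr {
    uint8_t handle;
    uint8_t num_bis;
};

/* Vulnerable shape: the stack array holds fewer entries than a caller may
 * legitimately request. It works for num_bis <= 17, which is why the defect
 * survives ordinary use; for a larger count the memcpy runs past pdu.bis into
 * the rest of the stack frame, the out-of-bounds write KASAN reports. */
int build_sync_cmd_vulnerable(uint8_t handle, const uint8_t *bis, uint8_t num_bis,
                              uint8_t *wire, size_t wire_len)
{
    struct {
        struct big_sync_hdr hdr;
        uint8_t bis[OLD_STACK_BIS_SLOTS];
    } pdu;
    size_t len = sizeof(pdu.hdr) + num_bis;

    pdu.hdr.handle = handle;
    pdu.hdr.num_bis = num_bis;
    memcpy(pdu.bis, bis, num_bis);           /* no bound against sizeof(pdu.bis) */
    if (len > wire_len)
        return -EINVAL;
    memcpy(wire, &pdu, len);
    return (int)len;
}

/* Hardened shape: the array covers the maximum the interface accepts, and the
 * count is still checked explicitly so the invariant does not depend on the
 * caller. Returns bytes written or a negative errno. */
int build_sync_cmd_fixed(uint8_t handle, const uint8_t *bis, uint8_t num_bis,
                         uint8_t *wire, size_t wire_len)
{
    struct {
        struct big_sync_hdr hdr;
        uint8_t bis[ISO_MAX_NUM_BIS];
    } pdu;
    size_t len;

    if (num_bis > sizeof(pdu.bis))
        return -EINVAL;
    len = sizeof(pdu.hdr) + num_bis;
    if (len > wire_len)
        return -EINVAL;
    pdu.hdr.handle = handle;
    pdu.hdr.num_bis = num_bis;
    memcpy(pdu.bis, bis, num_bis);
    memcpy(wire, &pdu, len);
    return (int)len;
}

/* Review check for either variant: does the stack slot count cover every
 * value the socket layer can pass down? */
int stack_slots_cover_max(size_t slots)
{
    return slots >= ISO_MAX_NUM_BIS;
}

/* Harness helpers: build the BIS list 1..n and run one variant on it. */
int run_fixed(uint8_t num_bis)
{
    uint8_t bis[ISO_MAX_NUM_BIS + 1], wire[64];
    for (size_t i = 0; i < sizeof(bis); i++)
        bis[i] = (uint8_t)(i + 1);
    return build_sync_cmd_fixed(1, bis, num_bis, wire, sizeof(wire));
}

/* Last BIS index the fixed builder serialised, or -1 on rejection. */
int fixed_last_bis(uint8_t num_bis)
{
    uint8_t bis[ISO_MAX_NUM_BIS + 1], wire[64];
    for (size_t i = 0; i < sizeof(bis); i++)
        bis[i] = (uint8_t)(i + 1);
    int rc = build_sync_cmd_fixed(1, bis, num_bis, wire, sizeof(wire));
    return rc > 0 ? wire[rc - 1] : -1;
}

/* The vulnerable variant is only ever driven within its array; the harness
 * refuses the overflowing case instead of executing undefined behaviour. */
int run_vulnerable_safely(uint8_t num_bis)
{
    uint8_t bis[ISO_MAX_NUM_BIS + 1], wire[64];
    if (num_bis > OLD_STACK_BIS_SLOTS)
        return -ERANGE;
    for (size_t i = 0; i < sizeof(bis); i++)
        bis[i] = (uint8_t)(i + 1);
    return build_sync_cmd_vulnerable(1, bis, num_bis, wire, sizeof(wire));
}

int main(void)
{
    printf("17 slots cover max 31: %d\n", stack_slots_cover_max(OLD_STACK_BIS_SLOTS));
    printf("31 slots cover max 31: %d\n", stack_slots_cover_max(ISO_MAX_NUM_BIS));
    printf("fixed builder, 31 entries: %d bytes\n", run_fixed(ISO_MAX_NUM_BIS));
    printf("fixed builder, 32 entries: %d\n", run_fixed(ISO_MAX_NUM_BIS + 1));
    return 0;
}
```

The review check is the part worth carrying over to real code: whenever a stack-resident array receives a caller-supplied count, the array length must be derived from the same maximum the admission path enforces, and the copy should still be bounded locally so a later change to that maximum cannot silently reopen the gap.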