Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's Bluetooth management layer has been addressed. A Long Term Key (LTK) record loaded through the management interface carries a caller-supplied encryption size, and that value was not checked against the 16-byte maximum an LE key can have. When the controller later raised a Low Energy LTK request, the kernel copied the stored key into a fixed 16-byte field of its reply using the unchecked size, so a record with an oversized encryption size produced a stack buffer overflow. Nothing rejected such a record at load time; it simply sat in the key store until the reply path used it. The fix validates the encryption size when keys are loaded and rejects any record whose size exceeds the maximum, so an invalid key never reaches the reply path.
Exploitation of this vulnerability results in a stack buffer overflow in kernel context, which corrupts adjacent stack data and is a common precursor to arbitrary code execution. Loading LTK records through the Bluetooth management interface is a privileged operation normally performed by the system Bluetooth daemon, so an attacker needs that level of access (or control of a process that has it) to plant an oversized key; the overflow itself then fires when the kernel answers an LTK request for that key.
The condition is reproduced by loading a Long Term Key record whose encryption size is greater than 16 bytes through the management interface's key-loading operation and then letting the controller deliver a Low Energy LTK request for that key. On an unpatched kernel the reply path copies the user-supplied number of bytes into the 16-byte key field of the reply, writing past the end of the buffer on the stack.
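The following C program is an added illustration of the bug class and the fix described above; it is not kernel code. The struct and function names (`ltk_record`, `ltk_reply`, `ltk_size_is_valid`, `build_reply_checked`, `load_ltks`) and the sample keys are constructed for the example. It models an LTK record with a user-controlled `enc_size` next to a reply whose key field is fixed at 16 bytes, shows the unchecked copy that overflows when `enc_size` exceeds 16, and shows the load-time check that rejects such records before they can reach the reply path.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Maximum LTK length for LE keys (16 bytes). Constant name chosen for
 * this example; it mirrors the limit the advisory describes. */
#define MAX_ENC_KEY_SIZE 16

/* Simplified LTK record as userspace might hand it to the kernel's
 * management interface: the key bytes plus a caller-chosen enc_size. */
struct ltk_record {
    uint8_t val[MAX_ENC_KEY_SIZE];
    uint8_t enc_size;   /* user-controlled; the bug is trusting it */
};

/* Simplified LE LTK Request reply: the key field is fixed at 16 bytes. */
struct ltk_reply {
    uint16_t handle;
    uint8_t ltk[MAX_ENC_KEY_SIZE];
};

/* The unsafe pattern: copy enc_size bytes without bounding it.
 * With enc_size > 16 the memcpy writes past reply->ltk into adjacent
 * stack memory. Only ever call this with a validated record. */
static void build_reply_unchecked(struct ltk_reply *reply, uint16_t handle,
                                  const struct ltk_record *ltk)
{
    reply->handle = handle;
    memcpy(reply->ltk, ltk->val, ltk->enc_size);
    memset(reply->ltk + ltk->enc_size, 0, sizeof(reply->ltk) - ltk->enc_size);
}

/* Load-time validation in the spirit of the fix: a record whose enc_size
 * cannot fit the 16-byte key field is rejected before it is stored. */
static bool ltk_size_is_valid(const struct ltk_record *ltk)
{
    return ltk->enc_size <= MAX_ENC_KEY_SIZE;
}

/* Defensive reply construction: refuses oversized keys instead of
 * overflowing. Returns 0 on success, -1 if the key cannot be encoded. */
static int build_reply_checked(struct ltk_reply *reply, uint16_t handle,
                               const struct ltk_record *ltk)
{
    if (!ltk_size_is_valid(ltk))
        return -1;
    reply->handle = handle;
    memcpy(reply->ltk, ltk->val, ltk->enc_size);
    /* Zero-pad the unused tail so shorter keys encode deterministically. */
    memset(reply->ltk + ltk->enc_size, 0, sizeof(reply->ltk) - ltk->enc_size);
    return 0;
}

/* Load-time filter: copies only valid records into `accepted` and returns
 * how many were kept, so invalid keys never enter the key store. */
static size_t load_ltks(const struct ltk_record *keys, size_t n,
                        struct ltk_record *accepted)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++) {
        if (ltk_size_is_valid(&keys[i]))
            accepted[kept++] = keys[i];
    }
    return kept;
}

int main(void)
{
    /* Constructed sample input: a full 16-byte key, a legal 7-byte key,
     * and a record that claims a 64-byte encryption size. */
    struct ltk_record keys[3] = {
        { .enc_size = 16 }, { .enc_size = 7 }, { .enc_size = 64 },
    };
    memset(keys[0].val, 0xA5, sizeof(keys[0].val));
    memset(keys[1].val, 0x5C, sizeof(keys[1].val));

    struct ltk_record accepted[3];
    size_t kept = load_ltks(keys, 3, accepted);
    printf("accepted %zu of 3 records\n", kept);

    struct ltk_reply reply;
    /* The unchecked builder is safe only because keys[0] was validated. */
    build_reply_unchecked(&reply, 0x0040, &accepted[0]);
    for (size_t i = 0; i < kept; i++) {
        if (build_reply_checked(&reply, 0x0040, &accepted[i]) == 0)
            printf("reply built for enc_size %u\n", accepted[i].enc_size);
    }
    if (build_reply_checked(&reply, 0x0040, &keys[2]) != 0)
        printf("rejected enc_size %u\n", keys[2].enc_size);
    return 0;
}
```

The important property is that the check sits at load time, where the untrusted value enters the kernel, rather than only in the reply path: once an oversized record is in the key store, every code path that reads it has to be defensive, whereas rejecting it on entry removes the hazard entirely.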
Users should upgrade to a kernel release that carries the fix, either from the stable series published on the official Linux kernel website or through their distribution's kernel packages, which backport such fixes.