Linux Kernel Bluetooth L2CAP Type Confusion Vulnerability in Enhanced Credit Based Mode

Vulnerability

A type confusion vulnerability has been identified in the Linux kernel's Bluetooth implementation, specifically within the L2CAP (Logical Link Control and Adaptation Protocol) layer. This issue arises in the 'l2cap_ecred_reconf_rsp()' function, which incorrectly casts incoming data to the 'l2cap_ecred_conn_rsp' structure instead of the appropriate 'l2cap_ecred_reconf_rsp' structure. The vulnerability affects several versions of the Linux kernel.

Impact

Exploitation of this vulnerability leads to a type confusion error, causing the system to misinterpret data packets. This can result in valid L2CAP_ECRED_RECONF_RSP packets being rejected and incorrect data being processed when packets are large enough to bypass the initial checks.

Reproduction

The vulnerability can be reproduced by sending L2CAP_ECRED_RECONF_RSP packets that are large enough to pass the length check. The 'l2cap_ecred_reconf_rsp()' function will then read the 'result' field from the wrong offset, leading to incorrect data being processed.
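
The following userspace model is an added example, not kernel code and not taken from the patch: it shows how parsing the payload as the wrong structure both rejects a valid short response and reads 'result' from a later offset. The struct layouts (four 16-bit fields with 'result' last for the connection response, a single 16-bit 'result' for the reconfigure response), the function names and the sample payloads are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Userspace model; field layouts are assumptions, not quoted from the page. */
struct ecred_conn_rsp {            /* connection response */
    uint16_t mtu, mps, credits, result;
} __attribute__((packed));

struct ecred_reconf_rsp {          /* reconfigure response */
    uint16_t result;
} __attribute__((packed));

#define ERR_PROTO (-1)

/* Little-endian 16-bit read, independent of host byte order. */
static uint16_t get_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* 'Before' (hypothetical name): payload treated as a connection response. */
int parse_reconf_confused(const uint8_t *data, size_t len)
{
    if (len < sizeof(struct ecred_conn_rsp))
        return ERR_PROTO;          /* a valid 2-byte response fails here */
    return get_le16(data + offsetof(struct ecred_conn_rsp, result));
}

/* 'After' (hypothetical name): payload treated as a reconfigure response. */
int parse_reconf_fixed(const uint8_t *data, size_t len)
{
    if (len < sizeof(struct ecred_reconf_rsp))
        return ERR_PROTO;
    return get_le16(data + offsetof(struct ecred_reconf_rsp, result));
}

/* Constructed sample payloads (not captured traffic). */
const uint8_t valid_rsp[2] = { 0x00, 0x00 };       /* result = 0x0000 */
const uint8_t long_rsp[8]  = { 0x00, 0x00, 0xaa, 0xaa,
                               0xaa, 0xaa, 0x03, 0x00 };
```

With the confused parser the 2-byte payload is rejected and the 8-byte payload yields the trailing bytes as 'result'; the corrected parser returns the leading 'result' in both cases.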

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.

Added: May 5, 2026, 4:55 PM
Updated: May 5, 2026, 4:55 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 5.7
remediation: 7.7
relevance: 7.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.