PT-2017-10961 · Linux · Linux Kernel
Ben Seri · Published 2017-12-07 · Updated 2019-04-08
CVE-2017-1000410
CVSS v3.1 7.5 High
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Linux kernel versions 3.3-rc1 and later
Description
The issue lies in the processing of incoming L2CAP commands, specifically ConfigRequest and ConfigResponse messages, where a stack variable is used without ever having been initialized. The result is an information leak: an attacker in Bluetooth range, without pairing or authentication (PR:N in the vector above), can steer the parser down the affected path and read back uninitialized stack memory, which may hold kernel pointers and the stack canary, and so defeat KASLR and the stack protector. Combined with the previously disclosed RCE vulnerability in the same L2CAP configuration parsing code (the BlueBorne stack overflow, CVE-2017-1000251), this makes exploitation feasible against kernels built with those mitigations.
The vulnerability is caused by the variable struct l2cap_conf_efs efs being declared without an initializer in the functions l2cap_parse_conf_rsp() and l2cap_parse_conf_req(). While these functions walk the incoming configuration elements, the switch case for the EFS element marks the element as received (remote_efs) but only copies it into efs with memcpy() when the attacker-controlled element length, olen, equals sizeof(efs); for any other length the copy is skipped and efs keeps whatever an earlier call frame left on the stack. Because the element was still marked as received, the never-written efs is later placed into the outgoing configuration response (when a request was parsed) or configuration request (when a response was parsed), so the peer receives all 16 bytes of stale stack contents. Triggering the leak takes a single configuration request or response that carries an L2CAP_CONF_EFS element whose length is anything other than sizeof(efs), that is, not 16.
Recommendations
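As an added illustration of the mechanism described above and of what the upstream fix changes, the following user-space model shows the EFS case of both parsers in its pre-fix and fixed form side by side. This is example code written for this page, not the kernel's source and not the researcher's code. It assumes the kernel's 16-byte struct l2cap_conf_efs layout and the 0x06 option type, reduces l2cap_get_conf_opt() and l2cap_add_conf_opt() to two small type/length/value helpers, and substitutes a constructed STALE_STACK array for real stale stack contents so that the result is deterministic; the simplification that the reply always echoes efs once remote_efs is set is likewise an assumption, since the kernel does so only on particular (peer-controllable) paths.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define L2CAP_CONF_EFS 0x06   /* option type of the Extended Flow Spec element, as in the kernel */

/* Same layout as the kernel's struct l2cap_conf_efs: 1+1+2+4+4+4 = 16 bytes, no padding. */
struct l2cap_conf_efs { uint8_t id, stype; uint16_t msdu; uint32_t sdu_itime, acc_lat, flush_to; };

/* Constructed stand-in for what an earlier call frame left on the stack. In the kernel
 * nothing writes these bytes; they are simply stale memory (a pointer, a canary, ...). */
static const uint8_t STALE_STACK[16] = {
    0x10, 0x2a, 0xc3, 0x81, 0xff, 0xff, 0xff, 0xff,
    0x00, 0x5b, 0x7c, 0x1d, 0x9e, 0x2f, 0x43, 0x6a
};

/* Read one type/length/value element as l2cap_get_conf_opt() does; -1 if it runs past the packet. */
static int get_conf_opt(const uint8_t *p, size_t left, uint8_t *type, uint8_t *olen, const uint8_t **val)
{
    if (left < 2 || (size_t)p[1] + 2 > left)
        return -1;
    *type = p[0]; *olen = p[1]; *val = p + 2;
    return *olen + 2;
}

/* Append one element to the outgoing packet, like l2cap_add_conf_opt(). */
static size_t add_conf_opt(uint8_t *out, size_t len, size_t cap, uint8_t type, const void *val, uint8_t olen)
{
    if (len + 2 + olen > cap)
        return len;
    out[len] = type; out[len + 1] = olen;
    memcpy(out + len + 2, val, olen);
    return len + 2 + olen;
}

/* Model of the EFS case in l2cap_parse_conf_req()/l2cap_parse_conf_rsp(). fixed == false reproduces the
 * pre-fix logic (remote_efs set before the length check, efs never initialised); fixed == true the upstream
 * fix (wrong-length element ignored outright). Simplification: the reply always carries efs once remote_efs
 * is set; the kernel does so only on particular paths (e.g. when it rejects the requested service type). */
size_t parse_conf(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap, bool fixed)
{
    struct l2cap_conf_efs efs;                 /* no initialiser, exactly as in the kernel */
    memcpy(&efs, STALE_STACK, sizeof efs);     /* EXAMPLE ONLY: makes the stale contents deterministic */
    bool remote_efs = false;
    size_t out_len = 0;
    while (in_len > 0) {
        uint8_t type, olen;
        const uint8_t *val;
        int n = get_conf_opt(in, in_len, &type, &olen, &val);
        if (n < 0)
            return 0;                          /* malformed packet: the kernel refuses the connection */
        in += n;
        in_len -= (size_t)n;
        if (type != L2CAP_CONF_EFS)
            continue;                          /* MTU, flush timeout, RFC ... not modelled */
        if (fixed) {
            if (olen != sizeof(efs))           /* fix: drop it, and do not mark the element as received */
                continue;
            remote_efs = true;
            memcpy(&efs, val, olen);
        } else {
            remote_efs = true;                 /* marked as received for ANY length ... */
            if (olen == sizeof(efs))           /* ... but written only for the right one */
                memcpy(&efs, val, olen);
        }
    }
    if (remote_efs)
        out_len = add_conf_opt(out, out_len, out_cap, L2CAP_CONF_EFS, &efs, sizeof efs);
    return out_len;
}

/* Does the reply to a 1-byte EFS element carry the 16 stale bytes? */
bool leaks_stale(bool fixed)
{
    const uint8_t bad_req[] = { L2CAP_CONF_EFS, 0x01, 0x00 };   /* constructed: olen 1, not 16 */
    uint8_t out[64];
    size_t n = parse_conf(bad_req, sizeof bad_req, out, sizeof out, fixed);
    return n == 18 && out[0] == L2CAP_CONF_EFS && out[1] == 16 &&
           memcmp(out + 2, STALE_STACK, 16) == 0;
}

/* A well-formed 16-byte element is echoed back unchanged by both variants: no leak there. */
bool echoes_valid_efs(bool fixed)
{
    uint8_t good_req[18] = { L2CAP_CONF_EFS, 16 };
    memset(good_req + 2, 0x41, 16);                              /* constructed payload */
    uint8_t out[64];
    size_t n = parse_conf(good_req, sizeof good_req, out, sizeof out, fixed);
    return n == 18 && memcmp(out + 2, good_req + 2, 16) == 0;
}

int main(void)
{
    printf("pre-fix parser leaks stale stack: %s\n", leaks_stale(false) ? "yes" : "no");
    printf("fixed parser leaks stale stack:   %s\n", leaks_stale(true) ? "yes" : "no");
    return 0;
}
```

Build with any C compiler and run it: the pre-fix variant answers a three-byte element (type 0x06, length 1, one byte of value) with an 18-byte EFS element whose value is exactly the 16 STALE_STACK bytes, while the fixed variant answers with nothing. A correctly sized 16-byte element is echoed by both variants, which is why the trigger needs a length that is not 16 rather than a malformed payload.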
Apply the kernel update from your distribution. The upstream fix changes both parsers to discard an EFS element whose length is not sizeof(efs) before marking it as received, so an unwritten efs is never copied into an outgoing message. Where the kernel cannot be updated, disable Bluetooth on the host (for example by unloading or blacklisting the bluetooth module, or with rfkill block bluetooth): the leak is reachable by any device in radio range and does not depend on pairing, so restricting pairing does not help. Note that the vulnerable code is the kernel's built-in L2CAP implementation; individual functions such as l2cap_parse_conf_req() cannot be disabled, and avoiding the EFS element in your own configuration messages does nothing, because it is the remote peer that sends the malformed element.
RCE
Information Disclosure
Affected Products
Alt Linux
Centos
Linux Kernel
Red Hat
Suse
Ubuntu