Changes

718 bytes added, 17:59, 7 April 2021
Line 537: Line 537:  
!  Public disclosure timeframe
 
!  Public disclosure timeframe
 
!  Discovered by
 
!  Discovered by
 +
|-
 +
| [[Bluetooth_Driver_services|bluetooth]] GetAdapterProperty/SetAdapterProperty unchecked memcpy size
 +
| GetAdapterProperty copies data from stack to the output buffer using the buffer size, without checking the size (when not handling the Name type). SetAdapterProperty copies data to stack from the input buffer using the buffer size, without checking the size.
 +
This requires access to the btdrv service, only hid and btm have access.
 +
 +
This was fixed with [[12.0.0]] by replacing the buffer data with a fixed-size-struct.
 +
| Stack infoleak with GetAdapterProperty, stack buffer overflow (and hence ROP) with SetAdapterProperty.
 +
| [[12.0.0]]
 +
| [[12.0.0]]
 +
| July 16, 2020
 +
| April 7, 2021
 +
| [[User:Yellows8|yellows8]]
 
|-
 
|-
 
| [[Bluetooth_Driver_services|Bluetooth]] A-63146698
 
| [[Bluetooth_Driver_services|Bluetooth]] A-63146698
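Review bot: In the description cell of the added row, "using the buffer size, without checking the size" never says what the size should be checked against, so the root cause is left implicit. Since the impact cell reports a stack infoleak and a stack buffer overflow, suggest wording such as "using the IPC buffer size as the memcpy length, without bounding it by the size of the stack object" for both commands. It is also worth spelling out what "when not handling the Name type" means for GetAdapterProperty, since it reads as if the Name path is bounded while the other property types are not. Two style points in the same row: the link label is lowercase "bluetooth" while the neighbouring A-63146698 row uses "Bluetooth", and "fixed-size-struct" should be "fixed-size struct". The access sentence is a comma splice; "This requires access to the btdrv service, which only hid and btm have." reads more cleanly.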