Changes

Switch System Flaws (view source)

Revision as of 17:59, 7 April 2021

718 bytes added , 17:59, 7 April 2021

→‎System Modules

Line 537: Line 537:

! Public disclosure timeframe

! Discovered by

+

|-

+

| [[Bluetooth_Driver_services|bluetooth]] GetAdapterProperty/SetAdapterProperty unchecked memcpy size

+

| GetAdapterProperty copies data from stack to the output buffer using the buffer size, without checking the size (when not handling the Name type). SetAdapterProperty copies data to stack from the input buffer using the buffer size, without checking the size.

+

This requires access to the btdrv service, only hid and btm have access.

+

This was fixed with [[12.0.0]] by replacing the buffer data with a fixed-size-struct.

+

| Stack infoleak with GetAdapterProperty, stack buffer overflow (and hence ROP) with SetAdapterProperty.

+

| [[12.0.0]]

+

| [[12.0.0]]

+

| July 16, 2020

+

| April 7, 2021

+

| [[User:Yellows8|yellows8]]

|-

| [[Bluetooth_Driver_services|Bluetooth]] A-63146698

Yellows8

Bureaucrats, Administrators

4,620

edits