Changes

Line 547: Line 547:  
!  Public disclosure timeframe
 
!  Public disclosure timeframe
 
!  Discovered by
 
!  Discovered by
 +
|-
 +
| [[Bluetooth_Driver_services|bluetooth]] WriteHidData/WriteHidData2/SetHidReport unchecked memcpy size
 +
| WriteHidData/SetHidReport copies the input struct to stack, then passes it to the funcptr/vfunc call. WriteHidData2 passes the input buffer addr directly to the funcptr/vfunc call. The called func eventually copies the input data to the stack struct using the specified size without validating it.
 +
This requires access to the btdrv service, only hid and btm have access.
 +
 +
This was fixed with [[12.1.0]] in WriteHidData/SetHidReport by doing a fixed-size copy into another tmp struct, with the size field being clamped to a maximum of 0x2BB afterwards. This struct is then used when calling the vfunc. The vfuncs called by WriteHidData/WriteHidData2/SetHidReport were also updated to clamp the size to the required maximum value.
 +
| Stack buffer overflow
 +
| [[12.1.0]]
 +
| [[12.1.0]]
 +
| July 16, 2020
 +
| July 6, 2021
 +
| [[User:Yellows8|yellows8]]
 
|-
 
|-
 
| [[Bluetooth_Driver_services|bluetooth]] stack buffer overflow with HID DATA packets
 
| [[Bluetooth_Driver_services|bluetooth]] stack buffer overflow with HID DATA packets
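Review bot: the description cell of the new WriteHidData/WriteHidData2/SetHidReport row states that the callee "copies the input data to the stack struct using the specified size without validating it" but never gives the capacity of that stack struct, while the fix paragraph introduces a 0x2BB clamp without saying what that number is; add the destination buffer size (and say whether 0x2BB is that capacity) so the overflow threshold is clear, and name the "required maximum value" the vfuncs now clamp to if it differs from 0x2BB. Also worth one sentence in the fix paragraph: clamping the size field truncates an oversized request rather than rejecting it, so state whether the 12.1.0 code returns an error for size > 0x2BB or silently copies a prefix, since that distinguishes a hardening from a behaviour change for hid/btm callers.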
Line 572: Line 584:  
| [[12.0.0]]
 
| [[12.0.0]]
 
| [[12.0.0]]
 
| [[12.0.0]]
| July 16, 2020
+
| July 17, 2020
 
| April 7, 2021
 
| April 7, 2021
 
| [[User:Yellows8|yellows8]]
 
| [[User:Yellows8|yellows8]]
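Review bot: the discovery date in the HID DATA packets row moves from "July 16, 2020" to "July 17, 2020" with nothing on the page saying why, and the row added just above keeps "July 16, 2020" for a closely related bluetooth flaw found by the same person; give the reason for the one-day shift in the edit summary (or in the row) so the two adjacent dates do not read as a copy error between the entries.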