Changes

736 bytes added, 03:41, 20 January 2022
Line 547: Line 547:  
!  Public disclosure timeframe
 
!  Public disclosure timeframe
 
!  Discovered by
 
!  Discovered by
 +
|-
 +
| [[Bluetooth_Driver_services|bluetooth]] gatt_process_notification stack buffer overflow
 +
| gatt_process_notification is the GATT handler for processing notification/indication messages. gatt_process_notification does memcpy to stack from the input bt msg data, without size validation. The input len param isn't validated in this func either - if the remaining len following op_code is less than 2, a negative value will be used for the data copy to stack.
 +
These were fixed by adding a bounds check for the size, size==0 is also checked for now.
 +
| Bluetooth-sysmodule stack buffer overflow, with data received from a bluetooth message
 +
| [[13.2.1]]
 +
| [[13.2.1]]
 +
| November 2021
 +
| January 19, 2022
 +
| [[User:Yellows8|yellows8]]
 
|-
 
|-
 
| [[SSL_services|ssl]] CVE-2021-43527
 
| [[SSL_services|ssl]] CVE-2021-43527
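Review bot: the sentence "a negative value will be used for the data copy to stack" in the new gatt_process_notification description leaves the failure mode ambiguous; if the len parameter is an unsigned type, subtracting the op_code bytes wraps to a very large value rather than going negative, which changes how much memcpy copies onto the stack, so the description should state the type of the len parameter and the computed copy size. The fix sentence "size==0 is also checked for now" also reads as tentative; say plainly whether 13.2.1 rejects a zero size, and keep the continuation line "These were fixed by adding a bounds check ..." inside the same description cell (a bare line under a "|" cell continues that cell, so no extra "|" is needed). The two "[[13.2.1]]" cells are consistent with the version links used for the ssl entry below.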
Line 555: Line 565:  
Note that partial overwrite isn't an option: this is the func that initializes those fields to begin with, it just does deinit first before initializing hashcx/hashobj (prior to that these fields would be all-zero when not overwritten by the buf-overflow).
 
Note that partial overwrite isn't an option: this is the func that initializes those fields to begin with, it just does deinit first before initializing hashcx/hashobj (prior to that these fields would be all-zero when not overwritten by the buf-overflow).
 
| Heap buffer overflow in [[SSL_services|ssl]], overwriting data including a ptr to an object which is later used to load a funcptr.
 
| Heap buffer overflow in [[SSL_services|ssl]], overwriting data including a ptr to an object which is later used to load a funcptr.
| 13.2.1
+
| [[13.2.1]]
| 13.2.1
+
| [[13.2.1]]
 
| Switch: December 1-2, 2021
 
| Switch: December 1-2, 2021
| Switch: Janurary 19, 2022
+
| Switch: January 19, 2022
 
|  
 
|  
 
|-
 
|-
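Review bot: the change from "| 13.2.1" to "| [[13.2.1]]" in both version cells and the "Janurary" to "January" correction bring the CVE-2021-43527 row in line with the bluetooth row added above, but the final "Discovered by" cell for this row is left as an empty "| " in the hunk; confirm that leaving the discoverer blank is intentional for this entry, and if it is, consider a placeholder such as "upstream" or "N/A" so the empty cell is not mistaken for an unfinished edit.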