4,620
edits
Changes
Jump to navigation
Jump to search
Line 547:
Line 547: + + + + + + + + + + + + Line 572:
Line 584: − +
→System Modules
! Public disclosure timeframe
! Public disclosure timeframe
! Discovered by
! Discovered by
|-
| [[Bluetooth_Driver_services|bluetooth]] WriteHidData/WriteHidData2/SetHidReport unchecked memcpy size
| WriteHidData/SetHidReport copies the input struct to stack, then passes it to the funcptr/vfunc call. WriteHidData2 passes the input buffer addr directly to the funcptr/vfunc call. The called func eventually copies the input data to the stack struct using the specified size without validating it.
This requires access to the btdrv service, only hid and btm have access.
This was fixed with [[12.1.0]] in WriteHidData/SetHidReport by doing a fixed-size copy into another tmp struct, with the size field being clamped to a maximum of 0x2BB afterwards. This struct is then used when calling the vfunc. The vfuncs called by WriteHidData/WriteHidData2/SetHidReport were also updated to clamp the size to the required maximum value.
| Stack buffer overflow
| [[12.1.0]]
| [[12.1.0]]
| July 16, 2020
| July 6, 2021
| [[User:Yellows8|yellows8]]
|-
|-
| [[Bluetooth_Driver_services|bluetooth]] stack buffer overflow with HID DATA packets
| [[Bluetooth_Driver_services|bluetooth]] stack buffer overflow with HID DATA packets
| [[12.0.0]]
| [[12.0.0]]
| [[12.0.0]]
| [[12.0.0]]
| July 16, 2020
| July 17, 2020
| April 7, 2021
| April 7, 2021
| [[User:Yellows8|yellows8]]
| [[User:Yellows8|yellows8]]