4,620
edits
Changes
Jump to navigation
Jump to search
Line 547:
Line 547: + + + + + + + + + + Line 555:
Line 565: − + − + − +
→System Modules
! Public disclosure timeframe
! Public disclosure timeframe
! Discovered by
! Discovered by
|-
| [[Bluetooth_Driver_services|bluetooth]] gatt_process_notification stack buffer overflow
| gatt_process_notification is the GATT handler for processing notification/indication messages. gatt_process_notification does memcpy to stack from the input bt msg data, without size validation. The input len param isn't validated in this func either - if the remaining len following op_code is less than 2, a negative value will be used for the data copy to stack.
These were fixed by adding a bounds check for the size, size==0 is also checked for now.
| Bluetooth-sysmodule stack buffer overflow, with data received from a bluetooth message
| [[13.2.1]]
| [[13.2.1]]
| November 2021
| January 19, 2022
| [[User:Yellows8|yellows8]]
|-
|-
| [[SSL_services|ssl]] CVE-2021-43527
| [[SSL_services|ssl]] CVE-2021-43527
Note that partial overwrite isn't an option: this is the func that initializes those fields to begin with, it just does deinit first before initializing hashcx/hashobj (prior to that these fields would be all-zero when not overwritten by the buf-overflow).
Note that partial overwrite isn't an option: this is the func that initializes those fields to begin with, it just does deinit first before initializing hashcx/hashobj (prior to that these fields would be all-zero when not overwritten by the buf-overflow).
| Heap buffer overflow in [[SSL_services|ssl]], overwriting data including a ptr to an object which is later used to load a funcptr.
| Heap buffer overflow in [[SSL_services|ssl]], overwriting data including a ptr to an object which is later used to load a funcptr.
| 13.2.1
| [[13.2.1]]
| 13.2.1
| [[13.2.1]]
| Switch: December 1-2, 2021
| Switch: December 1-2, 2021
| Switch: Janurary 19, 2022
| Switch: January 19, 2022
|
|
|-
|-