Changes

1,071 bytes added ,  00:25, 12 October 2022
Line 585: Line 585:  
!  Public disclosure timeframe
 
!  Public disclosure timeframe
 
!  Discovered by
 
!  Discovered by
 +
|-
 +
| [[Bluetooth_Driver_services|bluetooth]] BSA bsa_sv_av_cback stack buffer overflow
 +
| bsa_sv_av_cback checks for two input type values (0xC/0xD), on match it copies the input data to stack without size validation. Then it sends an internal request with this data (likewise when the type values don't match, except the input data is passed directly with a small size), then it returns.
 +
This requires the AV functionality added with [13.0.0+], however this func is only reachable with [14.0.0+] where the required functionality was enabled.
 +
 +
This requires message data that's larger than the MTU, so fragmentation must be used, or manually send the ACL data to bypass the MTU.
 +
 +
This can be triggered via an AVRC message with opcode=0x0 (vendor). The above type 0xC is reached via AVRC ctype 0..4, while 0xD is reached with ctype>=0x9.
 +
| Bluetooth-sysmodule stack buffer overflow on [14.0.0-14.1.2], with data received from an AVRC bluetooth message with a bluetooth-audio device.
 +
| [[15.0.0]]
 +
| [[15.0.0]]
 +
| November 2021
 +
| October 11, 2022
 +
| [[User:Yellows8|yellows8]]
 
|-
 
|-
 
| Broken RNG used by [[NS_Services|ns]]
 
| Broken RNG used by [[NS_Services|ns]]
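Review bot: the version references inside the new description cell ("[13.0.0+]" and "[14.0.0+]") use single square brackets, which MediaWiki renders as literal text rather than as the [[15.0.0]]-style page links the same row uses in its version columns; suggest "[[13.0.0]]+" and "[[14.0.0]]+" so they link like the rest of the table. The same cell also leaves the non-matching branch described only as "passed directly with a small size" and says nothing about how the [[15.0.0]] fix closes the unchecked stack copy; a sentence stating what bound or check the fixed version applies would make the entry self-contained for readers checking whether a given firmware is affected.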
