Multiple memory management vulnerabilities were discovered in btmon while fuzzing it with American Fuzzy Lop. The purpose of this fuzzing effort was to find bugs in btmon, analyse and fix them, but also to try to exploit them. Another goal was to show that fuzzing is a low-effort way to find bugs that can end up being severe. The most common weakness turned out to be buffer over-read, usually caused by a missing boundary check before accessing an array. Integer underflows were also quite common. The most interesting bug was a simple buffer overflow that had actually been discovered a couple of years ago by op7ic (https://www.spinics.net/lists/linux-bluetooth/msg68898.html) but was still not fixed. This particular vulnerability ended up being quite easily exploitable if certain mitigation techniques were disabled.

Matias Karhumaa (12):
  btmon: fix segfault caused by buffer over-read
  btmon: fix segfault caused by buffer over-read
  btmon: fix segfault caused by buffer over-read
  btmon: Fix crash caused by integer underflow
  btmon: fix stack buffer overflow
  btmon: fix multiple segfaults
  btmon: fix segfault caused by integer underflow
  btmon: fix segfault caused by integer undeflow
  btmon: fix segfault caused by buffer over-read
  btmon: fix segfault caused by buffer overflow
  btmon: fix segfault caused by integer underflow
  btmon: fix segfault caused by buffer over-read

 monitor/packet.c     | 56 +++++++++++++++++++++++++++++++++++++++++---
 monitor/sdp.c        | 21 ++++++++++++++++-
 src/shared/btsnoop.c |  5 ++++
 3 files changed, 78 insertions(+), 4 deletions(-)

-- 
2.17.1
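The two defect classes named above (a buffer over-read from a missing boundary check, and an integer underflow on a length computation) are easy to see side by side in a small parser. The following is an added example written for this page; it is not btmon's code and the record layout (2-byte big-endian total length, 1-byte type, payload) is a constructed, hypothetical format, as are the sample buffers. The guarded parser refuses truncated, oversized and under-length records instead of reading past the buffer, and the `main` at the end is the kind of stdin harness one points a fuzzer such as AFL at.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed example, not btmon code. The record layout is hypothetical:
 *   2-byte big-endian total length (header included), 1-byte type, payload.
 */

#define REC_HDR_LEN 3

struct record {
	uint8_t type;
	const uint8_t *payload;
	size_t payload_len;
};

/*
 * Defective parser, kept only to show the shape of the bug class: the
 * available size is never consulted (over-read on a short buffer), and
 * `total - REC_HDR_LEN` wraps to a huge value when the packet claims a
 * total below the header size (integer underflow). Nothing here calls it.
 */
static int parse_record_unchecked(const uint8_t *buf, size_t buflen,
				  struct record *out)
{
	size_t total = ((size_t)buf[0] << 8) | buf[1];

	(void)buflen;				/* bound is ignored: over-read */
	out->type = buf[2];
	out->payload = buf + REC_HDR_LEN;
	out->payload_len = total - REC_HDR_LEN;	/* underflows if total < 3 */
	return 0;
}

/* Guarded parser: every read is bounded by buflen and the subtraction is
 * checked before it happens. Returns 0 on success, -1 on malformed input. */
static int parse_record(const uint8_t *buf, size_t buflen, struct record *out)
{
	size_t total;

	if (buflen < REC_HDR_LEN)
		return -1;			/* header itself is truncated */

	total = ((size_t)buf[0] << 8) | buf[1];
	if (total < REC_HDR_LEN)
		return -1;			/* would underflow below */
	if (total > buflen)
		return -1;			/* claimed length runs past buffer */

	out->type = buf[2];
	out->payload = buf + REC_HDR_LEN;
	out->payload_len = total - REC_HDR_LEN;
	return 0;
}

/* Walk back-to-back records. Returns how many parsed cleanly; *stop_at
 * receives the offset where parsing ended (== buflen when all were valid). */
static size_t parse_records(const uint8_t *buf, size_t buflen, size_t *stop_at)
{
	size_t off = 0, n = 0;
	struct record r;

	while (off < buflen && parse_record(buf + off, buflen - off, &r) == 0) {
		off += REC_HDR_LEN + r.payload_len;	/* total >= 3, so always advances */
		n++;
	}
	if (stop_at)
		*stop_at = off;
	return n;
}

/* Constructed sample inputs. */
static const uint8_t SAMPLE_GOOD[] = {
	0x00, 0x05, 0x01, 0xaa, 0xbb,	/* total 5: type 1, 2-byte payload */
	0x00, 0x03, 0x02,		/* total 3: type 2, empty payload */
};
static const uint8_t SAMPLE_OVERREAD[]  = { 0x00, 0x10, 0x01, 0xaa }; /* claims 16, has 4 */
static const uint8_t SAMPLE_UNDERFLOW[] = { 0x00, 0x01, 0x01 };       /* total 1 < header */
static const uint8_t SAMPLE_SHORT[]     = { 0x00 };                   /* header cut off */

/* Verdict for a single record at the start of buf. */
static int check_one(const uint8_t *buf, size_t buflen)
{
	struct record r;

	return parse_record(buf, buflen, &r);
}

/* Stdin harness of the kind used when fuzzing a parser with AFL: the fuzzer
 * supplies the file; the parser must never read outside it. */
int main(void)
{
	static uint8_t in[4096];
	size_t n = fread(in, 1, sizeof(in), stdin);
	size_t stop;
	size_t parsed = parse_records(in, n, &stop);

	(void)parse_record_unchecked;		/* present for contrast only */
	printf("%zu record(s) parsed, stopped at offset %zu of %zu\n",
	       parsed, stop, n);
	return 0;
}
```

Compiled with `-fsanitize=address` and fed the fuzzer's queue, the guarded version stops at the first bad record and reports the offset, whereas the unchecked variant is exactly the shape of code that reads past its buffer.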