Hi Matias,

On Tue, Oct 16, 2018, Matias Karhumaa wrote:
> Multiple different memory management vulnerabilities were discovered in
> btmon while fuzzing it with American Fuzzy Lop. The purpose of this
> fuzzing effort was to find some bugs in btmon, analyse and fix them, but
> also to try to exploit them. Another goal was to prove that fuzzing is a
> low-effort way to find bugs that could end up being severe ones.
>
> The most common weakness appeared to be buffer over-read, which was
> usually caused by missing boundary checks before accessing an array.
> Integer underflows were also quite common. The most interesting bug was
> a simple buffer overflow that was actually discovered already a couple
> of years ago by op7ic:
> https://www.spinics.net/lists/linux-bluetooth/msg68898.html
> but it was still not fixed. This particular vulnerability ended up being
> quite easily exploitable if certain mitigation techniques were disabled.
>
> Matias Karhumaa (12):
>   btmon: fix segfault caused by buffer over-read
>   btmon: fix segfault caused by buffer over-read
>   btmon: fix segfault caused by buffer over-read
>   btmon: Fix crash caused by integer underflow
>   btmon: fix stack buffer overflow
>   btmon: fix multiple segfaults
>   btmon: fix segfault caused by integer underflow
>   btmon: fix segfault caused by integer underflow
>   btmon: fix segfault caused by buffer over-read
>   btmon: fix segfault caused by buffer overflow
>   btmon: fix segfault caused by integer underflow
>   btmon: fix segfault caused by buffer over-read
>
>  monitor/packet.c     | 56 +++++++++++++++++++++++++++++++++++++++++---
>  monitor/sdp.c        | 21 ++++++++++++++++-
>  src/shared/btsnoop.c |  5 ++++
>  3 files changed, 78 insertions(+), 4 deletions(-)

All patches in this set have been applied. Thanks!

Johan
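The two bug classes the cover letter names (integer underflow when subtracting a header size from a too-short buffer, and over-read when a length field is trusted without comparing it to the bytes that remain) are shown below in a constructed record decoder. This is an added example, not btmon's code or any of the patches in the set; the record format and the function names are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed example, not btmon's code. A minimal dissector for a
 * length-prefixed record stream of the kind a packet decoder walks:
 *   [1 byte type][1 byte len][len bytes payload] ... repeated.
 * It guards against the two bug classes named in the cover letter. */

#define HDR_LEN 2

struct record {
    uint8_t type;
    uint8_t len;
    const uint8_t *payload;
};

/* Unsafe shape (the pattern the fuzzer finds; do not use):
 *   size_t remaining = size - HDR_LEN;   // underflows when size < 2
 *   memcpy(buf, data + HDR_LEN, len);    // over-reads when len > remaining
 * The function below checks before subtracting and before indexing. */

/* Parses data[0..size) into out[0..max). Returns the number of records in
 * the stream, or -1 if the stream is truncated or a length field overruns
 * the buffer. Records beyond max are counted but not stored. */
int decode_records(const uint8_t *data, size_t size,
                   struct record *out, size_t max)
{
    size_t off = 0, n = 0;

    while (off < size) {
        /* Check the header fits before computing any remaining size:
         * this is the integer-underflow guard. */
        if (size - off < HDR_LEN)
            return -1;

        uint8_t type = data[off];
        uint8_t len = data[off + 1];

        /* Compare the untrusted length against what actually remains
         * after the header: this is the over-read guard. */
        if (len > size - off - HDR_LEN)
            return -1;

        if (n < max) {
            out[n].type = type;
            out[n].len = len;
            out[n].payload = data + off + HDR_LEN;
        }
        n++;
        off += HDR_LEN + len;
    }
    return (int)n;
}

/* Convenience wrapper: parses buf into a scratch table and returns the count. */
int decode_count(const uint8_t *buf, size_t size)
{
    struct record scratch[8];
    return decode_records(buf, size, scratch, 8);
}
```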