Impact
What kind of vulnerability is it? Who is impacted?
In Zephyr bluetooth mesh core stack, an out-of-bound write vulnerability can be triggered during provisioning. If Transaction Continue PDU is received before the Transaction Start PDU (i.e., start segment lost), the SegN will be initialized as 0xff, which allows subsequent SegO up to 63 and leads to out-of-bound write.
Consider a situation that a Transaction Continue PDU is received first, with SegO greater than 2.
SegN (link.rx.last_seg) will be temporarily set as 0xff (SEG_NVAL).
Since SegN is 0xff now, we can pass the check SegO <= SegN.
Then comes to the memcpy. Since SegO is greater than 2, XACT_SEG_DATA(seg) is greater than 20 + (2-1)×23 = 43, data will be copied beyond 43 + 23 = 66, which exceeds the size of rx_buf, causing out-of-bound write.
Credits
Han Yan(闫晗),Lewei Qu(曲乐炜),Dongxiang Ke(柯懂湘) of Baidu AIoT Security Team
For more information
If you have any questions or comments about this advisory:
embargo: 2022-06-19
Patches
This has been fixed in:
Impact
What kind of vulnerability is it? Who is impacted?
In Zephyr bluetooth mesh core stack, an out-of-bound write vulnerability can be triggered during provisioning. If Transaction Continue PDU is received before the Transaction Start PDU (i.e., start segment lost), the SegN will be initialized as 0xff, which allows subsequent SegO up to 63 and leads to out-of-bound write.
Consider a situation that a Transaction Continue PDU is received first, with SegO greater than 2.
SegN (link.rx.last_seg) will be temporarily set as 0xff (SEG_NVAL).
Since SegN is 0xff now, we can pass the check SegO <= SegN.
Then comes to the memcpy. Since SegO is greater than 2, XACT_SEG_DATA(seg) is greater than 20 + (2-1)×23 = 43, data will be copied beyond 43 + 23 = 66, which exceeds the size of rx_buf, causing out-of-bound write.
Credits
Han Yan(闫晗),Lewei Qu(曲乐炜),Dongxiang Ke(柯懂湘) of Baidu AIoT Security Team
For more information
If you have any questions or comments about this advisory:
embargo: 2022-06-19
Patches
This has been fixed in: