Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2016-9797: bluez,bluez-hcidump: buffer over-read in l2cap_dump() | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Matthias Gerstner <matthias.gerstner> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Minor | | |
| Priority: | P3 - Medium | CC: | abergmann, acho, atanno, atoptsoglou, matthias.gerstner, rfrohl, smash_bz |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| URL: | https://smash.suse.de/issue/177090/ | | |
| Whiteboard: | CVSSv3:NVD:CVE-2016-9797:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) CVSSv3:RedHat:CVE-2016-9797:2.5:(AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L) CVSSv2:NVD:CVE-2016-9797:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv2:RedHat:CVE-2016-9797:1.2:(AV:L/AC:H/Au:N/C:N/I:N/A:P) CVSSv2:SUSE:CVE-2016-9797:1.2:(AV:L/AC:H/Au:N/C:N/I:N/A:P) | | |
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Bug Depends on: | 1013712 | | |
| Bug Blocks: | | | |
| Attachments: | hcidump file that causes the issue | | |

Description
Matthias Gerstner
2016-12-05 16:25:01 UTC
Created attachment 704864 [details]
hcidump file that causes the issue
Only SLE-12* codestreams are affected. In SLE-11 the code in question is not yet existing.

QA reproducer: The attached dump file can be used to trigger the issue using the following command:

valgrind hcidump -a -r cve-9797.poc.dec

I was able to reproduce the issue on SLES-12-SP2. The program will not crash but valgrind will print errors about invalid reads.

bugbot adjusting priority

(In reply to Matthias Gerstner from comment #2)
> Only SLE-12* codestreams are affected. In SLE-11 the code in question is not
> yet existing.

Would you please let me know which version in SLE-11? Is it bluez-4.99 or bluez-4.22?

>
> QA reproducer: The attached dump file can be used to trigger the issue using
> the following command:
>
> valgrind hcidump -a -r cve-9797.poc.dec
>
> I was able to reproduce the issue on SLES-12-SP2. The program will not crash
> but valgrind will print errors about invalid reads.

(In reply to Al Cho from comment #4)
> Would you please let me know which version in SLE-11 ? is it bluez-4.99 or
> bluez-4.22?

We currently have three codestreams for SLE-11 with the following versions for bluez:

SUSE:SLE-11-SP1:Update/bluez/bluez.spec:Version: 4.51
SUSE:SLE-11-SP3:Update/bluez/bluez.spec:Version: 4.99
SUSE:SLE-11-SP4:Update/bluez/bluez.spec:Version: 4.99

Most of the current bugs regarding bluez affect the 'hcidump' tool which is not contained in these versions of bluez. Instead there is a separate package bluez-hcidump that exists only for one codestream:

./SUSE:SLE-11-SP1:Update/bluez-hcidump/bluez-hcidump.spec:Version: 1.42

sr: 191318 (SLE-12)
sr: 191319 (SLE-12-SP2)
sr: 191321 (SLE-15)

SUSE-SU-2019:1339-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1013708,1013712,1013893,1015171,1015173
CVE References: CVE-2016-9797,CVE-2016-9798,CVE-2016-9802,CVE-2016-9917,CVE-2016-9918
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP4 (src): bluez-5.13-5.12.1
SUSE Linux Enterprise Workstation Extension 12-SP3 (src): bluez-5.13-5.12.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): bluez-5.13-5.12.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): bluez-5.13-5.12.1
SUSE Linux Enterprise Server 12-SP4 (src): bluez-5.13-5.12.1
SUSE Linux Enterprise Server 12-SP3 (src): bluez-5.13-5.12.1
SUSE Linux Enterprise Desktop 12-SP4 (src): bluez-5.13-5.12.1
SUSE Linux Enterprise Desktop 12-SP3 (src): bluez-5.13-5.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2019:1353-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1013708,1013712,1013893,1015171
CVE References: CVE-2016-9797,CVE-2016-9798,CVE-2016-9802,CVE-2016-9917
Sources used:
SUSE Linux Enterprise Workstation Extension 15 (src): bluez-5.48-5.16.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): bluez-5.48-5.16.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src): bluez-5.48-5.16.1
SUSE Linux Enterprise Module for Basesystem 15 (src): bluez-5.48-5.16.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2019:1476-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1013708,1013712,1013893,1015171
CVE References: CVE-2016-9797,CVE-2016-9798,CVE-2016-9802,CVE-2016-9917
Sources used:
openSUSE Leap 15.1 (src): bluez-5.48-lp151.8.3.1
openSUSE Leap 15.0 (src): bluez-5.48-lp150.4.13.1

This bug was not fixed by the update according to the output below:
Before:
-------
sles15:/work/bluez # valgrind hcidump -a -r cve-9797.poc.dec
==29462== Memcheck, a memory error detector
==29462== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==29462== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==29462== Command: hcidump -a -r cve-9797.poc.dec
==29462==
HCI sniffer - Bluetooth packet analyzer ver 5.48
==29462== Syscall param read(buf) points to unaddressable byte(s)
==29462== at 0x4F23C61: read (in /lib64/libc-2.26.so)
==29462== by 0x10F5AD: ??? (in /usr/bin/hcidump)
==29462== by 0x10F32D: ??? (in /usr/bin/hcidump)
==29462== by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so)
==29462== Address 0x51f4abc is 0 bytes after a block of size 1,500 alloc'd
==29462== at 0x4C2E01F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==29462== by 0x10F0B8: ??? (in /usr/bin/hcidump)
==29462== by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so)
==29462==
==29462==
==29462== HEAP SUMMARY:
==29462== in use at exit: 17 bytes in 1 blocks
==29462== total heap usage: 3 allocs, 2 frees, 2,541 bytes allocated
==29462==
==29462== LEAK SUMMARY:
==29462== definitely lost: 0 bytes in 0 blocks
==29462== indirectly lost: 0 bytes in 0 blocks
==29462== possibly lost: 0 bytes in 0 blocks
==29462== still reachable: 17 bytes in 1 blocks
==29462== suppressed: 0 bytes in 0 blocks
==29462== Rerun with --leak-check=full to see details of leaked memory
==29462==
==29462== For counts of detected and suppressed errors, rerun with: -v
==29462== ERROR SUMMARY: 2 errors from 1 contexts (suppressed: 0 from 0)
After:
------
sles15:/work/bluez # valgrind hcidump -a -r cve-9797.poc.dec
==23716== Memcheck, a memory error detector
==23716== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==23716== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==23716== Command: hcidump -a -r cve-9797.poc.dec
==23716==
HCI sniffer - Bluetooth packet analyzer ver 5.48
==23716== Syscall param read(buf) points to unaddressable byte(s)
==23716== at 0x4F23C61: read (in /lib64/libc-2.26.so)
==23716== by 0x10F84D: ??? (in /usr/bin/hcidump)
==23716== by 0x10F33D: ??? (in /usr/bin/hcidump)
==23716== by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so)
==23716== Address 0x51f4abc is 0 bytes after a block of size 1,500 alloc'd
==23716== at 0x4C2E01F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==23716== by 0x10F0C8: ??? (in /usr/bin/hcidump)
==23716== by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so)
==23716==
==23716==
==23716== HEAP SUMMARY:
==23716== in use at exit: 17 bytes in 1 blocks
==23716== total heap usage: 3 allocs, 2 frees, 2,541 bytes allocated
==23716==
==23716== LEAK SUMMARY:
==23716== definitely lost: 0 bytes in 0 blocks
==23716== indirectly lost: 0 bytes in 0 blocks
==23716== possibly lost: 0 bytes in 0 blocks
==23716== still reachable: 17 bytes in 1 blocks
==23716== suppressed: 0 bytes in 0 blocks
==23716== Rerun with --leak-check=full to see details of leaked memory
==23716==
==23716== For counts of detected and suppressed errors, rerun with: -v
==23716== ERROR SUMMARY: 2 errors from 1 contexts (suppressed: 0 from 0)
SUSE-SU-2019:1353-2: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1013708,1013712,1013893,1015171
CVE References: CVE-2016-9797,CVE-2016-9798,CVE-2016-9802,CVE-2016-9917
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP1 (src): bluez-5.48-5.16.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): bluez-5.48-5.16.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src): bluez-5.48-5.16.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): bluez-5.48-5.16.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Done