Summary
The function smp_error in subsys/bluetooth/host/smp.c
does not check whether smp->chan.chan.conn is NULL before using it,
which leads to a NULL pointer dereference.
A malicious BLE device can send a specific sequence of packets
to cause a denial of service (crash) on the victim BLE device.
Description
The process that triggers the vulnerability is illustrated above and described step by step below.
Assume LE Secure Connections (Just Works) is used to establish the pairing,
and the Controller does not support ECC, so the Host emulates it in software
(CONFIG_BT_TINYCRYPT_ECC=y).
- Step 1: When the Peripheral receives the Pairing Public Key command, it executes
bt_long_wq_submit(&ecc_work), so that the work queue thread later executes
emulate_le_generate_dhkey to compute the DHKey.
- Step 2: The Central sends a Pairing DHKey Check packet containing an incorrect Ea,
so that verification of the DHKey Check from the Central will fail (in step 4).
- Step 3: The Central sends an LL_TERMINATE_IND right after step 2. This makes the
Peripheral's Host execute hci_disconn_complete_prio and hci_disconn_complete,
causing hci_tx_thread to execute conn_cleanup to tear down the connection. During
the connection cleanup, deferred_work -> bt_l2cap_disconnected -> bt_l2cap_chan_del
is executed. In bt_l2cap_chan_del, smp->chan.chan.conn is set to NULL, which
results in the crash in step 5.
- Step 4: After the DHKey has been computed, bt_smp_dhkey_ready -> smp_dhkey_ready ->
compute_and_check_and_send_periph_dhcheck are executed to verify the DHKey Check,
and the verification fails.
- Step 5: The verification failure calls smp_error, which eventually executes
bt_conn_send_cb. The conn used there comes from smp->chan.chan.conn, which is now
NULL, so accessing conn->state crashes.
Because the outcome depends on thread scheduling (the ECC worker must finish only
after the disconnect cleanup has already run), triggering the vulnerability is
non-deterministic.
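To make the ordering concrete, the following small C model of the race is added here as an illustration. It is not Zephyr code: the structures, the helpers conn_send, l2cap_chan_del and run_sequence, and the hardened smp_error_checked variant are simplified stand-ins chosen for this example, not the upstream patch. The model keeps the real access path smp->chan.chan.conn and reports the NULL dereference as an error code instead of crashing, so that it can be run.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for the Zephyr host structures named in the
 * advisory (constructed for this example; not the real definitions). */
enum conn_state { CONN_DISCONNECTED = 0, CONN_CONNECTED = 1 };

struct bt_conn {
    enum conn_state state;
};

struct bt_l2cap_chan {
    struct bt_conn *conn;   /* cleared by the model of bt_l2cap_chan_del() */
};

struct bt_l2cap_le_chan {
    struct bt_l2cap_chan chan;
};

struct bt_smp {
    struct bt_l2cap_le_chan chan;   /* so the path is smp->chan.chan.conn */
    bool dhkey_pending;             /* ecc_work submitted, result not consumed */
};

enum { SEND_OK = 0, ERR_NO_CONN = -1, ERR_NULL_DEREF = -2 };

/* Models bt_conn_send_cb(): the crash site in the advisory is the read of
 * conn->state.  A NULL conn is reported here instead of dereferenced. */
static int conn_send(struct bt_conn *conn)
{
    if (conn == NULL) {
        return ERR_NULL_DEREF;   /* in the real host: NULL pointer dereference */
    }
    if (conn->state != CONN_CONNECTED) {
        return ERR_NO_CONN;
    }
    return SEND_OK;
}

/* Vulnerable shape: sends the Pairing Failed PDU without checking the link. */
static int smp_error_unchecked(struct bt_smp *smp)
{
    return conn_send(smp->chan.chan.conn);
}

/* Hardened shape (illustrative guard, not the upstream fix): bail out when the
 * L2CAP channel has already been detached from its connection. */
static int smp_error_checked(struct bt_smp *smp)
{
    if (smp->chan.chan.conn == NULL) {
        return ERR_NO_CONN;
    }
    return conn_send(smp->chan.chan.conn);
}

/* Models the effect of bt_l2cap_chan_del() during conn_cleanup. */
static void l2cap_chan_del(struct bt_smp *smp)
{
    smp->chan.chan.conn = NULL;
}

/* Replays the ordering from the advisory and returns what smp_error() would
 * do at step 5.  disconnect_before_dhkey selects whether LL_TERMINATE_IND
 * cleanup runs before the ECC worker delivers the DHKey. */
static int run_sequence(bool disconnect_before_dhkey, bool hardened)
{
    struct bt_conn conn = { .state = CONN_CONNECTED };
    struct bt_smp smp = { .chan.chan.conn = &conn, .dhkey_pending = false };

    smp.dhkey_pending = true;          /* step 1: Pairing Public Key -> ecc_work */
    bool ea_matches = false;           /* step 2: DHKey Check with wrong Ea */

    if (disconnect_before_dhkey) {     /* step 3: LL_TERMINATE_IND -> conn_cleanup */
        conn.state = CONN_DISCONNECTED;
        l2cap_chan_del(&smp);
    }

    smp.dhkey_pending = false;         /* step 4: worker done, DHKey Check verified */
    if (ea_matches) {
        return SEND_OK;
    }

    /* step 5: verification failed, smp_error() sends Pairing Failed */
    return hardened ? smp_error_checked(&smp) : smp_error_unchecked(&smp);
}

int main(void)
{
    printf("disconnect wins race, unchecked: %d\n", run_sequence(true, false));
    printf("disconnect wins race, checked:   %d\n", run_sequence(true, true));
    printf("no disconnect, unchecked:        %d\n", run_sequence(false, false));
    return 0;
}
```

Only the ordering where the disconnect cleanup runs before the DHKey result is consumed reaches the NULL pointer; the guard turns that path into a plain "no connection" return, while the normal failure path still sends the Pairing Failed PDU.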
Patches
main: #71030
For more information
If you have any questions or comments about this advisory:
embargo: 2024-07-01
Credits
Reported by Wei Che Kao (Xiaobye), graduate student from National Yang Ming Chiao Tung University, Dept. of CS,
Security and Systems Lab.