Nytro, posted March 14, 2016

Android: Stack Memory Corruption in BnBluetoothGattServer and BnBluetoothGattServerCallback IPC

Platform: Based on current master in AOSP
Class: Elevation of Privilege

This is in pre-release code and might not actually be vulnerable on a real device. While it’s probably only available in Brillo atm there are indications that it might become the default BT stack on later versions of Android so fixing it now would be good. I’ve not been able to test it directly but I have verified the code is vulnerable by building a copy for another device.

Summary:

The SEND_RESPONSE_TRANSACTION and SEND_NOTIFICATION_TRANSACTION IPC calls in BnBluetoothGattServer::onTransact are vulnerable to stack corruption which could allow an attacker to locally elevate privileges to the level of the bluetooth service.

Description:

The system/bt/service/common/bluetooth/binder/IBluetoothGattServer.cpp file which is part of a new Bluetooth stack for Brillo contains a binder service which has SEND_RESPONSE_TRANSACTION and SEND_NOTIFICATION_TRANSACTION calls. The handlers for these calls have a vulnerability where it’s possible to move the stack pointer out of bounds and get selective memory corruption on the stack.

Note that BnBluetoothGattServerCallback also has similar code patterns in its ON_CHARACTERISTIC_WRITE_REQUEST_TRANSACTION and ON_DESCRIPTOR_WRITE_REQUEST_TRANSACTION calls.

Link: https://code.google.com/p/google-security-research/issues/detail?id=712
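The bug class the report describes is a binder transaction handler that sizes a stack buffer from a length field the caller controls, so a negative or oversized length moves the stack pointer out of bounds before any bytes are copied. The following is an added example, not code from AOSP, the Brillo Bluetooth stack or the Project Zero report: a minimal stand-in Parcel and a hardened reader for a SEND_RESPONSE-style payload that rejects bad lengths before allocating. The parcel layout (three native-endian int32 fields followed by the value bytes), the Response struct, the 512-byte cap and all sample parcels are constructed assumptions for this example.

```cpp
// Added example, not code from AOSP or from the Project Zero report: a
// binder-style handler that reads a length-prefixed byte value, with the
// length range-checked before any buffer is sized from it. Parcel layout
// (native-endian int32 fields) and the Response struct are constructed here.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <optional>
#include <utility>
#include <vector>

// Minimal stand-in for a binder Parcel: a byte buffer with a read cursor.
class Parcel {
 public:
  explicit Parcel(std::vector<uint8_t> bytes) : buf_(std::move(bytes)) {}

  // Reads a native-endian int32; fails instead of reading past the end.
  bool readInt32(int32_t* out) {
    if (remaining() < sizeof(int32_t)) return false;
    std::memcpy(out, buf_.data() + pos_, sizeof(int32_t));
    pos_ += sizeof(int32_t);
    return true;
  }

  // Copies len raw bytes out; fails instead of reading past the end.
  bool readBytes(void* dst, size_t len) {
    if (remaining() < len) return false;
    std::memcpy(dst, buf_.data() + pos_, len);
    pos_ += len;
    return true;
  }

  size_t remaining() const { return buf_.size() - pos_; }

 private:
  std::vector<uint8_t> buf_;
  size_t pos_ = 0;
};

// Hypothetical payload of a SEND_RESPONSE-style transaction.
struct Response {
  int32_t conn_id;
  int32_t status;
  std::vector<uint8_t> value;
};

// Upper bound on the value length we accept; an assumed policy limit for
// this example (a GATT attribute value is at most 512 bytes).
constexpr size_t kMaxValueLen = 512;

// Unsafe shape this guards against (shown as a comment, not compiled):
//   int32_t len = data.readInt32();
//   uint8_t value[len];        // stack buffer sized by an untrusted int
//   data.read(value, len);
// A negative or huge len moves the stack pointer out of bounds before a
// single byte is copied, which is the bug class the report describes.

// Hardened reader: validate the length against a hard cap and against the
// bytes actually present, then allocate on the heap via std::vector.
std::optional<Response> readResponseChecked(Parcel& data) {
  Response r{};
  int32_t len = 0;
  if (!data.readInt32(&r.conn_id) || !data.readInt32(&r.status) ||
      !data.readInt32(&len)) {
    return std::nullopt;  // truncated parcel
  }
  if (len < 0 || static_cast<size_t>(len) > kMaxValueLen) {
    return std::nullopt;  // negative or oversized length
  }
  if (static_cast<size_t>(len) > data.remaining()) {
    return std::nullopt;  // length claims more bytes than were sent
  }
  r.value.resize(static_cast<size_t>(len));
  if (len > 0 && !data.readBytes(r.value.data(), r.value.size())) {
    return std::nullopt;
  }
  return r;
}

// Builds a constructed parcel; declared_len is written as given so a caller
// can deliberately produce a mismatched or negative length for testing.
std::vector<uint8_t> buildParcel(int32_t conn_id, int32_t status,
                                 int32_t declared_len,
                                 const std::vector<uint8_t>& value) {
  std::vector<uint8_t> out;
  auto put = [&out](int32_t v) {
    uint8_t b[sizeof(int32_t)];
    std::memcpy(b, &v, sizeof(b));
    out.insert(out.end(), b, b + sizeof(b));
  };
  put(conn_id);
  put(status);
  put(declared_len);
  out.insert(out.end(), value.begin(), value.end());
  return out;
}
```

The three checks are deliberately separate: the sign and cap check stops a length that could never be legitimate, the remaining-bytes check stops a length that is plausible but lies about the payload actually sent, and the heap-backed std::vector means that even a length that slips through a future refactor cannot move the stack pointer. Reviewing the real handlers for any stack array or alloca sized from a Parcel read is the quickest way to confirm whether a build carries this pattern.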