DragonFlyBSD Kernel Audit
DF-0499

Unprivileged info disclosure: read-only L2CAP node ioctls (GET_CON_LIST, GET_CHAN_LIST) lack a privilege check

Summary

ng_btsocket_l2cap_raw_attach() (:637-641) grants a raw L2CAP socket to any local process; the capability check there only sets the NG_BTSOCKET_L2CAP_RAW_PRIVILEGED flag on the socket. That flag is enforced only for SET_DEBUG, PING, GET_INFO and SET_AUTO_DISCON_TIMO. GET_CON_LIST (:850-933) returns the full BD_ADDRs of every L2CAP connection in the copyout at :926-928, and GET_CHAN_LIST returns the remote addresses and PSMs of every channel in the copyout at :981-983. Neither path checks the privilege flag, so any local user can enumerate the active Bluetooth peers and channels of all users on the host: a privacy/information leak.

Fix: gate GET_CON_LIST and GET_CHAN_LIST on the privilege flag, as the other privileged node ioctls already are.
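The attach-then-gate flow and the proposed fix, as a small model added here for illustration; it is not the DragonFlyBSD ng_btsocket_l2cap_raw.c source, and the command enum, struct layout, flag value and EPERM/EINVAL return codes are assumptions.

```c
/* Illustrative model of the DF-0499 privilege gate, written for this page; it
 * is not the DragonFlyBSD ng_btsocket_l2cap_raw.c code. Command numbers, the
 * struct, the flag value and the EPERM/EINVAL codes are assumptions. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

/* Constructed stand-ins for the node ioctls named in the finding. */
enum model_cmd {
    CMD_SET_DEBUG, CMD_PING, CMD_GET_INFO, CMD_SET_AUTO_DISCON_TIMO,
    CMD_GET_CON_LIST, CMD_GET_CHAN_LIST, CMD_COUNT
};
#define MODEL_RAW_PRIVILEGED 0x1 /* stands in for NG_BTSOCKET_L2CAP_RAW_PRIVILEGED */
struct model_pcb { uint32_t flags; };

/* attach: every local process gets a socket; the caps check only sets a flag. */
static void model_attach(struct model_pcb *pcb, bool caller_privileged)
{
    pcb->flags = caller_privileged ? MODEL_RAW_PRIVILEGED : 0;
}

/* Before the fix: the two list ioctls are not gated. */
static const bool gate_before[CMD_COUNT] = {
    [CMD_SET_DEBUG] = true, [CMD_PING] = true,
    [CMD_GET_INFO] = true, [CMD_SET_AUTO_DISCON_TIMO] = true,
};
/* After the fix: GET_CON_LIST and GET_CHAN_LIST require the flag as well. */
static const bool gate_after[CMD_COUNT] = {
    [CMD_SET_DEBUG] = true, [CMD_PING] = true,
    [CMD_GET_INFO] = true, [CMD_SET_AUTO_DISCON_TIMO] = true,
    [CMD_GET_CON_LIST] = true, [CMD_GET_CHAN_LIST] = true,
};

/* ioctl handler: 0 = command proceeds to its copyout, EPERM = gate refused it,
 * EINVAL = unknown command. */
static int model_ioctl(const struct model_pcb *pcb, enum model_cmd cmd,
                       const bool *gate)
{
    if ((unsigned)cmd >= CMD_COUNT)
        return EINVAL;
    if (gate[cmd] && !(pcb->flags & MODEL_RAW_PRIVILEGED))
        return EPERM;
    return 0;
}
/* Path as a local process sees it: open the raw socket, then issue cmd. */
static int model_request(enum model_cmd cmd, bool caller_privileged,
                         const bool *gate)
{
    struct model_pcb pcb;
    model_attach(&pcb, caller_privileged);
    return model_ioctl(&pcb, cmd, gate);
}
```

Under gate_before an unprivileged caller reaches the copyout for both list commands; under gate_after only a socket carrying the privileged flag does.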