- Found by Jiska and reported on October 29 2019 to Cypress.
- No new WICED Studio version since then, so probably unpatched, but only one evaluation board vulnerable.
Within classic Bluetooth, Asynchronous Connection-Less (ACL) mode is used for data transfer, such as tethering or music streaming. Similar to Host Controller Interface (HCI) commands and events, it is sent to the host using UART, but with a different data prefix in the H4 protocol.
Upon driver initialization by the operating system, the Bluetooth chip signals the maximum packet and
buffer size using the HCI_Read_Buffer_Size command (see p. 795, BT 5.2 Spec). Broadcom chips are configured for
an ACL length of 1021 bytes and 8 packets. If this buffer is exceeded, this causes a
heap overflow. It is important to note that this overflow cannot be exploited without bypassing the driver
and operating system Bluetooth stack, which requires privileged access either way.
Yet, on the CYW20735 chip only, there is a buffer misconfiguration, which makes ACL exploitable.
The global variables BT_ACL_HOST_TO_DEVICE_DEFAULT_SIZE and BT_ACL_DEVICE_TO_HOST_DEFAULT_SIZE
are set to 384 bytes, while
the chip still signals a size of 1021 bytes to the host. Thus, just setting up a regular headset for
audio streaming as a user immediately results in a heap overflow. As the misconfiguration affects both
directions, the heap overflow can also be triggered over-the-air by sending a few L2Ping
packets exceeding 384 byte. When reconfiguring the buffer size in WICED Studio 6.4,
this hard-bricks the evaluation board, likely because of insufficient memory and
automatically reloading the firmware image internally.
This vulnerability stopped us from further ACL fuzzing with the emulated CYW20735 firmware. It is impossible to take a snapshot during music streaming or tethering before the firmware crashes. However, the CYW20819 firmware does not have this issue.