Windows bluetooth vulnerability exploit [CVE-2022-44675]

We discussed this vulnerability during Episode 204 on 11 April 2023

A local privilege escalation in bthport.sys, the Windows Bluetooth bus driver. The vulnerability exists in the Service Discovery Protocol (SDP) implementation. A user-mode application can interact with the driver through IOCTLs that exist to add and remove service records, and to query for service records. Every service is a series of service attributes, each made up of a 16-bit ID and an attribute value of indeterminate length. A service record can have as many attributes as it wants, as they are stored in a doubly-linked list without a fixed size.

The vulnerability is in the SDP's implementation of ServiceAndAttributeSearch. As the name implies, this is used to search for a service containing a specific attribute ID; if found, it returns the entire service record (all attributes). To do so it first determines how large a buffer it needs by iterating over the attributes and incrementing the size for each one. It does so without checking for an integer overflow, so if a service has several large attributes the size value can overflow. When the application then goes to allocate a buffer, it will be too small for the data that will eventually be written into it.
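The size-accounting flaw described above, as an added illustration that is not the driver's code: a constructed linked list of SDP-style attributes, the unchecked summation that wraps, and the overflow-checked form beside it. The struct layout, the record contents and the function names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of an SDP service record (not bthport.sys code):
 * attributes live in a linked list, each carrying a 16-bit ID and a
 * variable-length value. */
typedef struct attr {
    uint16_t id;
    uint32_t value_len;   /* encoded length of the attribute value */
    struct attr *next;
} attr_t;

#define ATTR_ID_SIZE 2u   /* bytes needed for the 16-bit attribute ID */

/* Vulnerable pattern: per-attribute sizes are accumulated with no overflow
 * check, so a record with a few huge attributes wraps the total and the
 * caller allocates a buffer far too small for the data copied into it. */
uint32_t sum_attr_sizes_unchecked(const attr_t *head) {
    uint32_t total = 0;
    for (const attr_t *a = head; a != NULL; a = a->next)
        total += ATTR_ID_SIZE + a->value_len;   /* silently wraps mod 2^32 */
    return total;
}

/* Hardened pattern: every addition is checked against UINT32_MAX before it
 * is performed; on overflow the record is rejected instead of allocated. */
bool sum_attr_sizes_checked(const attr_t *head, uint32_t *out) {
    uint32_t total = 0;
    for (const attr_t *a = head; a != NULL; a = a->next) {
        if (a->value_len > UINT32_MAX - ATTR_ID_SIZE ||
            ATTR_ID_SIZE + a->value_len > UINT32_MAX - total)
            return false;   /* would overflow: refuse the record */
        total += ATTR_ID_SIZE + a->value_len;
    }
    *out = total;
    return true;
}

/* Constructed records: "oversized" has three attributes whose encoded
 * lengths sum past UINT32_MAX; "normal" is a plain two-attribute record. */
static attr_t big3 = { 0x0103, 0x80000000u, NULL };
static attr_t big2 = { 0x0102, 0x80000000u, &big3 };
static attr_t oversized = { 0x0101, 0x10u, &big2 };
static attr_t norm2 = { 0x0004, 8u, NULL };
static attr_t normal = { 0x0001, 4u, &norm2 };

int main(void) {
    uint32_t n = 0;
    printf("unchecked size: %u bytes\n", (unsigned)sum_attr_sizes_unchecked(&oversized));
    printf("checked: %s\n", sum_attr_sizes_checked(&oversized, &n) ? "ok" : "rejected (overflow)");
    return 0;
}
```

The unchecked sum for the oversized record wraps to 22 bytes, while the checked version rejects it and only accepts the normal record (16 bytes).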