Hi! I recently discovered a stack overflow in a Bluetooth driver. Here is the commit fixing the issue: https://github.com/torvalds/linux/commit/3aa1dc3c9060e335e82e9c182bf3d1db29220b1b. You could exploit this vulnerability: with physical access, one could modify the NVRAM values to exploit the stack overflow. I also found an email thread that says the OEM does not need to create this UEFI variable (https://patches.linaro.org/project/linux-bluetooth/patch/20240626092801.2343844-1-kiran.k@xxxxxxxxx/). This bypasses any runtime variable lock that the firmware might have. Then a user can set/create the variable from the OS and overflow the stack in the kernel. I was told that this might be outside the Linux threat model because the general consensus is that we trust the data coming from the firmware. In this case, we can set the variable from both outside and inside. Is this a security issue on Linux's end?

/ Oliver
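The bug class described in the message above (a driver copying a firmware-supplied variable into a fixed-size stack buffer while trusting the length the firmware reports) is illustrated here with an added example. It is not the Linux btintel code, not the fix in the linked commit, and not part of the original message; `fake_get_variable` is a constructed, in-memory model of the UEFI GetVariable in/out-size contract (the caller passes the buffer capacity in `*size`; the store reports the required size and a "buffer too small" status when the capacity is insufficient). The variable names and contents in `store` are constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Status codes for the constructed variable store (hypothetical, not EFI_STATUS). */
enum { VAR_OK = 0, VAR_NOT_FOUND = -1, VAR_TOO_SMALL = -2, VAR_BAD_SIZE = -3 };

/* Constructed stand-in for the firmware NVRAM variable store. On a real machine
 * the contents are whatever was written to NVRAM, so "firmware-provided" data
 * may have been set from the OS or with physical access, as the message notes. */
struct fake_var { const char *name; const uint8_t *data; size_t size; };
static const uint8_t small_blob[4]  = { 1, 2, 3, 4 };
static const uint8_t big_blob[64]   = { 0 };            /* 64 bytes of sample content */
static const struct fake_var store[] = {
    { "SmallVar", small_blob, sizeof small_blob },
    { "BigVar",   big_blob,   sizeof big_blob   },
};

/* Models GetVariable: *size is the caller's buffer capacity on entry and the
 * variable's actual size on return. Copies only when the capacity suffices. */
static int fake_get_variable(const char *name, void *buf, size_t *size)
{
    for (size_t i = 0; i < sizeof store / sizeof store[0]; i++) {
        if (strcmp(store[i].name, name) != 0)
            continue;
        if (buf == NULL || *size < store[i].size) {
            *size = store[i].size;          /* report how much space is needed */
            return VAR_TOO_SMALL;
        }
        memcpy(buf, store[i].data, store[i].size);
        *size = store[i].size;
        return VAR_OK;
    }
    return VAR_NOT_FOUND;
}

/* VULNERABLE pattern (shown only, never called here): the caller advertises a
 * capacity that does not match the real stack buffer, so a variable larger
 * than 8 bytes is copied past the end of `buf`. */
static int read_var_trusting(const char *name)
{
    uint8_t buf[8];
    size_t claimed = 4096;                  /* lies about the capacity of buf */
    return fake_get_variable(name, buf, &claimed);
}

/* Hardened pattern: pass the true capacity and treat "too small" as an error
 * instead of retrying with a bigger claimed size. Returns VAR_OK and sets
 * *out_len on success. */
int read_var_bounded(const char *name, uint8_t *out, size_t out_cap, size_t *out_len)
{
    size_t size = out_cap;
    int rc = fake_get_variable(name, out, &size);
    if (rc != VAR_OK)
        return rc;                          /* VAR_TOO_SMALL: firmware data exceeds buffer */
    *out_len = size;
    return VAR_OK;
}

/* Stricter variant for variables that must hold a fixed-layout structure:
 * reject anything whose size differs from the expected layout size. */
int read_var_exact(const char *name, uint8_t *out, size_t expected)
{
    size_t len = 0;
    int rc = read_var_bounded(name, out, expected, &len);
    if (rc != VAR_OK)
        return rc;
    return len == expected ? VAR_OK : VAR_BAD_SIZE;
}

int main(void)
{
    uint8_t buf[16];
    size_t len = 0;
    (void)read_var_trusting;                /* intentionally unused */
    printf("SmallVar: rc=%d len=%zu\n", read_var_bounded("SmallVar", buf, sizeof buf, &len), len);
    printf("BigVar:   rc=%d (rejected, %zu bytes > %zu capacity)\n",
           read_var_bounded("BigVar", buf, sizeof buf, &len), sizeof big_blob, sizeof buf);
    printf("SmallVar as 4-byte struct: rc=%d\n", read_var_exact("SmallVar", buf, 4));
    return 0;
}
```

The defensive point is the one the linked commit's subject area turns on: the length that comes back from the firmware is data, not a promise, and the copy destination's real capacity must bound it regardless of who could have written the variable.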