From: Tomas Bortoli
To: marcel@holtmann.org, johan.hedberg@gmail.com
Cc: davem@davemloft.net, linux-bluetooth@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller@googlegroups.com, Tomas Bortoli
Subject: [PATCH] net/bluetooth: Fix bound check in event handling
Date: Thu, 28 Feb 2019 20:59:39 +0100
Message-Id: <20190228195939.30685-1-tomasbortoli@gmail.com>
X-Mailer: git-send-email 2.11.0
X-Mailing-List: linux-kernel@vger.kernel.org

hci_inquiry_result_with_rssi_evt() can perform out of bound reads on
skb->data as a bound check is missing.

Signed-off-by: Tomas Bortoli
Reported-by: syzbot+cec7a50c412a2c03f8f5@syzkaller.appspotmail.com
Reported-by: syzbot+660883c56e2fa65d4497@syzkaller.appspotmail.com
---
Syzkaller reports:
https://syzkaller.appspot.com/bug?id=d708485af9edc3af35f3b4d554e827c6c8bf6b0f
https://syzkaller.appspot.com/bug?id=3acd1155d48a5acc5d76711568b04926945a6885

 net/bluetooth/hci_event.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index ac2826ce162b..aa953d23bb72 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -3983,6 +3983,10 @@ static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, for (; num_rsp; num_rsp--, info++) { u32 flags; + if ((void *)(info + sizeof(info)) > + (void *)(skb->data + skb->len)) + break; + bacpy(&data.bdaddr, &info->bdaddr); data.pscan_rep_mode = info->pscan_rep_mode; data.pscan_period_mode = info->pscan_period_mode; -- 2.11.0
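Review bot: the bound expression in the added `if` is wrong. `info` is a pointer, so `sizeof(info)` is the size of the pointer, not of the entry it points to, and `info + sizeof(info)` advances by that many whole elements, so the comparison tests an address several entries beyond the one about to be read, which makes the loop `break` on valid events while still not guaranteeing that the current entry lies inside `skb->data + skb->len`. The address one full entry past the current one is `info + 1`, so the check should read `if ((void *)(info + 1) > (void *)(skb->data + skb->len)) break;` (or `(u8 *)info + sizeof(*info)`). Better still, validate once before the loop that `skb->len` is large enough to hold `num_rsp` entries of `sizeof(*info)` and drop the event if it is not, instead of silently processing a truncated prefix.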