From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Marcel Holtmann, Johan Hedberg, Sasha Levin, linux-bluetooth@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.0 221/262] Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer
Date: Wed, 27 Mar 2019 14:01:16 -0400
Message-Id: <20190327180158.10245-221-sashal@kernel.org>
In-Reply-To: <20190327180158.10245-1-sashal@kernel.org>

From: Marcel Holtmann

[ Upstream commit 7c9cbd0b5e38a1672fcd137894ace3b042dfbf69 ]

The function l2cap_get_conf_opt will return L2CAP_CONF_OPT_SIZE + opt->len as length value. The opt->len however is under the control of the remote user and can be used by an attacker to gain access beyond the bounds of the actual packet.

To prevent any potential leak of heap memory, it is enough to check that the resulting len calculation after calling l2cap_get_conf_opt is not below zero. A well-formed packet will always return >= 0 here and will end with the length value being zero after the last option has been parsed. In case of malformed packets messing with the opt->len field the length value will become negative. If that is the case, then just abort and ignore the option.

In case an attacker uses a too short opt->len value, then garbage will be parsed, but that is protected by the unknown option handling and also the option parameter size checks.

Signed-off-by: Marcel Holtmann
Reviewed-by: Greg Kroah-Hartman
Signed-off-by: Johan Hedberg
Signed-off-by: Sasha Levin
---
 net/bluetooth/l2cap_core.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 2a7fb517d460..f8b3d2a81a44 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c @@ -3337,6 +3337,8 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data while (len >= L2CAP_CONF_OPT_SIZE) { len -= l2cap_get_conf_opt(&req, &type, &olen, &val); + if (len < 0) + break; hint = type & L2CAP_CONF_HINT; type &= L2CAP_CONF_MASK; @@ -3548,6 +3550,8 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, while (len >= L2CAP_CONF_OPT_SIZE) { len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val); + if (len < 0) + break; switch (type) { case L2CAP_CONF_MTU: @@ -3728,6 +3732,8 @@ static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len) while (len >= L2CAP_CONF_OPT_SIZE) { len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val); + if (len < 0) + break; switch (type) { case L2CAP_CONF_RFC: -- 2.19.1
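Review bot: in the l2cap_parse_conf_req hunk the new `if (len < 0) break;` only fires because `len` is a signed int, while the function's own size argument visible in the hunk header is a `size_t`; a one-line comment saying that `len` must stay signed for this check to work would keep a later type cleanup from silently turning it into dead code. It is also worth confirming that l2cap_get_conf_opt does not itself dereference the option value for its fixed-width cases before returning, because that read happens before the caller reaches this check.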
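Review bot: in the l2cap_parse_conf_rsp hunk a negative `len` can only come from a peer whose opt->len overran the packet, yet the `break` lets the function carry on with whatever options were parsed before the bad one and with a result that does not distinguish this case from a clean end of the option list; consider returning an error here, or at least a comment stating that trailing garbage in a configure response is deliberately tolerated, so a truncated or malicious response is not treated as a complete one. The commit message says "abort and ignore the option", but the `break` also discards every option after it, which the message should say.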
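Review bot: the l2cap_conf_rfc_get hunk is the third copy of the same two-line guard after `len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);`; moving the bound into the helper (pass the remaining length in and have it refuse an option whose opt->len exceeds it) would cover all three call sites and any future one in one place, and would stop the helper from trusting a remote-controlled length at all. If the callers keep the check, a comment explaining why a negative `len` means the packet was malformed belongs next to at least one of them.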
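The option loop the three hunks guard, as an added user-space example that is not kernel code and not part of Marcel Holtmann's patch. The constant names L2CAP_CONF_OPT_SIZE, L2CAP_CONF_MTU and L2CAP_CONF_RFC are taken from the patch; the helper `get_conf_opt`, the `parse_conf` function and its `hardened` switch, the `overread` counter, the 9-byte RFC option length and all packet bytes are assumptions of this example. It runs the loop once as it was before the patch and once with the added `if (len < 0) break;` over a well-formed configure request, one whose last option claims more value bytes than the packet holds, and one whose opt->len is too short.

```c
/* Added example, not kernel code: user-space model of the L2CAP
 * configure-option loop that the patch hardens, over constructed packets. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define L2CAP_CONF_OPT_SIZE 2      /* option header: type + len (name from the patch) */
#define L2CAP_CONF_MTU      0x01
#define L2CAP_CONF_RFC      0x04
#define L2CAP_CONF_RFC_LEN  9      /* assumed: sizeof(struct l2cap_conf_rfc) in the kernel */

struct l2cap_conf_opt {
	uint8_t type;
	uint8_t len;               /* remote-controlled */
	uint8_t val[];
};

/* Shaped like the kernel helper: trusts opt->len and returns header + opt->len.
 * Works on offsets rather than raw pointers so this demo never forms an
 * out-of-bounds pointer of its own. */
static int get_conf_opt(const uint8_t *pkt, int *off, uint8_t *type,
			uint8_t *olen, int *val_off)
{
	const struct l2cap_conf_opt *opt = (const struct l2cap_conf_opt *)(pkt + *off);
	int len = L2CAP_CONF_OPT_SIZE + opt->len;

	*type = opt->type;
	*olen = opt->len;
	*val_off = *off + L2CAP_CONF_OPT_SIZE;
	*off += len;
	return len;
}

struct parse_result {
	int options;       /* options that passed the type and size checks */
	int overread;      /* value bytes past the packet end a copy would have touched */
	int final_len;     /* len when the loop ended: 0 for a well-formed packet */
	uint16_t mtu;
	uint8_t rfc[L2CAP_CONF_RFC_LEN];
};

/* hardened == 0 models the loop before the patch, hardened == 1 the patched loop. */
static struct parse_result parse_conf(const uint8_t *pkt, int pkt_len, int hardened)
{
	struct parse_result r;
	int off = 0, len = pkt_len, val_off;
	uint8_t type, olen;

	memset(&r, 0, sizeof(r));
	while (len >= L2CAP_CONF_OPT_SIZE) {
		len -= get_conf_opt(pkt, &off, &type, &olen, &val_off);
		if (hardened && len < 0)
			break;         /* the patch: opt->len overran the packet */

		/* Without the check an oversized opt->len makes the value extend past
		 * the packet; a memcpy(&rfc, val, olen) would read that far.
		 * Count those bytes instead of dereferencing them. */
		if (val_off + olen > pkt_len)
			r.overread += val_off + olen - pkt_len;

		switch (type) {
		case L2CAP_CONF_MTU:
			if (olen != 2)
				break; /* option parameter size check */
			r.options++;
			if (val_off + 2 <= pkt_len)
				r.mtu = (uint16_t)(pkt[val_off] | (pkt[val_off + 1] << 8));
			break;
		case L2CAP_CONF_RFC:
			if (olen != L2CAP_CONF_RFC_LEN)
				break;
			r.options++;
			if (val_off + olen <= pkt_len)
				memcpy(r.rfc, pkt + val_off, olen);
			break;
		default:
			break;         /* unknown option: skipped */
		}
	}
	r.final_len = len;
	return r;
}

/* Constructed packets, not captured traffic. */
static const uint8_t good_pkt[] = {
	L2CAP_CONF_MTU, 2, 0xF7, 0x02,                          /* MTU 759 */
	L2CAP_CONF_RFC, 9, 0x03, 32, 3, 0xE8, 0x03, 0x70, 0x17, 0xF2, 0x03,
};
/* Same MTU option, then an RFC option claiming 9 value bytes but carrying 3. */
static const uint8_t evil_pkt[] = {
	L2CAP_CONF_MTU, 2, 0xF7, 0x02,
	L2CAP_CONF_RFC, 9, 0xAA, 0xBB, 0xCC,
};
/* RFC option with a too-short len: the size check drops it and the next
 * "header" is read from inside the bogus value, as the commit message says. */
static const uint8_t short_pkt[] = {
	L2CAP_CONF_RFC, 1, 0xF7,
	L2CAP_CONF_MTU, 2, 0x00, 0x04,                          /* MTU 1024 */
};

int main(void)
{
	struct parse_result r = parse_conf(evil_pkt, (int)sizeof(evil_pkt), 0);
	printf("before: accepted=%d overread=%d len=%d\n", r.options, r.overread, r.final_len);
	r = parse_conf(evil_pkt, (int)sizeof(evil_pkt), 1);
	printf("after:  accepted=%d overread=%d len=%d\n", r.options, r.overread, r.final_len);
	return 0;
}
```

The run over evil_pkt shows where the leak actually sits: even before the patch the `while (len >= L2CAP_CONF_OPT_SIZE)` loop terminates, because `len` has gone to -6, but the oversized RFC option has already passed the `olen == 9` size check and its value copy reaches 6 bytes past the packet. The added check rejects the option before any of that, which is why the post-patch result accepts only the MTU option and counts no over-read. The short_pkt run shows the other direction the commit message describes: a too-short opt->len is harmless because the size check drops the RFC option and the bytes that follow are parsed as a further, well-formed option.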