From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Marcel Holtmann, Johan Hedberg
Subject: [PATCH 4.14 002/107] Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer
Date: Mon, 1 Apr 2019 19:01:17 +0200
Message-Id: <20190401170045.488808547@linuxfoundation.org>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20190401170045.246405031@linuxfoundation.org>
References: <20190401170045.246405031@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
X-Patchwork-Hint: ignore
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marcel Holtmann

commit 7c9cbd0b5e38a1672fcd137894ace3b042dfbf69 upstream.

The function l2cap_get_conf_opt will return L2CAP_CONF_OPT_SIZE + opt->len
as length value. The opt->len however is under the control of the remote
user and can be used by an attacker to gain access beyond the bounds of the
actual packet.

To prevent any potential leak of heap memory, it is enough to check that the
resulting len calculation after calling l2cap_get_conf_opt is not below zero.
A well-formed packet will always return >= 0 here and will end with the
length value being zero after the last option has been parsed. In case of
malformed packets messing with the opt->len field the length value will
become negative. If that is the case, then just abort and ignore the option.

In case an attacker uses too short an opt->len value, then garbage will be
parsed, but that is protected by the unknown option handling and also the
option parameter size checks.

Signed-off-by: Marcel Holtmann
Reviewed-by: Greg Kroah-Hartman
Signed-off-by: Johan Hedberg
Signed-off-by: Greg Kroah-Hartman
---
 net/bluetooth/l2cap_core.c |    6 ++++++
 1 file changed, 6 insertions(+)
--- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c @@ -3336,6 +3336,8 @@ static int l2cap_parse_conf_req(struct l while (len >= L2CAP_CONF_OPT_SIZE) { len -= l2cap_get_conf_opt(&req, &type, &olen, &val); + if (len < 0) + break; hint = type & L2CAP_CONF_HINT; type &= L2CAP_CONF_MASK; @@ -3554,6 +3556,8 @@ static int l2cap_parse_conf_rsp(struct l while (len >= L2CAP_CONF_OPT_SIZE) { len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val); + if (len < 0) + break; switch (type) { case L2CAP_CONF_MTU: @@ -3739,6 +3743,8 @@ static void l2cap_conf_rfc_get(struct l2 while (len >= L2CAP_CONF_OPT_SIZE) { len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val); + if (len < 0) + break; switch (type) { case L2CAP_CONF_RFC:
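Review bot: the new `if (len < 0) break;` in l2cap_parse_conf_req only does anything if `len` is a signed type, and the hunk's context does not show its declaration. With an unsigned `len` the `len -= l2cap_get_conf_opt(...)` subtraction would wrap to a large positive value, the comparison against zero would never be true, and the existing `while (len >= L2CAP_CONF_OPT_SIZE)` guard would keep the loop running over bytes past the packet. Please confirm in the declaration that `len` is an `int` (or make the comparison explicit with a signed cast) so that the check cannot be defeated by a later type change. The placement is right otherwise: the break comes before `hint = type & L2CAP_CONF_HINT;`, so nothing from the truncated option is acted on.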
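Review bot: in l2cap_parse_conf_rsp the break only happens after `l2cap_get_conf_opt(&rsp, &type, &olen, &val)` has already consumed the option, and the hunk does not show whether that helper dereferences value bytes based on opt->len before returning. If it does, an option at the very end of the response that declares more value bytes than remain is still read once inside the helper before this check discards the result; the check stops the `switch (type)` below from acting on it, which is what the commit message needs, but a one-line comment stating that the helper's own reads stay within the packet (or why a small over-read there is harmless) would make the argument reviewable from this hunk alone.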
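Review bot: breaking out of the loop in l2cap_conf_rfc_get silently treats a response whose last option overruns the buffer as if the option list simply ended there, so the function carries on with whatever it parsed before the bad option. That matches the commit message's "just abort and ignore the option", but a peer sending such a frame is either broken or hostile, so consider at least a debug message at the break so that the event is visible, and whether the caller should see the configuration as rejected rather than partially applied. The identical three-line check now appears in three loops; a short comment at one of them explaining the length bookkeeping (a well-formed list ends at exactly zero, anything negative means opt->len lied) would help the next reader.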
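To make the length bookkeeping described in the commit message concrete, here is an added C model (example code written for this page, not from the patch, the kernel tree or Marcel Holtmann) of an L2CAP configuration-option parse loop in both its pre-fix and post-fix shape. The option constants and the two struct layouts follow the kernel's l2cap.h; `get_conf_opt` is a simplified stand-in for l2cap_get_conf_opt that trusts opt->len the same way; the packets, and the 0x41 bytes that stand in for memory adjacent to the packet, are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values as in include/net/bluetooth/l2cap.h. */
#define L2CAP_CONF_OPT_SIZE 2
#define L2CAP_CONF_MTU      0x01
#define L2CAP_CONF_RFC      0x04
#define L2CAP_CONF_MASK     0x7f

/* Option header: type, len, then len bytes of value (kernel: struct l2cap_conf_opt). */
struct conf_opt {
	uint8_t type;
	uint8_t len;
	uint8_t val[];
} __attribute__((packed));

/* Retransmission/flow-control option, 9 bytes like the kernel's struct l2cap_conf_rfc. */
struct conf_rfc {
	uint8_t  mode;
	uint8_t  txwin_size;
	uint8_t  max_transmit;
	uint16_t retrans_timeout;
	uint16_t monitor_timeout;
	uint16_t max_pdu_size;
} __attribute__((packed));

/* Simplified model of l2cap_get_conf_opt: advances *ptr by the option's declared
 * size and returns that size, trusting opt->len.  1/2/4-byte values are decoded
 * little-endian; any other length hands back a pointer to the value bytes. */
static int get_conf_opt(const uint8_t **ptr, int *type, int *olen, uintptr_t *val)
{
	const struct conf_opt *opt = (const struct conf_opt *)*ptr;
	int len = L2CAP_CONF_OPT_SIZE + opt->len;

	*ptr += len;
	*type = opt->type;
	*olen = opt->len;
	switch (opt->len) {
	case 1: *val = opt->val[0]; break;
	case 2: *val = (uintptr_t)opt->val[0] | ((uintptr_t)opt->val[1] << 8); break;
	case 4: *val = (uintptr_t)opt->val[0] | ((uintptr_t)opt->val[1] << 8) |
		       ((uintptr_t)opt->val[2] << 16) | ((uintptr_t)opt->val[3] << 24); break;
	default: *val = (uintptr_t)opt->val; break;	/* caller copies olen bytes */
	}
	return len;
}

/* Parse loop shaped like l2cap_parse_conf_req.  hardened == 0 is the loop as it
 * was before the fix; hardened == 1 adds the patch's "if (len < 0) break;".
 * Returns the number of options accepted. */
static int parse_conf(const uint8_t *data, int len, int hardened,
		      uint16_t *mtu, struct conf_rfc *rfc)
{
	const uint8_t *p = data;
	int type, olen, accepted = 0;
	uintptr_t val;

	while (len >= L2CAP_CONF_OPT_SIZE) {
		len -= get_conf_opt(&p, &type, &olen, &val);
		if (hardened && len < 0)
			break;		/* option claims more bytes than the packet holds */
		type &= L2CAP_CONF_MASK;
		switch (type) {
		case L2CAP_CONF_MTU:
			*mtu = (uint16_t)val;
			accepted++;
			break;
		case L2CAP_CONF_RFC:
			if (olen == (int)sizeof(*rfc)) {	/* the kernel's size check */
				memcpy(rfc, (const void *)val, olen);
				accepted++;
			}
			break;
		default:
			break;
		}
	}
	return accepted;
}

/* Constructed packet: a valid MTU option, then an RFC option header whose len
 * byte says 9 although the packet ends right after it.  Bytes following the
 * packet are filled with 0x41 to play the role of neighbouring memory.
 * Returns (options accepted << 8) | rfc.mode. */
static int run_truncated_rfc(int hardened)
{
	static const uint8_t pkt[6] = {
		L2CAP_CONF_MTU, 2, 0xd0, 0x02,	/* MTU = 720 */
		L2CAP_CONF_RFC, 9,		/* claims 9 value bytes, none present */
	};
	uint8_t backing[32];
	uint16_t mtu = 0;
	struct conf_rfc rfc;
	int accepted;

	memset(&rfc, 0, sizeof(rfc));
	memset(backing, 0x41, sizeof(backing));
	memcpy(backing, pkt, sizeof(pkt));
	accepted = parse_conf(backing, (int)sizeof(pkt), hardened, &mtu, &rfc);
	return (accepted << 8) | rfc.mode;
}

/* Constructed well-formed packet: the remaining length ends at exactly zero,
 * so both variants accept both options.  Same return encoding as above. */
static int run_well_formed(int hardened)
{
	static const uint8_t pkt[] = {
		L2CAP_CONF_MTU, 2, 0xd0, 0x02,
		L2CAP_CONF_RFC, 9, 0x03, 63, 3, 0xd0, 0x07, 0xb8, 0x0b, 0xf7, 0x03,
	};
	uint16_t mtu = 0;
	struct conf_rfc rfc;
	int accepted;

	memset(&rfc, 0, sizeof(rfc));
	accepted = parse_conf(pkt, (int)sizeof(pkt), hardened, &mtu, &rfc);
	return (accepted << 8) | rfc.mode;
}

int main(void)
{
	int r;

	r = run_truncated_rfc(0);
	printf("pre-fix,  truncated RFC: %d accepted, mode byte 0x%02x\n", r >> 8, r & 0xff);
	r = run_truncated_rfc(1);
	printf("post-fix, truncated RFC: %d accepted, mode byte 0x%02x\n", r >> 8, r & 0xff);
	r = run_well_formed(1);
	printf("post-fix, well-formed:   %d accepted, mode byte 0x%02x\n", r >> 8, r & 0xff);
	return 0;
}
```

With the truncated packet the pre-fix loop ends up with `len == -9`, but the RFC case still runs because `olen == 9` passes the size check, so the nine 0x41 bytes beyond the packet are copied into the RFC structure; in the kernel those bytes would then be echoed back to the peer in the configuration response, which is the heap leak the commit message refers to. The post-fix loop sees the negative `len` and breaks, so only the MTU option is accepted and the RFC structure keeps its zeroed contents. The well-formed packet gives the same result both ways: the remaining length lands on exactly zero after the last option.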