Subject: Re: [Linux-kernel-mentees] [PATCH v3] net/bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()
From: Marcel Holtmann
Date: Fri, 10 Jul 2020 19:08:51 +0200
To: Peilin Ye
Cc: Johan Hedberg, "David S. Miller", Jakub Kicinski, Russell King, Greg Kroah-Hartman, Bluetooth Kernel Mailing List, "open list:NETWORKING [GENERAL]", syzkaller-bugs@googlegroups.com, linux-kernel-mentees@lists.linuxfoundation.org, linux-kernel@vger.kernel.org
In-Reply-To: <20200710160915.228980-1-yepeilin.cs@gmail.com>
References: <20200709130224.214204-1-yepeilin.cs@gmail.com> <20200710160915.228980-1-yepeilin.cs@gmail.com>
Message-Id: <43E6945B-1FFE-4283-9F1B-E84AFDCB528F@holtmann.org>
List-ID: linux-kernel@vger.kernel.org

Hi Peilin,

> The check on `num_rsp` is insufficient. A malformed event packet with a
> large `num_rsp` number makes hci_extended_inquiry_result_evt() go out
> of bounds. Fix it.
>
> This patch fixes the following syzbot bug:
>
> https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2
>
> Reported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com
> Cc: stable@vger.kernel.org
> Signed-off-by: Peilin Ye
> ---
> Change in v3:
> - Minimum `skb->len` requirement was 1 byte inaccurate since `info`
>   starts from `skb->data + 1`. Fix it.
>
> Changes in v2:
> - Use `skb->len` instead of `skb->truesize` as the length limit.
> - Leave `num_rsp` as type `int`.
>
> net/bluetooth/hci_event.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)

Patch has been applied to bluetooth-next tree.

Regards

Marcel
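The commit message and changelog above describe the bounds check but the page does not carry the hunk itself. The following is an added example, written for this page and not taken from the kernel or from Peilin Ye's patch, that models an Extended Inquiry Result event as a plain byte buffer (standing in for skb->data/skb->len) and shows the pre-fix check beside a check built from the v3 changelog: `num_rsp` entries plus the leading `num_rsp` byte must fit in the remaining length. The struct layout, the helper names, the return codes and both sample packets are assumptions constructed for the example; the diffstat reports a one-line change, so the real fix is a single extended condition rather than the separate functions shown here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Model of one Extended Inquiry Result entry. The field layout is assumed
 * to follow the kernel's struct extended_inquiry_info; it is a stand-alone
 * copy for this example, not the kernel definition.
 */
struct eir_info {
    uint8_t  bdaddr[6];
    uint8_t  pscan_rep_mode;
    uint8_t  pscan_period_mode;
    uint8_t  dev_class[3];
    uint16_t clock_offset;
    int8_t   rssi;
    uint8_t  data[240];
} __attribute__((packed));

enum { EIR_OK = 0, EIR_REJECT_EMPTY = -1, EIR_REJECT_SHORT = -2 };

/* data/len stand in for skb->data/skb->len: data[0] is num_rsp, entries start at data + 1. */

/* Pre-fix check as the commit message describes it: only num_rsp == 0 is rejected. */
static int eir_check_original(const uint8_t *data, size_t len)
{
    if (len < 1)            /* assumed: the caller guarantees at least the num_rsp byte */
        return EIR_REJECT_SHORT;
    if (data[0] == 0)
        return EIR_REJECT_EMPTY;
    return EIR_OK;
}

/* Check derived from the v3 changelog: num_rsp * sizeof(info) + 1 bytes must be present. */
static int eir_check_fixed(const uint8_t *data, size_t len)
{
    if (len < 1)
        return EIR_REJECT_SHORT;
    if (data[0] == 0)
        return EIR_REJECT_EMPTY;
    if (len < (size_t)data[0] * sizeof(struct eir_info) + 1)
        return EIR_REJECT_SHORT;
    return EIR_OK;
}

/* Bytes the per-result loop would read past the buffer end if only the original check ran. */
static size_t eir_overread_bytes(const uint8_t *data, size_t len)
{
    size_t need;
    if (len < 1)
        return 0;
    need = (size_t)data[0] * sizeof(struct eir_info) + 1;
    return need > len ? need - len : 0;
}

/* Copy out up to max_out entries after the fixed check; returns the count or a negative EIR_ code. */
static int eir_parse(const uint8_t *data, size_t len, struct eir_info *out, size_t max_out)
{
    int rc = eir_check_fixed(data, len);
    size_t n, i;
    if (rc != EIR_OK)
        return rc;
    n = data[0] < max_out ? data[0] : max_out;
    for (i = 0; i < n; i++)
        memcpy(&out[i], data + 1 + i * sizeof(struct eir_info), sizeof(struct eir_info));
    return (int)n;
}

/* Constructed sample (not a captured packet): one well-formed result with rssi -60. */
#define GOOD_EVENT_LEN (1 + sizeof(struct eir_info))
static const uint8_t *sample_good_event(void)
{
    static uint8_t buf[GOOD_EVENT_LEN];
    struct eir_info info;
    memset(&info, 0, sizeof info);
    memcpy(info.bdaddr, "\x11\x22\x33\x44\x55\x66", 6);
    info.rssi = -60;
    buf[0] = 1;                         /* num_rsp */
    memcpy(buf + 1, &info, sizeof info);
    return buf;
}

/* Constructed sample (not a captured packet): num_rsp = 255 but only 9 payload bytes follow. */
static const uint8_t malformed_event[10] = { 0xff, 1, 2, 3, 4, 5, 6, 7, 8, 9 };

int main(void)
{
    struct eir_info out[2];
    printf("sizeof(struct eir_info) = %zu\n", sizeof(struct eir_info));
    printf("good: original=%d fixed=%d parsed=%d\n",
           eir_check_original(sample_good_event(), GOOD_EVENT_LEN),
           eir_check_fixed(sample_good_event(), GOOD_EVENT_LEN),
           eir_parse(sample_good_event(), GOOD_EVENT_LEN, out, 2));
    printf("malformed: original=%d fixed=%d overread=%zu bytes\n",
           eir_check_original(malformed_event, sizeof malformed_event),
           eir_check_fixed(malformed_event, sizeof malformed_event),
           eir_overread_bytes(malformed_event, sizeof malformed_event));
    return 0;
}
```

The original check accepts the malformed buffer and the result loop would then read tens of kilobytes past the end of a 10-byte allocation, which is the slab-out-of-bounds read syzbot reported. The multiplication is done after widening `num_rsp` (at most 255, since it is a single byte on the wire) to `size_t`, so it cannot wrap; the `+ 1` is the one-byte correction the v3 changelog describes, because the entries begin at `skb->data + 1`, not at `skb->data`.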