From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Peilin Ye , Marcel Holtmann Subject: [PATCH 5.8 17/38] Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_with_rssi_evt() Date: Mon, 10 Aug 2020 17:19:07 +0200 Message-Id: <20200810151804.739117891@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200810151803.920113428@linuxfoundation.org> References: <20200810151803.920113428@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Peilin Ye commit 629b49c848ee71244203934347bd7730b0ddee8d upstream. Check `num_rsp` before using it as for-loop counter. Add `unlock` label. Cc: stable@vger.kernel.org Signed-off-by: Peilin Ye Signed-off-by: Marcel Holtmann Signed-off-by: Greg Kroah-Hartman --- net/bluetooth/hci_event.c | 7 +++++++ 1 file changed, 7 insertions(+) --- a/net/bluetooth/hci_event.c +++ b/net/bluetooth/hci_event.c @@ -4166,6 +4166,9 @@ static void hci_inquiry_result_with_rssi struct inquiry_info_with_rssi_and_pscan_mode *info; info = (void *) (skb->data + 1); + if (skb->len < num_rsp * sizeof(*info) + 1) + goto unlock; + for (; num_rsp; num_rsp--, info++) { u32 flags; @@ -4187,6 +4190,9 @@ static void hci_inquiry_result_with_rssi } else { struct inquiry_info_with_rssi *info = (void *) (skb->data + 1); + if (skb->len < num_rsp * sizeof(*info) + 1) + goto unlock; + for (; num_rsp; num_rsp--, info++) { u32 flags; @@ -4207,6 +4213,7 @@ static void hci_inquiry_result_with_rssi } } +unlock: hci_dev_unlock(hdev); }
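Review bot: In the first hunk (the `struct inquiry_info_with_rssi_and_pscan_mode` branch), the `+ 1` in `skb->len < num_rsp * sizeof(*info) + 1` is an unexplained constant. It mirrors the one-byte offset in `info = (void *) (skb->data + 1);`, and a short comment naming what that skipped leading byte is would keep the offset and the length check in step. The declaration of `num_rsp` is outside the hunk; because the product is evaluated in the type of `sizeof`, it is worth confirming that `num_rsp` is small and non-negative at this point so the right-hand side cannot wrap before it is compared with `skb->len`.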
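Review bot: In the second hunk (the `else` branch with `struct inquiry_info_with_rssi *info`), the new `goto unlock` discards a too-short event without any log line, so a controller that sends truncated inquiry results leaves no trace for whoever has to debug it; consider emitting an error or debug message before the jump. The length expression is the same text as in the first hunk and differs only through the type of `info`, so a small helper that takes the element size would keep the two copies from drifting apart.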