From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Peilin Ye , Marcel Holtmann Subject: [PATCH 4.14 010/228] Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_with_rssi_evt() Date: Thu, 20 Aug 2020 11:19:45 +0200 Message-Id: <20200820091608.041870411@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200820091607.532711107@linuxfoundation.org> References: <20200820091607.532711107@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Peilin Ye commit 629b49c848ee71244203934347bd7730b0ddee8d upstream. Check `num_rsp` before using it as for-loop counter. Add `unlock` label. Cc: stable@vger.kernel.org Signed-off-by: Peilin Ye Signed-off-by: Marcel Holtmann Signed-off-by: Greg Kroah-Hartman --- net/bluetooth/hci_event.c | 7 +++++++ 1 file changed, 7 insertions(+) --- a/net/bluetooth/hci_event.c +++ b/net/bluetooth/hci_event.c @@ -3623,6 +3623,9 @@ static void hci_inquiry_result_with_rssi struct inquiry_info_with_rssi_and_pscan_mode *info; info = (void *) (skb->data + 1); + if (skb->len < num_rsp * sizeof(*info) + 1) + goto unlock; + for (; num_rsp; num_rsp--, info++) { u32 flags; @@ -3644,6 +3647,9 @@ static void hci_inquiry_result_with_rssi } else { struct inquiry_info_with_rssi *info = (void *) (skb->data + 1); + if (skb->len < num_rsp * sizeof(*info) + 1) + goto unlock; + for (; num_rsp; num_rsp--, info++) { u32 flags; @@ -3664,6 +3670,7 @@ static void hci_inquiry_result_with_rssi } } +unlock: hci_dev_unlock(hdev); }
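Review bot: in the first hunk (@@ -3623,6 +3623,9 @@), the new `if (skb->len < num_rsp * sizeof(*info) + 1) goto unlock;` discards a truncated event without any diagnostic, so a malformed inquiry result leaves no trace in the log. Consider emitting a rate-limited error before the `goto unlock`, and add a one-line comment that the `+ 1` covers the byte that precedes the array, since `info` starts at `skb->data + 1`.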
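Review bot: in the second hunk (@@ -3644,6 +3647,9 @@), the length check is textually identical to the one in the first hunk, yet `sizeof(*info)` measures a different struct here because this branch declares its own `struct inquiry_info_with_rssi *info`. Two copies that differ only through a shadowed declaration are easy to get out of sync in a later edit; consider factoring them into one small helper that takes `skb`, `num_rsp` and the element size, so the bound is written once and both branches call it.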