From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Pavel Skripkin, Marcel Holtmann, Sasha Levin, syzbot+be2baed593ea56c6a84c@syzkaller.appspotmail.com
Subject: [PATCH 4.4 057/133] Bluetooth: add timeout sanity check to hci_inquiry
Date: Mon, 20 Sep 2021 18:42:15 +0200
Message-Id: <20210920163914.519398792@linuxfoundation.org>
In-Reply-To: <20210920163912.603434365@linuxfoundation.org>
References: <20210920163912.603434365@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Pavel Skripkin

[ Upstream commit f41a4b2b5eb7872109723dab8ae1603bdd9d9ec1 ]

Syzbot hit a "task hung" bug in hci_req_sync(). The problem was an unreasonably huge inquiry timeout passed from userspace. Fix it by adding a sanity check for the timeout value to hci_inquiry().

Since hci_inquiry() is the only user of hci_req_sync() with a user-controlled timeout value, it makes sense to check the timeout value in hci_inquiry() and not touch hci_req_sync().

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-and-tested-by: syzbot+be2baed593ea56c6a84c@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin
Signed-off-by: Marcel Holtmann
Signed-off-by: Sasha Levin
---
 net/bluetooth/hci_core.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index bf69bfd0b475..eefaa10c74db 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -1357,6 +1357,12 @@ int hci_inquiry(void __user *arg) goto done; } + /* Restrict maximum inquiry length to 60 seconds */ + if (ir.length > 60) { + err = -EINVAL; + goto done; + } + hci_dev_lock(hdev); if (inquiry_cache_age(hdev) > INQUIRY_CACHE_AGE_MAX || inquiry_cache_empty(hdev) || ir.flags & IREQ_CACHE_FLUSH) {
-- 
2.30.2
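Review bot: the bound in `+ if (ir.length > 60) {` is a bare magic number whose meaning lives only in the comment above it; a named constant (a hypothetical HCI_INQUIRY_MAX_LENGTH, for example) defined next to the other inquiry definitions would make the unit and the rationale explicit and keep the value in one place if it is ever reused on the hci_req_sync() side. Rejecting with -EINVAL instead of clamping is also a userspace-visible change for any caller that previously passed a larger length, which the commit message should say so that stable reviewers can weigh it. The placement itself is sound: the new check sits after the existing `goto done;` error path and before `hci_dev_lock(hdev);`, so it reuses the same cleanup label as the earlier failure and no lock is held when it bails out.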