From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Pavel Skripkin, Marcel Holtmann, Sasha Levin, syzbot+e3fcb9c4f3c2a931dc40@syzkaller.appspotmail.com
Subject: [PATCH 4.4 021/114] Bluetooth: stop processing malicious adv data
Date: Mon, 24 Jan 2022 19:41:56 +0100
Message-Id: <20220124183927.780532909@linuxfoundation.org>
In-Reply-To: <20220124183927.095545464@linuxfoundation.org>
References: <20220124183927.095545464@linuxfoundation.org>
X-Mailer: git-send-email 2.34.1
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

From: Pavel Skripkin

[ Upstream commit 3a56ef719f0b9682afb8a86d64b2399e36faa4e6 ]

Syzbot reported a slab-out-of-bounds read in hci_le_adv_report_evt(). The problem was a missing validation check. We should check that the data is not malicious and that we can read the next data block. If we don't check ptr validity, the code can read way beyond skb->end, and that can cause problems, of course.

Fixes: e95beb414168 ("Bluetooth: hci_le_adv_report_evt code refactoring")
Reported-and-tested-by: syzbot+e3fcb9c4f3c2a931dc40@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin
Signed-off-by: Marcel Holtmann
Signed-off-by: Sasha Levin
---
 net/bluetooth/hci_event.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 6528ecc3a3bc5..05ccd2bcd9e46 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -4940,7 +4940,8 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) struct hci_ev_le_advertising_info *ev = ptr; s8 rssi; - if (ev->length <= HCI_MAX_AD_LENGTH) { + if (ev->length <= HCI_MAX_AD_LENGTH && + ev->data + ev->length <= skb_tail_pointer(skb)) { rssi = ev->data[ev->length]; process_adv_report(hdev, ev->evt_type, &ev->bdaddr, ev->bdaddr_type, NULL, 0, rssi, 
@@ -4950,6 +4951,11 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) } ptr += sizeof(*ev) + ev->length + 1; + + if (ptr > (void *) skb_tail_pointer(skb) - sizeof(*ev)) { + bt_dev_err(hdev, "Malicious advertising data. Stopping processing"); + break; + } } hci_dev_unlock(hdev); -- 2.34.1
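Review bot: the bound added in the first hunk, `ev->data + ev->length <= skb_tail_pointer(skb)`, stops one byte short of what the very next line reads. `rssi = ev->data[ev->length];` is at offset `ev->length`, so when `ev->data + ev->length` is equal to the tail pointer the RSSI byte sits one past the end of the skb data and the read is still out of bounds. The condition should be `ev->data + ev->length < skb_tail_pointer(skb)` (equivalently `ev->data + ev->length + 1 <= skb_tail_pointer(skb)`), which matches the `+ 1` the loop later adds to `ptr` for that RSSI byte.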
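Review bot: the check in the second hunk runs after `ptr` has been advanced past the current report, including past the last one, so a well-formed event whose final report ends exactly at the tail leaves `ptr == skb_tail_pointer(skb)`, the condition `ptr > (void *) skb_tail_pointer(skb) - sizeof(*ev)` is true, and `bt_dev_err(hdev, "Malicious advertising data. Stopping processing")` is logged for valid traffic. Moving the check to the top of the loop body, before `ev` is dereferenced, makes it fire only when another report is actually about to be parsed, and it would then also cover the first report, which this placement never validates.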
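A userspace model of the parsing this patch hardens, added here as an example; it is not kernel code and not part of the patch or the thread. It assumes the LE Advertising Report layout implied by the struct used in the hunk (num_reports, then per report evt_type, bdaddr_type, bdaddr, length, data[length], rssi) and uses constructed byte buffers rather than captured traffic. `parse_le_adv_reports` checks every read, including the RSSI byte at `data[length]`, against the buffer end; `hunk_bound_accepts` models only the bound the first hunk adds, so the one-byte gap between the two is visible on the `no_rssi_evt` input.

```c
/*
 * Added example, not kernel code: a userspace model of LE Advertising
 * Report parsing. Wire layout assumed (HCI spec, matching the fields of
 * struct hci_ev_le_advertising_info referenced in the hunk):
 *   num_reports(1), then per report:
 *   evt_type(1) bdaddr_type(1) bdaddr(6) length(1) data[length] rssi(1)
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HCI_MAX_AD_LENGTH 31
#define ADV_INFO_HDR_LEN  9   /* bytes before data[]: evt_type..length */

struct adv_report {
    uint8_t evt_type, bdaddr_type, bdaddr[6], length;
    const uint8_t *data;
    int8_t rssi;
};

/*
 * Strict parser: every read is checked against 'end' before it happens,
 * and the RSSI byte at data[length] is inside the bound. Returns the
 * number of reports parsed, or -1 on truncated or malicious input.
 */
int parse_le_adv_reports(const uint8_t *buf, size_t len,
                         struct adv_report *out, size_t max_out)
{
    const uint8_t *ptr = buf, *end = buf + len;
    size_t n = 0;

    if (len < 1)
        return -1;
    uint8_t num_reports = *ptr++;

    while (num_reports--) {
        if ((size_t)(end - ptr) < ADV_INFO_HDR_LEN)
            return -1;                       /* header runs past end */
        uint8_t length = ptr[8];
        if (length > HCI_MAX_AD_LENGTH)
            return -1;
        /* data[0..length-1] plus the trailing RSSI byte must fit */
        if ((size_t)(end - ptr) < ADV_INFO_HDR_LEN + (size_t)length + 1)
            return -1;
        if (n < max_out) {
            struct adv_report *r = &out[n];
            r->evt_type = ptr[0];
            r->bdaddr_type = ptr[1];
            memcpy(r->bdaddr, ptr + 2, 6);
            r->length = length;
            r->data = ptr + ADV_INFO_HDR_LEN;
            r->rssi = (int8_t)ptr[ADV_INFO_HDR_LEN + length];
        }
        n++;
        ptr += ADV_INFO_HDR_LEN + length + 1;
    }
    return (int)n;
}

/*
 * Model of the bound the first hunk adds, for a single report:
 *   ev->data + ev->length <= skb_tail_pointer(skb)
 * Returns true when that condition accepts the report. It does not cover
 * the RSSI byte read right after it (ev->data[ev->length]).
 */
bool hunk_bound_accepts(const uint8_t *buf, size_t len)
{
    const uint8_t *ev = buf + 1, *tail = buf + len;
    if (len < 1 + ADV_INFO_HDR_LEN)
        return false;
    uint8_t length = ev[8];
    return length <= HCI_MAX_AD_LENGTH &&
           ev + ADV_INFO_HDR_LEN + length <= tail;
}

/* Constructed samples (not captured traffic). */
static const uint8_t good_evt[] = {      /* 1 report, 3 data bytes, RSSI -60 */
    0x01, 0x00, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66,
    0x03, 0x02, 0x01, 0x06, 0xC4 };
static const uint8_t truncated_evt[] = { /* claims 2 reports, 2nd header cut */
    0x02, 0x00, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x01, 0xAA, 0xC4,
    0x00, 0x00, 0x11 };
static const uint8_t no_rssi_evt[] = {   /* data fits exactly, RSSI byte missing */
    0x01, 0x00, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66,
    0x03, 0x02, 0x01, 0x06 };

int demo_good(void)      { struct adv_report r[2]; return parse_le_adv_reports(good_evt, sizeof good_evt, r, 2); }
int demo_good_rssi(void) { struct adv_report r[2]; parse_le_adv_reports(good_evt, sizeof good_evt, r, 2); return r[0].rssi; }
int demo_truncated(void) { struct adv_report r[2]; return parse_le_adv_reports(truncated_evt, sizeof truncated_evt, r, 2); }
int demo_no_rssi(void)   { struct adv_report r[2]; return parse_le_adv_reports(no_rssi_evt, sizeof no_rssi_evt, r, 2); }
bool demo_hunk_accepts_no_rssi(void) { return hunk_bound_accepts(no_rssi_evt, sizeof no_rssi_evt); }

int main(void)
{
    printf("good: %d report(s), rssi %d\n", demo_good(), demo_good_rssi());
    printf("truncated: %d\n", demo_truncated());
    printf("no_rssi: strict parser %d, hunk bound accepts %d\n",
           demo_no_rssi(), demo_hunk_accepts_no_rssi());
    return 0;
}
```

The strict parser rejects `truncated_evt` at the second report, where the hunk's late-placed check would only trigger after the first report had been handled, and rejects `no_rssi_evt` outright, while the modelled hunk bound accepts it and would go on to read the RSSI byte one past the end.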