From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Pavel Skripkin , Marcel Holtmann , Sasha Levin , syzbot+e3fcb9c4f3c2a931dc40@syzkaller.appspotmail.com
Subject: [PATCH 4.14 038/186] Bluetooth: stop processing malicious adv data
Date: Mon, 24 Jan 2022 19:41:53 +0100
Message-Id: <20220124183938.352879074@linuxfoundation.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20220124183937.101330125@linuxfoundation.org>
References: <20220124183937.101330125@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Pavel Skripkin

[ Upstream commit 3a56ef719f0b9682afb8a86d64b2399e36faa4e6 ]

Syzbot reported a slab-out-of-bounds read in hci_le_adv_report_evt().
The problem was a missing validation check. We should check that the data
is not malicious and that we can read the next data block. If we don't
check ptr validity, the code can read way beyond skb->end, which can
cause problems, of course.

Fixes: e95beb414168 ("Bluetooth: hci_le_adv_report_evt code refactoring")
Reported-and-tested-by: syzbot+e3fcb9c4f3c2a931dc40@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin
Signed-off-by: Marcel Holtmann
Signed-off-by: Sasha Levin
---
 net/bluetooth/hci_event.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 5186f199d892c..eca596a56f46b 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -4967,7 +4967,8 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) struct hci_ev_le_advertising_info *ev = ptr; s8 rssi; - if (ev->length <= HCI_MAX_AD_LENGTH) { + if (ev->length <= HCI_MAX_AD_LENGTH && + ev->data + ev->length <= skb_tail_pointer(skb)) { rssi = ev->data[ev->length]; process_adv_report(hdev, ev->evt_type, &ev->bdaddr, ev->bdaddr_type, NULL, 0, rssi,
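Review bot: the new bound in this hunk is off by one for the read that follows it. `rssi = ev->data[ev->length]` reads the byte at address `ev->data + ev->length`, so that address must be strictly below the tail; with `<=`, a report whose AD bytes end exactly at skb_tail_pointer(skb) passes the check and the rssi read touches one byte past the valid data. Use `ev->data + ev->length < skb_tail_pointer(skb)` (equivalently `ev->data + ev->length + 1 <= skb_tail_pointer(skb)`), which matches the `sizeof(*ev) + ev->length + 1` advance applied to ptr in the second hunk.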
@@ -4977,6 +4978,11 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) } ptr += sizeof(*ev) + ev->length + 1; + + if (ptr > (void *) skb_tail_pointer(skb) - sizeof(*ev)) { + bt_dev_err(hdev, "Malicious advertising data. Stopping processing"); + break; + } } hci_dev_unlock(hdev); -- 2.34.1
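Review bot: this check is placed after the advance, so it also fires on the last report of every well-formed event, not only on malicious input. After the final report is consumed, ptr equals skb_tail_pointer(skb), and `tail > tail - sizeof(*ev)` is always true, so bt_dev_err() logs "Malicious advertising data" and the loop breaks on valid packets. Placed after the increment it also leaves the very first header read (`ev = ptr` at the top of the body) uncovered. Move the bounds test to the top of the loop body, before ptr is dereferenced, so it guards every header read and only trips when another report is expected but fewer than sizeof(*ev) bytes remain.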
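The commit message describes the bug only in prose: the loop walks a sequence of variable-length advertising reports and trusted each report's self-declared length. The following is an added example, not kernel code and not part of Pavel Skripkin's patch: a user-space C model of that report-walking loop with every read bounds-checked against the buffer end (the role skb_tail_pointer(skb) plays in the kernel), run over constructed event bytes. The per-report layout (evt_type, bdaddr_type, bdaddr[6], length, data[length], rssi) and the leading num_reports byte are assumed from the HCI LE Advertising Report event format, and HCI_MAX_AD_LENGTH is assumed to be the 31-byte AD limit. The helper hunk_check_accepts() evaluates the comparison from the first hunk as written, to show which input it lets through.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HCI_MAX_AD_LENGTH 31  /* assumed: 31-byte AD payload limit */

/* Per-report layout of the LE Advertising Report event (assumed from the
 * spec, modelled on the kernel's hci_ev_le_advertising_info).  One rssi
 * byte follows data[length]. */
struct le_adv_info {
    uint8_t evt_type;
    uint8_t bdaddr_type;
    uint8_t bdaddr[6];
    uint8_t length;
    uint8_t data[];
};

struct parse_result {
    int reports;      /* reports fully validated and consumed */
    int truncated;    /* 1 if the buffer ended inside a report */
    int8_t last_rssi; /* rssi of the last report consumed */
};

/* Walk the reports the way the kernel loop does, but check every read
 * against end before performing it. */
struct parse_result parse_le_adv_report(const uint8_t *buf, size_t len)
{
    struct parse_result r = {0, 0, 0};
    const uint8_t *end = buf + len;
    const uint8_t *ptr;
    uint8_t num_reports;

    if (len < 1) {
        r.truncated = 1;
        return r;
    }
    num_reports = buf[0];
    ptr = buf + 1;

    while (num_reports--) {
        const struct le_adv_info *ev;
        size_t need;

        /* The fixed header must fit before ev->length is read. */
        if ((size_t)(end - ptr) < sizeof(struct le_adv_info)) {
            r.truncated = 1;
            break;
        }
        ev = (const struct le_adv_info *)ptr;
        /* data[length] and the trailing rssi byte must fit as well; the +1
         * is exactly what a "ev->data + ev->length <= end" test misses. */
        need = sizeof(struct le_adv_info) + (size_t)ev->length + 1;
        if (ev->length > HCI_MAX_AD_LENGTH || (size_t)(end - ptr) < need) {
            r.truncated = 1;
            break;
        }
        r.last_rssi = (int8_t)ev->data[ev->length];
        r.reports++;
        ptr += need;
    }
    return r;
}

/* The first hunk's condition, applied to the first report only.  It never
 * performs the rssi read, so it is safe to evaluate on any buffer.
 * Returns 1 if that check would let the rssi read go ahead. */
int hunk_check_accepts(const uint8_t *buf, size_t len)
{
    const uint8_t *end = buf + len;
    const struct le_adv_info *ev = (const struct le_adv_info *)(buf + 1);

    if (len < 1 + sizeof(struct le_adv_info))
        return 0;
    return ev->length <= HCI_MAX_AD_LENGTH && ev->data + ev->length <= end;
}

/* Constructed test vectors, not captured traffic. */
static const uint8_t good_evt[] = {
    2,                                                             /* num_reports */
    0x00, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 3, 0x02, 0x01, 0x06, 0xC8, /* rssi -56 */
    0x03, 0x01, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, 2, 0x01, 0x05,       0xB0, /* rssi -80 */
};
/* length claims 31 AD bytes but only 2 follow: the syzbot-style case. */
static const uint8_t oversized_evt[] = {
    1, 0x00, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 31, 0x02, 0x01,
};
/* AD bytes fit exactly, but the trailing rssi byte is missing. */
static const uint8_t no_rssi_evt[] = {
    1, 0x00, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 3, 0x02, 0x01, 0x06,
};

int main(void)
{
    struct parse_result r = parse_le_adv_report(good_evt, sizeof good_evt);
    printf("good: %d reports, truncated=%d, last rssi=%d\n",
           r.reports, r.truncated, r.last_rssi);
    r = parse_le_adv_report(oversized_evt, sizeof oversized_evt);
    printf("oversized: %d reports, truncated=%d\n", r.reports, r.truncated);
    r = parse_le_adv_report(no_rssi_evt, sizeof no_rssi_evt);
    printf("no rssi: %d reports, truncated=%d, hunk check accepts=%d\n",
           r.reports, r.truncated,
           hunk_check_accepts(no_rssi_evt, sizeof no_rssi_evt));
    return 0;
}
```

The design point is that the bound is computed once per report as `sizeof(header) + length + 1` and compared against the remaining byte count before any field past the header is touched; the no_rssi_evt vector is rejected by that rule but accepted by the hunk's `<=` comparison, which is the one-byte gap the first hunk leaves open.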