From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Pavel Skripkin, Marcel Holtmann, Sasha Levin, syzbot+e3fcb9c4f3c2a931dc40@syzkaller.appspotmail.com
Subject: [PATCH 5.4 048/320] Bluetooth: stop processing malicious adv data
Date: Mon, 24 Jan 2022 19:40:32 +0100
Message-Id: <20220124183955.376929250@linuxfoundation.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20220124183953.750177707@linuxfoundation.org>
References: <20220124183953.750177707@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Pavel Skripkin

[ Upstream commit 3a56ef719f0b9682afb8a86d64b2399e36faa4e6 ]

Syzbot reported a slab-out-of-bounds read in hci_le_adv_report_evt(). The problem was in a missing validation check.

We should check that the data is not malicious and that we can read the next data block. If we don't check ptr validness, the code can read way beyond skb->end, and that can cause problems, of course.

Fixes: e95beb414168 ("Bluetooth: hci_le_adv_report_evt code refactoring")
Reported-and-tested-by: syzbot+e3fcb9c4f3c2a931dc40@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin
Signed-off-by: Marcel Holtmann
Signed-off-by: Sasha Levin
---
 net/bluetooth/hci_event.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 31469ff084cd3..40f1593651e84 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -5506,7 +5506,8 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) struct hci_ev_le_advertising_info *ev = ptr; s8 rssi; - if (ev->length <= HCI_MAX_AD_LENGTH) { + if (ev->length <= HCI_MAX_AD_LENGTH && + ev->data + ev->length <= skb_tail_pointer(skb)) { rssi = ev->data[ev->length]; process_adv_report(hdev, ev->evt_type, &ev->bdaddr, ev->bdaddr_type, NULL, 0, rssi, 
@@ -5516,6 +5517,11 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) } ptr += sizeof(*ev) + ev->length + 1; + + if (ptr > (void *) skb_tail_pointer(skb) - sizeof(*ev)) { + bt_dev_err(hdev, "Malicious advertising data. Stopping processing"); + break; + } } hci_dev_unlock(hdev); -- 2.34.1
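Review bot: the new bounds check in the first hunk, `ev->data + ev->length <= skb_tail_pointer(skb)`, is off by one for the read that immediately follows it: `rssi = ev->data[ev->length]` reads the byte at `ev->data + ev->length`, and the condition still admits the case where that address equals `skb_tail_pointer(skb)`, i.e. one byte past the valid data. The advance in the second hunk (`ptr += sizeof(*ev) + ev->length + 1`) shows that each report carries `ev->length + 1` bytes after its header (data plus the RSSI byte), so the check should require `ev->data + ev->length < skb_tail_pointer(skb)` (equivalently `ev->data + ev->length + 1 <= skb_tail_pointer(skb)`) before `rssi` is read.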
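Review bot: the tail check added in the second hunk runs only after `ptr` has been advanced, so it protects every report except the first: on the first iteration `ev = ptr` is dereferenced (`ev->length` in the first hunk's condition) before anything has confirmed that `sizeof(*ev)` bytes are actually present in the skb. Unless the caller already guarantees a minimum length for this event, the same `ptr > (void *) skb_tail_pointer(skb) - sizeof(*ev)` test should also run at the top of the loop body, before `ev->length` is read, which would cover the first report and make the post-advance check redundant. Separately, the `break` after `bt_dev_err()` silently abandons the remaining `num_reports`; that is the intended outcome here, but a one-line comment saying so would save the next reader a trip through the loop logic.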