From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Pavel Skripkin, Marcel Holtmann, Sasha Levin, syzbot+e3fcb9c4f3c2a931dc40@syzkaller.appspotmail.com
Subject: [PATCH 4.19 053/239] Bluetooth: stop processing malicious adv data
Date: Mon, 24 Jan 2022 19:41:31 +0100
Message-Id: <20220124183944.821850135@linuxfoundation.org>
In-Reply-To: <20220124183943.102762895@linuxfoundation.org>
References: <20220124183943.102762895@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Pavel Skripkin

[ Upstream commit 3a56ef719f0b9682afb8a86d64b2399e36faa4e6 ]

Syzbot reported a slab-out-of-bounds read in hci_le_adv_report_evt(). The problem was in a missing validation check. We should check if data is not malicious and we can read the next data block. If we don't check ptr validity, code can read a way beyond skb->end and it can cause problems, of course.

Fixes: e95beb414168 ("Bluetooth: hci_le_adv_report_evt code refactoring")
Reported-and-tested-by: syzbot+e3fcb9c4f3c2a931dc40@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin
Signed-off-by: Marcel Holtmann
Signed-off-by: Sasha Levin
---
 net/bluetooth/hci_event.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c index 937cada5595ee..c0dbb8ad00376 100644 --- a/net/bluetooth/hci_event.c +++ b/net/bluetooth/hci_event.c @@ -5391,7 +5391,8 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) struct hci_ev_le_advertising_info *ev = ptr; s8 rssi; - if (ev->length <= HCI_MAX_AD_LENGTH) { + if (ev->length <= HCI_MAX_AD_LENGTH && + ev->data + ev->length <= skb_tail_pointer(skb)) { rssi = ev->data[ev->length]; process_adv_report(hdev, ev->evt_type, &ev->bdaddr, ev->bdaddr_type, NULL, 0, rssi, 
@@ -5401,6 +5402,11 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) } ptr += sizeof(*ev) + ev->length + 1; + + if (ptr > (void *) skb_tail_pointer(skb) - sizeof(*ev)) { + bt_dev_err(hdev, "Malicious advertising data. Stopping processing"); + break; + } } hci_dev_unlock(hdev); -- 2.34.1
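Review bot: the new bound `ev->data + ev->length <= skb_tail_pointer(skb)` in the first hunk is one byte short for the read it guards. `rssi = ev->data[ev->length]` reads the byte at `ev->data + ev->length`, and when that address equals the tail pointer the RSSI byte lies just past the last valid byte of the skb, so the condition still admits a one-byte over-read. It should be `ev->data + ev->length < skb_tail_pointer(skb)` (equivalently `ev->data + ev->length + 1 <= skb_tail_pointer(skb)`) so that both the AD payload and the trailing RSSI byte are inside the buffer.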
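Review bot: the check added in the second hunk runs after `ptr` has been advanced past the last report as well, so a well-formed event whose final report ends exactly at the tail pointer (`ptr == skb_tail_pointer(skb)`) satisfies `ptr > (void *) skb_tail_pointer(skb) - sizeof(*ev)` and logs "Malicious advertising data. Stopping processing" for ordinary traffic. The `break` is harmless there because the loop is about to end anyway, but the bt_dev_err will fire on every valid event. Either gate the check on the loop's remaining-report counter (num_reports in this function, already decremented to zero on the last pass), e.g. `if (num_reports && ptr > (void *) skb_tail_pointer(skb) - sizeof(*ev))`, or move the "next header fits" test to the top of the loop body, so the error is raised only when a report is actually missing.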
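As an added example, not code from this patch or from the kernel tree, here is a user-space model in C of the bounds-checked walk that the patch gives hci_le_adv_report_evt(). It goes slightly beyond the patch: it checks the RSSI byte with the `+ 1` the first hunk omits, and it stops cleanly when the report count claims more reports than the buffer holds. The struct layout, the constants MAX_AD_LENGTH and ADV_INFO_HDR_LEN, the function names and the sample packets are assumptions of this example, constructed to mirror struct hci_ev_le_advertising_info (nine header bytes, `length` data bytes, one RSSI byte) and HCI_MAX_AD_LENGTH (31).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_AD_LENGTH    31   /* same bound as the kernel's HCI_MAX_AD_LENGTH */
#define ADV_INFO_HDR_LEN  9   /* evt_type, bdaddr_type, bdaddr[6], length */
#define MAX_REPORTS      16

struct adv_report {
    uint8_t evt_type, bdaddr_type, bdaddr[6], length;
    const uint8_t *data;       /* points into the caller's buffer */
    int8_t rssi;
};

enum parse_status { PARSE_OK, PARSE_TRUNCATED, PARSE_BAD_LENGTH };

/* Walk an LE Advertising Report event: one num_reports byte, then reports of
 * ADV_INFO_HDR_LEN + length + 1 bytes each.  Every field is checked against
 * `end` before it is read; on a bad report we stop and say why, which is the
 * behaviour the patch adds to the kernel loop. */
enum parse_status parse_adv_reports(const uint8_t *buf, size_t len,
                                    struct adv_report *out, size_t max_out,
                                    size_t *count)
{
    const uint8_t *end = buf + len, *ptr = buf + 1;
    uint8_t num_reports;

    *count = 0;
    if (len < 1)
        return PARSE_TRUNCATED;
    num_reports = buf[0];

    while (num_reports--) {
        /* The fixed header must fit before any of its fields is read. */
        if ((size_t)(end - ptr) < ADV_INFO_HDR_LEN)
            return PARSE_TRUNCATED;
        uint8_t length = ptr[8];
        if (length > MAX_AD_LENGTH)
            return PARSE_BAD_LENGTH;
        /* Payload plus the trailing RSSI byte must fit.  The RSSI sits at
         * data[length], so the bound is length + 1, not length. */
        if ((size_t)(end - ptr) - ADV_INFO_HDR_LEN < (size_t)length + 1)
            return PARSE_TRUNCATED;
        if (*count < max_out) {
            struct adv_report *r = &out[*count];
            r->evt_type = ptr[0];
            r->bdaddr_type = ptr[1];
            memcpy(r->bdaddr, ptr + 2, 6);
            r->length = length;
            r->data = ptr + ADV_INFO_HDR_LEN;
            r->rssi = (int8_t)ptr[ADV_INFO_HDR_LEN + length];
        }
        (*count)++;
        ptr += ADV_INFO_HDR_LEN + length + 1;
    }
    return PARSE_OK;
}

/* Constructed sample events (not captured from a real controller). */
static const uint8_t GOOD_PKT[] = {
    2,                                                  /* num_reports */
    0x00, 0x00, 1, 2, 3, 4, 5, 6, 3,                    /* report 1, length 3 */
    0x02, 0x01, 0x06,                                   /* AD: Flags */
    0xc8,                                               /* RSSI -56 dBm */
    0x04, 0x01, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0,  /* report 2, length 0 */
    0xd0,                                               /* RSSI -48 dBm */
};
/* length claims 20 bytes of AD but only 3 follow: the over-read the patch stops. */
static const uint8_t TRUNCATED_PKT[] = {
    1, 0x00, 0x00, 1, 2, 3, 4, 5, 6, 20, 0x02, 0x01, 0x06,
};
/* num_reports says 3 but the buffer ends after the first report. */
static const uint8_t SHORT_COUNT_PKT[] = {
    3, 0x00, 0x00, 1, 2, 3, 4, 5, 6, 0, 0xc8,
};
/* length above MAX_AD_LENGTH, rejected by the pre-existing check. */
static const uint8_t BAD_LEN_PKT[] = {
    1, 0x00, 0x00, 1, 2, 3, 4, 5, 6, 40, 0xc8,
};

/* Small wrappers so results can be inspected without juggling output arrays. */
enum parse_status status_of(const uint8_t *buf, size_t len)
{
    struct adv_report r[MAX_REPORTS]; size_t n;
    return parse_adv_reports(buf, len, r, MAX_REPORTS, &n);
}
size_t count_of(const uint8_t *buf, size_t len)
{
    struct adv_report r[MAX_REPORTS]; size_t n;
    parse_adv_reports(buf, len, r, MAX_REPORTS, &n);
    return n;
}
int rssi_of(const uint8_t *buf, size_t len, size_t idx)
{
    struct adv_report r[MAX_REPORTS]; size_t n;
    if (parse_adv_reports(buf, len, r, MAX_REPORTS, &n) != PARSE_OK || idx >= n)
        return 0;
    return r[idx].rssi;
}

int main(void)
{
    printf("good: status %d, %zu reports, rssi[0]=%d\n",
           status_of(GOOD_PKT, sizeof GOOD_PKT), count_of(GOOD_PKT, sizeof GOOD_PKT),
           rssi_of(GOOD_PKT, sizeof GOOD_PKT, 0));
    printf("truncated: status %d\n", status_of(TRUNCATED_PKT, sizeof TRUNCATED_PKT));
    printf("short count: status %d after %zu reports\n",
           status_of(SHORT_COUNT_PKT, sizeof SHORT_COUNT_PKT),
           count_of(SHORT_COUNT_PKT, sizeof SHORT_COUNT_PKT));
    return 0;
}
```

The two bounds tests inside the loop are the direct counterparts of the two hunks: the header check corresponds to the `ptr > tail - sizeof(*ev)` test, and the payload check to the `ev->data + ev->length` test, with the extra byte for the RSSI made explicit.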