From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Pavel Skripkin, Marcel Holtmann, Sasha Levin, syzbot+e3fcb9c4f3c2a931dc40@syzkaller.appspotmail.com
Subject: [PATCH 5.10 085/563] Bluetooth: stop processing malicious adv data
Date: Mon, 24 Jan 2022 19:37:30 +0100
Message-Id: <20220124184027.342260846@linuxfoundation.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20220124184024.407936072@linuxfoundation.org>
References: <20220124184024.407936072@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Pavel Skripkin

[ Upstream commit 3a56ef719f0b9682afb8a86d64b2399e36faa4e6 ]

Syzbot reported a slab-out-of-bounds read in hci_le_adv_report_evt().
The problem was in a missing validation check. We should check if data
is not malicious and we can read the next data block. If we don't check
ptr validness, the code can read way beyond skb->end and it can cause
problems, of course.

Fixes: e95beb414168 ("Bluetooth: hci_le_adv_report_evt code refactoring")
Reported-and-tested-by: syzbot+e3fcb9c4f3c2a931dc40@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin
Signed-off-by: Marcel Holtmann
Signed-off-by: Sasha Levin
---
 net/bluetooth/hci_event.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 9f52145bb7b76..7ffcca9ae82a1 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -5661,7 +5661,8 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) struct hci_ev_le_advertising_info *ev = ptr; s8 rssi; - if (ev->length <= HCI_MAX_AD_LENGTH) { + if (ev->length <= HCI_MAX_AD_LENGTH && + ev->data + ev->length <= skb_tail_pointer(skb)) { rssi = ev->data[ev->length]; process_adv_report(hdev, ev->evt_type, &ev->bdaddr, ev->bdaddr_type, NULL, 0, rssi, 
@@ -5671,6 +5672,11 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) } ptr += sizeof(*ev) + ev->length + 1; + + if (ptr > (void *) skb_tail_pointer(skb) - sizeof(*ev)) { + bt_dev_err(hdev, "Malicious advertising data. Stopping processing"); + break; + } } hci_dev_unlock(hdev); -- 2.34.1
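Review bot: the new bound in the first hunk is off by one for the read that immediately follows it: `ev->data + ev->length <= skb_tail_pointer(skb)` still admits `ev->data + ev->length == skb_tail_pointer(skb)`, and `rssi = ev->data[ev->length];` then reads exactly that address, one byte past the end of the skb data. The RSSI byte sits after the advertising payload, so the check should cover it as well, e.g. `ev->data + ev->length + 1 <= skb_tail_pointer(skb)` (equivalently `<` in place of `<=`). This matters for the first report in particular, since the end-of-loop check added in the second hunk only guards the headers of subsequent reports, not the RSSI byte of the current one.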
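Review bot: the check added in the second hunk runs after every `ptr += sizeof(*ev) + ev->length + 1;`, including the advance past the final report, so a well-formed event whose last report ends exactly at `skb_tail_pointer(skb)` (or fewer than `sizeof(*ev)` bytes before it) satisfies `ptr > (void *) skb_tail_pointer(skb) - sizeof(*ev)` and is logged as "Malicious advertising data" although there is no further report to parse. Suggest moving the bound check to the top of the loop body, before `ev = ptr` is dereferenced, or gating it on another report still being expected, so the error path fires only when a header would actually be read past the tail. Since the message is emitted for data a remote peer controls, a rate-limited variant such as `bt_dev_err_ratelimited` would also keep a stream of malformed advertisements from flooding the kernel log.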