From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Pavel Skripkin, Marcel Holtmann, Sasha Levin, syzbot+e3fcb9c4f3c2a931dc40@syzkaller.appspotmail.com
Subject: [PATCH 5.16 0139/1039] Bluetooth: stop processing malicious adv data
Date: Mon, 24 Jan 2022 19:32:08 +0100
Message-Id: <20220124184129.852295486@linuxfoundation.org>
In-Reply-To: <20220124184125.121143506@linuxfoundation.org>
References: <20220124184125.121143506@linuxfoundation.org>

From: Pavel Skripkin

[ Upstream commit 3a56ef719f0b9682afb8a86d64b2399e36faa4e6 ]

Syzbot reported a slab-out-of-bounds read in hci_le_adv_report_evt(). The problem was a missing validation check. We should check that the data is not malicious and that we can read the next data block. If we don't check ptr validity, the code can read way beyond skb->end, which can cause problems, of course.

Fixes: e95beb414168 ("Bluetooth: hci_le_adv_report_evt code refactoring")
Reported-and-tested-by: syzbot+e3fcb9c4f3c2a931dc40@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin
Signed-off-by: Marcel Holtmann
Signed-off-by: Sasha Levin
---
 net/bluetooth/hci_event.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 7d0db1ca12482..59f0691d907f6 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -5825,7 +5825,8 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) struct hci_ev_le_advertising_info *ev = ptr; s8 rssi; - if (ev->length <= HCI_MAX_AD_LENGTH) { + if (ev->length <= HCI_MAX_AD_LENGTH && + ev->data + ev->length <= skb_tail_pointer(skb)) { rssi = ev->data[ev->length]; process_adv_report(hdev, ev->evt_type, &ev->bdaddr, ev->bdaddr_type, NULL, 0, rssi, 
@@ -5835,6 +5836,11 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) } ptr += sizeof(*ev) + ev->length + 1; + + if (ptr > (void *) skb_tail_pointer(skb) - sizeof(*ev)) { + bt_dev_err(hdev, "Malicious advertising data. Stopping processing"); + break; + } } hci_dev_unlock(hdev); -- 2.34.1
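Review bot: The new bound in the first hunk, `ev->data + ev->length <= skb_tail_pointer(skb)`, is off by one for the read that immediately follows it: `rssi = ev->data[ev->length]` fetches the byte at address `ev->data + ev->length`, so when that address equals the tail pointer the RSSI byte is read one past the end of the skb data. The comparison should be strict (`<`), or equivalently `ev->data + ev->length + 1 <= skb_tail_pointer(skb)`, so that both the advertising data and the trailing RSSI byte lie inside the buffer.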
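Review bot: The guard added in the second hunk runs only after `ptr` has been advanced past a report, so the first iteration still dereferences `ev->length` through `ev = ptr` without anything in this patch establishing that at least `sizeof(*ev)` bytes are present; worth confirming that the caller checks the minimum event length, or placing the same check before the loop. Also, `bt_dev_err()` fires on data that a remote peer controls, so the message can be emitted at whatever rate the peer chooses; `bt_dev_dbg()` or a ratelimited variant would be the safer choice. The `sizeof(*ev)` check itself is sound: it only guarantees that the next header fits, and the data length of that next report is then bounded by the check in the previous hunk.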