From: Edward Adam Davis
To: syzbot+837ba09d9db969068367@syzkaller.appspotmail.com
Cc: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [bluetooth?] KASAN: slab-out-of-bounds Read in hci_sock_setsockopt
Date: Fri, 5 Apr 2024 17:27:23 +0800
X-OQ-MSGID: <20240405092722.514984-2-eadavis@qq.com>
In-Reply-To: <0000000000007558ae061553f41b@google.com>
References: <0000000000007558ae061553f41b@google.com>

please test oob in hci_sock_setsockopt

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fe46a7dd189e

diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index 4ee1b976678b..cee7ec1adbd2 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -1946,7 +1946,7 @@ static int hci_sock_setsockopt_old(struct socket *sock, int level, int optname, switch (optname) { case HCI_DATA_DIR: - if (copy_from_sockptr(&opt, optval, sizeof(opt))) { + if (copy_from_sockptr(&opt, optval, min_t(int, sizeof(opt), len))) { err = -EFAULT; break; }
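Review bot: clamping the copy to `min_t(int, sizeof(opt), len)` in the `HCI_DATA_DIR` arm stops reading past a short `optval`, but when `len` is smaller than `sizeof(opt)` only the first `len` bytes of `opt` are written and the rest keep whatever the local held before; nothing in this hunk initialises `opt`, so the value the code after the `break` acts on can be partly stale. Prefer rejecting short lengths explicitly, e.g. `if (len < sizeof(opt)) { err = -EINVAL; break; }` before the `copy_from_sockptr()`, or at least zero-initialise `opt` at its declaration so a truncated copy yields a defined value. If the other `case` arms of this `switch` copy from `optval` with the same `copy_from_sockptr(&opt, optval, sizeof(opt))` pattern, they need the same bound; the hunk only covers this one arm.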