2024-02-28 17:18:50

by Luiz Augusto von Dentz

[permalink] [raw]
Subject: [PATCH v1 1/4] Bluetooth: hci_core: Fix possible buffer overflow

From: Luiz Augusto von Dentz <[email protected]>

struct hci_dev_info has a fixed size name[8] field so in the event that
hdev->name is bigger than that strcpy would attempt to write past its
size, so this fixes this problem by switching to use strscpy.

Fixes: dcda165706b9 ("Bluetooth: hci_core: Fix build warnings")
Signed-off-by: Luiz Augusto von Dentz <[email protected]>
---
net/bluetooth/hci_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 2821a42cefdc..3715d2f3616f 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -908,7 +908,7 @@ int hci_get_dev_info(void __user *arg)
else
flags = hdev->flags;

- strcpy(di.name, hdev->name);
+ strscpy(di.name, hdev->name, sizeof(di.name));
di.bdaddr = hdev->bdaddr;
di.type = (hdev->bus & 0x0f) | ((hdev->dev_type & 0x03) << 4);
di.flags = flags;
--
2.43.0



2024-02-28 17:18:54

by Luiz Augusto von Dentz

[permalink] [raw]
Subject: [PATCH v1 2/4] Bluetooth: msft: Fix memory leak

From: Luiz Augusto von Dentz <[email protected]>

Fix leaking buffer allocated to send MSFT_OP_LE_MONITOR_ADVERTISEMENT.

Fixes: 9e14606d8f38 ("Bluetooth: msft: Extended monitor tracking by address filter")
Signed-off-by: Luiz Augusto von Dentz <[email protected]>
---
net/bluetooth/msft.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/net/bluetooth/msft.c b/net/bluetooth/msft.c
index 630e3023273b..9612c5d1b13f 100644
--- a/net/bluetooth/msft.c
+++ b/net/bluetooth/msft.c
@@ -875,6 +875,7 @@ static int msft_add_address_filter_sync(struct hci_dev *hdev, void *data)
remove = true;
goto done;
}
+
cp->sub_opcode = MSFT_OP_LE_MONITOR_ADVERTISEMENT;
cp->rssi_high = address_filter->rssi_high;
cp->rssi_low = address_filter->rssi_low;
@@ -887,6 +888,8 @@ static int msft_add_address_filter_sync(struct hci_dev *hdev, void *data)

skb = __hci_cmd_sync(hdev, hdev->msft_opcode, size, cp,
HCI_CMD_TIMEOUT);
+ kfree(cp);
+
if (IS_ERR(skb)) {
bt_dev_err(hdev, "Failed to enable address %pMR filter",
&address_filter->bdaddr);
--
2.43.0


2024-02-28 17:19:10

by Luiz Augusto von Dentz

[permalink] [raw]
Subject: [PATCH v1 3/4] Bluetooth: btusb: Fix memory leak

From: Luiz Augusto von Dentz <[email protected]>

This checks if CONFIG_DEV_COREDUMP is enabled before attempting to clone
the skb and also make sure btmtk_process_coredump frees the skb passed
following the same logic.

Fixes: 0b7015132878 ("Bluetooth: btusb: mediatek: add MediaTek devcoredump support")
Signed-off-by: Luiz Augusto von Dentz <[email protected]>
---
drivers/bluetooth/btmtk.c | 4 +++-
drivers/bluetooth/btusb.c | 10 ++++++----
2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c
index aaabb732082c..285418dbb43f 100644
--- a/drivers/bluetooth/btmtk.c
+++ b/drivers/bluetooth/btmtk.c
@@ -372,8 +372,10 @@ int btmtk_process_coredump(struct hci_dev *hdev, struct sk_buff *skb)
struct btmediatek_data *data = hci_get_priv(hdev);
int err;

- if (!IS_ENABLED(CONFIG_DEV_COREDUMP))
+ if (!IS_ENABLED(CONFIG_DEV_COREDUMP)) {
+ kfree_skb(skb);
return 0;
+ }

switch (data->cd_info.state) {
case HCI_DEVCOREDUMP_IDLE:
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index d31edad7a056..6cb87d47ad7d 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -3273,7 +3273,6 @@ static int btusb_recv_acl_mtk(struct hci_dev *hdev, struct sk_buff *skb)
{
struct btusb_data *data = hci_get_drvdata(hdev);
u16 handle = le16_to_cpu(hci_acl_hdr(skb)->handle);
- struct sk_buff *skb_cd;

switch (handle) {
case 0xfc6f: /* Firmware dump from device */
@@ -3286,9 +3285,12 @@ static int btusb_recv_acl_mtk(struct hci_dev *hdev, struct sk_buff *skb)
* for backward compatibility, so we have to clone the packet
* extraly for the in-kernel coredump support.
*/
- skb_cd = skb_clone(skb, GFP_ATOMIC);
- if (skb_cd)
- btmtk_process_coredump(hdev, skb_cd);
+ if (IS_ENABLED(CONFIG_DEV_COREDUMP)) {
+ struct sk_buff *skb_cd = skb_clone(skb, GFP_ATOMIC);
+
+ if (skb_cd)
+ btmtk_process_coredump(hdev, skb_cd);
+ }

fallthrough;
case 0x05ff: /* Firmware debug logging 1 */
--
2.43.0


2024-02-28 17:19:19

by Luiz Augusto von Dentz

[permalink] [raw]
Subject: [PATCH v1 4/4] Bluetooth: bnep: Fix out-of-bound access

From: Luiz Augusto von Dentz <[email protected]>

This fixes attempting to access past ethhdr.h_source, although it seems
intentional to copy also the contents of h_proto this triggers
out-of-bound access problems with the likes of static analyzer, so this
instead just copy ETH_ALEN and then proceed to use put_unaligned to copy
h_proto separetely.

Signed-off-by: Luiz Augusto von Dentz <[email protected]>
---
net/bluetooth/bnep/core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c
index 5a6a49885ab6..a660c428e220 100644
--- a/net/bluetooth/bnep/core.c
+++ b/net/bluetooth/bnep/core.c
@@ -385,7 +385,8 @@ static int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb)

case BNEP_COMPRESSED_DST_ONLY:
__skb_put_data(nskb, skb_mac_header(skb), ETH_ALEN);
- __skb_put_data(nskb, s->eh.h_source, ETH_ALEN + 2);
+ __skb_put_data(nskb, s->eh.h_source, ETH_ALEN);
+ put_unaligned(s->eh.h_proto, (__be16 *)__skb_put(nskb, 2));
break;

case BNEP_GENERAL:
--
2.43.0


2024-02-28 17:59:42

by bluez.test.bot

[permalink] [raw]
Subject: RE: [v1,1/4] Bluetooth: hci_core: Fix possible buffer overflow

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=830790

---Test result---

Test Summary:
CheckPatch PASS 1.98 seconds
GitLint PASS 0.78 seconds
SubjectPrefix PASS 0.23 seconds
BuildKernel PASS 27.62 seconds
CheckAllWarning PASS 30.48 seconds
CheckSparse PASS 36.06 seconds
CheckSmatch PASS 99.43 seconds
BuildKernel32 PASS 26.97 seconds
TestRunnerSetup PASS 494.99 seconds
TestRunner_l2cap-tester PASS 18.05 seconds
TestRunner_iso-tester PASS 28.19 seconds
TestRunner_bnep-tester PASS 4.74 seconds
TestRunner_mgmt-tester PASS 111.81 seconds
TestRunner_rfcomm-tester PASS 7.28 seconds
TestRunner_sco-tester PASS 14.85 seconds
TestRunner_ioctl-tester PASS 7.76 seconds
TestRunner_mesh-tester PASS 5.79 seconds
TestRunner_smp-tester PASS 6.81 seconds
TestRunner_userchan-tester PASS 4.95 seconds
IncrementalBuild PASS 39.12 seconds



---
Regards,
Linux Bluetooth

2024-03-01 19:03:42

by patchwork-bot+bluetooth

[permalink] [raw]
Subject: Re: [PATCH v1 1/4] Bluetooth: hci_core: Fix possible buffer overflow

Hello:

This series was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <[email protected]>:

On Wed, 28 Feb 2024 12:18:35 -0500 you wrote:
> From: Luiz Augusto von Dentz <[email protected]>
>
> struct hci_dev_info has a fixed size name[8] field so in the event that
> hdev->name is bigger than that strcpy would attempt to write past its
> size, so this fixes this problem by switching to use strscpy.
>
> Fixes: dcda165706b9 ("Bluetooth: hci_core: Fix build warnings")
> Signed-off-by: Luiz Augusto von Dentz <[email protected]>
>
> [...]

Here is the summary with links:
- [v1,1/4] Bluetooth: hci_core: Fix possible buffer overflow
https://git.kernel.org/bluetooth/bluetooth-next/c/c6febaabc470
- [v1,2/4] Bluetooth: msft: Fix memory leak
https://git.kernel.org/bluetooth/bluetooth-next/c/14cfaede6ad1
- [v1,3/4] Bluetooth: btusb: Fix memory leak
https://git.kernel.org/bluetooth/bluetooth-next/c/875829da81e8
- [v1,4/4] Bluetooth: bnep: Fix out-of-bound access
https://git.kernel.org/bluetooth/bluetooth-next/c/cfbc55231f8e

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html