Date: Fri, 10 Jul 2020 12:43:06 +0200
From: Greg KH
To: Peilin Ye
Cc: Marcel Holtmann, Johan Hedberg, "David S. Miller", Jakub Kicinski, Russell King, linux-bluetooth@vger.kernel.org, netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com, linux-kernel-mentees@lists.linuxfoundation.org, linux-kernel@vger.kernel.org
Subject: Re: [Linux-kernel-mentees] [PATCH v2] net/bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()
Message-ID: <20200710104306.GA1229536@kroah.com>

On Thu, Jul 09, 2020 at 09:02:24AM -0400, Peilin Ye wrote:
> Check upon `num_rsp` is insufficient. A malformed event packet with a
> large `num_rsp` number makes hci_extended_inquiry_result_evt() go out
> of bounds. Fix it.
>
> This patch fixes the following syzbot bug:
>
> https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2
>
> Reported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com
> Signed-off-by: Peilin Ye

Acked-by: Greg Kroah-Hartman

Bluetooth maintainers, can you also add a cc: stable on this so it gets
picked up properly there?

thanks,

greg k-h
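
The kind of check the quoted commit message calls for, as an added example that is neither the patch under discussion nor kernel code: a parser that ties a sender-supplied `num_rsp` to the number of bytes actually received. The record layout, the function names and the sample packets are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical 8-byte record: 6-byte address, RSSI, one reserved byte.
 * This is NOT the kernel's struct extended_inquiry_info. */
#define REC_SIZE 8u
struct rec { uint8_t addr[6]; int8_t rssi; };

/* Payload: byte 0 = num_rsp (sender-controlled), then num_rsp records.
 * Returns the number of records copied to out, or -1 if malformed. */
int parse_inquiry_evt(const uint8_t *buf, size_t len,
                      struct rec *out, size_t out_cap)
{
    if (buf == NULL || len < 1)
        return -1;
    size_t num_rsp = buf[0];
    if (num_rsp == 0)                    /* a check on the count alone ... */
        return -1;
    if ((len - 1) / REC_SIZE < num_rsp)  /* ... must be tied to the length */
        return -1;
    if (num_rsp > out_cap)               /* and to the destination size */
        return -1;
    const uint8_t *p = buf + 1;
    for (size_t i = 0; i < num_rsp; i++, p += REC_SIZE) {
        memcpy(out[i].addr, p, sizeof out[i].addr);
        out[i].rssi = (int8_t)p[6];
    }
    return (int)num_rsp;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t PKT_OK[1 + 2 * REC_SIZE] = {
    2, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0xC4, 0,
       0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, 0xB0, 0 };
static const uint8_t PKT_BAD[1 + REC_SIZE] = {  /* claims 200, carries 1 */
    200, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0xC4, 0 };

int parse_ok(void)  { struct rec r[4]; return parse_inquiry_evt(PKT_OK, sizeof PKT_OK, r, 4); }
int parse_bad(void) { struct rec r[4]; return parse_inquiry_evt(PKT_BAD, sizeof PKT_BAD, r, 4); }

int main(void)
{
    printf("well-formed packet: %d\n", parse_ok());
    printf("oversized num_rsp:  %d\n", parse_bad());
    return 0;
}
```

The division form of the length check avoids multiplying the sender-supplied count, so it cannot overflow regardless of the count's width.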