Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp1298992pxk; Fri, 25 Sep 2020 11:02:55 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxQQ93GiTeyMiaaCZ6WDAzk1msux4+hpmTqWqPs8dbakg9T8daos71D6xxaizesHD93ImsI X-Received: by 2002:a17:906:4087:: with SMTP id u7mr3968205ejj.466.1601056975603; Fri, 25 Sep 2020 11:02:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1601056975; cv=none; d=google.com; s=arc-20160816; b=qYDHrB0vRn+dQZLCH5TmhKWKTffMAHsnntjbNawf7ycyF6oyewUpOWc/DBcip5V1T6 EdWvO1AdvGZ6j2+nVw7FROsu2Gby1zNuKDrmbTCis6YCa6KCKBVtw/jwKslXZsi+J+YL fMCoFlHxkXVeNOt8+CdQyAwoL+7U3iFbERsGkQh1aAXII2hQFm9w109aOzoPEqwC3XSe AQEAWtcUwZ3BnuQbHgFggUH0J1369jrmS5UELRcqzPpA0zt68QQK9SP//XFSzPGMw6wr CjdUxjtC5doRmqAyv5tWpcaMIt2UebEBE97CDKCG+uqAjlR4xlfKBRnhyd2eqEnK8UVV R8Fw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-language:content-transfer-encoding :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject:dkim-signature; bh=/ZTlvcKfwV9W/xONlTPF/fpJtn0pjYTTI1+1eynco68=; b=Z7rrV/UoeZebzTHSW+NiZ0fpj0dVpvSYygPeSOXx2v7xIN/Xr61U+FttOzaZ4X+I34 hVVfm7KZi5vdM2K1lBSOJNiZD0hA48xHLZlGq4dB0zrGU7pT6ixSPiakaHwgQ8I6rEIk 6+pkxLaPqR6Y6keUIrgQ0PLSkD1UpwWw7hT//3Npjib1GPOe/MFiMsVcvpKuvLPXtgaL IkMJP6Sh/YnjAcbvEYwju2ISbvNsvh/Tf0emIQ1EVFKGlZsR/OfNCyGNSO3oI8ZV6FXw u8o57CChLiPHSe55qWaRmrdgaIirWkTAlTq/hsh8EWp/xyePJEc7RwqeTxuhJdbqF+TQ VF1A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b="g/4XxB16"; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id jr1si2343907ejb.164.2020.09.25.11.02.31; Fri, 25 Sep 2020 11:02:55 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b="g/4XxB16"; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728416AbgIYSBA (ORCPT + 99 others); Fri, 25 Sep 2020 14:01:00 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58520 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727495AbgIYSBA (ORCPT ); Fri, 25 Sep 2020 14:01:00 -0400 Received: from mail-pf1-x441.google.com (mail-pf1-x441.google.com [IPv6:2607:f8b0:4864:20::441]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E448BC0613CE; Fri, 25 Sep 2020 11:00:55 -0700 (PDT) Received: by mail-pf1-x441.google.com with SMTP id o20so3897382pfp.11; Fri, 25 Sep 2020 11:00:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding:content-language; bh=/ZTlvcKfwV9W/xONlTPF/fpJtn0pjYTTI1+1eynco68=; b=g/4XxB16rWBbvNXQleoZljf+99ldOEc0r3E/SQErOaRPMQC6deft5ywkY++mxKMzIK Onc6D9ubAjIU1Ps4UVtrq1XVpHIVql07blYlxgCNNV/m9xYkKDgaJNRHspA4kwY76siZ v7yA/ywhmmBle9IhXWGx0Uhz7nAlHMUj8KQThQ+UcyhxtDsQkhNFGUzdMUo4uIPsViIV zyBMx8kvtSMCcKBR1DuwUPxLUlTyc11LcW9gNRayWnzcyqNlNjna15O+vtXBdyph7Efo PtJEq1IW0Ai/tH4TVGsY1zrAIvw4phM/q/5nAHXTZTdNgzHv0xFuAVBTpwZnGU8+sIv4 t1jw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=/ZTlvcKfwV9W/xONlTPF/fpJtn0pjYTTI1+1eynco68=; b=feuDgc1/v18yAhrk+fkrJnAUelINNhUgIjXBWk4+SoaK+w7MaRKicY0a3z4zj5HnB0 VnUtyL/z1quRHe6kenUOq2T+IkRld1Zk1+ewKTdaOUDGjxwFzeIE/KZ+gPkqw4qANcbx 9WTyqA8YrNvR/JkcrKVyNEY7aSz1F6nG+xWOABc+Fk/GvZrDieKP9vvz9bAT6eSKY8yQ f5NTOgoaNo5E+g669Aeh3L50/fi5Aulc6LP2qEDeE0DGFpfw8a0/m0F9PjSa8pcW7sL9 NzmoC3BhRv5mP6dKXClAHlIUFlqbSJZVt9dRUOmQS7eRmKeJs5n0rrbTx2nOfqDdiS+w yJgA== X-Gm-Message-State: AOAM530hoq18tME6kkZtHhjnbaV42R0kZMXBwYTWpduGLiYy3R/cRRfK AdKkWYNhklJL5GFbAlKdtYeC0rTCs7r/aLBDpek= X-Received: by 2002:a17:902:9e95:b029:d2:4276:1ddc with SMTP id e21-20020a1709029e95b02900d242761ddcmr558632plq.81.1601056854754; Fri, 25 Sep 2020 11:00:54 -0700 (PDT) Received: from [192.168.0.104] ([49.207.212.24]) by smtp.gmail.com with ESMTPSA id v6sm3411227pfi.38.2020.09.25.11.00.51 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 25 Sep 2020 11:00:53 -0700 (PDT) Subject: Re: [Linux-kernel-mentees] [PATCH] Fix uninit-value in hci_chan_lookup_handle To: linux-kernel-mentees@lists.linuxfoundation.org Cc: Marcel Holtmann , Johan Hedberg , linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org References: <20200905020410.20350-1-anant.thazhemadam@gmail.com> From: Anant Thazhemadam Message-ID: Date: Fri, 25 Sep 2020 23:30:50 +0530 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0 MIME-Version: 1.0 In-Reply-To: <20200905020410.20350-1-anant.thazhemadam@gmail.com> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 8bit Content-Language: en-US Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org On 05/09/20 7:34 am, Anant Thazhemadam wrote: > When the amount of data stored in the location corresponding to > iov_iter *from is less then 4, some data seems to go uninitialized. > > Updating this condition accordingly, makes sense both intuitively and > logically as well, since the other check for extreme condition done is if > len > HCI_MAX_FRAME_SIZE, which is HCI_MAX_ACL_SIZE (which is 1024) + 4; > which itself gives some idea about what must be the ideal mininum size. > > Reported-and-tested by: syzbot+4c14a8f574461e1c3659@syzkaller.appspotmail.com > Signed-off-by: Anant Thazhemadam > --- > If there is some explicit reason why len < 4 doesn't work, and only len < 2 works, > please do let me know. > The commit message that introduced the initial change > (512b2268156a4e15ebf897f9a883bdee153a54b7) wasn't exactly very helpful in this > respect, and I couldn't find a whole lot of discussion regarding this either. > > drivers/bluetooth/hci_vhci.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c > index 8ab26dec5f6e..0c49821d7b98 100644 > --- a/drivers/bluetooth/hci_vhci.c > +++ b/drivers/bluetooth/hci_vhci.c > @@ -159,7 +159,7 @@ static inline ssize_t vhci_get_user(struct vhci_data *data, > __u8 pkt_type, opcode; > int ret; > > - if (len < 2 || len > HCI_MAX_FRAME_SIZE) > + if (len < 4 || len > HCI_MAX_FRAME_SIZE) > return -EINVAL; > > skb = bt_skb_alloc(len, GFP_KERNEL); Hi, Looks like this patch might have missed the attention of those who can tell me if this works or why it might not. For some more context; more details about the bug can be found at ??? https://syzkaller.appspot.com/bug?id=287b84cc1c834c7878c4193d7b18760067f10a77 I should've highlighted that in my initial mail. My apologies. Thanks, Anant