Subject: Re: [PATCH] Bluetooth: avoid page fault from sco_send_frame()
From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
To: Luiz Augusto von Dentz
Cc: LinMa, linux-bluetooth@vger.kernel.org, Marcel Holtmann, Johan Hedberg, Linus Torvalds
Date: Fri, 3 Sep 2021 13:40:12 +0900
References: <15f5a46.b79d9.17ba6802ccd.Coremail.linma@zju.edu.cn> <60f604f8-2a89-fd3f-996f-9d9e4a229427@i-love.sakura.ne.jp>
On 2021/09/03 12:48, Luiz Augusto von Dentz wrote:
> There is a set already handling this sort of problem:
>
> https://patchwork.kernel.org/project/bluetooth/patch/20210901002621.414016-3-luiz.dentz@gmail.com/

OK, I didn't know that. (I'm not subscribed to the Bluetooth ML.)

But can we please keep the fix minimal? Multiple distributors have been waiting for the fix (which can be backported) for more than one month.

https://security-tracker.debian.org/tracker/CVE-2021-3640
https://access.redhat.com/security/cve/cve-2021-3640

And it looks to me that your "[3/4] Bluetooth: SCO: Replace use of memcpy_from_msg with bt_skb_sendmsg" contains a new use-after-free or memory corruption bug... :-(