From: butt3rflyh4ck
Date: Fri, 24 Sep 2021 18:02:53 +0800
Subject: Re: There is an array-index-out-bounds bug in detach_capi_ctr in drivers/isdn/capi/kcapi.c
To: Arnd Bergmann
Cc: Karsten Keil, "David S. Miller", Networking, LKML, Bluez mailing list, Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz
X-Mailing-List: linux-bluetooth@vger.kernel.org

> When I last touched the capi code, I tried to remove it all, but we then
> left it in the kernel because the bluetooth cmtp code can still theoretically
> use it.
>
> May I ask how you managed to run into this? Did you find the bug through
> inspection first and then produce it using cmtp, or did you actually use
> cmtp?

I fuzzed the bluez system and found a crash, then analyzed and reproduced it.

> If the only purpose of cmtp is now to be a target for exploits, then I
> would suggest we consider removing both cmtp and capi for
> good after backporting your fix to stable kernels. Obviously
> if it turns out that someone actually uses cmtp and/or capi, we
> should not remove it.
>

Yes, I think this should be feasible.

Regards,
butt3rflyh4ck.

--
Active Defense Lab of Venustech