Received: by 2002:a5d:925a:0:0:0:0:0 with SMTP id e26csp1277428iol; Fri, 10 Jun 2022 04:18:25 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwWWb+soK45rR0M4c1dM4dC3eHigImrLD7gzqfV79ZMQeZBt+N6Nk7YYMPj7KjDM+30aa9i X-Received: by 2002:a05:6402:4309:b0:42f:9ff8:3f11 with SMTP id m9-20020a056402430900b0042f9ff83f11mr41239246edc.67.1654859905254; Fri, 10 Jun 2022 04:18:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1654859905; cv=none; d=google.com; s=arc-20160816; b=YtVUzpD1jqabQw+9WlwqO7t0fiHJkhvvCDn9AtN5MfH32UpFksKcpxiwjlFDVEImJX B4SvlFFjFYswsP3Xy1DONbarTMQXueNaCVUatdGGXQqk4hLEHgHp53A7RcKX515fL8xP 1LmcXWPAeYadUqeLP3ORYarTcwU63Rs1P5aSCj/8kJV00FJJ7Wl85P1/Inb8bN2EhRIb Lit/kyEu0udDvWO6Mn9Z3HsWOg0uB/Ao5Cnp5w7ESxouInS5scMQjI0AYUBRZa8LKYyD fP4zRB2/pFTPJXYcyRT+Dz+NkZPG/qU44WCcNl6UrQL/pOoH/R7TCdB0Xz5IBxpI3bk5 1INQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from; bh=8oSWPCSNWOxMM+ktpUh7V6t2RoLOMofANYxs8TAuoLI=; b=sYncaIAcvtFhrq5DcSHP6juvswwyxr+s9peTp8rnfWHdndpHgUe0DjP8uVRuFPhzd7 yIL8uGq5J+t7gUVlKtEwun4EaKt9ohIQP551DXCPdy8IWjTQd/jWjwMKwM2CdjMXHSu2 1zrVH3ZuLLU8c1yGypl1oovPZcXEynxlgXAF+5hzgKacfkFVo+hBwB9H+upfLu7puRzu HgUrKMbCCMoZvae+QmsLAOqzh0k0AF9SMy9Cz3ucOzh4pymtSuYdNI4j3AaLaQFtkSY/ gN3gtjLu8++SbrcMMpa51GKTxbat32ousmkE4IQFsEiAASW46Y5UvWrf212mNrDqhBdK VqDQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id dp20-20020a170906c15400b006f92ef03c83si1510764ejc.609.2022.06.10.04.17.39; Fri, 10 Jun 2022 04:18:25 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345484AbiFJLIw (ORCPT + 99 others); Fri, 10 Jun 2022 07:08:52 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56230 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1346967AbiFJLIW (ORCPT ); Fri, 10 Jun 2022 07:08:22 -0400 Received: from giacobini.uberspace.de (giacobini.uberspace.de [185.26.156.129]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 98E521451E1 for ; Fri, 10 Jun 2022 04:08:18 -0700 (PDT) Received: (qmail 14172 invoked by uid 990); 10 Jun 2022 11:08:16 -0000 Authentication-Results: giacobini.uberspace.de; auth=pass (plain) From: Soenke Huster To: Marcel Holtmann , Johan Hedberg , Luiz Augusto von Dentz , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni Cc: Soenke Huster , linux-bluetooth@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v2] Bluetooth: RFCOMM: Use skb_trim to trim checksum Date: Fri, 10 Jun 2022 13:07:49 +0200 Message-Id: <20220610110749.110881-1-soenke.huster@eknoes.de> X-Mailer: git-send-email 2.36.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Rspamd-Bar: / X-Rspamd-Report: BAYES_HAM(-2.920938) R_MISSING_CHARSET(0.5) MIME_GOOD(-0.1) MID_CONTAINS_FROM(1) SUSPICIOUS_RECIPS(1.5) X-Rspamd-Score: -0.020938 Received: from unknown (HELO unkown) (::1) by giacobini.uberspace.de (Haraka/2.8.28) with ESMTPSA; Fri, 10 Jun 2022 13:08:16 +0200 X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00, MSGID_FROM_MTA_HEADER,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org As skb->tail might be zero, it can underflow. This leads to a page fault: skb_tail_pointer simply adds skb->tail (which is now MAX_UINT) to skb->head. BUG: unable to handle page fault for address: ffffed1021de29ff #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page RIP: 0010:rfcomm_run+0x831/0x4040 (net/bluetooth/rfcomm/core.c:1751) By using skb_trim instead of the direct manipulation, skb->tail is reset. Thus, the correct pointer to the checksum is used. Signed-off-by: Soenke Huster --- v2: Clarified how the bug triggers, minimize code change net/bluetooth/rfcomm/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c index 7324764384b6..443b55edb3ab 100644 --- a/net/bluetooth/rfcomm/core.c +++ b/net/bluetooth/rfcomm/core.c @@ -1747,7 +1747,7 @@ static struct rfcomm_session *rfcomm_recv_frame(struct rfcomm_session *s, type = __get_type(hdr->ctrl); /* Trim FCS */ - skb->len--; skb->tail--; + skb_trim(skb, skb->len - 1); fcs = *(u8 *)skb_tail_pointer(skb); if (__check_fcs(skb->data, type, fcs)) { -- 2.36.1