Received: by 2002:ac0:da4c:0:0:0:0:0 with SMTP id a12csp402735imi; Thu, 21 Jul 2022 03:28:05 -0700 (PDT) X-Google-Smtp-Source: AGRyM1s32mIxBpK2cRbyxh0y+NXUCO44vpKycOaBgZiRaP2DpB56VYzseIHhUF0OB2ZAaULes1XC X-Received: by 2002:a63:cc48:0:b0:41a:8b06:8aac with SMTP id q8-20020a63cc48000000b0041a8b068aacmr704510pgi.390.1658399285536; Thu, 21 Jul 2022 03:28:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1658399285; cv=none; d=google.com; s=arc-20160816; b=kvJSkHonNuqamLxRPAc9k9mNufP1SWK5uDoZ/pY1uYcqz38f9mrRWtroxz/84U6vw5 /dREt6kH52Qlpk+QSnr3qG8stBsOe8X4jIU7seg+aW4ZPNcPK0DGR+aPYTWUR8a+Lowu UgDJS0pEZbn01lM2WHphLz+tfjW4+PD22cafIVKp0AgFujwXSOrCqoMw+yf5ark3/CRP o7LmoVHX64i38IzEvFtz9rP8clw5Zzo6iTNZjXzc/VZqOHCvIaFa3JRLHHpT7se2y4C8 gmQKqyTBuBbjvC6s7bzk9SHfx+Ukylh9Wctny8kX7PRhbjNBP7wwMAMX0HGoT2brKbB8 HkZw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:subject:from:cc:to :content-language:user-agent:mime-version:date:message-id; bh=ELA3eBmRO2IOIbwCCviBFgYW05vLSIlyO7HuuP2fssQ=; b=pzFYaoqLuJ5tUGuBrUBHOrSTb0JdY9uyj3LR7PkV8Gy9YDMa995Oa+IfHt+wiaRS2j ZIAJb3W0vxqpkO2FXJMYYSTs0wk9Er0LwXTAxB0/dQGF9WzklWgRTr8TScUf/pGA/vtD CApFFg+1jkEoPLSuQYZZyiSa/IOpcDUdFb0gJswW/SAyga/UPcxIAdcPp7nilsa8DeD+ eYON1Am5w292u3OS7AJPbB36a204wzkVdMs5w8Wpl1TjS4jB18HY1fF1qNrGjPlgw/ib 4QXxAzD9wxu8alLIaf5Ox53zh4IxAEsCSuOlpd2VJ0gUj4geLW1Q5bVkd97zAOXaQ6Sm PWlg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id b21-20020a056a000cd500b005286dbaa34csi2304188pfv.58.2022.07.21.03.27.14; Thu, 21 Jul 2022 03:28:05 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233167AbiGUKQU (ORCPT + 99 others); Thu, 21 Jul 2022 06:16:20 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45756 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233185AbiGUKQS (ORCPT ); Thu, 21 Jul 2022 06:16:18 -0400 Received: from giacobini.uberspace.de (giacobini.uberspace.de [185.26.156.129]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 158BF82387 for ; Thu, 21 Jul 2022 03:16:12 -0700 (PDT) Received: (qmail 28149 invoked by uid 990); 21 Jul 2022 10:16:10 -0000 Authentication-Results: giacobini.uberspace.de; auth=pass (plain) Message-ID: <01bb77a3-f138-7488-9ca9-71ec4f7d21a7@eknoes.de> Date: Thu, 21 Jul 2022 12:16:05 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.11.0 Content-Language: en-US To: Luiz Augusto von Dentz , Johan Hedberg , Marcel Holtmann Cc: linux-bluetooth@vger.kernel.org From: =?UTF-8?Q?S=c3=b6nke_Huster?= Subject: [BUG] Null pointer deref in aosp_do_open/msft_do_open Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Bar: + X-Rspamd-Report: MIME_GOOD(-0.1) BAYES_HAM(-0.188866) R_MIXED_CHARSET(0.555555) SUSPICIOUS_RECIPS(1.5) X-Rspamd-Score: 1.766689 Received: from unknown (HELO unkown) (::1) by giacobini.uberspace.de (Haraka/2.8.28) with ESMTPSA; Thu, 21 Jul 2022 12:16:10 +0200 X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00, MSGID_FROM_MTA_HEADER,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org Hi, My fuzzer found two null pointer exceptions in aosp_do_open and msft_do_open, both triggered by the same frame sequence on the current bluetooth-next master. BUG: kernel NULL pointer dereference, address: 0000000000000070 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 0 PID: 41 Comm: kworker/u3:0 Not tainted 5.18.0-rc7-00850-g33b44d809538 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Workqueue: hci0 hci_power_on RIP: 0010:aosp_do_open+0x7e/0x230 Call Trace: hci_dev_open_sync+0x98b/0x1060 hci_power_on+0x84/0x350 process_one_work+0x2a6/0x5d0 worker_thread+0x4a/0x3d0 ? process_one_work+0x5d0/0x5d0 kthread+0xed/0x120 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x22/0x30 The null pointer deref occurs in the skb length check (net/bluetooth/aosp.c:64), the skb returned previously by __hci_cmd_sync is null: /* LE Get Vendor Capabilities Command */ skb = __hci_cmd_sync(hdev, hci_opcode_pack(0x3f, 0x153), 0, NULL, HCI_CMD_TIMEOUT); if (IS_ERR(skb)) { bt_dev_err(hdev, "AOSP get vendor capabilities (%ld)", PTR_ERR(skb)); return; } /* A basic length check */ if (skb->len < VENDOR_CAPA_BASE_SIZE) Bisected to: [d0b137062b2de75b264b84143d21c98abc5f5ad2] Bluetooth: hci_sync: Rework init stages It occurs when an AOSP resp. MSFT capable controller sends the following two different Command Status (0x0f) for Reset (0x0c03) on initialization: Status Octet: Unknown HCI Command (0x01) 0000 04 0f 04 01 02 03 0c Status Octet: Pending (0x00) 0000 04 0f 04 00 02 03 0c The problem seems to be that __hci_cmd_sync returns null, and not an PTR_ERR. The affected code for msft_do_open is similar (msft.c:128ff): skb = __hci_cmd_sync(hdev, hdev->msft_opcode, sizeof(cp), &cp, HCI_CMD_TIMEOUT); if (IS_ERR(skb)) { bt_dev_err(hdev, "Failed to read MSFT supported features (%ld)", PTR_ERR(skb)); return false; } if (skb->len < sizeof(*rp)) { Which one is triggered depends on the device reporting itself as either AOSP or MSFT capable. If it indicates both, it depends on timing. I think that can only be triggered by a malicious or broken Bluetooth controller, but there might be an underlying issue with __hci_cmd_sync returning null instead of an ERR_PTR. Best Sönke