Received: by 2002:ac0:da4c:0:0:0:0:0 with SMTP id a12csp402735imi;
        Thu, 21 Jul 2022 03:28:05 -0700 (PDT)
X-Google-Smtp-Source: AGRyM1s32mIxBpK2cRbyxh0y+NXUCO44vpKycOaBgZiRaP2DpB56VYzseIHhUF0OB2ZAaULes1XC
X-Received: by 2002:a63:cc48:0:b0:41a:8b06:8aac with SMTP id q8-20020a63cc48000000b0041a8b068aacmr704510pgi.390.1658399285536;
        Thu, 21 Jul 2022 03:28:05 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1658399285; cv=none;
        d=google.com; s=arc-20160816;
        b=kvJSkHonNuqamLxRPAc9k9mNufP1SWK5uDoZ/pY1uYcqz38f9mrRWtroxz/84U6vw5
         /dREt6kH52Qlpk+QSnr3qG8stBsOe8X4jIU7seg+aW4ZPNcPK0DGR+aPYTWUR8a+Lowu
         UgDJS0pEZbn01lM2WHphLz+tfjW4+PD22cafIVKp0AgFujwXSOrCqoMw+yf5ark3/CRP
         o7LmoVHX64i38IzEvFtz9rP8clw5Zzo6iTNZjXzc/VZqOHCvIaFa3JRLHHpT7se2y4C8
         gmQKqyTBuBbjvC6s7bzk9SHfx+Ukylh9Wctny8kX7PRhbjNBP7wwMAMX0HGoT2brKbB8
         HkZw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:subject:from:cc:to
         :content-language:user-agent:mime-version:date:message-id;
        bh=ELA3eBmRO2IOIbwCCviBFgYW05vLSIlyO7HuuP2fssQ=;
        b=pzFYaoqLuJ5tUGuBrUBHOrSTb0JdY9uyj3LR7PkV8Gy9YDMa995Oa+IfHt+wiaRS2j
         ZIAJb3W0vxqpkO2FXJMYYSTs0wk9Er0LwXTAxB0/dQGF9WzklWgRTr8TScUf/pGA/vtD
         CApFFg+1jkEoPLSuQYZZyiSa/IOpcDUdFb0gJswW/SAyga/UPcxIAdcPp7nilsa8DeD+
         eYON1Am5w292u3OS7AJPbB36a204wzkVdMs5w8Wpl1TjS4jB18HY1fF1qNrGjPlgw/ib
         4QXxAzD9wxu8alLIaf5Ox53zh4IxAEsCSuOlpd2VJ0gUj4geLW1Q5bVkd97zAOXaQ6Sm
         PWlg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org
Return-Path: <linux-bluetooth-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id b21-20020a056a000cd500b005286dbaa34csi2304188pfv.58.2022.07.21.03.27.14;
        Thu, 21 Jul 2022 03:28:05 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S233167AbiGUKQU (ORCPT <rfc822;sandmor1220@gmail.com>
        + 99 others); Thu, 21 Jul 2022 06:16:20 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45756 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S233185AbiGUKQS (ORCPT
        <rfc822;linux-bluetooth@vger.kernel.org>);
        Thu, 21 Jul 2022 06:16:18 -0400
Received: from giacobini.uberspace.de (giacobini.uberspace.de [185.26.156.129])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 158BF82387
        for <linux-bluetooth@vger.kernel.org>; Thu, 21 Jul 2022 03:16:12 -0700 (PDT)
Received: (qmail 28149 invoked by uid 990); 21 Jul 2022 10:16:10 -0000
Authentication-Results: giacobini.uberspace.de;
        auth=pass (plain)
Message-ID: <01bb77a3-f138-7488-9ca9-71ec4f7d21a7@eknoes.de>
Date:   Thu, 21 Jul 2022 12:16:05 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
 Thunderbird/91.11.0
Content-Language: en-US
To:     Luiz Augusto von Dentz <luiz.dentz@gmail.com>,
        Johan Hedberg <johan.hedberg@gmail.com>,
        Marcel Holtmann <marcel@holtmann.org>
Cc:     linux-bluetooth@vger.kernel.org
From:   =?UTF-8?Q?S=c3=b6nke_Huster?= <soenke.huster@eknoes.de>
Subject: [BUG] Null pointer deref in aosp_do_open/msft_do_open
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Rspamd-Bar: +
X-Rspamd-Report: MIME_GOOD(-0.1) BAYES_HAM(-0.188866) R_MIXED_CHARSET(0.555555) SUSPICIOUS_RECIPS(1.5)
X-Rspamd-Score: 1.766689
Received: from unknown (HELO unkown) (::1)
        by giacobini.uberspace.de (Haraka/2.8.28) with ESMTPSA; Thu, 21 Jul 2022 12:16:10 +0200
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,
        MSGID_FROM_MTA_HEADER,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS
        autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-bluetooth.vger.kernel.org>
X-Mailing-List: linux-bluetooth@vger.kernel.org

Hi,

My fuzzer found two null pointer exceptions in aosp_do_open and msft_do_open, both triggered by the
same frame sequence on the current bluetooth-next master.

      BUG: kernel NULL pointer dereference, address: 0000000000000070
      #PF: supervisor read access in kernel mode
      #PF: error_code(0x0000) - not-present page
      PGD 0 P4D 0 
      Oops: 0000 [#1] PREEMPT SMP NOPTI
      CPU: 0 PID: 41 Comm: kworker/u3:0 Not tainted 5.18.0-rc7-00850-g33b44d809538 #1
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
      Workqueue: hci0 hci_power_on
      RIP: 0010:aosp_do_open+0x7e/0x230
      Call Trace:
       <TASK>
       hci_dev_open_sync+0x98b/0x1060
       hci_power_on+0x84/0x350
       process_one_work+0x2a6/0x5d0
       worker_thread+0x4a/0x3d0
       ? process_one_work+0x5d0/0x5d0
       kthread+0xed/0x120
       ? kthread_complete_and_exit+0x20/0x20
       ret_from_fork+0x22/0x30
       </TASK>

The null pointer deref occurs in the skb length check (net/bluetooth/aosp.c:64), the skb returned
previously by __hci_cmd_sync is null: 

	/* LE Get Vendor Capabilities Command */
	skb = __hci_cmd_sync(hdev, hci_opcode_pack(0x3f, 0x153), 0, NULL,
			     HCI_CMD_TIMEOUT);
	if (IS_ERR(skb)) {
		bt_dev_err(hdev, "AOSP get vendor capabilities (%ld)",
			   PTR_ERR(skb));
		return;
	}

	/* A basic length check */
	if (skb->len < VENDOR_CAPA_BASE_SIZE)
	
Bisected to: [d0b137062b2de75b264b84143d21c98abc5f5ad2] Bluetooth: hci_sync: Rework init stages

It occurs when an AOSP resp. MSFT capable controller sends the following two different
Command Status (0x0f) for Reset (0x0c03) on initialization:

Status Octet: Unknown HCI Command (0x01)
0000   04 0f 04 01 02 03 0c

Status Octet: Pending (0x00)
0000   04 0f 04 00 02 03 0c

The problem seems to be that __hci_cmd_sync returns null, and not an PTR_ERR. The affected code
for msft_do_open is similar (msft.c:128ff):

	skb = __hci_cmd_sync(hdev, hdev->msft_opcode, sizeof(cp), &cp,
			     HCI_CMD_TIMEOUT);
	if (IS_ERR(skb)) {
		bt_dev_err(hdev, "Failed to read MSFT supported features (%ld)",
			   PTR_ERR(skb));
		return false;
	}

	if (skb->len < sizeof(*rp)) {

Which one is triggered depends on the device reporting itself as either AOSP or MSFT capable.
If it indicates both, it depends on timing.

I think that can only be triggered by a malicious or broken Bluetooth controller, but there
might be an underlying issue with __hci_cmd_sync returning null instead of an ERR_PTR.

Best
Sönke