Received: by 2002:ac0:b7d5:0:0:0:0:0 with SMTP id v21csp55946ime;
        Thu, 28 Jul 2022 16:54:46 -0700 (PDT)
X-Google-Smtp-Source: AGRyM1u92ap7rl/QGJ98I0rP7jk1peXiLUc3vOahI29HBwZctJITAsu4EzhYqWGmZUUN3YTC2e1M
X-Received: by 2002:a63:5254:0:b0:41a:4cfc:72ea with SMTP id s20-20020a635254000000b0041a4cfc72eamr846354pgl.403.1659052486323;
        Thu, 28 Jul 2022 16:54:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1659052486; cv=none;
        d=google.com; s=arc-20160816;
        b=uBSD4HdTmk9coAaxlTNVjqRGjnKohxay1CTcf8aTe5IFkpNOsZLHXI2a4iJkeQPZkT
         m2mOSYH5Uoj1yaiekTDMJV6zvPKpCAK9e6EakPkNNhrgt6OC64wfL7++xO3CjpXH+0P4
         mBFzThlRB7pZG23XtWIQwqkSORs13bXFMbE/6FtjBztJW26MVTQa+dcNTAI9UVF2t+gm
         s1DxAn2q+BR3O6wGMJIK7KwBNTJIH6dTvukPytgu7vpjf1QHd1GpZFIvmeHx6T7uUiKu
         4g6ISbNrRHNboooSFgjR4LGeKMt194ticuoMAIAq45uW5JWWcFDOP9Ry+eJGIhuK64hs
         W/8w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:date:subject:to:from:dkim-signature;
        bh=IWCrW5z2WP1eqXuG9tATReN8ZZMscIwJf4MtedgeAiE=;
        b=Qrp+3Pdjqd6P18r4GGvKJeYtja04X/n86MoKeiKSara/HhhEKV3kpGdfc/zXAWdFH8
         mHUo0+iHhVwoPn41yxelJn/K6TyAsYXBVakA+tTdhL+7zxpuPjbAh0dJdA8J6uI5hi1T
         sSGftko+Vksdag8EhY3F4XQwwCegjcoBjoaAmFWYn5h1N0FJr7rHGpZ/h9Yvhl5RCJdk
         Aj+e5/2+1CS81/XCHqu4gFuCPBYrys9xmMobRvpJXkLaO410ZkwovHw9DDIsYsMrsJPh
         tO6hSAmZqCTEIE2IN8WlZcezAHdFKx/0lOov3KGtHJV5hsfTBO6vM90KyK+re1QGSso5
         kc2A==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20210112 header.b=kNCNx+vq;
       spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-bluetooth-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id r13-20020a65498d000000b00412b2911bf7si2139942pgs.198.2022.07.28.16.54.32;
        Thu, 28 Jul 2022 16:54:46 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20210112 header.b=kNCNx+vq;
       spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230007AbiG1Xve (ORCPT <rfc822;sandmor1220@gmail.com>
        + 99 others); Thu, 28 Jul 2022 19:51:34 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34896 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229940AbiG1Xve (ORCPT
        <rfc822;linux-bluetooth@vger.kernel.org>);
        Thu, 28 Jul 2022 19:51:34 -0400
Received: from mail-pj1-x1033.google.com (mail-pj1-x1033.google.com [IPv6:2607:f8b0:4864:20::1033])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1F4096E2DF
        for <linux-bluetooth@vger.kernel.org>; Thu, 28 Jul 2022 16:51:33 -0700 (PDT)
Received: by mail-pj1-x1033.google.com with SMTP id f7so3445972pjp.0
        for <linux-bluetooth@vger.kernel.org>; Thu, 28 Jul 2022 16:51:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=from:to:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=IWCrW5z2WP1eqXuG9tATReN8ZZMscIwJf4MtedgeAiE=;
        b=kNCNx+vqOZ109JRe1H/JGIJlKuJ0WN8PzWu2pElkWQ+RBsUOWTZ/u05ykhNauLOPAp
         ZQJXVfoSVJhDBKY8V0kw3LIWk6JdPCyPPgXmQGL8FWF5dPPjBu2fc3NrGKPcSCvd2Wtn
         RrKut4kZ9yE50puK57cv/F/Ok005HggZK0tMTVqb6OViWBfB5KJlOsvNAnbIkV/2C+Cg
         APnHj+4n/vjC6VwTwfLE8UfQO35bJQ0++xf8YJOiQIjOmhFQKAgWH2/ciVdcDMnmHPZW
         2zu5dnQIIl/qVUN9pJ/4GvAA2giLKZ3HOgJP1whbnJ+yX+BB06nJeVK0AbDL8HF8P78a
         T3oA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:from:to:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=IWCrW5z2WP1eqXuG9tATReN8ZZMscIwJf4MtedgeAiE=;
        b=OYZMyc+z9vmR5zQkeiamHCdVV2GIe9WEKvk5RFBlCq7GUSv+elE8WS5/hHiPdAEzzn
         YKoEl7Xl2gKxV/IurTSYo0OpCq8vId2l3AAcZR8OHDP7md9ukCW6RXLipstxKJ1mh1Z1
         79Gt34mO3hwwLWPrmf70EGTprJA2dcKLJYIfi+ZzxCONNebDHNlsdbsl+2RcbhZlkdDI
         +iV6ByDEjjbvO0AkDZ3qzzsJMwnRpazfg99UZZvIe2qECn2VWcRioO3J5wWF6v08Jj19
         cuqHy34MzXV5Ug2GPckh01cn7qCCXqJecdub1LfqrILbP3xwDHTmY/G2AX53/MLlbiwc
         GMXA==
X-Gm-Message-State: ACgBeo2hujRu0WQMnsnK0QPKiOxmgJcV5UOSOLGsqlFKUtcZHLYaAZye
        +Ejzz/kxbnjmQKY8V0dyLGtz4pASuAcP7g==
X-Received: by 2002:a17:90a:5d93:b0:1f1:b730:11bd with SMTP id t19-20020a17090a5d9300b001f1b73011bdmr1127651pji.105.1659052292124;
        Thu, 28 Jul 2022 16:51:32 -0700 (PDT)
Received: from lvondent-mobl4.. (c-71-56-157-77.hsd1.or.comcast.net. [71.56.157.77])
        by smtp.gmail.com with ESMTPSA id g28-20020aa79f1c000000b00528a097aeffsm1307697pfr.118.2022.07.28.16.51.31
        for <linux-bluetooth@vger.kernel.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 28 Jul 2022 16:51:31 -0700 (PDT)
From:   Luiz Augusto von Dentz <luiz.dentz@gmail.com>
To:     linux-bluetooth@vger.kernel.org
Subject: [PATCH v2] Bluetooth: ISO: Fix info leak in iso_sock_getsockopt()
Date:   Thu, 28 Jul 2022 16:51:30 -0700
Message-Id: <20220728235130.1323745-1-luiz.dentz@gmail.com>
X-Mailer: git-send-email 2.37.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,
        RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-bluetooth.vger.kernel.org>
X-Mailing-List: linux-bluetooth@vger.kernel.org

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

The C standard rules for when struct holes are zeroed out are slightly
weird.  The existing assignments might initialize everything, but GCC
is allowed to (and does sometimes) leave the struct holes uninitialized,
so instead of using yet another variable and copy the QoS settings just
use a pointer to the stored QoS settings.

Fixes: ccf74f2390d6 ("Bluetooth: Add BTPROTO_ISO socket type")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
v2: Fix author

 net/bluetooth/iso.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index 19d003727b50..dded22cde0d1 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -1235,7 +1235,7 @@ static int iso_sock_getsockopt(struct socket *sock, int level, int optname,
 {
 	struct sock *sk = sock->sk;
 	int len, err = 0;
-	struct bt_iso_qos qos;
+	struct bt_iso_qos *qos;
 	u8 base_len;
 	u8 *base;
 
@@ -1261,12 +1261,12 @@ static int iso_sock_getsockopt(struct socket *sock, int level, int optname,
 
 	case BT_ISO_QOS:
 		if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONNECT2)
-			qos = iso_pi(sk)->conn->hcon->iso_qos;
+			qos = &iso_pi(sk)->conn->hcon->iso_qos;
 		else
-			qos = iso_pi(sk)->qos;
+			qos = &iso_pi(sk)->qos;
 
-		len = min_t(unsigned int, len, sizeof(qos));
-		if (copy_to_user(optval, (char *)&qos, len))
+		len = min_t(unsigned int, len, sizeof(*qos));
+		if (copy_to_user(optval, qos, len))
 			err = -EFAULT;
 
 		break;
-- 
2.37.1