From: Luiz Augusto von Dentz
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH] Bluetooth: ISO: Fix memory corruption
Date: Fri, 29 Jul 2022 11:10:41 -0700
Message-Id: <20220729181041.1571220-1-luiz.dentz@gmail.com>
X-Mailing-List: linux-bluetooth@vger.kernel.org
From: Luiz Augusto von Dentz

The following memory corruption can happen since iso_pinfo.base size did
not account for its headers (4 bytes):

net/bluetooth/eir.c
    76         memcpy(&eir[eir_len], data, data_len);
                           ^^^^^^^         ^^^^^^^^
    77         eir_len += data_len;
    78
    79         return eir_len;
    80 }

The "eir" buffer has 252 bytes and data_len is 252 but we do a memcpy()
to &eir[4] so this can corrupt 4 bytes beyond the end of the buffer.

Fixes: f764a6c2c1e4: "Bluetooth: ISO: Add broadcast support"
Signed-off-by: Luiz Augusto von Dentz
Reported-by: Dan Carpenter
---
 net/bluetooth/iso.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index dded22cde0d1..70c2dd30cb13 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -44,6 +44,9 @@ static void iso_sock_kill(struct sock *sk);
 
 /* ----- ISO socket info ----- */
 #define iso_pi(sk) ((struct iso_pinfo *)sk)
+#define EIR_SERVICE_DATA_LENGTH 4
+#define BASE_MAX_LENGTH (HCI_MAX_PER_AD_LENGTH - EIR_SERVICE_DATA_LENGTH)
+
 struct iso_pinfo {
 	struct bt_sock bt;
 	bdaddr_t src;
@@ -57,7 +60,7 @@ struct iso_pinfo {
 	__u32 flags;
 	struct bt_iso_qos qos;
 	__u8 base_len;
-	__u8 base[HCI_MAX_PER_AD_LENGTH];
+	__u8 base[BASE_MAX_LENGTH];
 	struct iso_conn *conn;
 };
 
-- 
2.37.1
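Review bot: EIR_SERVICE_DATA_LENGTH in the first hunk names the wrong thing. The four bytes being subtracted are the AD-structure header that eir_append_service_data() emits in front of the BASE (the "headers (4 bytes)" of the commit message, which is why the copy lands at &eir[4]), not the length of the service data, so a reader will take the macro for a payload size. Something like `#define EIR_SERVICE_DATA_HDR_LEN 4` with a one-line comment saying what the four bytes are would make `BASE_MAX_LENGTH (HCI_MAX_PER_AD_LENGTH - EIR_SERVICE_DATA_HDR_LEN)` self-explanatory; and since the constant describes what eir.c writes, it belongs next to HCI_MAX_PER_AD_LENGTH in the shared header rather than as a private define in iso.c, otherwise the next caller of eir_append_service_data() will re-derive it.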
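Review bot: the second hunk shrinks base[] to BASE_MAX_LENGTH but does not touch base_len or any code that fills the array, so the fix only holds if every writer of base/base_len bounds the caller's length by sizeof(iso_pi(sk)->base) rather than by HCI_MAX_PER_AD_LENGTH; please confirm that for the setsockopt path that stores the BASE, otherwise 252 bytes can still reach the memcpy() in eir.c. A short comment on the base[] member saying why it is four bytes shorter than the advertising maximum would stop a later edit of the struct from reintroducing the overrun. Separately, the Fixes: tag in the commit message should use the kernel form `Fixes: f764a6c2c1e4 ("Bluetooth: ISO: Add broadcast support")` so the tooling that matches it picks the patch up.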
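Added example, not code from this patch or from the kernel tree: a user-space C model of the EIR service-data append the commit message describes, so the 252 + 4 arithmetic and a bounds-checked variant of the copy can be run outside the kernel. HCI_MAX_PER_AD_LENGTH = 252 and the 4-byte header come from the commit message; the function names (base_overflow_bytes, eir_append_service_data_checked, try_append), the 0x1851 UUID and the 0xAA fill are constructed for the demonstration.

```c
/* Added example (not the kernel's code): a user-space model of the EIR
 * service-data append from the commit message. HCI_MAX_PER_AD_LENGTH and
 * the 4-byte header are from the message; everything else is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HCI_MAX_PER_AD_LENGTH 252
/* AD structure header written before the BASE: length, type, 16-bit UUID */
#define EIR_SERVICE_DATA_HDR_LEN 4
#define BASE_MAX_LENGTH (HCI_MAX_PER_AD_LENGTH - EIR_SERVICE_DATA_HDR_LEN)
#define EIR_SERVICE_DATA 0x16
#define DEMO_UUID 0x1851 /* constructed 16-bit UUID for the demonstration */

/* Bytes written past a HCI_MAX_PER_AD_LENGTH-byte eir[] when data_len bytes
 * are copied after the 4-byte header; 0 when the structure fits. */
size_t base_overflow_bytes(size_t data_len)
{
	size_t total = EIR_SERVICE_DATA_HDR_LEN + data_len;

	return total > HCI_MAX_PER_AD_LENGTH ? total - HCI_MAX_PER_AD_LENGTH : 0;
}

/* Bounds-checked model of eir_append_service_data() (hypothetical name):
 * appends <len><EIR_SERVICE_DATA><uuid le16><data> at eir[eir_len] and
 * returns the new length, or 0 when it would not fit in eir_size bytes. */
size_t eir_append_service_data_checked(uint8_t *eir, size_t eir_size,
				       size_t eir_len, uint16_t uuid,
				       const uint8_t *data, size_t data_len)
{
	/* The AD length byte counts type + UUID + data and must fit in a u8. */
	if (data_len > UINT8_MAX - 3)
		return 0;
	/* The check the kernel copy lacked: header plus data must fit. */
	if (eir_len > eir_size ||
	    eir_size - eir_len < EIR_SERVICE_DATA_HDR_LEN + data_len)
		return 0;

	eir[eir_len++] = (uint8_t)(data_len + 3);
	eir[eir_len++] = EIR_SERVICE_DATA;
	eir[eir_len++] = uuid & 0xff;
	eir[eir_len++] = uuid >> 8;
	memcpy(&eir[eir_len], data, data_len);
	return eir_len + data_len;
}

/* Appends a constructed data_len-byte BASE into a fresh 252-byte eir[] and
 * returns the resulting length (0 = rejected). */
size_t try_append(size_t data_len)
{
	uint8_t eir[HCI_MAX_PER_AD_LENGTH];
	uint8_t base[HCI_MAX_PER_AD_LENGTH]; /* the pre-fix array size */

	if (data_len > sizeof(base))
		return 0;
	memset(base, 0xAA, sizeof(base));
	return eir_append_service_data_checked(eir, sizeof(eir), 0, DEMO_UUID,
					       base, data_len);
}

int main(void)
{
	printf("252-byte BASE overruns eir[] by %zu bytes\n",
	       base_overflow_bytes(HCI_MAX_PER_AD_LENGTH));
	printf("checked append of 252 bytes -> %zu (0 = rejected)\n",
	       try_append(HCI_MAX_PER_AD_LENGTH));
	printf("checked append of %d bytes -> %zu\n", BASE_MAX_LENGTH,
	       try_append(BASE_MAX_LENGTH));
	return 0;
}
```

The rejection in eir_append_service_data_checked() is the check the patch avoids needing by shrinking the source array instead; a 252-byte BASE is refused, a 248-byte one fills eir[] exactly. Either approach is sound on its own, but a length check at the copy is the one that survives a later change to the struct.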