X-Mailing-List: linux-bluetooth@vger.kernel.org
References: <7cf0848b-f44c-42ad-848a-369a249bff77@gmail.com>
From: Luiz Augusto von Dentz
Date: Tue, 9 Apr 2024 10:11:50 -0400
Subject: Re: [PATCH] Bluetooth: fix oob in rfcomm_sock_setsockopt
To: Edward Adam Davis
Cc: eric.dumazet@gmail.com, edumazet@google.com, johan.hedberg@gmail.com, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org, pmenzel@molgen.mpg.de, syzbot+d4ecae01a53fd9b42e7d@syzkaller.appspotmail.com, syzkaller-bugs@googlegroups.com
Content-Type: text/plain; charset="UTF-8"

Hi Edward,

On Tue, Apr 9, 2024 at 9:36 AM Edward Adam Davis wrote:
>
> If optlen < sizeof(u32) it will trigger oob, so take the min of them.
>
> Reported-by: syzbot+d4ecae01a53fd9b42e7d@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis
> ---
>  net/bluetooth/rfcomm/sock.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
> index b54e8a530f55..42c55c756b51 100644
> --- a/net/bluetooth/rfcomm/sock.c
> +++ b/net/bluetooth/rfcomm/sock.c
> @@ -629,7 +629,7 @@ static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname,
>
>  	switch (optname) {
>  	case RFCOMM_LM:
> -		if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
> +		if (copy_from_sockptr(&opt, optval, min_t(int, sizeof(u32), optlen))) {
>  			err = -EFAULT;
>  			break;
>  		}
> --
> 2.43.0

This has been dealt with already:

https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=ee77912bc0bbd78fceb785a81cc9108fa954982f

-- 
Luiz Augusto von Dentz
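Review bot: clamping the copy length with min_t(int, sizeof(u32), optlen) in the RFCOMM_LM case stops the over-read but silently accepts an undersized option: when optlen is smaller than sizeof(u32), only part of `opt` is written, the remaining bytes keep whatever value `opt` held before, and the code after the copy still consumes the full u32, so the link-mode value actually applied is not the one the caller passed. The usual pattern is to validate the length up front, `if (optlen < sizeof(opt)) { err = -EINVAL; break; }`, and keep the full-size copy, so a short optlen is rejected rather than partially read; if a truncated copy is kept instead, `opt` must be zero-initialized before the copy. Minor: min_t should use optlen's own type rather than int, since sizeof() yields a size_t and the cast to int mixes signedness for no benefit.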