Received: by 2002:ab2:60d1:0:b0:1f7:5705:b850 with SMTP id i17csp437474lqm;
        Wed, 1 May 2024 05:35:41 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCWthv1mkFSrsR21BG/98V5e3xCvN27Xd4ROuNDoNQbm2nBWY9N0ZloAxr4GSG1iNdmTPix80beVx+BCzl4jBrJx0UpC25+Vm6ROt4puSg==
X-Google-Smtp-Source: AGHT+IF8iVR3SPmT7xS3pV5FUSLcMsoGslyDBQ5jeaxQ8pE3JALFZbe/tsJOCRHQHBsmzCe3D4Ec
X-Received: by 2002:a05:6a21:1a2:b0:1af:5eb7:3e1e with SMTP id le34-20020a056a2101a200b001af5eb73e1emr2570668pzb.54.1714566941400;
        Wed, 01 May 2024 05:35:41 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1714566941; cv=pass;
        d=google.com; s=arc-20160816;
        b=Qt1w55Bg2U1Q5O1T4KYTXNGKzD0dTSRwHUqtRJGiW06BTlVxwhN501QEXozFNbp7hu
         k9cCtx+t+PjuXZ7lKEbFbLECZ8gCssSDDPKMLH6oT5DmhiuVK0Jvs4o/Y5yjBZM1rqfT
         pNUlzGm0CsUN8lio56mUfIx1BcFHk7pwIhLaP/+x8ggTHAyTIka2yB8F3GMNwQaNPfR1
         HEOltU/rC7nLMjEoxoy0DM8XvzYwi1mCpZdOFCDrugVgOepolxTyKoVByETu0qtlSlT7
         Pf0A68rkc98h2UxXD7XISTvaTOXwMT8x+XMeRCpiWq/8phntPZ9+yw3pRXPFbUx3cvzw
         dtQw==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:references:in-reply-to:message-id
         :date:subject:cc:to:from:dkim-signature;
        bh=Bi4zLRhjN+C0wrr7KspUhimTn/cXKIIrBL1k/FSNZgM=;
        fh=Y/qzG6bL/bjfiHEMloY+ua/oEQHiJpBJ7taoH0Lnl4o=;
        b=Wh8XK7IxBMpj2NElFUPV4VNzpM5YybSd6bKZLfsX9U8Ov7cNIKQyRFFXI1SmdNTjsl
         Q/JTWdgw6chQGnUtIfQIFkDZUlBYt4BIMT1JsR+BTkr4kjmtH70ccyh66QBlLeNQjXDt
         2pmf/Su/lLP3rrGvu1FP4v6SpcHToxfTq/DXUjby3pdLVKWGFn/uxhSDAqnKcfyPXF95
         OcfBAwGW+Ls2x2mDvH5KfGwQWCYKN7+b8fr5+MxiSClHDfAWAxlnmejiZVMPdQWETj/I
         vwGtHhFYODKcYwl5/jFUXDH81wtSc+z4Quxxjw18P15JcmbZzBiHjn/wWNXyWPnszBMB
         rXiQ==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=Vo3LGkDV;
       arc=pass (i=1 dkim=pass dkdomain=kernel.org);
       spf=pass (google.com: domain of linux-bluetooth+bounces-4225-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-bluetooth+bounces-4225-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-bluetooth+bounces-4225-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [2604:1380:45e3:2400::1])
        by mx.google.com with ESMTPS id q3-20020a056a00088300b006edc97fdb8dsi24276064pfj.70.2024.05.01.05.35.41
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 01 May 2024 05:35:41 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-bluetooth+bounces-4225-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=Vo3LGkDV;
       arc=pass (i=1 dkim=pass dkdomain=kernel.org);
       spf=pass (google.com: domain of linux-bluetooth+bounces-4225-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-bluetooth+bounces-4225-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sv.mirrors.kernel.org (Postfix) with ESMTPS id D70AF284294
	for <linux.lists.archive@gmail.com>; Wed,  1 May 2024 12:35:40 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 4A7011272A5;
	Wed,  1 May 2024 12:35:15 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="Vo3LGkDV"
X-Original-To: linux-bluetooth@vger.kernel.org
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 95FDF1DFF0;
	Wed,  1 May 2024 12:35:14 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1714566914; cv=none; b=e54FHMkyr028BChRAGpOSf5RaqJK7s6/sccY/UA3PzzLW3+NlJ4qd9jzt7IlWqNmn8pNFwA6q9L0RILgERhyLpsJR1FUqpXVF7/XKf3ng7Bv/p5NRqRd/t+HwkowgbmCPJv12noTzW/MqQ3TPMOu0QzD0BzFywZwlGBmzDCrL2k=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1714566914; c=relaxed/simple;
	bh=yxAjPYd7QIYgUwysaKCWGKv4Li4Z9nbUIl7p5X3foOg=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version; b=UCGxS53p7K3V5Gjhic2wRypW+qOfdyugO1Nxvv4k/7ZdUZIuj9Oj44YozXHhlSlhPywTx1njdJXfIfSU4y30sbhT8Cygqi67YfTjAVcke3aW+jhLicaOda1pm7I41dP6ZTO45L/nhwLqY0hMHWTLeezUJl+koGmHCXO599ETZZ0=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=Vo3LGkDV; arc=none smtp.client-ip=10.30.226.201
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 323C0C4AF18;
	Wed,  1 May 2024 12:35:14 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1714566914;
	bh=yxAjPYd7QIYgUwysaKCWGKv4Li4Z9nbUIl7p5X3foOg=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=Vo3LGkDVfYGH/7nw9R4n2TL5EiDNmaR0GP3B/IVekpMdxCdNHqaM0rZ3snErJKqBD
	 Px/a5XoJUs+Scem+HuWa4IogT80RP3Vq034hqM63eyiEq5jRDXrh6HB9CaQBPrSEVp
	 JZWjjvQumETidV3eAl5fJ0+2UTxjw+3fLm8aHZF1rC6xt5Jh8suOpJV7oxoYV5ckWi
	 7aI34IJrApPT7ObWWbH8OTheCCUZF+hrCe8H7do7eDmUnNZQc2+gMjuTx6FdAeRIXf
	 KUUpeSk+fDM8u2+ffuQlbDdZH9X4Qc18O2um1v1gavJBUYQyWJeC2sKXvHnZVUN4/+
	 wjlqbhqEx9N1w==
Received: from johan by xi.lan with local (Exim 4.97.1)
	(envelope-from <johan+linaro@kernel.org>)
	id 1s29B6-000000001ky-3dgV;
	Wed, 01 May 2024 14:35:16 +0200
From: Johan Hovold <johan+linaro@kernel.org>
To: Marcel Holtmann <marcel@holtmann.org>,
	Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Cc: Janaki Ramaiah Thota <quic_janathot@quicinc.com>,
	linux-bluetooth@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	Johan Hovold <johan+linaro@kernel.org>,
	stable@vger.kernel.org
Subject: [PATCH 1/5] Bluetooth: qca: fix info leak when fetching fw build id
Date: Wed,  1 May 2024 14:34:52 +0200
Message-ID: <20240501123456.6712-2-johan+linaro@kernel.org>
X-Mailer: git-send-email 2.43.2
In-Reply-To: <20240501123456.6712-1-johan+linaro@kernel.org>
References: <20240501123456.6712-1-johan+linaro@kernel.org>
Precedence: bulk
X-Mailing-List: linux-bluetooth@vger.kernel.org
List-Id: <linux-bluetooth.vger.kernel.org>
List-Subscribe: <mailto:linux-bluetooth+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-bluetooth+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Add the missing sanity checks and move the 255-byte build-id buffer off
the stack to avoid leaking stack data through debugfs in case the
build-info reply is malformed.

Fixes: c0187b0bd3e9 ("Bluetooth: btqca: Add support to read FW build version for WCN3991 BTSoC")
Cc: stable@vger.kernel.org	# 5.12
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
---
 drivers/bluetooth/btqca.c | 25 +++++++++++++++++++++----
 drivers/bluetooth/btqca.h |  1 -
 2 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c
index 38a770278103..a508d79d9aaa 100644
--- a/drivers/bluetooth/btqca.c
+++ b/drivers/bluetooth/btqca.c
@@ -99,7 +99,8 @@ static int qca_read_fw_build_info(struct hci_dev *hdev)
 {
 	struct sk_buff *skb;
 	struct edl_event_hdr *edl;
-	char cmd, build_label[QCA_FW_BUILD_VER_LEN];
+	char *build_label;
+	char cmd;
 	int build_lbl_len, err = 0;
 
 	bt_dev_dbg(hdev, "QCA read fw build info");
@@ -114,6 +115,11 @@ static int qca_read_fw_build_info(struct hci_dev *hdev)
 		return err;
 	}
 
+	if (skb->len < sizeof(*edl)) {
+		err = -EILSEQ;
+		goto out;
+	}
+
 	edl = (struct edl_event_hdr *)(skb->data);
 	if (!edl) {
 		bt_dev_err(hdev, "QCA read fw build info with no header");
@@ -129,14 +135,25 @@ static int qca_read_fw_build_info(struct hci_dev *hdev)
 		goto out;
 	}
 
+	if (skb->len < sizeof(*edl) + 1) {
+		err = -EILSEQ;
+		goto out;
+	}
+
 	build_lbl_len = edl->data[0];
-	if (build_lbl_len <= QCA_FW_BUILD_VER_LEN - 1) {
-		memcpy(build_label, edl->data + 1, build_lbl_len);
-		*(build_label + build_lbl_len) = '\0';
+
+	if (skb->len < sizeof(*edl) + 1 + build_lbl_len) {
+		err = -EILSEQ;
+		goto out;
 	}
 
+	build_label = kstrndup(&edl->data[1], build_lbl_len, GFP_KERNEL);
+	if (!build_label)
+		goto out;
+
 	hci_set_fw_info(hdev, "%s", build_label);
 
+	kfree(build_label);
 out:
 	kfree_skb(skb);
 	return err;
diff --git a/drivers/bluetooth/btqca.h b/drivers/bluetooth/btqca.h
index 49ad668d0d0b..215433fd76a1 100644
--- a/drivers/bluetooth/btqca.h
+++ b/drivers/bluetooth/btqca.h
@@ -48,7 +48,6 @@
 #define get_soc_ver(soc_id, rom_ver)	\
 	((le32_to_cpu(soc_id) << 16) | (le16_to_cpu(rom_ver)))
 
-#define QCA_FW_BUILD_VER_LEN		255
 #define QCA_HSP_GF_SOC_ID			0x1200
 #define QCA_HSP_GF_SOC_MASK			0x0000ff00
 
-- 
2.43.2