Received: by 2002:ab2:60d1:0:b0:1f7:5705:b850 with SMTP id i17csp437474lqm; Wed, 1 May 2024 05:35:41 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCWthv1mkFSrsR21BG/98V5e3xCvN27Xd4ROuNDoNQbm2nBWY9N0ZloAxr4GSG1iNdmTPix80beVx+BCzl4jBrJx0UpC25+Vm6ROt4puSg== X-Google-Smtp-Source: AGHT+IF8iVR3SPmT7xS3pV5FUSLcMsoGslyDBQ5jeaxQ8pE3JALFZbe/tsJOCRHQHBsmzCe3D4Ec X-Received: by 2002:a05:6a21:1a2:b0:1af:5eb7:3e1e with SMTP id le34-20020a056a2101a200b001af5eb73e1emr2570668pzb.54.1714566941400; Wed, 01 May 2024 05:35:41 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1714566941; cv=pass; d=google.com; s=arc-20160816; b=Qt1w55Bg2U1Q5O1T4KYTXNGKzD0dTSRwHUqtRJGiW06BTlVxwhN501QEXozFNbp7hu k9cCtx+t+PjuXZ7lKEbFbLECZ8gCssSDDPKMLH6oT5DmhiuVK0Jvs4o/Y5yjBZM1rqfT pNUlzGm0CsUN8lio56mUfIx1BcFHk7pwIhLaP/+x8ggTHAyTIka2yB8F3GMNwQaNPfR1 HEOltU/rC7nLMjEoxoy0DM8XvzYwi1mCpZdOFCDrugVgOepolxTyKoVByETu0qtlSlT7 Pf0A68rkc98h2UxXD7XISTvaTOXwMT8x+XMeRCpiWq/8phntPZ9+yw3pRXPFbUx3cvzw dtQw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:in-reply-to:message-id :date:subject:cc:to:from:dkim-signature; bh=Bi4zLRhjN+C0wrr7KspUhimTn/cXKIIrBL1k/FSNZgM=; fh=Y/qzG6bL/bjfiHEMloY+ua/oEQHiJpBJ7taoH0Lnl4o=; b=Wh8XK7IxBMpj2NElFUPV4VNzpM5YybSd6bKZLfsX9U8Ov7cNIKQyRFFXI1SmdNTjsl Q/JTWdgw6chQGnUtIfQIFkDZUlBYt4BIMT1JsR+BTkr4kjmtH70ccyh66QBlLeNQjXDt 2pmf/Su/lLP3rrGvu1FP4v6SpcHToxfTq/DXUjby3pdLVKWGFn/uxhSDAqnKcfyPXF95 OcfBAwGW+Ls2x2mDvH5KfGwQWCYKN7+b8fr5+MxiSClHDfAWAxlnmejiZVMPdQWETj/I vwGtHhFYODKcYwl5/jFUXDH81wtSc+z4Quxxjw18P15JcmbZzBiHjn/wWNXyWPnszBMB rXiQ==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=Vo3LGkDV; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-bluetooth+bounces-4225-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-bluetooth+bounces-4225-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [2604:1380:45e3:2400::1]) by mx.google.com with ESMTPS id q3-20020a056a00088300b006edc97fdb8dsi24276064pfj.70.2024.05.01.05.35.41 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 01 May 2024 05:35:41 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-bluetooth+bounces-4225-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=Vo3LGkDV; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-bluetooth+bounces-4225-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-bluetooth+bounces-4225-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id D70AF284294 for ; Wed, 1 May 2024 12:35:40 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 4A7011272A5; Wed, 1 May 2024 12:35:15 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="Vo3LGkDV" X-Original-To: linux-bluetooth@vger.kernel.org Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 95FDF1DFF0; Wed, 1 May 2024 12:35:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714566914; cv=none; b=e54FHMkyr028BChRAGpOSf5RaqJK7s6/sccY/UA3PzzLW3+NlJ4qd9jzt7IlWqNmn8pNFwA6q9L0RILgERhyLpsJR1FUqpXVF7/XKf3ng7Bv/p5NRqRd/t+HwkowgbmCPJv12noTzW/MqQ3TPMOu0QzD0BzFywZwlGBmzDCrL2k= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714566914; c=relaxed/simple; bh=yxAjPYd7QIYgUwysaKCWGKv4Li4Z9nbUIl7p5X3foOg=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=UCGxS53p7K3V5Gjhic2wRypW+qOfdyugO1Nxvv4k/7ZdUZIuj9Oj44YozXHhlSlhPywTx1njdJXfIfSU4y30sbhT8Cygqi67YfTjAVcke3aW+jhLicaOda1pm7I41dP6ZTO45L/nhwLqY0hMHWTLeezUJl+koGmHCXO599ETZZ0= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=Vo3LGkDV; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id 323C0C4AF18; Wed, 1 May 2024 12:35:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1714566914; bh=yxAjPYd7QIYgUwysaKCWGKv4Li4Z9nbUIl7p5X3foOg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Vo3LGkDVfYGH/7nw9R4n2TL5EiDNmaR0GP3B/IVekpMdxCdNHqaM0rZ3snErJKqBD Px/a5XoJUs+Scem+HuWa4IogT80RP3Vq034hqM63eyiEq5jRDXrh6HB9CaQBPrSEVp JZWjjvQumETidV3eAl5fJ0+2UTxjw+3fLm8aHZF1rC6xt5Jh8suOpJV7oxoYV5ckWi 7aI34IJrApPT7ObWWbH8OTheCCUZF+hrCe8H7do7eDmUnNZQc2+gMjuTx6FdAeRIXf KUUpeSk+fDM8u2+ffuQlbDdZH9X4Qc18O2um1v1gavJBUYQyWJeC2sKXvHnZVUN4/+ wjlqbhqEx9N1w== Received: from johan by xi.lan with local (Exim 4.97.1) (envelope-from ) id 1s29B6-000000001ky-3dgV; Wed, 01 May 2024 14:35:16 +0200 From: Johan Hovold To: Marcel Holtmann , Luiz Augusto von Dentz Cc: Janaki Ramaiah Thota , linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, Johan Hovold , stable@vger.kernel.org Subject: [PATCH 1/5] Bluetooth: qca: fix info leak when fetching fw build id Date: Wed, 1 May 2024 14:34:52 +0200 Message-ID: <20240501123456.6712-2-johan+linaro@kernel.org> X-Mailer: git-send-email 2.43.2 In-Reply-To: <20240501123456.6712-1-johan+linaro@kernel.org> References: <20240501123456.6712-1-johan+linaro@kernel.org> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Add the missing sanity checks and move the 255-byte build-id buffer off the stack to avoid leaking stack data through debugfs in case the build-info reply is malformed. Fixes: c0187b0bd3e9 ("Bluetooth: btqca: Add support to read FW build version for WCN3991 BTSoC") Cc: stable@vger.kernel.org # 5.12 Signed-off-by: Johan Hovold --- drivers/bluetooth/btqca.c | 25 +++++++++++++++++++++---- drivers/bluetooth/btqca.h | 1 - 2 files changed, 21 insertions(+), 5 deletions(-) diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c index 38a770278103..a508d79d9aaa 100644 --- a/drivers/bluetooth/btqca.c +++ b/drivers/bluetooth/btqca.c @@ -99,7 +99,8 @@ static int qca_read_fw_build_info(struct hci_dev *hdev) { struct sk_buff *skb; struct edl_event_hdr *edl; - char cmd, build_label[QCA_FW_BUILD_VER_LEN]; + char *build_label; + char cmd; int build_lbl_len, err = 0; bt_dev_dbg(hdev, "QCA read fw build info"); @@ -114,6 +115,11 @@ static int qca_read_fw_build_info(struct hci_dev *hdev) return err; } + if (skb->len < sizeof(*edl)) { + err = -EILSEQ; + goto out; + } + edl = (struct edl_event_hdr *)(skb->data); if (!edl) { bt_dev_err(hdev, "QCA read fw build info with no header"); @@ -129,14 +135,25 @@ static int qca_read_fw_build_info(struct hci_dev *hdev) goto out; } + if (skb->len < sizeof(*edl) + 1) { + err = -EILSEQ; + goto out; + } + build_lbl_len = edl->data[0]; - if (build_lbl_len <= QCA_FW_BUILD_VER_LEN - 1) { - memcpy(build_label, edl->data + 1, build_lbl_len); - *(build_label + build_lbl_len) = '\0'; + + if (skb->len < sizeof(*edl) + 1 + build_lbl_len) { + err = -EILSEQ; + goto out; } + build_label = kstrndup(&edl->data[1], build_lbl_len, GFP_KERNEL); + if (!build_label) + goto out; + hci_set_fw_info(hdev, "%s", build_label); + kfree(build_label); out: kfree_skb(skb); return err; diff --git a/drivers/bluetooth/btqca.h b/drivers/bluetooth/btqca.h index 49ad668d0d0b..215433fd76a1 100644 --- a/drivers/bluetooth/btqca.h +++ b/drivers/bluetooth/btqca.h @@ -48,7 +48,6 @@ #define get_soc_ver(soc_id, rom_ver) \ ((le32_to_cpu(soc_id) << 16) | (le16_to_cpu(rom_ver))) -#define QCA_FW_BUILD_VER_LEN 255 #define QCA_HSP_GF_SOC_ID 0x1200 #define QCA_HSP_GF_SOC_MASK 0x0000ff00 -- 2.43.2