Date:   Mon, 21 Jan 2019 15:48:34 +0100
From:   Marcel Holtmann <marcel@...tmann.org>
To:     Myungho Jung <mhjungk@...il.com>
Cc:     Johan Hedberg <johan.hedberg@...il.com>,
        linux-bluetooth@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] Bluetooth: hci_uart: Add a local variable to store the result of h4_recv_buf()

Hi Myungho,

>>>> In h4_recv(), if h4_recv_buf() returns error and h4_recv() is
>>>> asynchronously called again before setting rx_skb to NULL, ERR_PTR will
>>>> be dereferenced in h4_recv_buf(). Check return value in a local variable
>>>> before writing to rx_skb.
>>>> 
>>>> Reported-by: syzbot+017a32f149406df32703@...kaller.appspotmail.com
>>>> Signed-off-by: Myungho Jung <mhjungk@...il.com>
>>>> ---
>>>> drivers/bluetooth/hci_h4.c | 11 +++++++----
>>>> 1 file changed, 7 insertions(+), 4 deletions(-)
>>> 
>>> patch has been applied to bluetooth-next tree.
>>> 
>>> Can you actually fix all callers of h4_recv_buf since they all suffer from the same issue?
>>> 
>>> Regards
>>> 
>>> Marcel
>>> 
>> 
>> Hi Marcel,
>> 
>> Sure, let me check other callers and fix them if applicable.
>> 
>> Thanks,
>> Myungho
>> 
> 
> Hi Marcel,
> 
> I found there are many callers that need to be fixed. So, how about checking
> error code in h4_recv_buf() instead?
> 
> diff --git a/drivers/bluetooth/hci_h4.c b/drivers/bluetooth/hci_h4.c
> index fb97a3bf069b..dea48090d2dc 100644
> --- a/drivers/bluetooth/hci_h4.c
> +++ b/drivers/bluetooth/hci_h4.c
> @@ -174,6 +174,10 @@ struct sk_buff *h4_recv_buf(struct hci_dev *hdev, struct sk_buff *skb,
> 	struct hci_uart *hu = hci_get_drvdata(hdev);
> 	u8 alignment = hu->alignment ? hu->alignment : 1;
> 
> +	/* Check if socket buffer is not reset yet from previous error */
> +	if (IS_ERR(skb))
> +		skb = NULL;
> +
> 	while (count) {
> 		int i, len;
> 
> 
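Review bot: the new check at the top of h4_recv_buf() turns an ERR_PTR that a caller left in rx_skb into NULL silently, so the driver recovers but nothing at this point records that the previous frame failed; since that is the intent, the comment should say so, for example "A previous call returned an error and the caller may not have reset rx_skb yet; start a fresh buffer", rather than "socket buffer is not reset yet from previous error", which reads as if the buffer were still a valid one. The same reassembly loop is duplicated in drivers/bluetooth/h4_recv.h, so that copy needs the identical guard or its callers remain exposed to the stale-ERR_PTR dereference.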
> It is tested and verified by syzbot. The previous commit is no longer needed if
> this looks better.

please send a proper patch for this and also don’t forget drivers/bluetooth/h4_recv.h since these two are not yet consolidated.

Regards

Marcel
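
The failure mode discussed in this thread, as an added userspace example (not code from the kernel or from either participant): a toy reassembler with the shape of h4_recv_buf() returns an ERR_PTR on a bad byte, the caller stores it where it keeps rx_skb, and a second delivery races in before the caller's reset has run. The ERR_PTR/IS_ERR/PTR_ERR helpers, the toy_skb structure, the 0x04 event-packet layout and the two constructed byte sequences are all stand-ins assumed for this example; where the unpatched kernel function would dereference the bogus pointer and oops, the toy returns -EFAULT instead so that both behaviours can be run side by side.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace stand-ins for the kernel's ERR_PTR()/IS_ERR()/PTR_ERR() (constructed
 * here; the real ones live in <linux/err.h>). An error is encoded as a pointer
 * into the top MAX_ERRNO bytes of the address space, which never holds a valid
 * object, so dereferencing it faults. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long error) { return (void *)(intptr_t)error; }
static inline long PTR_ERR(const void *ptr) { return (long)(intptr_t)ptr; }
static inline int IS_ERR(const void *ptr) { return (uintptr_t)ptr >= (uintptr_t)-MAX_ERRNO; }

/* Toy sk_buff: a fixed-size byte accumulator (constructed for the example). */
struct toy_skb {
    size_t len;
    size_t expect;              /* total packet length, once the header is in */
    unsigned char data[64];
};

/* Toy reassembler with the shape of h4_recv_buf(): takes the in-progress buffer
 * (NULL to start one), appends bytes, and returns the buffer or an ERR_PTR.
 * Only HCI event packets are accepted: [0x04][event code][param length][params].
 * guard_stale_err selects the check the proposed patch adds to the real function. */
static struct toy_skb *toy_recv_buf(struct toy_skb *skb, const unsigned char *buf,
                                    size_t count, int guard_stale_err)
{
    if (IS_ERR(skb)) {
        if (!guard_stale_err)
            /* The unpatched function dereferences skb here and oopses;
             * -EFAULT stands in for that crash so the example can run. */
            return ERR_PTR(-EFAULT);
        skb = NULL;             /* patched behaviour: forget the stale error */
    }
    while (count) {
        if (!skb) {
            if (buf[0] != 0x04)
                return ERR_PTR(-EILSEQ);    /* unknown packet type */
            skb = calloc(1, sizeof(*skb));
            if (!skb)
                return ERR_PTR(-ENOMEM);
        }
        if (skb->len >= sizeof(skb->data)) {
            free(skb);
            return ERR_PTR(-EMSGSIZE);
        }
        skb->data[skb->len++] = *buf++;
        count--;
        if (skb->len == 3)
            skb->expect = 3 + skb->data[2];
        if (skb->expect && skb->len == skb->expect)
            break;              /* packet complete; a driver would queue it here */
    }
    return skb;
}

/* Reproduce the reported sequence: a bad byte makes the reassembler return an
 * ERR_PTR, the caller stores it in its rx_skb slot, and a second delivery arrives
 * before the caller's 'rx_skb = NULL' reset has run. Returns the errno of the
 * second call (0 on success); *packet_len receives the length of any completed packet. */
static int stale_errptr_scenario(int guard_stale_err, size_t *packet_len)
{
    static const unsigned char bad[]  = { 0xff };                   /* constructed: unknown type */
    static const unsigned char good[] = { 0x04, 0x0e, 0x01, 0x00 }; /* constructed: event, 1 param byte */
    struct toy_skb *rx_skb = NULL;  /* hu->priv->rx_skb in the real driver */
    int err = 0;

    *packet_len = 0;
    rx_skb = toy_recv_buf(rx_skb, bad, sizeof bad, guard_stale_err);
    if (!IS_ERR(rx_skb))
        return -EINVAL;             /* scenario precondition not met */
    /* second delivery arrives before 'rx_skb = NULL' has run */
    rx_skb = toy_recv_buf(rx_skb, good, sizeof good, guard_stale_err);
    if (IS_ERR(rx_skb)) {
        err = (int)PTR_ERR(rx_skb);
        rx_skb = NULL;              /* the reset that came too late */
    } else if (rx_skb) {
        *packet_len = rx_skb->len;
        free(rx_skb);
    }
    return err;
}

int main(void)
{
    size_t n;
    int err = stale_errptr_scenario(0, &n);
    printf("unguarded: errno %d\n", err);                  /* -EFAULT */
    err = stale_errptr_scenario(1, &n);
    printf("guarded:   errno %d, %zu-byte packet\n", err, n);
    return 0;
}
```

The guarded build completes the four-byte event packet despite the stale error pointer, while the unguarded build reports the fault the real driver would take as an oops. Note that either fix position closes the window: the caller can keep the return value in a local and only store a valid pointer into rx_skb (the applied patch), or the callee can tolerate a leftover ERR_PTR (the follow-up proposal), and the callee-side check covers every caller, including the duplicate loop in h4_recv.h, only if it is applied there too.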
