lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 16 Nov 2021 08:02:50 +0300 From: Pavel Skripkin <paskripkin@...il.com> To: marcel@...tmann.org, johan.hedberg@...il.com, luiz.dentz@...il.com, davem@...emloft.net, kuba@...nel.org Cc: linux-bluetooth@...r.kernel.org, netdev@...r.kernel.org, linux-kernel@...r.kernel.org, syzbot+e3fcb9c4f3c2a931dc40@...kaller.appspotmail.com Subject: Re: [PATCH] Bluetooth: stop proccessing malicious adv data On 11/1/21 10:12, Pavel Skripkin wrote: > Syzbot reported slab-out-of-bounds read in hci_le_adv_report_evt(). The > problem was in missing validaion check. > > We should check if data is not malicious and we can read next data block. > If we won't check ptr validness, code can read a way beyond skb->end and > it can cause problems, of course. > > Fixes: e95beb414168 ("Bluetooth: hci_le_adv_report_evt code refactoring") > Reported-and-tested-by: syzbot+e3fcb9c4f3c2a931dc40@...kaller.appspotmail.com > Signed-off-by: Pavel Skripkin <paskripkin@...il.com> > --- Hi, Bluetooth maintainers! friendly ping :) If anything is wrong with this one, please, let me know With regards, Pavel Skripkin > net/bluetooth/hci_event.c | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) > > diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c > index 0bca035bf2dc..50d1d62c15ec 100644 > --- a/net/bluetooth/hci_event.c > +++ b/net/bluetooth/hci_event.c > @@ -5780,7 +5780,8 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) > struct hci_ev_le_advertising_info *ev = ptr; > s8 rssi; > > - if (ev->length <= HCI_MAX_AD_LENGTH) { > + if (ev->length <= HCI_MAX_AD_LENGTH && > + ev->data + ev->length <= skb_tail_pointer(skb)) { > rssi = ev->data[ev->length]; > process_adv_report(hdev, ev->evt_type, &ev->bdaddr, > ev->bdaddr_type, NULL, 0, rssi, > @@ -5790,6 +5791,11 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) > } > > ptr += sizeof(*ev) + ev->length + 1; > + > + if (ptr > (void *) skb_tail_pointer(skb) - sizeof(*ev)) { > + bt_dev_err(hdev, "Malicious advertising data. Stopping processing"); > + break; > + } > } > > hci_dev_unlock(hdev); >
Powered by blists - more mailing lists