lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 3 Apr 2023 02:35:21 +0000
From:   michenyuan <michenyuan@...wei.com>
To:     Simon Horman <simon.horman@...igine.com>
CC:     "isdn@...ux-pingi.de" <isdn@...ux-pingi.de>,
        "marcel@...tmann.org" <marcel@...tmann.org>,
        "johan.hedberg@...il.com" <johan.hedberg@...il.com>,
        "luiz.dentz@...il.com" <luiz.dentz@...il.com>,
        "davem@...emloft.net" <davem@...emloft.net>,
        "edumazet@...gle.com" <edumazet@...gle.com>,
        "kuba@...nel.org" <kuba@...nel.org>,
        "pabeni@...hat.com" <pabeni@...hat.com>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "linux-bluetooth@...r.kernel.org" <linux-bluetooth@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] cmtp: fix argument error

Thank you for your suggestion.

This bug may not cause serious security problem. Function 'bt_sock_unregister' takes its parameter as an index and nulls the corresponding element of 'bt_proto' which is an array of pointers. When 'bt_proto' dereferences each element, it would check whether the element is empty or not. Therefore, the problem of null pointer deference does not occur.

This bug is observed by manually code review.

----------

On Fri, Mar 31, 2023 at 02:45:20PM +0800, Chenyuan Mi wrote:
> Fix this issue by using BTPROTO_CMTP as argument instead of BTPROTO_HIDP.

Thanks for your patch. Some things you may want to consider:

* I think it would be good to describe what the effect of this problem is,
  if it can be observed. And if not, say so. I think it would
  also be useful to state how the problem was found. F.e. using a tool, or
  by inspection.

* As this is described as a fix, it should probably have a fixes tag.
  I think it would be:

Fixes: 8c8de589cedd ("Bluetooth: Added /proc/net/cmtp via bt_procfs_init()")
> Signed-off-by: Chenyuan Mi <michenyuan@...wei.com>
> ---
>  net/bluetooth/cmtp/sock.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Code change looks good.

> diff --git a/net/bluetooth/cmtp/sock.c b/net/bluetooth/cmtp/sock.c 
> index 96d49d9fae96..cf4370055ce2 100644
> --- a/net/bluetooth/cmtp/sock.c
> +++ b/net/bluetooth/cmtp/sock.c
> @@ -250,7 +250,7 @@ int cmtp_init_sockets(void)
>  	err = bt_procfs_init(&init_net, "cmtp", &cmtp_sk_list, NULL);
>  	if (err < 0) {
>  		BT_ERR("Failed to create CMTP proc file");
> -		bt_sock_unregister(BTPROTO_HIDP);
> +		bt_sock_unregister(BTPROTO_CMTP);
>  		goto error;
>  	}
>  
> --
> 2.25.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ