| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 3 Apr 2023 17:54:30 +0530
From: Neeraj Sanjay Kale <neeraj.sanjaykale@....com>
To: marcel@...tmann.org, johan.hedberg@...il.com, luiz.dentz@...il.com
Cc: linux-kernel@...r.kernel.org, linux-bluetooth@...r.kernel.org,
amitkumar.karwar@....com, rohit.fule@....com, sherry.sun@....com,
neeraj.sanjaykale@....com
Subject: [PATCH v1] Bluetooth: btnxpuart: No need to check the received bootloader signature
We can never assume the uart will deliver a complete packet to the BT
layer at once, the expected packet may be divided into several parts by
uart as uart doesn't know the received packet size, the received data
count may mismatch with the expected packet size, so here
is_valid_bootloader_signature() check may always return false.
Even we remove the count check in is_valid_bootloader_signature(), then
the first part of the data which includes the packet type can pass the
is_valid_bootloader_signature() check, but the remaining parts don't
have the packet type data still cannot pass the check, here return
directly will cause the data loss.
So need to remove the received bootloader signature check here, the
h4_recv_buf() can help us combine the different data received into one
packet. If any out-of-sync or incomplete bootloader signature is received,
it is safe to ignore and discard it, and process the next bootloader
signature.
Co-developed-by: Sherry Sun <sherry.sun@....com>
Signed-off-by: Sherry Sun <sherry.sun@....com>
Signed-off-by: Neeraj Sanjay Kale <neeraj.sanjaykale@....com>
---
drivers/bluetooth/btnxpuart.c | 19 +++----------------
1 file changed, 3 insertions(+), 16 deletions(-)
diff --git a/drivers/bluetooth/btnxpuart.c b/drivers/bluetooth/btnxpuart.c
index 5f641466d695..7c22c1ac087a 100644
--- a/drivers/bluetooth/btnxpuart.c
+++ b/drivers/bluetooth/btnxpuart.c
@@ -1147,33 +1147,20 @@ static const struct h4_recv_pkt nxp_recv_pkts[] = {
{ NXP_RECV_FW_REQ_V3, .recv = nxp_recv_fw_req_v3 },
};
-static bool is_valid_bootloader_signature(const u8 *data, size_t count)
-{
- if ((*data == NXP_V1_FW_REQ_PKT && count == sizeof(struct v1_data_req) + 1) ||
- (*data == NXP_V3_FW_REQ_PKT && count == sizeof(struct v3_data_req) + 1) ||
- (*data == NXP_V3_CHIP_VER_PKT && count == sizeof(struct v3_start_ind) + 1))
- return true;
- else
- return false;
-}
-
static int btnxpuart_receive_buf(struct serdev_device *serdev, const u8 *data,
size_t count)
{
struct btnxpuart_dev *nxpdev = serdev_device_get_drvdata(serdev);
- if (is_fw_downloading(nxpdev) && !is_valid_bootloader_signature(data, count)) {
- /* Unknown bootloader signature, skip without returning error */
- return count;
- }
-
ps_start_timer(nxpdev);
nxpdev->rx_skb = h4_recv_buf(nxpdev->hdev, nxpdev->rx_skb, data, count,
nxp_recv_pkts, ARRAY_SIZE(nxp_recv_pkts));
if (IS_ERR(nxpdev->rx_skb)) {
int err = PTR_ERR(nxpdev->rx_skb);
-
+ /* Safe to ignore out-of-sync bootloader signatures */
+ if (is_fw_downloading(nxpdev))
+ return count;
bt_dev_err(nxpdev->hdev, "Frame reassembly failed (%d)", err);
nxpdev->rx_skb = NULL;
return err;
--
2.34.1
Powered by blists - more mailing lists