lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CAMqyJG2Cqc2M1RsW4DUduVgKCiOm1s=3FrO4e=58Q=wd87oVuQ@mail.gmail.com>
Date: Mon, 16 Dec 2024 10:02:44 +0800
From: En-Wei WU <en-wei.wu@...onical.com>
To: marcel@...tmann.org, luiz.dentz@...il.com, linux-bluetooth@...r.kernel.org, 
	linux-kernel@...r.kernel.org, pmenzel@...gen.mpg.de
Cc: quic_tjiang@...cinc.com, kuan-ying.lee@...onical.com, 
	anthony.wong@...onical.com
Subject: Re: [PATCH v3 2/2] Bluetooth: btusb: Improve SKB safety in QCA dump
 packet handling

Hi,

Sorry for bothering. May I kindly ask if there is any progress?

Thanks. Regards.
En-Wei.

On Thu, 5 Dec 2024 at 15:17, En-Wei Wu <en-wei.wu@...onical.com> wrote:
>
> Replace direct buffer access and manual pointer arithmetic in QCA dump
> packet handling with safer skb_pull_data() calls. This ensures proper
> bounds checking when accessing packet headers and adds proper restoration
> of SKB data pointer and length on error paths.
>
> The changes include:
> - Replacing manual pointer arithmetic with skb_pull_data() for
>   safer packet header access
> - Adding SKB state restoration in error paths
>
> This prevents potential buffer overflows and ensures SKB state remains
> consistent even when packet validation fails.
>
> Signed-off-by: En-Wei Wu <en-wei.wu@...onical.com>
> ---
>  drivers/bluetooth/btusb.c | 95 +++++++++++++++++----------------------
>  1 file changed, 41 insertions(+), 54 deletions(-)
>
> diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
> index 2bfb915062cf..cbeb1cec790a 100644
> --- a/drivers/bluetooth/btusb.c
> +++ b/drivers/bluetooth/btusb.c
> @@ -2935,8 +2935,6 @@ static int handle_dump_pkt_qca(struct hci_dev *hdev, struct sk_buff *skb)
>  {
>         int ret = 0;
>         u8 pkt_type;
> -       u8 *sk_ptr;
> -       unsigned int sk_len;
>         u16 seqno;
>         u32 dump_size;
>
> @@ -2945,18 +2943,8 @@ static int handle_dump_pkt_qca(struct hci_dev *hdev, struct sk_buff *skb)
>         struct usb_device *udev = btdata->udev;
>
>         pkt_type = hci_skb_pkt_type(skb);
> -       sk_ptr = skb->data;
> -       sk_len = skb->len;
> +       dump_hdr = (struct qca_dump_hdr *)skb->data;
>
> -       if (pkt_type == HCI_ACLDATA_PKT) {
> -               sk_ptr += HCI_ACL_HDR_SIZE;
> -               sk_len -= HCI_ACL_HDR_SIZE;
> -       }
> -
> -       sk_ptr += HCI_EVENT_HDR_SIZE;
> -       sk_len -= HCI_EVENT_HDR_SIZE;
> -
> -       dump_hdr = (struct qca_dump_hdr *)sk_ptr;
>         seqno = le16_to_cpu(dump_hdr->seqno);
>         if (seqno == 0) {
>                 set_bit(BTUSB_HW_SSR_ACTIVE, &btdata->flags);
> @@ -2976,16 +2964,15 @@ static int handle_dump_pkt_qca(struct hci_dev *hdev, struct sk_buff *skb)
>
>                 btdata->qca_dump.ram_dump_size = dump_size;
>                 btdata->qca_dump.ram_dump_seqno = 0;
> -               sk_ptr += offsetof(struct qca_dump_hdr, data0);
> -               sk_len -= offsetof(struct qca_dump_hdr, data0);
> +
> +               skb_pull(skb, offsetof(struct qca_dump_hdr, data0));
>
>                 usb_disable_autosuspend(udev);
>                 bt_dev_info(hdev, "%s memdump size(%u)\n",
>                             (pkt_type == HCI_ACLDATA_PKT) ? "ACL" : "event",
>                             dump_size);
>         } else {
> -               sk_ptr += offsetof(struct qca_dump_hdr, data);
> -               sk_len -= offsetof(struct qca_dump_hdr, data);
> +               skb_pull(skb, offsetof(struct qca_dump_hdr, data));
>         }
>
>         if (!btdata->qca_dump.ram_dump_size) {
> @@ -3005,7 +2992,6 @@ static int handle_dump_pkt_qca(struct hci_dev *hdev, struct sk_buff *skb)
>                 return ret;
>         }
>
> -       skb_pull(skb, skb->len - sk_len);
>         hci_devcd_append(hdev, skb);
>         btdata->qca_dump.ram_dump_seqno++;
>         if (seqno == QCA_LAST_SEQUENCE_NUM) {
> @@ -3036,61 +3022,62 @@ static bool btqca_acl_pkt_is_dump(struct hci_dev *hdev, struct sk_buff *skb)
>         struct hci_event_hdr *event_hdr;
>         struct hci_acl_hdr *acl_hdr;
>         struct qca_dump_hdr *dump_hdr;
> +       void *orig_data;
> +       unsigned int orig_len;
>
> -       sk_ptr = skb->data;
> -       sk_len = skb->len;
> +       orig_data = skb->data;
> +       orig_len = skb->len;
>
> -       acl_hdr = hci_acl_hdr(skb);
> -       if (le16_to_cpu(acl_hdr->handle) != QCA_MEMDUMP_ACL_HANDLE)
> -               return false;
> -       sk_ptr += HCI_ACL_HDR_SIZE;
> -       sk_len -= HCI_ACL_HDR_SIZE;
> -       event_hdr = (struct hci_event_hdr *)sk_ptr;
> -
> -       if ((event_hdr->evt != HCI_VENDOR_PKT)
> -               || (event_hdr->plen != (sk_len - HCI_EVENT_HDR_SIZE)))
> -               return false;
> +       acl_hdr = skb_pull_data(skb, sizeof(*acl_hdr));
> +       if (!acl_hdr || (le16_to_cpu(acl_hdr->handle) != QCA_MEMDUMP_ACL_HANDLE))
> +               goto restore_return;
>
> -       sk_ptr += HCI_EVENT_HDR_SIZE;
> -       sk_len -= HCI_EVENT_HDR_SIZE;
> +       event_hdr = skb_pull_data(skb, sizeof(*event_hdr));
> +       if (!event_hdr || (event_hdr->evt != HCI_VENDOR_PKT))
> +               goto restore_return;
>
> -       dump_hdr = (struct qca_dump_hdr *)sk_ptr;
> -       if ((sk_len < offsetof(struct qca_dump_hdr, data))
> -               || (dump_hdr->vse_class != QCA_MEMDUMP_VSE_CLASS)
> -           || (dump_hdr->msg_type != QCA_MEMDUMP_MSG_TYPE))
> -               return false;
> +       dump_hdr = (struct qca_dump_hdr *)skb->data;
> +       if ((skb->len < sizeof(*dump_hdr)) ||
> +          (dump_hdr->vse_class != QCA_MEMDUMP_VSE_CLASS) ||
> +          (dump_hdr->msg_type != QCA_MEMDUMP_MSG_TYPE))
> +               goto restore_return;
>
>         return true;
> +
> +restore_return:
> +       skb->data = orig_data;
> +       skb->len = orig_len;
> +       return false;
>  }
>
>  /* Return: true if the event packet is a dump packet, false otherwise. */
>  static bool btqca_event_pkt_is_dump(struct hci_dev *hdev, struct sk_buff *skb)
>  {
> -       u8 *sk_ptr;
> -       unsigned int sk_len;
> -
>         struct hci_event_hdr *event_hdr;
>         struct qca_dump_hdr *dump_hdr;
> +       void *orig_data;
> +       unsigned int orig_len;
>
> -       sk_ptr = skb->data;
> -       sk_len = skb->len;
> +       orig_data = skb->data;
> +       orig_len = skb->len;
>
> -       event_hdr = hci_event_hdr(skb);
> +       event_hdr = skb_pull_data(skb, sizeof(*event_hdr));
> +       if (!event_hdr || (event_hdr->evt != HCI_VENDOR_PKT))
> +               goto restore_return;
>
> -       if ((event_hdr->evt != HCI_VENDOR_PKT)
> -               || (event_hdr->plen != (sk_len - HCI_EVENT_HDR_SIZE)))
> -               return false;
> +       dump_hdr = (struct qca_dump_hdr *)skb->data;
> +       if ((skb->len < sizeof(*dump_hdr)) ||
> +          (dump_hdr->vse_class != QCA_MEMDUMP_VSE_CLASS) ||
> +          (dump_hdr->msg_type != QCA_MEMDUMP_MSG_TYPE))
> +               goto restore_return;
>
> -       sk_ptr += HCI_EVENT_HDR_SIZE;
> -       sk_len -= HCI_EVENT_HDR_SIZE;
> +       return true;
>
> -       dump_hdr = (struct qca_dump_hdr *)sk_ptr;
> -       if ((sk_len < offsetof(struct qca_dump_hdr, data))
> -               || (dump_hdr->vse_class != QCA_MEMDUMP_VSE_CLASS)
> -           || (dump_hdr->msg_type != QCA_MEMDUMP_MSG_TYPE))
> -               return false;
> +restore_return:
> +       skb->data = orig_data;
> +       skb->len = orig_len;
> +       return false;
>
> -       return true;
>  }
>
>  static int btusb_recv_acl_qca(struct hci_dev *hdev, struct sk_buff *skb)
> --
> 2.43.0
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ