lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250421130038.34998-1-en-wei.wu@canonical.com>
Date: Mon, 21 Apr 2025 21:00:36 +0800
From: En-Wei Wu <en-wei.wu@...onical.com>
To: marcel@...tmann.org,
	luiz.dentz@...il.com,
	linux-bluetooth@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	pmenzel@...gen.mpg.de
Cc: quic_tjiang@...cinc.com,
	chia-lin.kao@...onical.com,
	anthony.wong@...onical.com
Subject: [PATCH v4 0/2] btusb: fix NULL pointer dereference in QCA devcoredump handling

This patch series fixes a NULL pointer dereference in skb_dequeue()
during QCA devcoredump handling, and adds some safety checks to make the
parsing more robust.

The first patch fixes the logic bug where dump packets were mistakenly
passed to hci_recv_frame() and freed prematurely. This was caused by
handle_dump_pkt_qca() returning 0 even when the dump was successfully
handled. It also refactors dump packet detection into separate helpers
for ACL and event packets.

The second patch adds bounds checks and replaces direct pointer access
with skb_pull() and skb_pull_data() to avoid accessing invalid memory
on malformed packets.

Tested on WCN7851 (0489:e0f3) with devcoredump enabled. Crash no
longer occurs and dumps are processed correctly.
  
Changes in v4:
- Fix unused variable error in the first patch
- Refine commit messages

Changes in v3:
- Use skb_pull_data() for safe packet header access
- Split dump packet detection into separate ACL and event helpers

Changes in v2:
- Fixed typo in the title
- Re-flowed commit message line to fit 72 characters
- Added blank line before btusb_recv_acl_qca()

En-Wei Wu (2):
  Bluetooth: btusb: avoid NULL pointer dereference in skb_dequeue()
  Bluetooth: btusb: use skb_pull to avoid unsafe access in QCA dump
    handling

 drivers/bluetooth/btusb.c | 120 +++++++++++++++++++++++---------------
 1 file changed, 74 insertions(+), 46 deletions(-)

-- 
2.43.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ