lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CABBYNZLXd3EzMhf41wJg93jNp7DWQK7oHOnHGv_ThZJ7yMXTGw@mail.gmail.com>
Date: Mon, 21 Apr 2025 15:17:45 -0400
From: Luiz Augusto von Dentz <luiz.dentz@...il.com>
To: En-Wei Wu <en-wei.wu@...onical.com>
Cc: marcel@...tmann.org, linux-bluetooth@...r.kernel.org, 
	linux-kernel@...r.kernel.org, pmenzel@...gen.mpg.de, quic_tjiang@...cinc.com, 
	chia-lin.kao@...onical.com, anthony.wong@...onical.com
Subject: Re: [PATCH v4 0/2] btusb: fix NULL pointer dereference in QCA
 devcoredump handling

Hi En-Wei,

On Mon, Apr 21, 2025 at 9:00 AM En-Wei Wu <en-wei.wu@...onical.com> wrote:
>
> This patch series fixes a NULL pointer dereference in skb_dequeue()
> during QCA devcoredump handling, and adds some safety checks to make the
> parsing more robust.

While at it, please move this logic to qca specific file, there is no
reason for this logic to remain inside btusb.c

> The first patch fixes the logic bug where dump packets were mistakenly
> passed to hci_recv_frame() and freed prematurely. This was caused by
> handle_dump_pkt_qca() returning 0 even when the dump was successfully
> handled. It also refactors dump packet detection into separate helpers
> for ACL and event packets.
>
> The second patch adds bounds checks and replaces direct pointer access
> with skb_pull() and skb_pull_data() to avoid accessing invalid memory
> on malformed packets.
>
> Tested on WCN7851 (0489:e0f3) with devcoredump enabled. Crash no
> longer occurs and dumps are processed correctly.
>
> Changes in v4:
> - Fix unused variable error in the first patch
> - Refine commit messages
>
> Changes in v3:
> - Use skb_pull_data() for safe packet header access
> - Split dump packet detection into separate ACL and event helpers
>
> Changes in v2:
> - Fixed typo in the title
> - Re-flowed commit message line to fit 72 characters
> - Added blank line before btusb_recv_acl_qca()
>
> En-Wei Wu (2):
>   Bluetooth: btusb: avoid NULL pointer dereference in skb_dequeue()
>   Bluetooth: btusb: use skb_pull to avoid unsafe access in QCA dump
>     handling
>
>  drivers/bluetooth/btusb.c | 120 +++++++++++++++++++++++---------------
>  1 file changed, 74 insertions(+), 46 deletions(-)
>
> --
> 2.43.0
>


-- 
Luiz Augusto von Dentz

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ