lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <055645D1-A6AC-4ED6-8A44-37F787A9EC5A@holtmann.org>
Date:   Fri, 18 Jan 2019 13:08:33 +0100
From:   Marcel Holtmann <marcel@...tmann.org>
To:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc:     Johan Hedberg <johan.hedberg@...il.com>,
        linux-bluetooth@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [PATCH 1/2] Bluetooth: check message types in l2cap_get_conf_opt

Hi Greg,

>>>> l2cap_get_conf_opt can handle a "default" message type, but it needs to
>>>> be verified that it really is the correct type (CONF_EFS or CONF_RFC)
>>>> before passing it back to the caller.  To do this we need to check the
>>>> return value of this call now and handle the error correctly up the
>>>> stack.
>>>> 
>>>> Based on a patch from Ran Menscher.
>>>> 
>>>> Reported-by: Ran Menscher <ran.menscher@...ambasecurity.com>
>>>> Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
>>>> ---
>>>> net/bluetooth/l2cap_core.c | 25 +++++++++++++++++++------
>>>> 1 file changed, 19 insertions(+), 6 deletions(-)
>>>> 
>>>> diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
>>>> index 2a7fb517d460..93daf94565cf 100644
>>>> --- a/net/bluetooth/l2cap_core.c
>>>> +++ b/net/bluetooth/l2cap_core.c
>>>> @@ -2980,6 +2980,10 @@ static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
>>>> 		break;
>>>> 
>>>> 	default:
>>>> +		/* Only CONF_EFS and CONF_RFC are allowed here */
>>>> +		if ((opt->type != L2CAP_CONF_EFS) &&
>>>> +		    (opt->type != L2CAP_CONF_RFC))
>>>> +			return -EPROTO;
>>> 
>>> after re-reading that specification, this also includes CONF_QOS since that is a multi-field variable as well. Even if we currently don’t act on that field, we need to accept it being send.
>> 
>> /me hands you some \n characters...
>> 
>> Ok, will fix up.
>> 
>>>> 		*val = (unsigned long) opt->val;
>>>> 		break;
>>>> 	}
>>>> @@ -3324,7 +3328,7 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data
>>>> 	void *endptr = data + data_size;
>>>> 	void *req = chan->conf_req;
>>>> 	int len = chan->conf_len;
>>>> -	int type, hint, olen;
>>>> +	int type, hint, olen, err;
>>>> 	unsigned long val;
>>>> 	struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
>>>> 	struct l2cap_conf_efs efs;
>>>> @@ -3336,7 +3340,10 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data
>>>> 	BT_DBG("chan %p", chan);
>>>> 
>>>> 	while (len >= L2CAP_CONF_OPT_SIZE) {
>>>> -		len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
>>>> +		err = l2cap_get_conf_opt(&req, &type, &olen, &val);
>>>> +		if (err < 0)
>>>> +			return err;
>>>> +		len -= err;
>>> 
>>> We need to handle not yet known options correctly since otherwise we are breaking forwards compatibility if newer specifications introduce new parameters. So just returning with an error here is not acceptable. It will fail qualification test cases.
>> 
>> So what should we do here?  We can't keep going as the size is
>> incorrect.
>> 
>>> Don’t we rather have proper length checks in l2cap_parse_conf_{req,rsp} instead of doing this. I think your second patch is enough.
>> 
>> It is?  Ok, if that's all that is needed, that's fine with me.  I was
>> just taking the patch from the original submitter, I don't understand
>> the bluetooth protocol at all :)
> 
> I need to get my brain back into the nasty details of that protocol. I know for sure that just aborting is violating the handling of unknown options and that will fail qualification.
> 
> Let me look at how they managed to trick us.

actually this one was easy to understand. Just fixing was overly complicated by focusing on the default case and then punching in exceptions.

Since all option types are fixed size, I now added length checks to these. Patch has been posted.

Regards

Marcel

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ