lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <0b49ec72-b8a6-8631-e21d-9efd30354e1d@gmail.com>
Date:   Sun, 3 Mar 2019 00:17:55 +0100
From:   Tomas Bortoli <tomasbortoli@...il.com>
To:     Marcel Holtmann <marcel@...tmann.org>
Cc:     Johan Hedberg <johan.hedberg@...il.com>,
        "David S. Miller" <davem@...emloft.net>,
        "open list:BLUETOOTH DRIVERS" <linux-bluetooth@...r.kernel.org>,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
        syzkaller@...glegroups.com
Subject: Re: [PATCH] net/bluetooth: Fix bound check in event handling

Hi Marcel,

On 3/2/19 5:46 PM, Marcel Holtmann wrote:
> Hi Tomas,
> 
>> hci_inquiry_result_with_rssi_evt() can perform out of bound reads
>> on skb->data as a bound check is missing.
>>
>> Signed-off-by: Tomas Bortoli <tomasbortoli@...il.com>
>> Reported-by: syzbot+cec7a50c412a2c03f8f5@...kaller.appspotmail.com
>> Reported-by: syzbot+660883c56e2fa65d4497@...kaller.appspotmail.com
>> ---
>> Syzkaler reports:
>> https://syzkaller.appspot.com/bug?id=d708485af9edc3af35f3b4d554e827c6c8bf6b0f
>> https://syzkaller.appspot.com/bug?id=3acd1155d48a5acc5d76711568b04926945a6885
>>
>> net/bluetooth/hci_event.c | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>> diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
>> index ac2826ce162b..aa953d23bb72 100644
>> --- a/net/bluetooth/hci_event.c
>> +++ b/net/bluetooth/hci_event.c
>> @@ -3983,6 +3983,10 @@ static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,
>> 		for (; num_rsp; num_rsp--, info++) {
>> 			u32 flags;
>>
>> +			if ((void *)(info + sizeof(info)) >
>> +			   (void *)(skb->data + skb->len))
>> +				break;
>> +
> 
> first of all, the loop exists twice here. If one is vulnerable, then the second is a well. And second, can we not just do this inside the for-condition check or a lot simpler than this void casting fun.
> 

1. The other for loop is not vulnerable because of the `if` that wraps
the loops. Unfortunately the condition only provides bound checking for
the "else" branch.

2. Sure. I was just getting some compiler warning like "calculated value
but unused" when putting the additional condition. By the way I am
curious to see how to avoid this void casting.

Regards,
Tomas

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ