lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sun, 3 Mar 2019 00:17:55 +0100 From: Tomas Bortoli <tomasbortoli@...il.com> To: Marcel Holtmann <marcel@...tmann.org> Cc: Johan Hedberg <johan.hedberg@...il.com>, "David S. Miller" <davem@...emloft.net>, "open list:BLUETOOTH DRIVERS" <linux-bluetooth@...r.kernel.org>, netdev@...r.kernel.org, linux-kernel@...r.kernel.org, syzkaller@...glegroups.com Subject: Re: [PATCH] net/bluetooth: Fix bound check in event handling Hi Marcel, On 3/2/19 5:46 PM, Marcel Holtmann wrote: > Hi Tomas, > >> hci_inquiry_result_with_rssi_evt() can perform out of bound reads >> on skb->data as a bound check is missing. >> >> Signed-off-by: Tomas Bortoli <tomasbortoli@...il.com> >> Reported-by: syzbot+cec7a50c412a2c03f8f5@...kaller.appspotmail.com >> Reported-by: syzbot+660883c56e2fa65d4497@...kaller.appspotmail.com >> --- >> Syzkaler reports: >> https://syzkaller.appspot.com/bug?id=d708485af9edc3af35f3b4d554e827c6c8bf6b0f >> https://syzkaller.appspot.com/bug?id=3acd1155d48a5acc5d76711568b04926945a6885 >> >> net/bluetooth/hci_event.c | 4 ++++ >> 1 file changed, 4 insertions(+) >> >> diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c >> index ac2826ce162b..aa953d23bb72 100644 >> --- a/net/bluetooth/hci_event.c >> +++ b/net/bluetooth/hci_event.c >> @@ -3983,6 +3983,10 @@ static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, >> for (; num_rsp; num_rsp--, info++) { >> u32 flags; >> >> + if ((void *)(info + sizeof(info)) > >> + (void *)(skb->data + skb->len)) >> + break; >> + > > first of all, the loop exists twice here. If one is vulnerable, then the second is a well. And second, can we not just do this inside the for-condition check or a lot simpler than this void casting fun. > 1. The other for loop is not vulnerable because of the `if` that wraps the loops. Unfortunately the condition only provides bound checking for the "else" branch. 2. Sure. I was just getting some compiler warning like "calculated value but unused" when putting the additional condition. By the way I am curious to see how to avoid this void casting. Regards, Tomas
Powered by blists - more mailing lists