| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAM_iQpVyFCAa8rbCJY-PNgY9XwBRjV4N2WAwtV1d4z=UG0afCg@mail.gmail.com>
Date: Tue, 23 Apr 2019 18:36:39 -0700
From: Cong Wang <xiyou.wangcong@...il.com>
To: Marcel Holtmann <marcel@...tmann.org>
Cc: Linux Kernel Network Developers <netdev@...r.kernel.org>,
linux-bluetooth <linux-bluetooth@...r.kernel.org>,
syzbot <syzbot+cec7a50c412a2c03f8f5@...kaller.appspotmail.com>,
syzbot <syzbot+660883c56e2fa65d4497@...kaller.appspotmail.com>,
Johan Hedberg <johan.hedberg@...il.com>,
Dan Carpenter <dan.carpenter@...cle.com>,
Tomas Bortoli <tomasbortoli@...il.com>
Subject: Re: [Patch net v2 1/3] bluetooth: validate HCI_EVENT_PKT packet carefully
On Tue, Apr 23, 2019 at 12:42 PM Marcel Holtmann <marcel@...tmann.org> wrote:
>
> Hi Cong,
>
> > hci_event_packet() blindly assumes all packets are sane, at least
> > for packets allocated via vhci_get_user() path this is not true.
> > We have to check if we access skb data out-of-bound with
> > pskb_may_pull() before each skb->data dereference on RX path.
> >
> > Reported-and-tested-by: syzbot+cec7a50c412a2c03f8f5@...kaller.appspotmail.com
> > Reported-and-tested-by: syzbot+660883c56e2fa65d4497@...kaller.appspotmail.com
> > Cc: Marcel Holtmann <marcel@...tmann.org>
> > Cc: Johan Hedberg <johan.hedberg@...il.com>
> > Cc: Dan Carpenter <dan.carpenter@...cle.com>
> > Reviewed-by: Tomas Bortoli <tomasbortoli@...il.com>
> > Signed-off-by: Cong Wang <xiyou.wangcong@...il.com>
> > ---
> > net/bluetooth/hci_event.c | 262 +++++++++++++++++++++++++++++++-------
> > 1 file changed, 218 insertions(+), 44 deletions(-)
> >
> > diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> > index 609fd6871c5a..2fef70c0bffe 100644
> > --- a/net/bluetooth/hci_event.c
> > +++ b/net/bluetooth/hci_event.c
> > @@ -2331,10 +2331,13 @@ static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
> >
> > static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
> > {
> > - __u8 status = *((__u8 *) skb->data);
> > struct discovery_state *discov = &hdev->discovery;
> > struct inquiry_entry *e;
> > + __u8 status;
> >
> > + if (unlikely(!pskb_may_pull(skb, 1)))
> > + return;
> > + status = *((__u8 *)skb->data);
> > BT_DBG("%s status 0x%2.2x", hdev->name, status);
> >
> > hci_conn_check_pending(hdev);
> > @@ -2391,14 +2394,21 @@ static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
> > static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
> > {
> > struct inquiry_data data;
> > - struct inquiry_info *info = (void *) (skb->data + 1);
> > - int num_rsp = *((__u8 *) skb->data);
> > + struct inquiry_info *info;
> > + int num_rsp;
> >
> > BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
> >
> > + if (unlikely(!pskb_may_pull(skb, 1)))
> > + return;
> > + num_rsp = *((__u8 *)skb->data);
> > if (!num_rsp)
> > return;
> >
> > + if (unlikely(!pskb_may_pull(skb, 1 + num_rsp * sizeof(*info))))
> > + return;
> > + info = (void *)(skb->data + 1);
> > +
> > if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
> > return;
>
> this really looks like we better create a macro for this. It is repetitive code that can be turned into just a macro usage.
Hmm, I have no idea on how to make a macro for this, any hints?
By the way, we use the similar pattern in networking code, I am not
aware of any macro there.
Thanks.
Powered by blists - more mailing lists