| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 3 Apr 2023 11:56:50 +0200
From: Simon Horman <simon.horman@...igine.com>
To: michenyuan <michenyuan@...wei.com>
Cc: "isdn@...ux-pingi.de" <isdn@...ux-pingi.de>,
"marcel@...tmann.org" <marcel@...tmann.org>,
"johan.hedberg@...il.com" <johan.hedberg@...il.com>,
"luiz.dentz@...il.com" <luiz.dentz@...il.com>,
"davem@...emloft.net" <davem@...emloft.net>,
"edumazet@...gle.com" <edumazet@...gle.com>,
"kuba@...nel.org" <kuba@...nel.org>,
"pabeni@...hat.com" <pabeni@...hat.com>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"linux-bluetooth@...r.kernel.org" <linux-bluetooth@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] cmtp: fix argument error
On Mon, Apr 03, 2023 at 02:35:21AM +0000, michenyuan wrote:
> Thank you for your suggestion.
>
> This bug may not cause serious security problem. Function 'bt_sock_unregister' takes its parameter as an index and nulls the corresponding element of 'bt_proto' which is an array of pointers. When 'bt_proto' dereferences each element, it would check whether the element is empty or not. Therefore, the problem of null pointer deference does not occur.
>
> This bug is observed by manually code review.
Thanks, could I suggest that you post a v2 that looks a bit like this:
Subject: Re: [PATCH v2 net-next] bluetooth: unregister correct BTPROTO for CMTP
On error unregister BTPROTO_CMTP to match the registration earlier
in the same code-path. Without this change BTPROTO_HIDP is incorrectly
unregistered.
This bug does not appear to cause serious security problem.
The function 'bt_sock_unregister' takes its parameter as an index and NULLs
the corresponding element of 'bt_proto' which is an array of pointers. When
'bt_proto' dereferences each element, it would check whether the element is
empty or not. Therefore, the problem of null pointer deference does not
occur.
Found by inspection.
Fixes: 8c8de589cedd ("Bluetooth: Added /proc/net/cmtp via bt_procfs_init()")
Signed-off-by: ...
...
> > ---
> > net/bluetooth/cmtp/sock.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
>
> Code change looks good.
>
> > diff --git a/net/bluetooth/cmtp/sock.c b/net/bluetooth/cmtp/sock.c
> > index 96d49d9fae96..cf4370055ce2 100644
> > --- a/net/bluetooth/cmtp/sock.c
> > +++ b/net/bluetooth/cmtp/sock.c
> > @@ -250,7 +250,7 @@ int cmtp_init_sockets(void)
> > err = bt_procfs_init(&init_net, "cmtp", &cmtp_sk_list, NULL);
> > if (err < 0) {
> > BT_ERR("Failed to create CMTP proc file");
> > - bt_sock_unregister(BTPROTO_HIDP);
> > + bt_sock_unregister(BTPROTO_CMTP);
> > goto error;
> > }
> >
> > --
> > 2.25.1
Powered by blists - more mailing lists