* [PATCH v1 1/4] Bluetooth: hci_core: Fix possible buffer overflow
@ 2024-02-28 17:18 Luiz Augusto von Dentz
2024-02-28 17:18 ` [PATCH v1 2/4] Bluetooth: msft: Fix memory leak Luiz Augusto von Dentz
` (4 more replies)
0 siblings, 5 replies; 6+ messages in thread
From: Luiz Augusto von Dentz @ 2024-02-28 17:18 UTC (permalink / raw
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
struct hci_dev_info has a fixed size name[8] field so in the event that
hdev->name is bigger than that strcpy would attempt to write past its
size, so this fixes this problem by switching to use strscpy.
Fixes: dcda165706b9 ("Bluetooth: hci_core: Fix build warnings")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
net/bluetooth/hci_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 2821a42cefdc..3715d2f3616f 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -908,7 +908,7 @@ int hci_get_dev_info(void __user *arg)
else
flags = hdev->flags;
- strcpy(di.name, hdev->name);
+ strscpy(di.name, hdev->name, sizeof(di.name));
di.bdaddr = hdev->bdaddr;
di.type = (hdev->bus & 0x0f) | ((hdev->dev_type & 0x03) << 4);
di.flags = flags;
--
2.43.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH v1 2/4] Bluetooth: msft: Fix memory leak
2024-02-28 17:18 [PATCH v1 1/4] Bluetooth: hci_core: Fix possible buffer overflow Luiz Augusto von Dentz
@ 2024-02-28 17:18 ` Luiz Augusto von Dentz
2024-02-28 17:18 ` [PATCH v1 3/4] Bluetooth: btusb: " Luiz Augusto von Dentz
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Luiz Augusto von Dentz @ 2024-02-28 17:18 UTC (permalink / raw
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Fix leaking buffer allocated to send MSFT_OP_LE_MONITOR_ADVERTISEMENT.
Fixes: 9e14606d8f38 ("Bluetooth: msft: Extended monitor tracking by address filter")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
net/bluetooth/msft.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/bluetooth/msft.c b/net/bluetooth/msft.c
index 630e3023273b..9612c5d1b13f 100644
--- a/net/bluetooth/msft.c
+++ b/net/bluetooth/msft.c
@@ -875,6 +875,7 @@ static int msft_add_address_filter_sync(struct hci_dev *hdev, void *data)
remove = true;
goto done;
}
+
cp->sub_opcode = MSFT_OP_LE_MONITOR_ADVERTISEMENT;
cp->rssi_high = address_filter->rssi_high;
cp->rssi_low = address_filter->rssi_low;
@@ -887,6 +888,8 @@ static int msft_add_address_filter_sync(struct hci_dev *hdev, void *data)
skb = __hci_cmd_sync(hdev, hdev->msft_opcode, size, cp,
HCI_CMD_TIMEOUT);
+ kfree(cp);
+
if (IS_ERR(skb)) {
bt_dev_err(hdev, "Failed to enable address %pMR filter",
&address_filter->bdaddr);
--
2.43.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH v1 3/4] Bluetooth: btusb: Fix memory leak
2024-02-28 17:18 [PATCH v1 1/4] Bluetooth: hci_core: Fix possible buffer overflow Luiz Augusto von Dentz
2024-02-28 17:18 ` [PATCH v1 2/4] Bluetooth: msft: Fix memory leak Luiz Augusto von Dentz
@ 2024-02-28 17:18 ` Luiz Augusto von Dentz
2024-02-28 17:18 ` [PATCH v1 4/4] Bluetooth: bnep: Fix out-of-bound access Luiz Augusto von Dentz
` (2 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Luiz Augusto von Dentz @ 2024-02-28 17:18 UTC (permalink / raw
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
This checks if CONFIG_DEV_COREDUMP is enabled before attempting to clone
the skb and also make sure btmtk_process_coredump frees the skb passed
following the same logic.
Fixes: 0b7015132878 ("Bluetooth: btusb: mediatek: add MediaTek devcoredump support")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
drivers/bluetooth/btmtk.c | 4 +++-
drivers/bluetooth/btusb.c | 10 ++++++----
2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c
index aaabb732082c..285418dbb43f 100644
--- a/drivers/bluetooth/btmtk.c
+++ b/drivers/bluetooth/btmtk.c
@@ -372,8 +372,10 @@ int btmtk_process_coredump(struct hci_dev *hdev, struct sk_buff *skb)
struct btmediatek_data *data = hci_get_priv(hdev);
int err;
- if (!IS_ENABLED(CONFIG_DEV_COREDUMP))
+ if (!IS_ENABLED(CONFIG_DEV_COREDUMP)) {
+ kfree_skb(skb);
return 0;
+ }
switch (data->cd_info.state) {
case HCI_DEVCOREDUMP_IDLE:
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index d31edad7a056..6cb87d47ad7d 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -3273,7 +3273,6 @@ static int btusb_recv_acl_mtk(struct hci_dev *hdev, struct sk_buff *skb)
{
struct btusb_data *data = hci_get_drvdata(hdev);
u16 handle = le16_to_cpu(hci_acl_hdr(skb)->handle);
- struct sk_buff *skb_cd;
switch (handle) {
case 0xfc6f: /* Firmware dump from device */
@@ -3286,9 +3285,12 @@ static int btusb_recv_acl_mtk(struct hci_dev *hdev, struct sk_buff *skb)
* for backward compatibility, so we have to clone the packet
* extraly for the in-kernel coredump support.
*/
- skb_cd = skb_clone(skb, GFP_ATOMIC);
- if (skb_cd)
- btmtk_process_coredump(hdev, skb_cd);
+ if (IS_ENABLED(CONFIG_DEV_COREDUMP)) {
+ struct sk_buff *skb_cd = skb_clone(skb, GFP_ATOMIC);
+
+ if (skb_cd)
+ btmtk_process_coredump(hdev, skb_cd);
+ }
fallthrough;
case 0x05ff: /* Firmware debug logging 1 */
--
2.43.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH v1 4/4] Bluetooth: bnep: Fix out-of-bound access
2024-02-28 17:18 [PATCH v1 1/4] Bluetooth: hci_core: Fix possible buffer overflow Luiz Augusto von Dentz
2024-02-28 17:18 ` [PATCH v1 2/4] Bluetooth: msft: Fix memory leak Luiz Augusto von Dentz
2024-02-28 17:18 ` [PATCH v1 3/4] Bluetooth: btusb: " Luiz Augusto von Dentz
@ 2024-02-28 17:18 ` Luiz Augusto von Dentz
2024-02-28 17:57 ` [v1,1/4] Bluetooth: hci_core: Fix possible buffer overflow bluez.test.bot
2024-03-01 19:00 ` [PATCH v1 1/4] " patchwork-bot+bluetooth
4 siblings, 0 replies; 6+ messages in thread
From: Luiz Augusto von Dentz @ 2024-02-28 17:18 UTC (permalink / raw
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
This fixes attempting to access past ethhdr.h_source, although it seems
intentional to copy also the contents of h_proto this triggers
out-of-bound access problems with the likes of static analyzer, so this
instead just copy ETH_ALEN and then proceed to use put_unaligned to copy
h_proto separetely.
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
net/bluetooth/bnep/core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c
index 5a6a49885ab6..a660c428e220 100644
--- a/net/bluetooth/bnep/core.c
+++ b/net/bluetooth/bnep/core.c
@@ -385,7 +385,8 @@ static int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb)
case BNEP_COMPRESSED_DST_ONLY:
__skb_put_data(nskb, skb_mac_header(skb), ETH_ALEN);
- __skb_put_data(nskb, s->eh.h_source, ETH_ALEN + 2);
+ __skb_put_data(nskb, s->eh.h_source, ETH_ALEN);
+ put_unaligned(s->eh.h_proto, (__be16 *)__skb_put(nskb, 2));
break;
case BNEP_GENERAL:
--
2.43.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* RE: [v1,1/4] Bluetooth: hci_core: Fix possible buffer overflow
2024-02-28 17:18 [PATCH v1 1/4] Bluetooth: hci_core: Fix possible buffer overflow Luiz Augusto von Dentz
` (2 preceding siblings ...)
2024-02-28 17:18 ` [PATCH v1 4/4] Bluetooth: bnep: Fix out-of-bound access Luiz Augusto von Dentz
@ 2024-02-28 17:57 ` bluez.test.bot
2024-03-01 19:00 ` [PATCH v1 1/4] " patchwork-bot+bluetooth
4 siblings, 0 replies; 6+ messages in thread
From: bluez.test.bot @ 2024-02-28 17:57 UTC (permalink / raw
To: linux-bluetooth, luiz.dentz
[-- Attachment #1: Type: text/plain, Size: 1420 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=830790
---Test result---
Test Summary:
CheckPatch PASS 1.98 seconds
GitLint PASS 0.78 seconds
SubjectPrefix PASS 0.23 seconds
BuildKernel PASS 27.62 seconds
CheckAllWarning PASS 30.48 seconds
CheckSparse PASS 36.06 seconds
CheckSmatch PASS 99.43 seconds
BuildKernel32 PASS 26.97 seconds
TestRunnerSetup PASS 494.99 seconds
TestRunner_l2cap-tester PASS 18.05 seconds
TestRunner_iso-tester PASS 28.19 seconds
TestRunner_bnep-tester PASS 4.74 seconds
TestRunner_mgmt-tester PASS 111.81 seconds
TestRunner_rfcomm-tester PASS 7.28 seconds
TestRunner_sco-tester PASS 14.85 seconds
TestRunner_ioctl-tester PASS 7.76 seconds
TestRunner_mesh-tester PASS 5.79 seconds
TestRunner_smp-tester PASS 6.81 seconds
TestRunner_userchan-tester PASS 4.95 seconds
IncrementalBuild PASS 39.12 seconds
---
Regards,
Linux Bluetooth
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH v1 1/4] Bluetooth: hci_core: Fix possible buffer overflow
2024-02-28 17:18 [PATCH v1 1/4] Bluetooth: hci_core: Fix possible buffer overflow Luiz Augusto von Dentz
` (3 preceding siblings ...)
2024-02-28 17:57 ` [v1,1/4] Bluetooth: hci_core: Fix possible buffer overflow bluez.test.bot
@ 2024-03-01 19:00 ` patchwork-bot+bluetooth
4 siblings, 0 replies; 6+ messages in thread
From: patchwork-bot+bluetooth @ 2024-03-01 19:00 UTC (permalink / raw
To: Luiz Augusto von Dentz; +Cc: linux-bluetooth
Hello:
This series was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Wed, 28 Feb 2024 12:18:35 -0500 you wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>
> struct hci_dev_info has a fixed size name[8] field so in the event that
> hdev->name is bigger than that strcpy would attempt to write past its
> size, so this fixes this problem by switching to use strscpy.
>
> Fixes: dcda165706b9 ("Bluetooth: hci_core: Fix build warnings")
> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>
> [...]
Here is the summary with links:
- [v1,1/4] Bluetooth: hci_core: Fix possible buffer overflow
https://git.kernel.org/bluetooth/bluetooth-next/c/c6febaabc470
- [v1,2/4] Bluetooth: msft: Fix memory leak
https://git.kernel.org/bluetooth/bluetooth-next/c/14cfaede6ad1
- [v1,3/4] Bluetooth: btusb: Fix memory leak
https://git.kernel.org/bluetooth/bluetooth-next/c/875829da81e8
- [v1,4/4] Bluetooth: bnep: Fix out-of-bound access
https://git.kernel.org/bluetooth/bluetooth-next/c/cfbc55231f8e
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2024-03-01 19:00 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-02-28 17:18 [PATCH v1 1/4] Bluetooth: hci_core: Fix possible buffer overflow Luiz Augusto von Dentz
2024-02-28 17:18 ` [PATCH v1 2/4] Bluetooth: msft: Fix memory leak Luiz Augusto von Dentz
2024-02-28 17:18 ` [PATCH v1 3/4] Bluetooth: btusb: " Luiz Augusto von Dentz
2024-02-28 17:18 ` [PATCH v1 4/4] Bluetooth: bnep: Fix out-of-bound access Luiz Augusto von Dentz
2024-02-28 17:57 ` [v1,1/4] Bluetooth: hci_core: Fix possible buffer overflow bluez.test.bot
2024-03-01 19:00 ` [PATCH v1 1/4] " patchwork-bot+bluetooth
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.