
Bluetooth: mgmt: Fix mgmt_device_found panic

Message ID 20211213212650.2067066-1-luiz.dentz@gmail.com
State New
Series: Bluetooth: mgmt: Fix mgmt_device_found panic

Commit Message

Luiz Augusto von Dentz Dec. 13, 2021, 9:26 p.m. UTC
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

This fixes the following buffer overflow when Class of Device is
missing:

skbuff: skb_over_panic: text:ffffffff8b70f8c0 len:335 put:163
head:ffff888001388000 data:ffff888001388006 tail:0x155 end:0xc0
dev:<NULL>
kernel BUG at net/core/skbuff.c:113!
invalid opcode: 0000 [#1] PREEMPT KASAN PTI
CPU: 0 PID: 51 Comm: kworker/u3:2 Not tainted
5.16.0-rc1-14427-g77755dc54f9e-dirty #2795
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-6.fc35
04/01/2014
Workqueue: hci0 hci_rx_work
RIP: 0010:skb_panic+0xc7/0xc9
Code: 89 f0 48 c7 c7 00 d7 d5 8b 55 48 8b 74 24 18 4d 89 f9 56 48 8b 54
24 18 4c 89 e6 52 48 8b 44 24 18 4c 89 ea 50 e8 80 ac fd ff <0f> 0b 48
c7 c6 60 e0 d5 8b 48 c7 c7 9
RSP: 0018:ffff88800181fa08 EFLAGS: 00010286
RAX: 0000000000000088 RBX: ffff88800197c600 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffed1000303f34
RBP: ffffffff8bd5d6c0 R08: 0000000000000088 R09: ffff88800181f6a7
R10: ffffed1000303ed4 R11: 0000000000000001 R12: ffffffff8bd5dfa0
R13: ffffffff8b70f8c0 R14: 00000000000000a3 R15: ffff888001388000
FS:  0000000000000000(0000) GS:ffffffff8c097000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f235d05519d CR3: 00000000018c8000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 ? mgmt_device_found+0x5c0/0x680
 skb_put.cold+0x1f/0x1f
 mgmt_device_found+0x5c0/0x680
 ? kasan_unpoison+0x23/0x50
 ? mgmt_set_local_name_complete+0x1d0/0x1d0
 ? hci_inquiry_cache_update+0x51/0x3e0
 hci_extended_inquiry_result_evt+0x2e9/0x3d0
 ? hci_inquiry_result_evt+0x280/0x280
 ? mutex_unlock+0x7a/0xc0
 ? mutex_lock+0xd0/0xd0
 ? bt_dbg_get+0x10/0x10
 hci_event_packet+0x4a7/0x720
 ? hci_inquiry_result_evt+0x280/0x280
 ? hci_encrypt_change_evt+0x970/0x970
 ? skb_release_data+0x9d/0x230
 hci_rx_work+0x134/0x450
 ? read_word_at_a_time+0xe/0x20
 ? strscpy+0xb5/0x190
 process_one_work+0x435/0x690
 worker_thread+0x2c7/0x7e0
 ? process_one_work+0x690/0x690
 kthread+0x20e/0x240
 ? set_kthread_struct+0x80/0x80
 ret_from_fork+0x22/0x30
 </TASK>
---[ end trace 6885a67d9b75dd49 ]---
RIP: 0010:skb_panic+0xc7/0xc9
Code: 89 f0 48 c7 c7 00 d7 d5 8b 55 48 8b 74 24 18 4d 89 f9 56 48 8b 54
24 18 4c 89 e6 52 48 8b 44 24 18 4c 89 ea 50 e8 80 ac fd ff <0f> 0b 48
c7 c6 60 e0 d5 8b 48 c7 c7 9
RSP: 0018:ffff88800181fa08 EFLAGS: 00010286
RAX: 0000000000000088 RBX: ffff88800197c600 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffed1000303f34
RBP: ffffffff8bd5d6c0 R08: 0000000000000088 R09: ffff88800181f6a7
R10: ffffed1000303ed4 R11: 0000000000000001 R12: ffffffff8bd5dfa0
R13: ffffffff8b70f8c0 R14: 00000000000000a3 R15: ffff888001388000
FS:  0000000000000000(0000) GS:ffffffff8c097000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f235d05519d CR3: 00000000018c8000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Fixes: 2023db7e3a343 ("Bluetooth: mgmt: Make use of mgmt_send_event_skb in MGMT_EV_DEVICE_FOUND")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
 net/bluetooth/mgmt.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
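As an added illustration, not part of this patch or of the kernel sources, the model below reproduces in plain user-space C the two mistakes the diff corrects: a struct pointer named ev whose sizeof(ev) is the pointer size rather than the size of the event it points to, and a 5-byte eir_cod array copied with the running eir_len instead of its own size. The event layout, the buf stand-in for the skb, and the sample EIR and Class of Device bytes are constructed assumptions; buf_put records a would-be over-put (where skb_put would hit skb_over_panic) or a source over-read instead of corrupting memory, and eir_append_data is a reimplementation modelled on the kernel helper of that name.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not kernel code: a user-space model of the two defects the
 * patch fixes. Struct layout, buffer model and sample bytes are assumptions. */

#define EIR_CLASS_OF_DEV 0x0d	/* EIR data type for Class of Device */

/* Assumed layout modelled on mgmt_ev_device_found: 14 fixed bytes, then EIR. */
struct dev_found_ev {
	uint8_t addr[6], addr_type;
	int8_t rssi;
	uint32_t flags;
	uint16_t eir_len;
	uint8_t eir[];
} __attribute__((packed));

/* Minimal stand-in for an skb: head, tail (bytes used) and end (capacity). */
struct buf {
	uint8_t *head;
	size_t tail, end;
	bool dst_overflow;	/* skb_put() would have hit skb_over_panic() */
	bool src_overread;	/* copy length exceeds the source array */
};

static struct buf *buf_alloc(size_t size)
{
	struct buf *b = calloc(1, sizeof(*b));
	if (b && !(b->head = calloc(size ? size : 1, 1))) { free(b); b = NULL; }
	if (b) b->end = size;
	return b;
}

static void buf_free(struct buf *b) { if (b) { free(b->head); free(b); } }

/* Model of skb_put_data(): record a violation and refuse to copy rather than
 * corrupt memory. src_cap is the real size of the source array (the kernel has
 * no such check; only KASAN would notice). A NULL src reserves like skb_put(). */
static void *buf_put(struct buf *b, const void *src, size_t src_cap, size_t len)
{
	bool overread = src && len > src_cap;
	b->src_overread |= overread;
	if (b->tail + len > b->end) { b->dst_overflow = true; return NULL; }
	if (overread) return NULL;
	void *dst = b->head + b->tail;
	if (src) memcpy(dst, src, len);
	b->tail += len;
	return dst;
}

/* Modelled on the kernel's eir_append_data(): writes [len][type][data] at
 * eir + eir_len and returns the new eir_len (5 for a 3-byte CoD from 0). */
static uint16_t eir_append_data(uint8_t *eir, uint16_t eir_len, uint8_t type,
				const uint8_t *data, uint8_t data_len)
{
	eir[eir_len++] = (uint8_t)(1 + data_len);
	eir[eir_len++] = type;
	memcpy(&eir[eir_len], data, data_len);
	return (uint16_t)(eir_len + data_len);
}

struct outcome { bool dst_overflow, src_overread; size_t final_len; };

/* Follows the control flow of mgmt_device_found() around the two hunks;
 * fix_alloc / fix_put select the '-' (false) or '+' (true) line of each. */
static struct outcome build_device_found(bool fix_alloc, bool fix_put,
					 const uint8_t *eir, uint16_t eir_len,
					 const uint8_t *dev_class)
{
	struct outcome out = { 0 };
	struct dev_found_ev *ev = NULL;
	/* sizeof(ev) is the pointer (8 on x86_64); sizeof(*ev) the 14-byte event */
	size_t hdr = fix_alloc ? sizeof(*ev) : sizeof(ev);
	struct buf *b = buf_alloc(hdr + eir_len + 5);	/* +5 for a CoD field */
	if (!b) return out;

	ev = buf_put(b, NULL, 0, sizeof(*ev));
	if (eir_len > 0)
		buf_put(b, eir, eir_len, eir_len);

	if (dev_class) {		/* CoD missing from the EIR: append it */
		uint8_t eir_cod[5];
		eir_len += eir_append_data(eir_cod, 0, EIR_CLASS_OF_DEV, dev_class, 3);
		/* the '-' line copies the running total eir_len out of 5 bytes */
		buf_put(b, eir_cod, sizeof(eir_cod), fix_put ? sizeof(eir_cod) : eir_len);
	}
	if (ev) ev->eir_len = eir_len;

	out.dst_overflow = b->dst_overflow;
	out.src_overread = b->src_overread;
	out.final_len = b->tail;
	buf_free(b);
	return out;
}

/* Constructed sample input: a 6-byte EIR carrying only a short name (no CoD)
 * and an arbitrary 3-byte Class of Device. */
static const uint8_t sample_eir[] = { 0x05, 0x09, 'b', 'l', 'u', 'e' };
static const uint8_t sample_cod[3] = { 0x0c, 0x02, 0x5a };

int main(void)
{
	for (int a = 0; a < 2; a++)
		for (int p = 0; p < 2; p++) {
			struct outcome o = build_device_found(a, p, sample_eir,
					sizeof(sample_eir), sample_cod);
			printf("alloc %-11s put %-15s over-put=%d over-read=%d len=%zu\n",
			       a ? "sizeof(*ev)" : "sizeof(ev)",
			       p ? "sizeof(eir_cod)" : "eir_len",
			       o.dst_overflow, o.src_overread, o.final_len);
		}
	return 0;
}
```

Toggling the two flags independently shows that either mistake on its own trips the destination check (the undersized request cannot even hold the header plus EIR, and the eir_len copy both over-reads the stack array and over-puts the buffer); only the combination of sizeof(*ev) and sizeof(eir_cod) ends at exactly event size + eir_len + 5 bytes, which is what the "5 extra bytes" comment in the patch promises.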

Comments

Luiz Augusto von Dentz Dec. 17, 2021, 10:42 p.m. UTC | #1
Hi Marcel,

On Mon, Dec 13, 2021 at 2:07 PM <bluez.test.bot@gmail.com> wrote:
>
> This is automated email and please do not reply to this email!
>
> Dear submitter,
>
> Thank you for submitting the patches to the linux bluetooth mailing list.
> This is a CI test results with your patch series:
> PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=595033
>
> ---Test result---
>
> Test Summary:
> CheckPatch                    FAIL      1.63 seconds
> GitLint                       FAIL      0.92 seconds
> BuildKernel                   PASS      317.18 seconds
> Incremental Build with patchesPASS      321.54 seconds
> TestRunner: Setup             PASS      454.37 seconds
> TestRunner: l2cap-tester      PASS      11.79 seconds
> TestRunner: bnep-tester       PASS      5.89 seconds
> TestRunner: mgmt-tester       PASS      112.27 seconds
> TestRunner: rfcomm-tester     PASS      7.41 seconds
> TestRunner: sco-tester        PASS      7.54 seconds
> TestRunner: smp-tester        PASS      7.34 seconds
> TestRunner: userchan-tester   PASS      6.14 seconds
>
> Details
> ##############################
> Test: CheckPatch - FAIL - 1.63 seconds
> Run checkpatch.pl script with rule in .checkpatch.conf
> Bluetooth: mgmt: Fix mgmt_device_found panic\WARNING:COMMIT_LOG_LONG_LINE: Possible unwrapped commit description (prefer a maximum 75 chars per line)
> #103:
> FS:  0000000000000000(0000) GS:ffffffff8c097000(0000) knlGS:0000000000000000
>
> total: 0 errors, 1 warnings, 0 checks, 16 lines checked
>
> NOTE: For some of the reported defects, checkpatch may be able to
>       mechanically convert to the typical style using --fix or --fix-inplace.
>
> /github/workspace/src/12674615.patch has style problems, please review.
>
> NOTE: Ignored message types: UNKNOWN_COMMIT_ID
>
> NOTE: If any of the errors are false positives, please report
>       them to the maintainer, see CHECKPATCH in MAINTAINERS.
>
>
> ##############################
> Test: GitLint - FAIL - 0.92 seconds
> Run gitlint with rule in .gitlint
> Bluetooth: mgmt: Fix mgmt_device_found panic
> 77: B1 Line exceeds max length (97>80): "Fixes: 2023db7e3a343 ("Bluetooth: mgmt: Make use of mgmt_send_event_skb in MGMT_EV_DEVICE_FOUND")"

Can you please fixup/squash this one, this is breaking inquiry
response processing.
Luiz Augusto von Dentz Dec. 20, 2021, 9:07 p.m. UTC | #2
Hi Marcel,

On Fri, Dec 17, 2021 at 4:44 PM Manish Mandlik <mmandlik@google.com> wrote:
>
>
>
> On Fri, Dec 17, 2021 at 5:43 PM Luiz Augusto von Dentz <luiz.dentz@gmail.com> wrote:
>>
>> Hi Marcel,
>>
>> On Mon, Dec 13, 2021 at 2:07 PM <bluez.test.bot@gmail.com> wrote:
>> >
>> > This is automated email and please do not reply to this email!
>> >
>> > Dear submitter,
>> >
>> > Thank you for submitting the patches to the linux bluetooth mailing list.
>> > This is a CI test results with your patch series:
>> > PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=595033
>> >
>> > ---Test result---
>> >
>> > Test Summary:
>> > CheckPatch                    FAIL      1.63 seconds
>> > GitLint                       FAIL      0.92 seconds
>> > BuildKernel                   PASS      317.18 seconds
>> > Incremental Build with patchesPASS      321.54 seconds
>> > TestRunner: Setup             PASS      454.37 seconds
>> > TestRunner: l2cap-tester      PASS      11.79 seconds
>> > TestRunner: bnep-tester       PASS      5.89 seconds
>> > TestRunner: mgmt-tester       PASS      112.27 seconds
>> > TestRunner: rfcomm-tester     PASS      7.41 seconds
>> > TestRunner: sco-tester        PASS      7.54 seconds
>> > TestRunner: smp-tester        PASS      7.34 seconds
>> > TestRunner: userchan-tester   PASS      6.14 seconds
>> >
>> > Details
>> > ##############################
>> > Test: CheckPatch - FAIL - 1.63 seconds
>> > Run checkpatch.pl script with rule in .checkpatch.conf
>> > Bluetooth: mgmt: Fix mgmt_device_found panic\WARNING:COMMIT_LOG_LONG_LINE: Possible unwrapped commit description (prefer a maximum 75 chars per line)
>> > #103:
>> > FS:  0000000000000000(0000) GS:ffffffff8c097000(0000) knlGS:0000000000000000
>> >
>> > total: 0 errors, 1 warnings, 0 checks, 16 lines checked
>> >
>> > NOTE: For some of the reported defects, checkpatch may be able to
>> >       mechanically convert to the typical style using --fix or --fix-inplace.
>> >
>> > /github/workspace/src/12674615.patch has style problems, please review.
>> >
>> > NOTE: Ignored message types: UNKNOWN_COMMIT_ID
>> >
>> > NOTE: If any of the errors are false positives, please report
>> >       them to the maintainer, see CHECKPATCH in MAINTAINERS.
>> >
>> >
>> > ##############################
>> > Test: GitLint - FAIL - 0.92 seconds
>> > Run gitlint with rule in .gitlint
>> > Bluetooth: mgmt: Fix mgmt_device_found panic
>> > 77: B1 Line exceeds max length (97>80): "Fixes: 2023db7e3a343 ("Bluetooth: mgmt: Make use of mgmt_send_event_skb in MGMT_EV_DEVICE_FOUND")"
>>
>> Can you please fixup/squash this one, this is breaking inquiry
>> response processing.
>>
>> --
>> Luiz Augusto von Dentz
>
>
> Tested-by: Manish Mandlik <mmandlik@google.com>

Ping, we really need to fix this up.
Luiz Augusto von Dentz Dec. 21, 2021, 9:54 p.m. UTC | #3
Hi Marcel,

On Mon, Dec 20, 2021 at 1:07 PM Luiz Augusto von Dentz
<luiz.dentz@gmail.com> wrote:
>
> Hi Marcel,
>
> On Fri, Dec 17, 2021 at 4:44 PM Manish Mandlik <mmandlik@google.com> wrote:
> >
> >
> >
> > On Fri, Dec 17, 2021 at 5:43 PM Luiz Augusto von Dentz <luiz.dentz@gmail.com> wrote:
> >>
> >> Hi Marcel,
> >>
> >> On Mon, Dec 13, 2021 at 2:07 PM <bluez.test.bot@gmail.com> wrote:
> >> >
> >> > This is automated email and please do not reply to this email!
> >> >
> >> > Dear submitter,
> >> >
> >> > Thank you for submitting the patches to the linux bluetooth mailing list.
> >> > This is a CI test results with your patch series:
> >> > PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=595033
> >> >
> >> > ---Test result---
> >> >
> >> > Test Summary:
> >> > CheckPatch                    FAIL      1.63 seconds
> >> > GitLint                       FAIL      0.92 seconds
> >> > BuildKernel                   PASS      317.18 seconds
> >> > Incremental Build with patchesPASS      321.54 seconds
> >> > TestRunner: Setup             PASS      454.37 seconds
> >> > TestRunner: l2cap-tester      PASS      11.79 seconds
> >> > TestRunner: bnep-tester       PASS      5.89 seconds
> >> > TestRunner: mgmt-tester       PASS      112.27 seconds
> >> > TestRunner: rfcomm-tester     PASS      7.41 seconds
> >> > TestRunner: sco-tester        PASS      7.54 seconds
> >> > TestRunner: smp-tester        PASS      7.34 seconds
> >> > TestRunner: userchan-tester   PASS      6.14 seconds
> >> >
> >> > Details
> >> > ##############################
> >> > Test: CheckPatch - FAIL - 1.63 seconds
> >> > Run checkpatch.pl script with rule in .checkpatch.conf
> >> > Bluetooth: mgmt: Fix mgmt_device_found panic\WARNING:COMMIT_LOG_LONG_LINE: Possible unwrapped commit description (prefer a maximum 75 chars per line)
> >> > #103:
> >> > FS:  0000000000000000(0000) GS:ffffffff8c097000(0000) knlGS:0000000000000000
> >> >
> >> > total: 0 errors, 1 warnings, 0 checks, 16 lines checked
> >> >
> >> > NOTE: For some of the reported defects, checkpatch may be able to
> >> >       mechanically convert to the typical style using --fix or --fix-inplace.
> >> >
> >> > /github/workspace/src/12674615.patch has style problems, please review.
> >> >
> >> > NOTE: Ignored message types: UNKNOWN_COMMIT_ID
> >> >
> >> > NOTE: If any of the errors are false positives, please report
> >> >       them to the maintainer, see CHECKPATCH in MAINTAINERS.
> >> >
> >> >
> >> > ##############################
> >> > Test: GitLint - FAIL - 0.92 seconds
> >> > Run gitlint with rule in .gitlint
> >> > Bluetooth: mgmt: Fix mgmt_device_found panic
> >> > 77: B1 Line exceeds max length (97>80): "Fixes: 2023db7e3a343 ("Bluetooth: mgmt: Make use of mgmt_send_event_skb in MGMT_EV_DEVICE_FOUND")"
> >>
> >> Can you please fixup/squash this one, this is breaking inquiry
> >> response processing.
> >>
> >> --
> >> Luiz Augusto von Dentz
> >
> >
> > Tested-by: Manish Mandlik <mmandlik@google.com>
>
> Ping, we really need to fix this up.
>
> --
> Luiz Augusto von Dentz

I've fixed the original patch and pushed to bluetooth-next.

Patch

diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 4e1557281956..3326d9459dd3 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -9601,7 +9601,7 @@  void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
 
 	/* Allocate skb. The 5 extra bytes are for the potential CoD field */
 	skb = mgmt_alloc_skb(hdev, MGMT_EV_DEVICE_FOUND,
-			     sizeof(ev) + eir_len + scan_rsp_len + 5);
+			     sizeof(*ev) + eir_len + scan_rsp_len + 5);
 	if (!skb)
 		return;
 
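Review bot: the '-' line sized the skb with sizeof(ev), which for a pointer is the pointer width (8 bytes on x86_64) rather than the size of the event it points to, so the requested allocation was short by sizeof(*ev) minus the pointer size for every DEVICE_FOUND event, not only when the Class of Device is missing; the '+' line's sizeof(*ev) is the right fix and keeps the "5 extra bytes for the potential CoD field" comment accurate. Two small asks: confirm ev is declared as a pointer to the event struct (its declaration is above this hunk's context), and mention in the commit message that this hunk corrects the request size for all events, since the message only describes the CoD-missing case and backporters will want to know the scope.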
@@ -9633,7 +9633,7 @@  void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
 
 		eir_len += eir_append_data(eir_cod, 0, EIR_CLASS_OF_DEV,
 					   dev_class, 3);
-		skb_put_data(skb, eir_cod, eir_len);
+		skb_put_data(skb, eir_cod, sizeof(eir_cod));
 	}
 
 	if (scan_rsp_len > 0)
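Review bot: on the '-' line eir_len is the running total that the `eir_len +=` just above has already grown by the CoD field, not the length of eir_cod, so skb_put_data() copied eir_len bytes out of a 5-byte stack array: an over-read of the stack on top of the over-put that produced the skb_over_panic in the trace. The '+' line's sizeof(eir_cod) is correct only because eir_cod is a fixed-size local array in this block (its declaration sits above the shown context); if it is ever changed to a pointer the same bug silently returns, so consider a named constant for the CoD field length shared by the allocation's "+ 5" in the first hunk and this copy, which would also make the two hunks visibly agree.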