[v1,1/4] Bluetooth: hci_core: Fix possible buffer overflow

Message ID	20240228171838.2414532-1-luiz.dentz@gmail.com
State	New
Headers	show Received: from mail-oi1-f178.google.com (mail-oi1-f178.google.com [209.85.167.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0836A6EEEA for <linux-bluetooth@vger.kernel.org>; Wed, 28 Feb 2024 17:18:41 +0000 (UTC) From: Luiz Augusto von Dentz <luiz.dentz@gmail.com> To: linux-bluetooth@vger.kernel.org Subject: [PATCH v1 1/4] Bluetooth: hci_core: Fix possible buffer overflow Date: Wed, 28 Feb 2024 12:18:35 -0500 Message-ID: <20240228171838.2414532-1-luiz.dentz@gmail.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[v1,1/4] Bluetooth: hci_core: Fix possible buffer overflow \| expand [v1,1/4] Bluetooth: hci_core: Fix possible buffer overflow [v1,2/4] Bluetooth: msft: Fix memory leak [v1,3/4] Bluetooth: btusb: Fix memory leak [v1,4/4] Bluetooth: bnep: Fix out-of-bound access

Message ID

20240228171838.2414532-1-luiz.dentz@gmail.com

State

New

Headers

From: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH v1 1/4] Bluetooth: hci_core: Fix possible buffer overflow
Date: Wed, 28 Feb 2024 12:18:35 -0500
Message-ID: <20240228171838.2414532-1-luiz.dentz@gmail.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[v1,1/4] Bluetooth: hci_core: Fix possible buffer overflow | expand

Commit Message

Luiz Augusto von Dentz Feb. 28, 2024, 5:18 p.m. UTC

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

struct hci_dev_info has a fixed size name[8] field so in the event that
hdev->name is bigger than that strcpy would attempt to write past its
size, so this fixes this problem by switching to use strscpy.

Fixes: dcda165706b9 ("Bluetooth: hci_core: Fix build warnings")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
 net/bluetooth/hci_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

patchwork-bot+bluetooth@kernel.org March 1, 2024, 7 p.m. UTC | #1

Hello:

This series was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Wed, 28 Feb 2024 12:18:35 -0500 you wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> 
> struct hci_dev_info has a fixed size name[8] field so in the event that
> hdev->name is bigger than that strcpy would attempt to write past its
> size, so this fixes this problem by switching to use strscpy.
> 
> Fixes: dcda165706b9 ("Bluetooth: hci_core: Fix build warnings")
> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> 
> [...]

Here is the summary with links:
  - [v1,1/4] Bluetooth: hci_core: Fix possible buffer overflow
    https://git.kernel.org/bluetooth/bluetooth-next/c/c6febaabc470
  - [v1,2/4] Bluetooth: msft: Fix memory leak
    https://git.kernel.org/bluetooth/bluetooth-next/c/14cfaede6ad1
  - [v1,3/4] Bluetooth: btusb: Fix memory leak
    https://git.kernel.org/bluetooth/bluetooth-next/c/875829da81e8
  - [v1,4/4] Bluetooth: bnep: Fix out-of-bound access
    https://git.kernel.org/bluetooth/bluetooth-next/c/cfbc55231f8e

You are awesome, thank you!

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 2821a42cefdc..3715d2f3616f 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -908,7 +908,7 @@  int hci_get_dev_info(void __user *arg)
 	else
 		flags = hdev->flags;
 
-	strcpy(di.name, hdev->name);
+	strscpy(di.name, hdev->name, sizeof(di.name));
 	di.bdaddr   = hdev->bdaddr;
 	di.type     = (hdev->bus & 0x0f) | ((hdev->dev_type & 0x03) << 4);
 	di.flags    = flags;

[v1,1/4] Bluetooth: hci_core: Fix possible buffer overflow

Commit Message

Comments

Patch