From patchwork Fri Jun 24 22:46:27 2022
X-Patchwork-Submitter: John Klug
X-Patchwork-Id: 584727
From: John Klug
To: Linux-Bluetooth MailingList
CC: Sönke Huster
Subject: Linux v5.4.199: Bluetooth: hci_event: Ignore multiple conn complete events
Date: Fri, 24 Jun 2022 22:46:27 +0000
X-Mailing-List: linux-bluetooth@vger.kernel.org

This patch updated for the 5.4.199 kernel on Friday, 24 June 2022 by John Klug

From: Soenke Huster
Date: Sun, 23 Jan 2022 15:06:24 +0100
Subject: Bluetooth: hci_event: Ignore multiple conn complete events

When one of the three connection complete events is received multiple times for the same handle, the device is registered multiple times which leads to memory corruptions. Therefore, consequent events for a single connection are ignored. The conn->state can hold different values, therefore HCI_CONN_HANDLE_UNSET is introduced to identify new connections. To make sure the events do not contain this or another invalid handle HCI_CONN_HANDLE_MAX and checks are introduced.

---  include/net/bluetooth/hci_core.h |  3 ++  net/bluetooth/hci_conn.c         |  1 +  net/bluetooth/hci_event.c        | 63 ++++++++++++++++++++++++++++++----------  3 files changed, 52 insertions(+), 15 deletions(-) diff -Naru a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h --- a/include/net/bluetooth/hci_core.h 2022-06-24 09:07:33.521766338 -0500 +++ b/include/net/bluetooth/hci_core.h 2022-06-24 09:16:20.317754010 -0500 @@ -193,6 +193,9 @@    #define HCI_MAX_SHORT_NAME_LENGTH 10   +#define HCI_CONN_HANDLE_UNSET 0xffff +#define HCI_CONN_HANDLE_MAX 0x0eff +  /* Min encryption key size to match with SMP */  #define HCI_MIN_ENC_KEY_SIZE 7   diff -Naru a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c 
--- a/net/bluetooth/hci_conn.c 2022-06-24 09:08:47.105764616 -0500 +++ b/net/bluetooth/hci_conn.c 2022-06-24 09:16:20.317754010 -0500 @@ -504,6 +504,7 @@     bacpy(&conn->dst, dst);   bacpy(&conn->src, &hdev->bdaddr); + conn->handle = HCI_CONN_HANDLE_UNSET;   conn->hdev  = hdev;   conn->type  = type;   conn->role  = role; diff -Naru a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c --- a/net/bluetooth/hci_event.c 2022-06-24 09:09:10.825764061 -0500 +++ b/net/bluetooth/hci_event.c 2022-06-24 09:19:52.017749056 -0500 @@ -2494,6 +2494,11 @@   struct hci_ev_conn_complete *ev = (void *) skb->data;   struct hci_conn *conn;   + if (__le16_to_cpu(ev->handle) > HCI_CONN_HANDLE_MAX) { + BT_DBG("Ignoring HCI_Connection_Complete for invalid handle"); + return; + } +           BT_DBG("%s", hdev->name);     hci_dev_lock(hdev); @@ -2510,6 +2515,17 @@   conn->type = SCO_LINK;   }   + /* The HCI_Connection_Complete event is only sent once per connection. + * Processing it more than once per connection can corrupt kernel memory. + * + * As the connection handle is set here for the first time, it indicates + * whether the connection is already set up. + */ + if (conn->handle != HCI_CONN_HANDLE_UNSET) { + BT_DBG("Ignoring HCI_Connection_Complete for existing connection"); + goto unlock; + } +   if (!ev->status) {   conn->handle = __le16_to_cpu(ev->handle);   @@ -4177,6 +4193,11 @@   struct hci_ev_sync_conn_complete *ev = (void *) skb->data;   struct hci_conn *conn;   + if (__le16_to_cpu(ev->handle) > HCI_CONN_HANDLE_MAX) { + BT_DBG("Ignoring HCI_Sync_Conn_Complete event for invalid handle"); + return; + } +   BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);     hci_dev_lock(hdev); 
@@ -4200,23 +4221,19 @@   goto unlock;   }   + /* The HCI_Synchronous_Connection_Complete event is only sent once per connection. + * Processing it more than once per connection can corrupt kernel memory. + * + * As the connection handle is set here for the first time, it indicates + * whether the connection is already set up. + */ + if (conn->handle != HCI_CONN_HANDLE_UNSET) { +    BT_DBG("Ignoring HCI_Sync_Conn_Complete event for existing connection"); + goto unlock; + } +   switch (ev->status) {   case 0x00: - /* The synchronous connection complete event should only be - * sent once per new connection. Receiving a successful - * complete event when the connection status is already - * BT_CONNECTED means that the device is misbehaving and sent - * multiple complete event packets for the same new connection. - * - * Registering the device more than once can corrupt kernel - * memory, hence upon detecting this invalid event, we report - * an error and ignore the packet. - */ - if (conn->state == BT_CONNECTED) { - bt_dev_err(hdev, "Ignoring connect complete event for existing connection"); - goto unlock; - } -   conn->handle = __le16_to_cpu(ev->handle);   conn->state  = BT_CONNECTED;   conn->type   = ev->link_type; @@ -4985,6 +5002,11 @@   struct smp_irk *irk;   u8 addr_type;   + if (handle > HCI_CONN_HANDLE_MAX) { + BT_DBG("Ignoring HCI_LE_Connection_Complete for invalid handle"); + return; + } +   hci_dev_lock(hdev);     /* All controllers implicitly stop advertising in the event of a 
@@ -5026,6 +5048,17 @@   cancel_delayed_work(&conn->le_conn_timeout);   }   + /* The HCI_LE_Connection_Complete event is only sent once per connection. + * Processing it more than once per connection can corrupt kernel memory. + * + * As the connection handle is set here for the first time, it indicates + * whether the connection is already set up. + */ + if (conn->handle != HCI_CONN_HANDLE_UNSET) { + BT_DBG("Ignoring HCI_Connection_Complete for existing connection"); + goto unlock; + } +   le_conn_update_addr(conn, bdaddr, bdaddr_type, local_rpa);     /* Lookup the identity address from the stored connection
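Review bot: the two new constants in the hci_core.h hunk, `+#define HCI_CONN_HANDLE_UNSET 0xffff` and `+#define HCI_CONN_HANDLE_MAX 0x0eff`, carry no comment saying where the values come from. A one-line comment that HCI connection handles are 12-bit values in the range 0x0000 to 0x0EFF per the Bluetooth Core Specification (0x0F00 to 0x0FFF are reserved), and that 0xffff is used as the sentinel precisely because it can never be a valid handle, would let a reader check the range comparison in hci_event.c without opening the spec.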
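Review bot: the hci_conn.c hunk sets `conn->handle = HCI_CONN_HANDLE_UNSET` at allocation, which changes the default handle value from 0 to 0xffff for every new hci_conn. Before merging the backport, confirm that no other code in the 5.4 tree treats handle 0 as "not yet assigned" or looks a connection up by handle before its complete event has arrived, since such callers would now see 0xffff; the unconditional sentinel is the right approach, but that assumption deserves a sentence in the backport note.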
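Review bot: in the hci_event.c hunk at @@ -2494 the range check `if (__le16_to_cpu(ev->handle) > HCI_CONN_HANDLE_MAX)` returns before `ev->status` is examined, and the @@ -4177 and @@ -4985 hunks use the same ordering. For a complete event that reports a failure status the handle field is not meaningful, so an out-of-range handle in such an event now discards the whole event and the error-status path that would otherwise handle the failed connection (the `else` branch of `if (!ev->status)` below the added lines) is never reached. Suggest applying the range check only when the status indicates success, or folding it into the status handling, so that failure events still reach the existing cleanup code.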
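Review bot: the @@ -4200 hunk replaces `bt_dev_err(hdev, "Ignoring connect complete event for existing connection")` with a `BT_DBG(...)`, so a controller that emits duplicate complete events is no longer reported at error level, even though the removed comment explicitly said the duplicate means the device is misbehaving and "we report an error". The new checks in the @@ -2510 and @@ -5048 hunks also use BT_DBG; suggest bt_dev_err in all three, since the commit message describes the condition as one that would otherwise corrupt kernel memory and a production kernel usually runs with debug output off. The `+    BT_DBG("Ignoring HCI_Sync_Conn_Complete event for existing connection");` line in this hunk also appears to be indented with spaces rather than a tab, unlike the neighbouring added lines.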
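Review bot: the message in the @@ -5026 hunk, `BT_DBG("Ignoring HCI_Connection_Complete for existing connection")`, names the wrong event: this is the LE path, and the companion range check in the @@ -4985 hunk already says "HCI_LE_Connection_Complete", so the duplicate-connection message should use the same name to keep it distinguishable from the identically worded message in the ACL path at @@ -2510.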