[PATCH] Bluetooth: HCI: Fix potential null-ptr-deref

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH] Bluetooth: HCI: Fix potential null-ptr-deref
@ 2024-05-02  2:17 Sungwoo Kim
  2024-05-02  2:59 ` bluez.test.bot
  2024-05-02 14:48 ` [PATCH] " Luiz Augusto von Dentz
  0 siblings, 2 replies; 3+ messages in thread
From: Sungwoo Kim @ 2024-05-02  2:17 UTC (permalink / raw)
  Cc: daveti, benquike, Sungwoo Kim, Marcel Holtmann, Johan Hedberg,
	Luiz Augusto von Dentz, linux-bluetooth, linux-kernel

Dear all,
hci_le_big_sync_established_evt() has a potential null-ptr-deref bug.

hci_le_big_sync_established_evt()
  bis = hci_conn_hash_lookup_handle(hdev, handle);
  if (!bis)
    bis = hci_conn_add() <- could fail
  /* ... */
  bis = hci_conn_hash_lookup_handle(hdev, handle);
  set_bit(HCI_CONN_BIG_SYNC_FAILED, &bis->flags); <- null-ptr-deref

There is a missing check after hci_conn_hash_lookup_handle(), which can
return NULL. Especially, if a prior hci_conn_add() fails than
hci_conn_hash_lookup_handle() will return NULL.

This patch fixes this by adding a check.

Thanks,
Sungwoo.

Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
---
 net/bluetooth/hci_event.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 4a27e4a17..d72d238c1 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -7037,6 +7037,8 @@ static void hci_le_big_sync_established_evt(struct hci_dev *hdev, void *data,
 			u16 handle = le16_to_cpu(ev->bis[i]);
 
 			bis = hci_conn_hash_lookup_handle(hdev, handle);
+			if (!bis)
+				continue;
 
 			set_bit(HCI_CONN_BIG_SYNC_FAILED, &bis->flags);
 			hci_connect_cfm(bis, ev->status);
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* RE: Bluetooth: HCI: Fix potential null-ptr-deref
  2024-05-02  2:17 [PATCH] Bluetooth: HCI: Fix potential null-ptr-deref Sungwoo Kim
@ 2024-05-02  2:59 ` bluez.test.bot
  2024-05-02 14:48 ` [PATCH] " Luiz Augusto von Dentz
  1 sibling, 0 replies; 3+ messages in thread
From: bluez.test.bot @ 2024-05-02  2:59 UTC (permalink / raw)
  To: linux-bluetooth, iam

[-- Attachment #1: Type: text/plain, Size: 2950 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=849769

---Test result---

Test Summary:
CheckPatch                    PASS      0.49 seconds
GitLint                       PASS      0.46 seconds
SubjectPrefix                 PASS      0.07 seconds
BuildKernel                   PASS      30.20 seconds
CheckAllWarning               PASS      32.72 seconds
CheckSparse                   WARNING   38.10 seconds
CheckSmatch                   FAIL      36.22 seconds
BuildKernel32                 PASS      28.91 seconds
TestRunnerSetup               PASS      519.88 seconds
TestRunner_l2cap-tester       PASS      20.55 seconds
TestRunner_iso-tester         PASS      29.18 seconds
TestRunner_bnep-tester        PASS      4.64 seconds
TestRunner_mgmt-tester        FAIL      115.50 seconds
TestRunner_rfcomm-tester      PASS      7.17 seconds
TestRunner_sco-tester         PASS      14.93 seconds
TestRunner_ioctl-tester       PASS      7.61 seconds
TestRunner_mesh-tester        PASS      8.89 seconds
TestRunner_smp-tester         PASS      6.73 seconds
TestRunner_userchan-tester    PASS      4.88 seconds
IncrementalBuild              PASS      28.05 seconds

Details
##############################
Test: CheckSparse - WARNING
Desc: Run sparse tool with linux kernel
Output:
net/bluetooth/hci_event.c: note: in included file (through include/net/bluetooth/hci_core.h):
##############################
Test: CheckSmatch - FAIL
Desc: Run smatch tool with source
Output:

Segmentation fault (core dumped)
make[4]: *** [scripts/Makefile.build:244: net/bluetooth/hci_core.o] Error 139
make[4]: *** Deleting file 'net/bluetooth/hci_core.o'
make[3]: *** [scripts/Makefile.build:485: net/bluetooth] Error 2
make[2]: *** [scripts/Makefile.build:485: net] Error 2
make[2]: *** Waiting for unfinished jobs....
Segmentation fault (core dumped)
make[4]: *** [scripts/Makefile.build:244: drivers/bluetooth/bcm203x.o] Error 139
make[4]: *** Deleting file 'drivers/bluetooth/bcm203x.o'
make[4]: *** Waiting for unfinished jobs....
Segmentation fault (core dumped)
make[4]: *** [scripts/Makefile.build:244: drivers/bluetooth/bpa10x.o] Error 139
make[4]: *** Deleting file 'drivers/bluetooth/bpa10x.o'
make[3]: *** [scripts/Makefile.build:485: drivers/bluetooth] Error 2
make[2]: *** [scripts/Makefile.build:485: drivers] Error 2
make[1]: *** [/github/workspace/src/src/Makefile:1919: .] Error 2
make: *** [Makefile:240: __sub-make] Error 2
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 492, Passed: 489 (99.4%), Failed: 1, Not Run: 2

Failed Test Cases
LL Privacy - Remove Device 4 (Disable Adv)           Timed out    2.239 seconds


---
Regards,
Linux Bluetooth


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] Bluetooth: HCI: Fix potential null-ptr-deref
  2024-05-02  2:17 [PATCH] Bluetooth: HCI: Fix potential null-ptr-deref Sungwoo Kim
  2024-05-02  2:59 ` bluez.test.bot
@ 2024-05-02 14:48 ` Luiz Augusto von Dentz
  1 sibling, 0 replies; 3+ messages in thread
From: Luiz Augusto von Dentz @ 2024-05-02 14:48 UTC (permalink / raw)
  To: Sungwoo Kim
  Cc: daveti, benquike, Marcel Holtmann, Johan Hedberg, linux-bluetooth,
	linux-kernel

Hi Sungwoo,

On Wed, May 1, 2024 at 10:22 PM Sungwoo Kim <iam@sung-woo.kim> wrote:
>
> Dear all,

Not sure if you are following what I actually enter as patch
description, that normally doesn't include things like Dear all, etc.

> hci_le_big_sync_established_evt() has a potential null-ptr-deref bug.
>
> hci_le_big_sync_established_evt()
>   bis = hci_conn_hash_lookup_handle(hdev, handle);
>   if (!bis)
>     bis = hci_conn_add() <- could fail
>   /* ... */
>   bis = hci_conn_hash_lookup_handle(hdev, handle);
>   set_bit(HCI_CONN_BIG_SYNC_FAILED, &bis->flags); <- null-ptr-deref
>
> There is a missing check after hci_conn_hash_lookup_handle(), which can
> return NULL. Especially, if a prior hci_conn_add() fails than
> hci_conn_hash_lookup_handle() will return NULL.
>
> This patch fixes this by adding a check.

Nor the one below.

> Thanks,
> Sungwoo.

And by now I'd expect you to start adding the Fixes tag as well.

> Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
> ---
>  net/bluetooth/hci_event.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> index 4a27e4a17..d72d238c1 100644
> --- a/net/bluetooth/hci_event.c
> +++ b/net/bluetooth/hci_event.c
> @@ -7037,6 +7037,8 @@ static void hci_le_big_sync_established_evt(struct hci_dev *hdev, void *data,
>                         u16 handle = le16_to_cpu(ev->bis[i]);
>
>                         bis = hci_conn_hash_lookup_handle(hdev, handle);
> +                       if (!bis)
> +                               continue;
>
>                         set_bit(HCI_CONN_BIG_SYNC_FAILED, &bis->flags);
>                         hci_connect_cfm(bis, ev->status);
> --
> 2.34.1
>


-- 
Luiz Augusto von Dentz

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2024-05-02 14:48 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-05-02  2:17 [PATCH] Bluetooth: HCI: Fix potential null-ptr-deref Sungwoo Kim
2024-05-02  2:59 ` bluez.test.bot
2024-05-02 14:48 ` [PATCH] " Luiz Augusto von Dentz

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.