From: Alexander Grund <theflamefire89@gmail.com>
To: cip-dev@lists.cip-project.org
Cc: uli+cip@fpond.eu
Subject: [PATCH 4.4 4/4] Bluetooth: hci_sock: Correctly bounds check and pad HCI_MON_NEW_INDEX name
Date: Thu, 11 Jan 2024 20:06:58 +0100
Message-ID: <20240111190658.153488-5-theflamefire89@gmail.com>
In-Reply-To: <20240111190658.153488-1-theflamefire89@gmail.com>

From: Kees Cook <keescook@chromium.org>

The code pattern of memcpy(dst, src, strlen(src)) is almost always
wrong. In this case it is wrong because it leaves memory uninitialized
if it is less than sizeof(ni->name), and overflows ni->name when longer.
Normally strtomem_pad() could be used here, but since ni->name is a
trailing array in struct hci_mon_new_index, compilers that don't support
-fstrict-flex-arrays=3 can't tell how large this array is via
__builtin_object_size(). Instead, open-code the helper and use sizeof()
since it will work correctly.
Additionally mark ni->name as __nonstring since it appears to not be a
%NUL terminated C string.
Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Cc: Edward AD <twuufnxlz@gmail.com>
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: linux-bluetooth@vger.kernel.org
Cc: netdev@vger.kernel.org
Fixes: 18f547f3fc07 ("Bluetooth: hci_sock: fix slab oob read in create_monitor_event")
Link: https://lore.kernel.org/lkml/202310110908.F2639D3276@keescook/
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[AG: Remove __nonstring attribute not present in 4.4]
Signed-off-by: Alexander Grund <theflamefire89@gmail.com>
---
net/bluetooth/hci_sock.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index 48fcbbde9d3f0..dbbd69bf43191 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -333,7 +333,8 @@ static struct sk_buff *create_monitor_event(struct hci_dev *hdev, int event)
ni->type = hdev->dev_type;
ni->bus = hdev->bus;
bacpy(&ni->bdaddr, &hdev->bdaddr);
- memcpy(ni->name, hdev->name, strlen(hdev->name));
+ memcpy_and_pad(ni->name, sizeof(ni->name), hdev->name,
+ strnlen(hdev->name, sizeof(ni->name)), '\0');
opcode = cpu_to_le16(HCI_MON_NEW_INDEX);
break;
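Review bot: this hunk only builds once memcpy_and_pad() exists in 4.4, which patches 1/4 to 3/4 of this series introduce, so the backport note (the "[AG: ...]" line) should state that dependency so that 4/4 is not picked into a tree on its own. The strnlen(hdev->name, sizeof(ni->name)) cap also means a name that is sizeof(ni->name) bytes or longer is copied truncated with no terminating NUL, which the dropped upstream __nonstring annotation documented; readers of ni->name must treat it as a fixed-width field, as the commit message already notes it is not a %NUL terminated C string.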
--
2.40.1
Thread overview: 9+ messages
2024-01-11 19:06 [PATCH 4.4 0/4] Bluetooth: hci_sock: Fix possible OOB write in create_monitor_event Alexander Grund
2024-01-11 19:06 ` [PATCH 4.4 1/4] string.h: add memcpy_and_pad() Alexander Grund
2024-01-11 19:06 ` [PATCH 4.4 2/4] string.h: un-fortify memcpy_and_pad Alexander Grund
2024-01-11 19:06 ` [PATCH 4.4 3/4] string: uninline memcpy_and_pad Alexander Grund
2024-01-11 19:06 ` Alexander Grund [this message]
2024-01-15 19:50 ` [cip-dev] [PATCH 4.4 4/4] Bluetooth: hci_sock: Correctly bounds check and pad HCI_MON_NEW_INDEX name Pavel Machek
2024-01-15 20:05 ` [cip-dev] [PATCH 4.4 0/4] Bluetooth: hci_sock: Fix possible OOB write in create_monitor_event Pavel Machek
2024-01-29 2:06 ` Ulrich Hecht
2024-01-29 2:04 ` Ulrich Hecht