linux-bluetooth.vger.kernel.org archive mirror
* [syzbot] [bluetooth?] KASAN: slab-out-of-bounds Read in create_monitor_event
@ 2023-10-09 10:29 syzbot
  2023-10-09 11:32 ` shaozhengchao
  2023-10-10  5:36 ` [PATCH] Bluetooth: hci_sock: fix slab oob read " Edward AD
  0 siblings, 2 replies; 6+ messages in thread
From: syzbot @ 2023-10-09 10:29 UTC (permalink / raw)
  To: davem, edumazet, johan.hedberg, kuba, linux-bluetooth,
	linux-kernel, luiz.dentz, luiz.von.dentz, marcel, netdev, pabeni,
	syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    f291209eca5e Merge tag 'net-6.6-rc5' of git://git.kernel.o..
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=11011862680000
kernel config:  https://syzkaller.appspot.com/x/.config?x=7a5682d32a74b423
dashboard link: https://syzkaller.appspot.com/bug?extid=c90849c50ed209d77689
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14d8746e680000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1388dbae680000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c35c46fb9748/disk-f291209e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f0cdf2349ddb/vmlinux-f291209e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/2f4c7b7ed7c4/bzImage-f291209e.xz

The issue was bisected to:

commit dcda165706b9fbfd685898d46a6749d7d397e0c0
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date:   Fri Sep 15 21:42:27 2023 +0000

    Bluetooth: hci_core: Fix build warnings

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1279df95680000
final oops:     https://syzkaller.appspot.com/x/report.txt?x=1179df95680000
console output: https://syzkaller.appspot.com/x/log.txt?x=1679df95680000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c90849c50ed209d77689@syzkaller.appspotmail.com
Fixes: dcda165706b9 ("Bluetooth: hci_core: Fix build warnings")

==================================================================
BUG: KASAN: slab-out-of-bounds in create_monitor_event+0x88d/0x930 net/bluetooth/hci_sock.c:491
Read of size 8 at addr ffff88801e5458c7 by task syz-executor191/5038

CPU: 0 PID: 5038 Comm: syz-executor191 Not tainted 6.6.0-rc4-syzkaller-00158-gf291209eca5e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0x163/0x540 mm/kasan/report.c:475
 kasan_report+0x175/0x1b0 mm/kasan/report.c:588
 create_monitor_event+0x88d/0x930 net/bluetooth/hci_sock.c:491
 send_monitor_replay+0x7a/0x5d0 net/bluetooth/hci_sock.c:723
 hci_sock_bind+0x85c/0x1140 net/bluetooth/hci_sock.c:1387
 __sys_bind+0x23a/0x2e0 net/socket.c:1849
 __do_sys_bind net/socket.c:1860 [inline]
 __se_sys_bind net/socket.c:1858 [inline]
 __x64_sys_bind+0x7a/0x90 net/socket.c:1858
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fa90faa64f9
Code: 48 83 c4 28 c3 e8 17 19 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc6a6f17b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fa90faa64f9
RDX: 0000000000000006 RSI: 0000000020000000 RDI: 0000000000000004
RBP: 0000000000000003 R08: 000000ff00ffb650 R09: 000000ff00ffb650
R10: 0000000000000000 R11: 0000000000000246 R12: 000055555604a370
R13: 0000000000000072 R14: 00007fa90fb2a5b0 R15: 0000000000000001
 </TASK>

Allocated by task 5038:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4f/0x70 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:383
 kasan_kmalloc include/linux/kasan.h:198 [inline]
 __do_kmalloc_node mm/slab_common.c:1023 [inline]
 __kmalloc_node_track_caller+0xb6/0x230 mm/slab_common.c:1043
 kvasprintf+0xdf/0x190 lib/kasprintf.c:25
 kobject_set_name_vargs+0x61/0x120 lib/kobject.c:272
 dev_set_name+0xd5/0x120 drivers/base/core.c:3427
 hci_register_dev+0x153/0xa40 net/bluetooth/hci_core.c:2620
 __vhci_create_device drivers/bluetooth/hci_vhci.c:434 [inline]
 vhci_create_device+0x3ba/0x720 drivers/bluetooth/hci_vhci.c:475
 vhci_get_user drivers/bluetooth/hci_vhci.c:532 [inline]
 vhci_write+0x3c7/0x480 drivers/bluetooth/hci_vhci.c:612
 call_write_iter include/linux/fs.h:1956 [inline]
 new_sync_write fs/read_write.c:491 [inline]
 vfs_write+0x782/0xaf0 fs/read_write.c:584
 ksys_write+0x1a0/0x2c0 fs/read_write.c:637
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff88801e5458c0
 which belongs to the cache kmalloc-8 of size 8
The buggy address is located 2 bytes to the right of
 allocated 5-byte region [ffff88801e5458c0, ffff88801e5458c5)

The buggy address belongs to the physical page:
page:ffffea0000795140 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1e545
flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000800 ffff888012841280 ffffea00004db540 dead000000000002
raw: 0000000000000000 0000000000660066 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY), pid 25, tgid 25 (kdevtmpfs), ts 9275165846, free_ts 9274763750
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
 prep_new_page mm/page_alloc.c:1543 [inline]
 get_page_from_freelist+0x31db/0x3360 mm/page_alloc.c:3170
 __alloc_pages+0x255/0x670 mm/page_alloc.c:4426
 alloc_slab_page+0x6a/0x160 mm/slub.c:1870
 allocate_slab mm/slub.c:2017 [inline]
 new_slab+0x84/0x2f0 mm/slub.c:2070
 ___slab_alloc+0xc85/0x1310 mm/slub.c:3223
 __slab_alloc mm/slub.c:3322 [inline]
 __slab_alloc_node mm/slub.c:3375 [inline]
 slab_alloc_node mm/slub.c:3468 [inline]
 __kmem_cache_alloc_node+0x1af/0x270 mm/slub.c:3517
 __do_kmalloc_node mm/slab_common.c:1022 [inline]
 __kmalloc_node_track_caller+0xa5/0x230 mm/slab_common.c:1043
 kstrdup+0x3a/0x70 mm/util.c:62
 smack_inode_init_security+0x5ed/0x740 security/smack/smack_lsm.c:1046
 security_inode_init_security+0x1a1/0x470 security/security.c:1648
 shmem_mknod+0xc6/0x1d0 mm/shmem.c:3221
 vfs_mknod+0x308/0x350 fs/namei.c:3998
 handle_create drivers/base/devtmpfs.c:219 [inline]
 handle drivers/base/devtmpfs.c:384 [inline]
 devtmpfs_work_loop+0x95c/0x1030 drivers/base/devtmpfs.c:399
 devtmpfsd+0x48/0x50 drivers/base/devtmpfs.c:441
 kthread+0x2d3/0x370 kernel/kthread.c:388
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1136 [inline]
 free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
 free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
 mm_free_pgd kernel/fork.c:803 [inline]
 __mmdrop+0xb8/0x3d0 kernel/fork.c:919
 free_bprm+0x144/0x330 fs/exec.c:1492
 kernel_execve+0x8f5/0xa10 fs/exec.c:2026
 call_usermodehelper_exec_async+0x233/0x370 kernel/umh.c:110
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

Memory state around the buggy address:
 ffff88801e545780: 05 fc fc fc fc 05 fc fc fc fc 05 fc fc fc fc 05
 ffff88801e545800: fc fc fc fc 05 fc fc fc fc 00 fc fc fc fc 00 fc
>ffff88801e545880: fc fc fc 00 fc fc fc fc 05 fc fc fc fc 00 fc fc
                                           ^
 ffff88801e545900: fc fc 00 fc fc fc fc 00 fc fc fc fc 05 fc fc fc
 ffff88801e545980: fc 05 fc fc fc fc fa fc fc fc fc 00 fc fc fc fc
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup


* Re: [syzbot] [bluetooth?] KASAN: slab-out-of-bounds Read in create_monitor_event
  2023-10-09 10:29 [syzbot] [bluetooth?] KASAN: slab-out-of-bounds Read in create_monitor_event syzbot
@ 2023-10-09 11:32 ` shaozhengchao
  2023-10-10  5:36 ` [PATCH] Bluetooth: hci_sock: fix slab oob read " Edward AD
  1 sibling, 0 replies; 6+ messages in thread
From: shaozhengchao @ 2023-10-09 11:32 UTC (permalink / raw)
  To: syzbot, davem, edumazet, johan.hedberg, kuba, linux-bluetooth,
	linux-kernel, luiz.dentz, luiz.von.dentz, marcel, netdev, pabeni,
	syzkaller-bugs



On 2023/10/9 18:29, syzbot wrote:
> [...]
The size of the member name in struct hci_mon_new_index is fixed at 8
bytes. The size of the member name in struct hci_dev is not fixed. When
the size of the member name in struct hci_dev is less than 8 bytes, an
out-of-bounds read will occur.

It seems that the member name in struct hci_mon_new_index is no longer
used and can be removed directly.

Zhengchao Shao


* [PATCH] Bluetooth: hci_sock: fix slab oob read in create_monitor_event
  2023-10-09 10:29 [syzbot] [bluetooth?] KASAN: slab-out-of-bounds Read in create_monitor_event syzbot
  2023-10-09 11:32 ` shaozhengchao
@ 2023-10-10  5:36 ` Edward AD
  2023-10-10  6:43   ` bluez.test.bot
                     ` (2 more replies)
  1 sibling, 3 replies; 6+ messages in thread
From: Edward AD @ 2023-10-10  5:36 UTC (permalink / raw)
  To: syzbot+c90849c50ed209d77689
  Cc: davem, edumazet, johan.hedberg, kuba, linux-bluetooth,
	linux-kernel, luiz.dentz, luiz.von.dentz, marcel, netdev, pabeni,
	syzkaller-bugs

When accessing hdev->name, the actual string length should prevail

Reported-by: syzbot+c90849c50ed209d77689@syzkaller.appspotmail.com
Fixes: dcda165706b9 ("Bluetooth: hci_core: Fix build warnings")
Signed-off-by: Edward AD <twuufnxlz@gmail.com>
---
 net/bluetooth/hci_sock.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index 5e4f718073b7..72abe54c45dd 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -488,7 +488,7 @@ static struct sk_buff *create_monitor_event(struct hci_dev *hdev, int event)
 		ni->type = hdev->dev_type;
 		ni->bus = hdev->bus;
 		bacpy(&ni->bdaddr, &hdev->bdaddr);
-		memcpy(ni->name, hdev->name, 8);
+		memcpy(ni->name, hdev->name, strlen(hdev->name));
 
 		opcode = cpu_to_le16(HCI_MON_NEW_INDEX);
 		break;
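Review bot: the replacement `memcpy(ni->name, hdev->name, strlen(hdev->name));` is not bounded by the 8-byte destination, so a name longer than 8 bytes now overruns ni->name instead of over-reading hdev->name, and for a name shorter than 8 bytes the remaining bytes of ni->name are never written, so the event carries whatever the buffer already held. Use a copy that bounds the read by the terminator and the write by the field and zero-fills the rest, e.g. `strtomem_pad(ni->name, hdev->name, 0);` with the field marked __nonstring, or clamp the length to sizeof(ni->name) and memset the tail. The commit message should also carry a `Closes:` line with the dashboard link right after `Reported-by:`, which checkpatch flags.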
-- 
2.25.1



* RE: Bluetooth: hci_sock: fix slab oob read in create_monitor_event
  2023-10-10  5:36 ` [PATCH] Bluetooth: hci_sock: fix slab oob read " Edward AD
@ 2023-10-10  6:43   ` bluez.test.bot
  2023-10-10 18:40   ` [PATCH] " patchwork-bot+bluetooth
  2023-10-11 16:20   ` Kees Cook
  2 siblings, 0 replies; 6+ messages in thread
From: bluez.test.bot @ 2023-10-10  6:43 UTC (permalink / raw)
  To: linux-bluetooth, twuufnxlz


This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=791644

---Test result---

Test Summary:
CheckPatch                    FAIL      1.00 seconds
GitLint                       PASS      0.28 seconds
SubjectPrefix                 PASS      0.08 seconds
BuildKernel                   PASS      39.81 seconds
CheckAllWarning               PASS      43.46 seconds
CheckSparse                   PASS      49.12 seconds
CheckSmatch                   PASS      132.50 seconds
BuildKernel32                 PASS      38.56 seconds
TestRunnerSetup               PASS      589.07 seconds
TestRunner_l2cap-tester       PASS      35.77 seconds
TestRunner_iso-tester         PASS      79.65 seconds
TestRunner_bnep-tester        PASS      12.49 seconds
TestRunner_mgmt-tester        FAIL      256.84 seconds
TestRunner_rfcomm-tester      PASS      19.08 seconds
TestRunner_sco-tester         PASS      22.05 seconds
TestRunner_ioctl-tester       PASS      21.62 seconds
TestRunner_mesh-tester        PASS      16.19 seconds
TestRunner_smp-tester         PASS      16.90 seconds
TestRunner_userchan-tester    PASS      13.17 seconds
IncrementalBuild              PASS      36.19 seconds

Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
Bluetooth: hci_sock: fix slab oob read in create_monitor_event
WARNING: Reported-by: should be immediately followed by Closes: with a URL to the report
#89: 
Reported-by: syzbot+c90849c50ed209d77689@syzkaller.appspotmail.com
Fixes: dcda165706b9 ("Bluetooth: hci_core: Fix build warnings")

total: 0 errors, 1 warnings, 0 checks, 8 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

/github/workspace/src/src/13414808.patch has style problems, please review.

NOTE: Ignored message types: UNKNOWN_COMMIT_ID

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.


##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 497, Passed: 496 (99.8%), Failed: 1, Not Run: 0

Failed Test Cases
LL Privacy - Add Device 7 (AL is full)               Failed       0.512 seconds


---
Regards,
Linux Bluetooth



* Re: [PATCH] Bluetooth: hci_sock: fix slab oob read in create_monitor_event
  2023-10-10  5:36 ` [PATCH] Bluetooth: hci_sock: fix slab oob read " Edward AD
  2023-10-10  6:43   ` bluez.test.bot
@ 2023-10-10 18:40   ` patchwork-bot+bluetooth
  2023-10-11 16:20   ` Kees Cook
  2 siblings, 0 replies; 6+ messages in thread
From: patchwork-bot+bluetooth @ 2023-10-10 18:40 UTC (permalink / raw)
  To: Edward AD
  Cc: syzbot+c90849c50ed209d77689, davem, edumazet, johan.hedberg, kuba,
	linux-bluetooth, linux-kernel, luiz.dentz, luiz.von.dentz, marcel,
	netdev, pabeni, syzkaller-bugs

Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Tue, 10 Oct 2023 13:36:57 +0800 you wrote:
> When accessing hdev->name, the actual string length should prevail
> 
> Reported-by: syzbot+c90849c50ed209d77689@syzkaller.appspotmail.com
> Fixes: dcda165706b9 ("Bluetooth: hci_core: Fix build warnings")
> Signed-off-by: Edward AD <twuufnxlz@gmail.com>
> ---
>  net/bluetooth/hci_sock.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Here is the summary with links:
  - Bluetooth: hci_sock: fix slab oob read in create_monitor_event
    https://git.kernel.org/bluetooth/bluetooth-next/c/78480de55a96

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html




* Re: [PATCH] Bluetooth: hci_sock: fix slab oob read in create_monitor_event
  2023-10-10  5:36 ` [PATCH] Bluetooth: hci_sock: fix slab oob read " Edward AD
  2023-10-10  6:43   ` bluez.test.bot
  2023-10-10 18:40   ` [PATCH] " patchwork-bot+bluetooth
@ 2023-10-11 16:20   ` Kees Cook
  2 siblings, 0 replies; 6+ messages in thread
From: Kees Cook @ 2023-10-11 16:20 UTC (permalink / raw)
  To: Edward AD
  Cc: syzbot+c90849c50ed209d77689, davem, edumazet, johan.hedberg, kuba,
	linux-bluetooth, linux-kernel, luiz.dentz, luiz.von.dentz, marcel,
	netdev, pabeni, syzkaller-bugs

On Tue, Oct 10, 2023 at 01:36:57PM +0800, Edward AD wrote:
> When accessing hdev->name, the actual string length should prevail
> 
> Reported-by: syzbot+c90849c50ed209d77689@syzkaller.appspotmail.com
> Fixes: dcda165706b9 ("Bluetooth: hci_core: Fix build warnings")
> Signed-off-by: Edward AD <twuufnxlz@gmail.com>
> ---
>  net/bluetooth/hci_sock.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
> index 5e4f718073b7..72abe54c45dd 100644
> --- a/net/bluetooth/hci_sock.c
> +++ b/net/bluetooth/hci_sock.c
> @@ -488,7 +488,7 @@ static struct sk_buff *create_monitor_event(struct hci_dev *hdev, int event)
>  		ni->type = hdev->dev_type;
>  		ni->bus = hdev->bus;
>  		bacpy(&ni->bdaddr, &hdev->bdaddr);
> -		memcpy(ni->name, hdev->name, 8);
> +		memcpy(ni->name, hdev->name, strlen(hdev->name));

Uh, what's going on here?

hdev is:

struct hci_dev {
	...
        const char      *name;

ni is:

struct hci_mon_new_index {
        char            name[8];

You can't use "strlen" here in the case that "hdev->name" is larger than
8 bytes.

Also, why memcpy() and not strscpy()? Is this supposed to be padded out
with %NUL bytes? It appears to be sent over the network, so "yes" seems
to be the safe answer.

Should ni->name be always %NUL terminated? That I can't tell for sure,
but I assume "no", because the solution was to explicitly copy all the
bytes _except_ the %NUL byte (using strlen).

struct hci_mon_new_index's "name" should be marked __nonstring, and
strtomem_pad() should be used instead of memcpy.

-Kees

>  
>  		opcode = cpu_to_le16(HCI_MON_NEW_INDEX);
>  		break;
> -- 
> 2.25.1
> 

-- 
Kees Cook
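The field mismatch Zhengchao describes (a heap-allocated, variable-length hdev->name copied into a fixed 8-byte, not NUL-terminated monitor field) and the bounded, padded copy Kees asks for, as an added userspace model that is not kernel code and not from this thread. The struct layout, audit_copy, bounded_len (a stand-in for strnlen) and copy_name_padded (a stand-in for strtomem_pad) are assumptions chosen to mirror the two fields shown in the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Modelled on the thread: hdev->name is now a heap C string (strlen + 1 bytes),
 * while the monitor event still carries a fixed 8-byte name that need not be
 * NUL-terminated (what __nonstring annotates in the kernel). Userspace model only. */
#define MON_NAME_LEN 8

struct mon_new_index {
    uint8_t type;
    uint8_t bus;
    uint8_t bdaddr[6];
    char    name[MON_NAME_LEN];
};

enum copy_problem {
    READ_OOB   = 1,  /* source read runs past the heap allocation (the KASAN report) */
    WRITE_OOB  = 2,  /* destination write runs past the 8-byte field */
    STALE_TAIL = 4,  /* part of the field is never written and carries leftover bytes */
};

/* Audit one copy into ni->name. alloc_len is the source allocation in bytes
 * (strlen + 1 for a heap string); read_len/write_len are what the copy touches
 * on each side. Returns a bitmask of enum copy_problem, 0 when the copy is clean. */
unsigned audit_copy(size_t alloc_len, size_t read_len, size_t write_len)
{
    unsigned flags = 0;

    if (read_len > alloc_len)
        flags |= READ_OOB;
    if (write_len > MON_NAME_LEN)
        flags |= WRITE_OOB;
    if (write_len < MON_NAME_LEN)
        flags |= STALE_TAIL;
    return flags;
}

/* Length of s, scanning at most max bytes (strnlen stand-in, spelled out so the
 * read bound is explicit): never touches a byte past the terminator or past max. */
size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;

    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* strtomem_pad(ni->name, hdev->name, 0) stand-in: read no further than the
 * terminator or 8 bytes, copy that much, zero-fill the rest of the field.
 * Returns the number of name bytes copied. */
size_t copy_name_padded(char dst[MON_NAME_LEN], const char *src)
{
    size_t n = bounded_len(src, MON_NAME_LEN);

    memcpy(dst, src, n);
    memset(dst + n, 0, MON_NAME_LEN - n);
    return n;
}

/* Fill an event whose memory starts out holding leftover bytes (0xAA) and check
 * that the name field is byte-for-byte what a receiver should see (expected8 is
 * compared for exactly 8 bytes). Returns 1 on match, 0 otherwise. */
int padded_copy_matches(const char *src, const char *expected8)
{
    struct mon_new_index ni;

    memset(&ni, 0xAA, sizeof(ni));   /* pretend the event buffer was not zeroed */
    copy_name_padded(ni.name, src);
    return memcmp(ni.name, expected8, MON_NAME_LEN) == 0;
}

int main(void)
{
    const char *name = "hci0";                      /* constructed: 5-byte allocation */
    size_t alloc = strlen(name) + 1;

    printf("memcpy(..., 8)            -> problems 0x%x\n", audit_copy(alloc, 8, 8));
    printf("memcpy(..., strlen(name)) -> problems 0x%x\n",
           audit_copy(alloc, strlen(name), strlen(name)));
    printf("padded bounded copy       -> problems 0x%x\n",
           audit_copy(alloc, bounded_len(name, MON_NAME_LEN), MON_NAME_LEN));
    return 0;
}
```

The first two audits reproduce the original over-read and the patch's unwritten tail; try a name longer than 8 characters to see the patch's copy flip to WRITE_OOB while the padded copy stays clean.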

