Subject: Fw: [Bug 219142] New: Potential Null Pointer Dereference in pair_device() in mgmt.c
From: Stephen Hemminger @ 2024-08-09 15:16 UTC
To: Marcel Holtmann, Luiz Augusto von Dentz; +Cc: linux-bluetooth
Network bugzilla bugs get routed to me and I forward them to the mailing list.
Begin forwarded message:
Date: Fri, 09 Aug 2024 07:10:04 +0000
From: bugzilla-daemon@kernel.org
To: stephen@networkplumber.org
Subject: [Bug 219142] New: Potential Null Pointer Dereference in pair_device() in mgmt.c
https://bugzilla.kernel.org/show_bug.cgi?id=219142
Bug ID: 219142
Summary: Potential Null Pointer Dereference in pair_device() in mgmt.c
Product: Networking
Version: 2.5
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P3
Component: Other
Assignee: stephen@networkplumber.org
Reporter: yiweiz.evie@gmail.com
Regression: No
The details of the bug are as follows:
1. Affected Components
Function: linux/net/bluetooth/hci_core.c hci_conn_params_add
Function: linux/net/bluetooth/mgmt.c pair_device
Module: Bluetooth connection parameter management
Code: https://github.com/torvalds/linux/tree/master
Version: the newest version v6.11-rc1
2. Description
The hci_conn_params_add function is responsible for adding connection
parameters for a Bluetooth device. It first attempts to look up existing
parameters using hci_conn_params_lookup. If no existing parameters are found,
it allocates a new structure using kzalloc, which will return NULL if the
allocation fails.
However, the pair_device function, which calls hci_conn_params_add, does not
properly handle the case where hci_conn_params_add returns NULL, indicating a
failure to allocate memory. The immediate dereference of the returned pointer p
without checking for NULL can lead to a null pointer dereference, causing the
program to crash.
3. Technical Details
struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev,
					    bdaddr_t *addr, u8 addr_type)
{
	struct hci_conn_params *params;

	params = hci_conn_params_lookup(hdev, addr, addr_type);
	if (params)
		return params;

	params = kzalloc(sizeof(*params), GFP_KERNEL);
	if (!params) {
		bt_dev_err(hdev, "out of memory");
		return NULL; // [BUG] return here
	}

	bacpy(&params->addr, addr);
	params->addr_type = addr_type;

	list_add(&params->list, &hdev->le_conn_params);
	INIT_LIST_HEAD(&params->action);

	params->conn_min_interval = hdev->le_conn_min_interval;
	params->conn_max_interval = hdev->le_conn_max_interval;
	params->conn_latency = hdev->le_conn_latency;
	params->supervision_timeout = hdev->le_supv_timeout;
	params->auto_connect = HCI_AUTO_CONN_DISABLED;

	BT_DBG("addr %pMR (type %u)", addr, addr_type);

	return params;
}

static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
		       u16 len)
{
	...
	p = hci_conn_params_add(hdev, &cp->addr.bdaddr, addr_type); // [BUG] p is NULL
	if (p->auto_connect == HCI_AUTO_CONN_EXPLICIT) // [BUG] NULL POINTER DEREFERENCE
		p->auto_connect = HCI_AUTO_CONN_DISABLED;
	...
}
Vulnerable Code Stack:
pair_device calls hci_conn_params_add at line 3458 in linux/net/bluetooth/mgmt.c
hci_conn_params_add is called and may return NULL if memory allocation fails at line 2280 in linux/net/bluetooth/hci_core.c
pair_device does not check if p is NULL before accessing p->auto_connect at line 3460 in linux/net/bluetooth/mgmt.c
4. Potential Impact
Denial of Service (DoS): If the system encounters this null pointer dereference
during runtime, it could crash, leading to a denial of service.
Security Concerns: While the primary issue appears to be a potential crash,
depending on the context and how the function is used, there may be other
security implications such as unintended code execution or information leakage.
5. Exploitation
For an attacker to exploit this vulnerability, they would need to:
Trigger a condition where hci_conn_params_add returns NULL (such as exhausting
system memory).
Ensure that the pair_device function is subsequently called with the NULL
pointer, causing the null pointer dereference.
6. Mitigation and Recommendations
Null Pointer Check: Add a null pointer check after the call to
hci_conn_params_add in the pair_device function. Ensure that the function
gracefully handles the NULL case, possibly by returning an error code or taking
other corrective actions.
Example:
	p = hci_conn_params_add(hdev, &cp->addr.bdaddr, addr_type);
	if (!p) {
		bt_dev_err(hdev, "Failed to add connection params");
		return -ENOMEM;
	}
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are the assignee for the bug.
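Added example, not code from the bug report or from the kernel: a user-space mock of the two functions above with an injectable allocation failure, showing that the recommended check turns the NULL return of hci_conn_params_add into -ENOMEM instead of a dereference. The struct shapes, the singly linked list in place of list_head, the fail_next_alloc flag and the name pair_device_fixed are all assumptions made for the mock.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
/* Stand-ins for the kernel types in the report (assumed shapes, not the real ones). */
enum { HCI_AUTO_CONN_DISABLED = 0, HCI_AUTO_CONN_EXPLICIT = 5 };
struct hci_conn_params {
	unsigned char addr[6], addr_type, auto_connect;
	struct hci_conn_params *next;   /* singly linked list instead of list_head */
};
/* fail_next_alloc is fault injection: when set, the next allocation returns NULL. */
struct hci_dev { struct hci_conn_params *le_conn_params; int fail_next_alloc; };
static struct hci_conn_params *hci_conn_params_lookup(struct hci_dev *hdev,
				const unsigned char *addr, unsigned char addr_type)
{
	for (struct hci_conn_params *p = hdev->le_conn_params; p; p = p->next)
		if (p->addr_type == addr_type && !memcmp(p->addr, addr, 6))
			return p;
	return NULL;
}

/* Same shape as the kernel function quoted in the report: lookup first, allocate on miss. */
static struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev,
				const unsigned char *addr, unsigned char addr_type)
{
	struct hci_conn_params *params = hci_conn_params_lookup(hdev, addr, addr_type);
	if (params)
		return params;
	/* kzalloc() stand-in; the injected failure is the path the report is about */
	params = hdev->fail_next_alloc ? NULL : calloc(1, sizeof(*params));
	if (!params)
		return NULL;
	memcpy(params->addr, addr, 6);
	params->addr_type = addr_type;
	params->auto_connect = HCI_AUTO_CONN_DISABLED;
	params->next = hdev->le_conn_params;
	hdev->le_conn_params = params;
	return params;
}

/* pair_device() with the recommended check: returns -ENOMEM instead of crashing. */
static int pair_device_fixed(struct hci_dev *hdev, const unsigned char *addr, unsigned char addr_type)
{
	struct hci_conn_params *p = hci_conn_params_add(hdev, addr, addr_type);
	if (!p)
		return -ENOMEM;         /* without this, p->auto_connect dereferences NULL */
	if (p->auto_connect == HCI_AUTO_CONN_EXPLICIT)
		p->auto_connect = HCI_AUTO_CONN_DISABLED;
	return 0;
}
```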
Subject: Re: Fw: [Bug 219142] New: Potential Null Pointer Dereference in pair_device() in mgmt.c
From: Luiz Augusto von Dentz @ 2024-08-09 15:24 UTC
To: Stephen Hemminger; +Cc: Marcel Holtmann, linux-bluetooth
Hi Stephen,
On Fri, Aug 9, 2024 at 11:16 AM Stephen Hemminger
<stephen@networkplumber.org> wrote:
>
> Network bugzilla bugs get routed to me and I forward them to the mailing list.
>
> Begin forwarded message:
>
> Date: Fri, 09 Aug 2024 07:10:04 +0000
> From: bugzilla-daemon@kernel.org
> To: stephen@networkplumber.org
> Subject: [Bug 219142] New: Potential Null Pointer Dereference in pair_device() in mgmt.c
>
>
> https://bugzilla.kernel.org/show_bug.cgi?id=219142
>
> Bug ID: 219142
> Summary: Potential Null Pointer Dereference in pair_device() in mgmt.c
> Product: Networking
> Version: 2.5
> Hardware: All
> OS: Linux
> Status: NEW
> Severity: normal
> Priority: P3
> Component: Other
> Assignee: stephen@networkplumber.org
> Reporter: yiweiz.evie@gmail.com
> Regression: No
>
> The details of the bug are as follows:
>
>
> 1. Affected Components
> Function: linux/net/bluetooth/hci_core.c hci_conn_params_add
> Function: linux/net/bluetooth/mgmt.c pair_device
> Module: Bluetooth connection parameter management
> Code: https://github.com/torvalds/linux/tree/master
>
>
> Version: the newest version v6.11-rc1
>
> 2. Description
> The hci_conn_params_add function is responsible for adding connection
> parameters for a Bluetooth device. It first attempts to look up existing
> parameters using hci_conn_params_lookup. If no existing parameters are found,
> it allocates a new structure using kzalloc, which will return NULL if the
> allocation fails.
> However, the pair_device function, which calls hci_conn_params_add, does not
> properly handle the case where hci_conn_params_add returns NULL, indicating a
> failure to allocate memory. The immediate dereference of the returned pointer p
> without checking for NULL can lead to a null pointer dereference, causing the
> program to crash.
>
> 3. Technical Details
> struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev,
> 					    bdaddr_t *addr, u8 addr_type)
> {
> 	struct hci_conn_params *params;
>
> 	params = hci_conn_params_lookup(hdev, addr, addr_type);
> 	if (params)
> 		return params;
>
> 	params = kzalloc(sizeof(*params), GFP_KERNEL);
> 	if (!params) {
> 		bt_dev_err(hdev, "out of memory");
> 		return NULL; // [BUG] return here
> 	}
>
> 	bacpy(&params->addr, addr);
> 	params->addr_type = addr_type;
>
> 	list_add(&params->list, &hdev->le_conn_params);
> 	INIT_LIST_HEAD(&params->action);
>
> 	params->conn_min_interval = hdev->le_conn_min_interval;
> 	params->conn_max_interval = hdev->le_conn_max_interval;
> 	params->conn_latency = hdev->le_conn_latency;
> 	params->supervision_timeout = hdev->le_supv_timeout;
> 	params->auto_connect = HCI_AUTO_CONN_DISABLED;
>
> 	BT_DBG("addr %pMR (type %u)", addr, addr_type);
>
> 	return params;
> }
>
> static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
> 		       u16 len)
> {
> 	...
> 	p = hci_conn_params_add(hdev, &cp->addr.bdaddr, addr_type); // [BUG] p is NULL
> 	if (p->auto_connect == HCI_AUTO_CONN_EXPLICIT) // [BUG] NULL POINTER DEREFERENCE
> 		p->auto_connect = HCI_AUTO_CONN_DISABLED;
> 	...
> }
>
> Vulnerable Code Stack:
> pair_device calls hci_conn_params_add at line 3458 in linux/net/bluetooth/mgmt.c
> hci_conn_params_add is called and may return NULL if memory allocation fails at line 2280 in linux/net/bluetooth/hci_core.c
> pair_device does not check if p is NULL before accessing p->auto_connect at line 3460 in linux/net/bluetooth/mgmt.c
>
> 4. Potential Impact
> Denial of Service (DoS): If the system encounters this null pointer dereference
> during runtime, it could crash, leading to a denial of service.
> Security Concerns: While the primary issue appears to be a potential crash,
> depending on the context and how the function is used, there may be other
> security implications such as unintended code execution or information leakage.
>
> 5. Exploitation
> For an attacker to exploit this vulnerability, they would need to:
> Trigger a condition where hci_conn_params_add returns NULL (such as exhausting
> system memory).
> Ensure that the pair_device function is subsequently called with the NULL
> pointer, causing the null pointer dereference.
>
> 6. Mitigation and Recommendations
> Null Pointer Check: Add a null pointer check after the call to
> hci_conn_params_add in the pair_device function. Ensure that the function
> gracefully handles the NULL case, possibly by returning an error code or taking
> other corrective actions.
> Example:
> 	p = hci_conn_params_add(hdev, &cp->addr.bdaddr, addr_type);
> 	if (!p) {
> 		bt_dev_err(hdev, "Failed to add connection params");
> 		return -ENOMEM;
> 	}
That sounds like a very trivial fix actually, not sure why the
reporter didn't just send a patch.
> --
> You may reply to this email to add a comment.
>
> You are receiving this mail because:
> You are the assignee for the bug.
--
Luiz Augusto von Dentz