[PATCH v4] Bluetooth: btmtk: Fix null pointer when processing coredump

[PATCH v4] Bluetooth: btmtk: Fix null pointer when processing coredump

[Chris Lu]

There may be a potential null pointer risk if offset value is
less than 0 when doing memcmp in btmtk_process_coredump().
Check offset is valid before doing memcmp.

Signed-off-by: Chris Lu <chris.lu@mediatek.com>
Co-developed-by: Sean Wang <sean.wang@mediatek.com>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
---
v2: fix typo
v3: fix bot checking error
v4: reduce variable 'offset' declaration in v3
---
 drivers/bluetooth/btmtk.c | 12 ++++++------
 drivers/bluetooth/btmtk.h |  1 +
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c
index 786f775196ae..9cc789272ab7 100644
--- a/drivers/bluetooth/btmtk.c
+++ b/drivers/bluetooth/btmtk.c
@@ -395,12 +395,12 @@ int btmtk_process_coredump(struct hci_dev *hdev, struct sk_buff *skb)
 
 		/* Mediatek coredump data would be more than MTK_COREDUMP_NUM */
 		if (data->cd_info.cnt > MTK_COREDUMP_NUM &&
-		    skb->len > sizeof(MTK_COREDUMP_END) &&
-		    !memcmp((char *)&skb->data[skb->len - sizeof(MTK_COREDUMP_END)],
-			    MTK_COREDUMP_END, sizeof(MTK_COREDUMP_END) - 1)) {
-			bt_dev_info(hdev, "Mediatek coredump end");
-			hci_devcd_complete(hdev);
-		}
+		    skb->len > MTK_COREDUMP_END_LEN)
+			if (!memcmp((char *)&skb->data[skb->len - MTK_COREDUMP_END_LEN],
+			    MTK_COREDUMP_END, MTK_COREDUMP_END_LEN - 1)) {
+				bt_dev_info(hdev, "Mediatek coredump end");
+				hci_devcd_complete(hdev);
+			}
 
 		break;
 	}
diff --git a/drivers/bluetooth/btmtk.h b/drivers/bluetooth/btmtk.h
index 68309dfe076a..56f5502baadf 100644
--- a/drivers/bluetooth/btmtk.h
+++ b/drivers/bluetooth/btmtk.h
@@ -24,6 +24,7 @@
 
 #define MTK_COREDUMP_SIZE		(1024 * 1000)
 #define MTK_COREDUMP_END		"coredump end"
+#define MTK_COREDUMP_END_LEN		(sizeof(MTK_COREDUMP_END))
 #define MTK_COREDUMP_NUM		255
 
 enum {
-- 
2.18.0

RE: [v4] Bluetooth: btmtk: Fix null pointer when processing coredump

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 1427 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=764864

---Test result---

Test Summary:
CheckPatch                    PASS      0.76 seconds
GitLint                       PASS      0.28 seconds
SubjectPrefix                 PASS      0.10 seconds
BuildKernel                   PASS      32.72 seconds
CheckAllWarning               PASS      35.67 seconds
CheckSparse                   PASS      40.50 seconds
CheckSmatch                   PASS      113.44 seconds
BuildKernel32                 PASS      31.76 seconds
TestRunnerSetup               PASS      477.48 seconds
TestRunner_l2cap-tester       PASS      22.23 seconds
TestRunner_iso-tester         PASS      39.87 seconds
TestRunner_bnep-tester        PASS      10.26 seconds
TestRunner_mgmt-tester        PASS      212.08 seconds
TestRunner_rfcomm-tester      PASS      15.16 seconds
TestRunner_sco-tester         PASS      15.95 seconds
TestRunner_ioctl-tester       PASS      17.20 seconds
TestRunner_mesh-tester        PASS      12.71 seconds
TestRunner_smp-tester         PASS      13.75 seconds
TestRunner_userchan-tester    PASS      10.54 seconds
IncrementalBuild              PASS      29.52 seconds



---
Regards,
Linux Bluetooth

Re: [PATCH v4] Bluetooth: btmtk: Fix null pointer when processing coredump

[Luiz Augusto von Dentz]

Hi Chris,

On Wed, Jul 12, 2023 at 6:03 AM Chris Lu <chris.lu@mediatek.com> wrote:
>
> There may be a potential null pointer risk if offset value is
> less than 0 when doing memcmp in btmtk_process_coredump().
> Check offset is valid before doing memcmp.
>
> Signed-off-by: Chris Lu <chris.lu@mediatek.com>
> Co-developed-by: Sean Wang <sean.wang@mediatek.com>
> Signed-off-by: Sean Wang <sean.wang@mediatek.com>

You should probably include the Fixes tag of the patch that introduced
the problem.

> ---
> v2: fix typo
> v3: fix bot checking error
> v4: reduce variable 'offset' declaration in v3
> ---
>  drivers/bluetooth/btmtk.c | 12 ++++++------
>  drivers/bluetooth/btmtk.h |  1 +
>  2 files changed, 7 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c
> index 786f775196ae..9cc789272ab7 100644
> --- a/drivers/bluetooth/btmtk.c
> +++ b/drivers/bluetooth/btmtk.c
> @@ -395,12 +395,12 @@ int btmtk_process_coredump(struct hci_dev *hdev, struct sk_buff *skb)
>
>                 /* Mediatek coredump data would be more than MTK_COREDUMP_NUM */
>                 if (data->cd_info.cnt > MTK_COREDUMP_NUM &&
> -                   skb->len > sizeof(MTK_COREDUMP_END) &&
> -                   !memcmp((char *)&skb->data[skb->len - sizeof(MTK_COREDUMP_END)],
> -                           MTK_COREDUMP_END, sizeof(MTK_COREDUMP_END) - 1)) {
> -                       bt_dev_info(hdev, "Mediatek coredump end");
> -                       hci_devcd_complete(hdev);
> -               }
> +                   skb->len > MTK_COREDUMP_END_LEN)
> +                       if (!memcmp((char *)&skb->data[skb->len - MTK_COREDUMP_END_LEN],
> +                           MTK_COREDUMP_END, MTK_COREDUMP_END_LEN - 1)) {
> +                               bt_dev_info(hdev, "Mediatek coredump end");
> +                               hci_devcd_complete(hdev);
> +                       }
>
>                 break;
>         }
> diff --git a/drivers/bluetooth/btmtk.h b/drivers/bluetooth/btmtk.h
> index 68309dfe076a..56f5502baadf 100644
> --- a/drivers/bluetooth/btmtk.h
> +++ b/drivers/bluetooth/btmtk.h
> @@ -24,6 +24,7 @@
>
>  #define MTK_COREDUMP_SIZE              (1024 * 1000)
>  #define MTK_COREDUMP_END               "coredump end"
> +#define MTK_COREDUMP_END_LEN           (sizeof(MTK_COREDUMP_END))
>  #define MTK_COREDUMP_NUM               255
>
>  enum {
> --
> 2.18.0
>


-- 
Luiz Augusto von Dentz

Re: [PATCH v4] Bluetooth: btmtk: Fix null pointer when processing coredump

[Chris Lu (陸稚泓)]

On Wed, 2023-07-12 at 13:29 -0700, Luiz Augusto von Dentz wrote:
>  	 
> External email : Please do not click links or open attachments until
> you have verified the sender or the content.
>  Hi Chris,
> 
> On Wed, Jul 12, 2023 at 6:03 AM Chris Lu <chris.lu@mediatek.com>
> wrote:
> >
> > There may be a potential null pointer risk if offset value is
> > less than 0 when doing memcmp in btmtk_process_coredump().
> > Check offset is valid before doing memcmp.
> >
> > Signed-off-by: Chris Lu <chris.lu@mediatek.com>
> > Co-developed-by: Sean Wang <sean.wang@mediatek.com>
> > Signed-off-by: Sean Wang <sean.wang@mediatek.com>
> 
> You should probably include the Fixes tag of the patch that
> introduced
> the problem.
> 
Hi Luiz,

Thanks for reminding, I'll update Bug ad fixs info in commit message
and send the v5 patch.

BRs,
Chris

> > ---
> > v2: fix typo
> > v3: fix bot checking error
> > v4: reduce variable 'offset' declaration in v3
> > ---
> >  drivers/bluetooth/btmtk.c | 12 ++++++------
> >  drivers/bluetooth/btmtk.h |  1 +
> >  2 files changed, 7 insertions(+), 6 deletions(-)
> >
> > diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c
> > index 786f775196ae..9cc789272ab7 100644
> > --- a/drivers/bluetooth/btmtk.c
> > +++ b/drivers/bluetooth/btmtk.c
> > @@ -395,12 +395,12 @@ int btmtk_process_coredump(struct hci_dev
> *hdev, struct sk_buff *skb)
> >
> >                 /* Mediatek coredump data would be more than
> MTK_COREDUMP_NUM */
> >                 if (data->cd_info.cnt > MTK_COREDUMP_NUM &&
> > -                   skb->len > sizeof(MTK_COREDUMP_END) &&
> > -                   !memcmp((char *)&skb->data[skb->len -
> sizeof(MTK_COREDUMP_END)],
> > -                           MTK_COREDUMP_END,
> sizeof(MTK_COREDUMP_END) - 1)) {
> > -                       bt_dev_info(hdev, "Mediatek coredump end");
> > -                       hci_devcd_complete(hdev);
> > -               }
> > +                   skb->len > MTK_COREDUMP_END_LEN)
> > +                       if (!memcmp((char *)&skb->data[skb->len -
> MTK_COREDUMP_END_LEN],
> > +                           MTK_COREDUMP_END, MTK_COREDUMP_END_LEN
> - 1)) {
> > +                               bt_dev_info(hdev, "Mediatek
> coredump end");
> > +                               hci_devcd_complete(hdev);
> > +                       }
> >
> >                 break;
> >         }
> > diff --git a/drivers/bluetooth/btmtk.h b/drivers/bluetooth/btmtk.h
> > index 68309dfe076a..56f5502baadf 100644
> > --- a/drivers/bluetooth/btmtk.h
> > +++ b/drivers/bluetooth/btmtk.h
> > @@ -24,6 +24,7 @@
> >
> >  #define MTK_COREDUMP_SIZE              (1024 * 1000)
> >  #define MTK_COREDUMP_END               "coredump end"
> > +#define MTK_COREDUMP_END_LEN           (sizeof(MTK_COREDUMP_END))
> >  #define MTK_COREDUMP_NUM               255
> >
> >  enum {
> > --
> > 2.18.0
> >
> 
> 
> -- 
> Luiz Augusto von Dentz