* [Bug 218880] New: HCI_EVT Packet 'Flush Occurred' Misalignment
From: bugzilla-daemon @ 2024-05-24 8:43 UTC (permalink / raw)
To: linux-bluetooth
https://bugzilla.kernel.org/show_bug.cgi?id=218880
Bug ID: 218880
Summary: HCI_EVT Packet 'Flush Occurred' Misalignment
Product: Drivers
Version: 2.5
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P3
Component: Bluetooth
Assignee: linux-bluetooth@vger.kernel.org
Reporter: yuxuanhu@buaa.edu.cn
Regression: No
Hi All,
Our fuzzing tool found a possible bug when testing Bluetooth RFCOMM connection:
(1) A 'Flush Occurred' HCI_EVT packet with incorrect 'parameter_total_length'
field and parameters was maliciously sent to the host (hexadecimal content: '11
3D C4 02 62 D1').
(2) Because 'hci_ev_table' (/net/bluetooth/hci_event.c: 7514) does not include
the 'Flush Occurred' event, the function hci_event_func (/net/bluetooth/hci_event.c:
7644) doesn't check the 'parameter_total_length' field of this packet.
(3) When the controller transmits additional HCI packets to the host, these
packets are concatenated to the previously mentioned Flush Occurred packet.
This results in the packets being disregarded by the host.
Attachment 1 is Kernel Log, which includes the printed HCI packet interactions
between the host and controller. All HCI packets following the line mentioned
below are ignored by the host:
'''
[ 1555.520646] <- [EVT] 11 3D C4 02 62 D1
'''
Attachment 2 contains packet captures from tshark.
It remains unclear whether this behavior constitutes a bug or a feature. We
apologize if this inquiry causes any offense.
Thank you very much for taking the time to read.
Best regards,
Yuxuan Hu.
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are the assignee for the bug.
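
The kind of length validation the report describes as missing for 'Flush Occurred', as an added user-space example (not kernel code and not part of the original report). The function names, the status enum and the small table of fixed parameter sizes are assumptions of this example; the sizes follow the HCI event definitions in the Bluetooth Core Specification, and the trailing Hardware Error event in the sample stream is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HCI_EVT_HDR_SIZE ((size_t)2) /* event code + parameter_total_length */

enum evt_status { EVT_OK, EVT_TRUNCATED, EVT_LEN_MISMATCH, EVT_BAD_FIXED_LEN };

/* Bytes from the report, followed by a constructed Hardware Error event. */
static const uint8_t sample_stream[] = {
    0x11, 0x3D, 0xC4, 0x02, 0x62, 0xD1, /* 'Flush Occurred', declared length 0x3D */
    0x10, 0x01, 0x00                    /* constructed: Hardware Error, 1 parameter byte */
};

/* Fixed parameter sizes for a few events (hypothetical table for this example,
 * not the kernel's hci_ev_table). */
static int fixed_param_len(uint8_t evt)
{
    switch (evt) {
    case 0x05: return 4;  /* Disconnection Complete: status, handle, reason */
    case 0x10: return 1;  /* Hardware Error: hardware code */
    case 0x11: return 2;  /* Flush Occurred: connection handle */
    default:   return -1; /* unknown or variable length: header check only */
    }
}

/* Validate one event packet delivered by the transport as buf[0..len). */
enum evt_status hci_evt_check(const uint8_t *buf, size_t len)
{
    if (len < HCI_EVT_HDR_SIZE)
        return EVT_TRUNCATED;
    uint8_t plen = buf[1];
    int want = fixed_param_len(buf[0]);
    if (want >= 0 && plen != want)
        return EVT_BAD_FIXED_LEN;   /* declared length contradicts the event type */
    if ((size_t)plen != len - HCI_EVT_HDR_SIZE)
        return EVT_LEN_MISMATCH;    /* declared length contradicts the bytes received */
    return EVT_OK;
}

/* Bytes a framer that trusts parameter_total_length would consume (assumed model). */
size_t hci_evt_framed_size(const uint8_t *buf, size_t len)
{
    return len < HCI_EVT_HDR_SIZE ? 0 : HCI_EVT_HDR_SIZE + buf[1];
}

int main(void)
{
    printf("status=%d, framer wants %zu of %zu bytes\n", hci_evt_check(sample_stream, 6),
           hci_evt_framed_size(sample_stream, 6), sizeof(sample_stream));
    return 0;
}
```

With the reported bytes the declared length (0x3D) asks for more data than the whole sample stream holds, which is how following packets end up absorbed into the malformed one.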
* [Bug 218880] HCI_EVT Packet 'Flush Occurred' Misalignment
From: bugzilla-daemon @ 2024-05-24 8:44 UTC (permalink / raw)
To: linux-bluetooth
https://bugzilla.kernel.org/show_bug.cgi?id=218880
Yuxuan Hu (yuxuanhu@buaa.edu.cn) changed:
What           |Removed |Added
----------------------------------------------------------------------------
CC             |        |johan.hedberg@gmail.com,
               |        |yuxuanhu@buaa.edu.cn
Kernel Version |        |6.7.9
* [Bug 218880] HCI_EVT Packet 'Flush Occurred' Misalignment
From: bugzilla-daemon @ 2024-05-24 8:45 UTC (permalink / raw)
To: linux-bluetooth
https://bugzilla.kernel.org/show_bug.cgi?id=218880
Yuxuan Hu (yuxuanhu@buaa.edu.cn) changed:
What |Removed |Added
----------------------------------------------------------------------------
CC   |        |linux-bluetooth@vger.kernel.org
* [Bug 218880] HCI_EVT Packet 'Flush Occurred' Misalignment
From: bugzilla-daemon @ 2024-05-24 8:48 UTC (permalink / raw)
To: linux-bluetooth
https://bugzilla.kernel.org/show_bug.cgi?id=218880
--- Comment #1 from Yuxuan Hu (yuxuanhu@buaa.edu.cn) ---
Created attachment 306328
--> https://bugzilla.kernel.org/attachment.cgi?id=306328&action=edit
Kernel Log including HCI packets
* [Bug 218880] HCI_EVT Packet 'Flush Occurred' Misalignment
From: bugzilla-daemon @ 2024-05-24 8:48 UTC (permalink / raw)
To: linux-bluetooth
https://bugzilla.kernel.org/show_bug.cgi?id=218880
--- Comment #2 from Yuxuan Hu (yuxuanhu@buaa.edu.cn) ---
Created attachment 306329
--> https://bugzilla.kernel.org/attachment.cgi?id=306329&action=edit
TShark pcap file