| Message ID | tencent_D423A78448F764177A26CAB3716365096705@qq.com (mailing list archive) |
|---|---|
| State | Rejected |
| Headers | show |
| Series | Bluetooth: fix oob in sco_sock_setsockopt | expand |
| Context | Check | Description |
|---|---|---|
| tedd_an/pre-ci_am | fail | error: patch failed: net/bluetooth/sco.c:890 error: net/bluetooth/sco.c: patch does not apply hint: Use 'git am --show-current-patch' to see the failed patch |
Hi Edward, On Tue, Apr 9, 2024 at 9:49 AM Edward Adam Davis <eadavis@qq.com> wrote: > > If optlen < sizeof(u32) it will trigger oob, so take the min of them. > > Reported-by: syzbot+b71011ec0a23f4d15625@syzkaller.appspotmail.com > Signed-off-by: Edward Adam Davis <eadavis@qq.com> > --- > net/bluetooth/sco.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c > index 43daf965a01e..815646d9e72b 100644 > --- a/net/bluetooth/sco.c > +++ b/net/bluetooth/sco.c > @@ -890,7 +890,7 @@ static int sco_sock_setsockopt(struct socket *sock, int level, int optname, > break; > > case BT_PKT_STATUS: > - if (copy_from_sockptr(&opt, optval, sizeof(u32))) { > + if (copy_from_sockptr(&opt, optval, min_t(int, sizeof(u32), optlen))) { > err = -EFAULT; > break; > } > -- > 2.43.0 https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=289bfd91fcf22f7864f3817acff5d8ce9fe73307
This is an automated email and please do not reply to this email. Dear Submitter, Thank you for submitting the patches to the linux bluetooth mailing list. While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository. ----- Output ----- error: patch failed: net/bluetooth/sco.c:890 error: net/bluetooth/sco.c: patch does not apply hint: Use 'git am --show-current-patch' to see the failed patch Please resolve the issue and submit the patches again. --- Regards, Linux Bluetooth
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c index 43daf965a01e..815646d9e72b 100644 --- a/net/bluetooth/sco.c +++ b/net/bluetooth/sco.c @@ -890,7 +890,7 @@ static int sco_sock_setsockopt(struct socket *sock, int level, int optname, break; case BT_PKT_STATUS: - if (copy_from_sockptr(&opt, optval, sizeof(u32))) { + if (copy_from_sockptr(&opt, optval, min_t(int, sizeof(u32), optlen))) { err = -EFAULT; break; }
If optlen < sizeof(u32) it will trigger oob, so take the min of them. Reported-by: syzbot+b71011ec0a23f4d15625@syzkaller.appspotmail.com Signed-off-by: Edward Adam Davis <eadavis@qq.com> --- net/bluetooth/sco.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)