
Bluetooth: ISO: Fix memory corruption

Message ID 20220729181041.1571220-1-luiz.dentz@gmail.com (mailing list archive)
State Accepted
Commit c5d36b8a7dbdcf41da7316252b717c60c409992b

Checks

Context Check Description
tedd_an/pre-ci_am success Success
tedd_an/checkpatch success Checkpatch PASS
tedd_an/gitlint success Gitlint PASS
tedd_an/subjectprefix success PASS
tedd_an/buildkernel success Build Kernel PASS
tedd_an/buildkernel32 success Build Kernel32 PASS
tedd_an/incremental_build success Pass
tedd_an/testrunnersetup success Test Runner Setup PASS
tedd_an/testrunnerl2cap-tester success Total: 40, Passed: 40 (100.0%), Failed: 0, Not Run: 0
tedd_an/testrunnerbnep-tester success Total: 1, Passed: 1 (100.0%), Failed: 0, Not Run: 0
tedd_an/testrunnermgmt-tester success Total: 494, Passed: 494 (100.0%), Failed: 0, Not Run: 0
tedd_an/testrunnerrfcomm-tester success Total: 10, Passed: 10 (100.0%), Failed: 0, Not Run: 0
tedd_an/testrunnersco-tester success Total: 12, Passed: 12 (100.0%), Failed: 0, Not Run: 0
tedd_an/testrunnersmp-tester success Total: 8, Passed: 8 (100.0%), Failed: 0, Not Run: 0
tedd_an/testrunneruserchan-tester success Total: 4, Passed: 4 (100.0%), Failed: 0, Not Run: 0

Commit Message

Luiz Augusto von Dentz July 29, 2022, 6:10 p.m. UTC
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

The following memory corruption can happen since iso_pinfo.base size
did not account for its headers (4 bytes):

net/bluetooth/eir.c
    76          memcpy(&eir[eir_len], data, data_len);
                            ^^^^^^^         ^^^^^^^^
    77          eir_len += data_len;
    78
    79          return eir_len;
    80  }

The "eir" buffer has 252 bytes and data_len is 252 but we do a memcpy()
to &eir[4] so this can corrupt 4 bytes beyond the end of the buffer.

Fixes: f764a6c2c1e4: "Bluetooth: ISO: Add broadcast support"
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 net/bluetooth/iso.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
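
To make the arithmetic in the commit message concrete, here is an added example (not code from the patch or from the kernel tree) of the service-data append with a bounds check in front of the memcpy. It assumes HCI_MAX_PER_AD_LENGTH is 252 as the message implies, that the 4 header bytes are the AD length byte, the AD type byte and a 16-bit UUID, and uses a constructed UUID value 0x1234.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed values (not from the patch): the commit message gives the EIR buffer
 * as 252 bytes and the service-data header as 4 bytes, taken here as AD length
 * byte + AD type byte + 16-bit UUID; 0x16 is the AD type for 16-bit service data. */
#define HCI_MAX_PER_AD_LENGTH   252
#define EIR_SERVICE_DATA        0x16
#define EIR_SERVICE_DATA_LENGTH 4
#define BASE_MAX_LENGTH (HCI_MAX_PER_AD_LENGTH - EIR_SERVICE_DATA_LENGTH)

/* Bounds-checked counterpart of the unchecked memcpy quoted in the commit
 * message: appends only if header + payload fit in eir_size and the AD length
 * byte can express it. Returns the new eir_len, or 0 on rejection. */
size_t eir_append_service_data_checked(uint8_t *eir, size_t eir_size, size_t eir_len,
                                       uint16_t uuid, const uint8_t *data, size_t data_len)
{
    size_t need = EIR_SERVICE_DATA_LENGTH + data_len;

    if (eir_len > eir_size || need > eir_size - eir_len || need - 1 > 0xff)
        return 0;
    eir[eir_len++] = (uint8_t)(need - 1);      /* AD length excludes itself */
    eir[eir_len++] = EIR_SERVICE_DATA;
    eir[eir_len++] = (uint8_t)(uuid & 0xff);   /* UUID little-endian */
    eir[eir_len++] = (uint8_t)(uuid >> 8);
    memcpy(&eir[eir_len], data, data_len);
    return eir_len + data_len;
}

/* The arithmetic from the commit message: can a BASE of base_len bytes go into a
 * fresh HCI_MAX_PER_AD_LENGTH buffer once the 4 header bytes are counted?
 * 252 must be rejected; BASE_MAX_LENGTH (248) fits exactly. */
int base_fits(size_t base_len)
{
    uint8_t eir[HCI_MAX_PER_AD_LENGTH], base[HCI_MAX_PER_AD_LENGTH];

    memset(base, 0xAA, sizeof(base));          /* constructed payload */
    return eir_append_service_data_checked(eir, sizeof(eir), 0, 0x1234,
                                           base, base_len) != 0;
}

/* Header for a 3-byte payload: AD length 6, type 0x16, UUID 0x1234 LE, then data. */
int header_layout_ok(void)
{
    uint8_t eir[16], d[3] = {1, 2, 3};
    size_t n = eir_append_service_data_checked(eir, sizeof(eir), 0, 0x1234, d, 3);
    return n == 7 && eir[0] == 6 && eir[1] == EIR_SERVICE_DATA &&
           eir[2] == 0x34 && eir[3] == 0x12 && eir[4] == 1 && eir[6] == 3;
}
```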

Comments

bluez.test.bot@gmail.com July 29, 2022, 7:20 p.m. UTC | #1
This is an automated email, please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=664152

---Test result---

Test Summary:
CheckPatch                    PASS      0.86 seconds
GitLint                       PASS      0.45 seconds
SubjectPrefix                 PASS      0.29 seconds
BuildKernel                   PASS      43.03 seconds
BuildKernel32                 PASS      38.11 seconds
Incremental Build with patches PASS      52.80 seconds
TestRunner: Setup             PASS      632.61 seconds
TestRunner: l2cap-tester      PASS      21.11 seconds
TestRunner: bnep-tester       PASS      8.31 seconds
TestRunner: mgmt-tester       PASS      128.66 seconds
TestRunner: rfcomm-tester     PASS      12.15 seconds
TestRunner: sco-tester        PASS      11.77 seconds
TestRunner: smp-tester        PASS      11.62 seconds
TestRunner: userchan-tester   PASS      8.31 seconds



---
Regards,
Linux Bluetooth
patchwork-bot+bluetooth@kernel.org Aug. 1, 2022, 9:15 p.m. UTC | #2
Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Fri, 29 Jul 2022 11:10:41 -0700 you wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> 
> The following memory corruption can happen since iso_pinfo.base size
> did not account for its headers (4 bytes):
> 
> net/bluetooth/eir.c
>     76          memcpy(&eir[eir_len], data, data_len);
>                             ^^^^^^^         ^^^^^^^^
>     77          eir_len += data_len;
>     78
>     79          return eir_len;
>     80  }
> 
> [...]

Here is the summary with links:
  - Bluetooth: ISO: Fix memory corruption
    https://git.kernel.org/bluetooth/bluetooth-next/c/c5d36b8a7dbd

You are awesome, thank you!

Patch

diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index dded22cde0d1..70c2dd30cb13 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -44,6 +44,9 @@  static void iso_sock_kill(struct sock *sk);
 /* ----- ISO socket info ----- */
 #define iso_pi(sk) ((struct iso_pinfo *)sk)
 
+#define EIR_SERVICE_DATA_LENGTH 4
+#define BASE_MAX_LENGTH (HCI_MAX_PER_AD_LENGTH - EIR_SERVICE_DATA_LENGTH)
+
 struct iso_pinfo {
 	struct bt_sock		bt;
 	bdaddr_t		src;
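Review bot: EIR_SERVICE_DATA_LENGTH 4 at the top of this hunk carries no comment saying which bytes it counts, and the commit message only says "headers (4 bytes)". A one-line comment naming them, or defining the constant next to the code in net/bluetooth/eir.c that emits the service-data header (the memcpy site quoted in the message), would keep the two from drifting apart if that header ever changes; placed in iso.c the value is a second copy of eir.c's layout knowledge.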
@@ -57,7 +60,7 @@  struct iso_pinfo {
 	__u32			flags;
 	struct bt_iso_qos	qos;
 	__u8			base_len;
-	__u8			base[HCI_MAX_PER_AD_LENGTH];
+	__u8			base[BASE_MAX_LENGTH];
 	struct iso_conn		*conn;
 };
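Review bot: shrinking base[] to BASE_MAX_LENGTH only removes the overflow if every path that fills base and base_len bounds its copy against the new size; the diffstat (4 insertions, 1 deletion) shows no such check changing in this series, so please confirm that whichever path writes base from user-supplied data already rejects lengths above BASE_MAX_LENGTH. If it still compares against HCI_MAX_PER_AD_LENGTH, the 4-byte overrun simply moves from eir[] into the tail of struct iso_pinfo (conn follows base).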