From: Sasha Levin <sashal@kernel•org>
To: linux-kernel@vger•kernel.org, stable@vger•kernel.org
Cc: Soenke Huster <soenke.huster@eknoes•de>,
Luiz Augusto von Dentz <luiz.von.dentz@intel•com>,
Sasha Levin <sashal@kernel•org>,
marcel@holtmann•org, johan.hedberg@gmail•com,
luiz.dentz@gmail•com, davem@davemloft•net, kuba@kernel•org,
pabeni@redhat•com, linux-bluetooth@vger•kernel.org,
netdev@vger•kernel.org
Subject: [PATCH AUTOSEL 5.17 009/149] Bluetooth: hci_event: Ignore multiple conn complete events
Date: Fri, 1 Apr 2022 10:23:16 -0400 [thread overview]
Message-ID: <20220401142536.1948161-9-sashal@kernel.org> (raw)
In-Reply-To: <20220401142536.1948161-1-sashal@kernel.org>
From: Soenke Huster <soenke.huster@eknoes•de>
[ Upstream commit d5ebaa7c5f6f688959e8d40840b2249ede63b8ed ]
When one of the three connection complete events is received multiple
times for the same handle, the device is registered multiple times, which
leads to memory corruption. Therefore, subsequent events for a single
connection are ignored.
The conn->state can hold different values, therefore HCI_CONN_HANDLE_UNSET
is introduced to identify new connections. To make sure the events do not
contain this or another invalid handle HCI_CONN_HANDLE_MAX and checks
are introduced.
Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=215497
Signed-off-by: Soenke Huster <soenke.huster@eknoes•de>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel•com>
Signed-off-by: Sasha Levin <sashal@kernel•org>
---
include/net/bluetooth/hci_core.h | 3 ++
net/bluetooth/hci_conn.c | 1 +
net/bluetooth/hci_event.c | 63 ++++++++++++++++++++++++--------
3 files changed, 52 insertions(+), 15 deletions(-)
diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
index e336e9c1dda4..36d727f94ac2 100644
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -294,6 +294,9 @@ struct adv_monitor {
#define HCI_MAX_SHORT_NAME_LENGTH 10
+#define HCI_CONN_HANDLE_UNSET 0xffff
+#define HCI_CONN_HANDLE_MAX 0x0eff
+
/* Min encryption key size to match with SMP */
#define HCI_MIN_ENC_KEY_SIZE 7
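Review bot: The two new constants at the top of the hunk carry no comment explaining where the values come from, and a reader will wonder why HCI_CONN_HANDLE_MAX is 0x0eff rather than 0xffff. As far as I recall from the Core Spec, Connection_Handle is a 12-bit field where 0x0000-0x0eff are usable and 0x0f00-0x0fff are reserved, and 0xffff is chosen for the unset marker precisely because it can never collide with a real handle. Both facts belong next to the defines, e.g. `/* Connection_Handle is 12-bit: 0x0000-0x0eff valid, 0x0f00-0x0fff reserved */` above HCI_CONN_HANDLE_MAX and `/* Outside the valid handle range: conn has not received its complete event yet */` above HCI_CONN_HANDLE_UNSET, so the relationship between the two values is not lost the next time one of them is edited.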
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 04ebe901e86f..d10651108033 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -689,6 +689,7 @@ struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst,
bacpy(&conn->dst, dst);
bacpy(&conn->src, &hdev->bdaddr);
+ conn->handle = HCI_CONN_HANDLE_UNSET;
conn->hdev = hdev;
conn->type = type;
conn->role = role;
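Review bot: The initialization `conn->handle = HCI_CONN_HANDLE_UNSET;` changes what a not-yet-connected conn looks like to every handle-based lookup in the stack, not only to the three complete-event handlers patched in this series: before the change such a conn presumably carried handle 0 from a zeroed allocation (the allocation is outside the hunk), now it carries 0xffff. Any event handler that resolves a handle straight from the packet without the new HCI_CONN_HANDLE_MAX check could therefore match a pending connection if a controller sends 0xffff, which is the kind of confusion this series is trying to close. hci_conn_add begins and ends outside the hunk, so I cannot see whether a central lookup helper exists; if one does, rejecting handles above HCI_CONN_HANDLE_MAX there would cover all callers instead of repeating the check per event.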
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index e47cde778b1c..4d45fd4b8ccd 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -3068,6 +3068,11 @@ static void hci_conn_complete_evt(struct hci_dev *hdev, void *data,
struct hci_ev_conn_complete *ev = data;
struct hci_conn *conn;
+ if (__le16_to_cpu(ev->handle) > HCI_CONN_HANDLE_MAX) {
+ bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for invalid handle");
+ return;
+ }
+
bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
hci_dev_lock(hdev);
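Review bot: The new range check on `__le16_to_cpu(ev->handle)` at the top of the hunk is evaluated before ev->status is looked at, yet the Connection_Handle field is, as far as I recall from the Core Spec, only meaningful when Status is zero. A controller that reports a failed connection with an unused handle field would now have the whole event dropped by the early `return` before hci_dev_lock, so the pending conn that the error path further down (outside this hunk) presumably moves to BT_CLOSED and frees would instead stay in the hash, turning the memory-corruption fix into a leaked or hung pending connection. Gating the check on success, `if (!ev->status && __le16_to_cpu(ev->handle) > HCI_CONN_HANDLE_MAX) {`, keeps the protection exactly for the path that stores the handle. The same applies to the hunk at @@ -4674 (`if (!ev->status && __le16_to_cpu(ev->handle) > HCI_CONN_HANDLE_MAX) {`) and the hunk at @@ -5509 (`if (!status && handle > HCI_CONN_HANDLE_MAX) {`). hci_conn_complete_evt starts before and continues after this hunk.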
@@ -3106,6 +3111,17 @@ static void hci_conn_complete_evt(struct hci_dev *hdev, void *data,
}
}
+ /* The HCI_Connection_Complete event is only sent once per connection.
+ * Processing it more than once per connection can corrupt kernel memory.
+ *
+ * As the connection handle is set here for the first time, it indicates
+ * whether the connection is already set up.
+ */
+ if (conn->handle != HCI_CONN_HANDLE_UNSET) {
+ bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection");
+ goto unlock;
+ }
+
if (!ev->status) {
conn->handle = __le16_to_cpu(ev->handle);
@@ -4674,6 +4690,11 @@ static void hci_sync_conn_complete_evt(struct hci_dev *hdev, void *data,
return;
}
+ if (__le16_to_cpu(ev->handle) > HCI_CONN_HANDLE_MAX) {
+ bt_dev_err(hdev, "Ignoring HCI_Sync_Conn_Complete for invalid handle");
+ return;
+ }
+
bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
hci_dev_lock(hdev);
@@ -4697,23 +4718,19 @@ static void hci_sync_conn_complete_evt(struct hci_dev *hdev, void *data,
goto unlock;
}
+ /* The HCI_Synchronous_Connection_Complete event is only sent once per connection.
+ * Processing it more than once per connection can corrupt kernel memory.
+ *
+ * As the connection handle is set here for the first time, it indicates
+ * whether the connection is already set up.
+ */
+ if (conn->handle != HCI_CONN_HANDLE_UNSET) {
+ bt_dev_err(hdev, "Ignoring HCI_Sync_Conn_Complete event for existing connection");
+ goto unlock;
+ }
+
switch (ev->status) {
case 0x00:
- /* The synchronous connection complete event should only be
- * sent once per new connection. Receiving a successful
- * complete event when the connection status is already
- * BT_CONNECTED means that the device is misbehaving and sent
- * multiple complete event packets for the same new connection.
- *
- * Registering the device more than once can corrupt kernel
- * memory, hence upon detecting this invalid event, we report
- * an error and ignore the packet.
- */
- if (conn->state == BT_CONNECTED) {
- bt_dev_err(hdev, "Ignoring connect complete event for existing connection");
- goto unlock;
- }
-
conn->handle = __le16_to_cpu(ev->handle);
conn->state = BT_CONNECTED;
conn->type = ev->link_type;
@@ -5509,6 +5526,11 @@ static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
struct smp_irk *irk;
u8 addr_type;
+ if (handle > HCI_CONN_HANDLE_MAX) {
+ bt_dev_err(hdev, "Ignoring HCI_LE_Connection_Complete for invalid handle");
+ return;
+ }
+
hci_dev_lock(hdev);
/* All controllers implicitly stop advertising in the event of a
@@ -5550,6 +5572,17 @@ static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
cancel_delayed_work(&conn->le_conn_timeout);
}
+ /* The HCI_LE_Connection_Complete event is only sent once per connection.
+ * Processing it more than once per connection can corrupt kernel memory.
+ *
+ * As the connection handle is set here for the first time, it indicates
+ * whether the connection is already set up.
+ */
+ if (conn->handle != HCI_CONN_HANDLE_UNSET) {
+ bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection");
+ goto unlock;
+ }
+
le_conn_update_addr(conn, bdaddr, bdaddr_type, local_rpa);
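Review bot: The error message at `bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection");` in this hunk names the wrong event: this is the LE handler, and both the range-check message earlier in the same function (hunk @@ -5509) and the comment three lines above say HCI_LE_Connection_Complete, so a log reader would be sent to the BR/EDR code path. Change it to `bt_dev_err(hdev, "Ignoring HCI_LE_Connection_Complete for existing connection");`. The sibling message in the @@ -4697 hunk reads "Ignoring HCI_Sync_Conn_Complete event for existing connection" with an extra "event" that the other two messages lack; dropping it keeps the three messages matchable by one pattern. le_conn_complete_evt starts before and continues after this hunk.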
/* Lookup the identity address from the stored connection
--
2.34.1