Commit 3e68a689 authored by Luiz Augusto von Dentz, committed by Tirui Yin

Bluetooth: hci_core: Fix not checking skb length on hci_acldata_packet

stable inclusion
from stable-v6.6.66
commit 5e50d12cc6e95e1fde08f5db6992b616f714b0fb
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEANH
CVE: CVE-2024-56590

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=5e50d12cc6e95e1fde08f5db6992b616f714b0fb



--------------------------------

[ Upstream commit 3fe288a8214e7dd784d1f9b7c9e448244d316b47 ]

This fixes not checking whether the skb really contains an ACL header; otherwise
the code may attempt to access uninitialized/invalid memory past the
valid skb->data.

Reported-by: <syzbot+6ea290ba76d8c1eb1ac2@syzkaller.appspotmail.com>
Tested-by: <syzbot+6ea290ba76d8c1eb1ac2@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=6ea290ba76d8c1eb1ac2


Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Tirui Yin <yintirui@huawei.com>
Reviewed-by: yongqiang Liu <liuyongqiang13@huawei.com>
parent a5cbe5b7
+9 −4
@@ -3735,17 +3735,21 @@ static void hci_tx_work(struct work_struct *work)
/* ACL data packet */
static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)
{
	struct hci_acl_hdr *hdr = (void *) skb->data;
	struct hci_acl_hdr *hdr;
	struct hci_conn *conn;
	__u16 handle, flags;

	skb_pull(skb, HCI_ACL_HDR_SIZE);
	hdr = skb_pull_data(skb, sizeof(*hdr));
	if (!hdr) {
		bt_dev_err(hdev, "ACL packet too small");
		goto drop;
	}

	handle = __le16_to_cpu(hdr->handle);
	flags  = hci_flags(handle);
	handle = hci_handle(handle);

	BT_DBG("%s len %d handle 0x%4.4x flags 0x%4.4x", hdev->name, skb->len,
	bt_dev_dbg(hdev, "len %d handle 0x%4.4x flags 0x%4.4x", skb->len,
		   handle, flags);

	hdev->stat.acl_rx++;
@@ -3765,6 +3769,7 @@ static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)
			   handle);
	}

drop:
	kfree_skb(skb);
}
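Review bot: The new `bt_dev_err(hdev, "ACL packet too small");` on the short-packet path logs at error level for every malformed ACL frame the controller hands up, so a misbehaving or hostile controller can flood the kernel log; `bt_dev_err_ratelimited` (or `bt_dev_dbg`) would bound that, and recording the observed length, `bt_dev_err_ratelimited(hdev, "ACL packet too small (len %u)", skb->len);`, makes the event actually useful when it is logged. The `goto drop` also leaves before `hdev->stat.acl_rx++`, so truncated frames show up in no device statistic at all — if this driver maintains an rx error counter it would presumably belong on that path (verify against the stat fields in use). The length check itself is sound: skb_pull_data() returns NULL when fewer than sizeof(*hdr) bytes remain, and `hdr->handle` is only dereferenced after the NULL test. hci_acldata_packet's body continues outside the shown hunks, between the stat increment and the closing `}` of the handle lookup.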