Unverified Commit 9f8392b4 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee
Browse files

!14666 Bluetooth: btmtk: avoid UAF in btmtk_process_coredump 

Merge Pull Request from: @ci-robot 
 
PR sync from: Lin Ruifeng <linruifeng4@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/Q7RBEALLPSJLKSL7OYVAIOMW46UOGCF4/ 
 
https://gitee.com/src-openeuler/kernel/issues/IBEAOV 
 
Link:https://gitee.com/openeuler/kernel/pulls/14666

 

Reviewed-by: default avatarWeilong Chen <chenweilong@huawei.com>
Signed-off-by: default avatarZhang Peng <zhangpeng362@huawei.com>
parents aff86050 6696e5c1

drivers/bluetooth/btmtk.c

+12 −8
Original line number Diff line number Diff line
@@ -371,6 +371,7 @@ int btmtk_process_coredump(struct hci_dev *hdev, struct sk_buff *skb) 
{

	struct btmediatek_data *data = hci_get_priv(hdev);

	int err;

	bool complete = false;



	if (!IS_ENABLED(CONFIG_DEV_COREDUMP)) {

		kfree_skb(skb);
@@ -392,16 +393,19 @@ int btmtk_process_coredump(struct hci_dev *hdev, struct sk_buff *skb) 
		fallthrough;

	case HCI_DEVCOREDUMP_ACTIVE:

	default:

		/* Mediatek coredump data would be more than MTK_COREDUMP_NUM */

		if (data->cd_info.cnt >= MTK_COREDUMP_NUM &&

		    skb->len > MTK_COREDUMP_END_LEN)

			if (!memcmp((char *)&skb->data[skb->len - MTK_COREDUMP_END_LEN],

				    MTK_COREDUMP_END, MTK_COREDUMP_END_LEN - 1))

				complete = true;



		err = hci_devcd_append(hdev, skb);

		if (err < 0)

			break;

		data->cd_info.cnt++;



		/* Mediatek coredump data would be more than MTK_COREDUMP_NUM */

		if (data->cd_info.cnt > MTK_COREDUMP_NUM &&

		    skb->len > MTK_COREDUMP_END_LEN)

			if (!memcmp((char *)&skb->data[skb->len - MTK_COREDUMP_END_LEN],

				    MTK_COREDUMP_END, MTK_COREDUMP_END_LEN - 1)) {

		if (complete) {

			bt_dev_info(hdev, "Mediatek coredump end");

			hci_devcd_complete(hdev);

		}