Hi Stephen,

On Fri, Aug 9, 2024 at 11:16 AM Stephen Hemminger <stephen@xxxxxxxxxxxxxxxxxx> wrote:
>
> Network bugzilla bugs get routed to me and I forward them to the mailing list.
>
> Begin forwarded message:
>
> Date: Fri, 09 Aug 2024 07:10:04 +0000
> From: bugzilla-daemon@xxxxxxxxxx
> To: stephen@xxxxxxxxxxxxxxxxxx
> Subject: [Bug 219142] New: Potential Null Pointer Dereference in pair_device() in mgmt.c
>
> https://bugzilla.kernel.org/show_bug.cgi?id=219142
>
> Bug ID: 219142
> Summary: Potential Null Pointer Dereference in pair_device() in mgmt.c
> Product: Networking
> Version: 2.5
> Hardware: All
> OS: Linux
> Status: NEW
> Severity: normal
> Priority: P3
> Component: Other
> Assignee: stephen@xxxxxxxxxxxxxxxxxx
> Reporter: yiweiz.evie@xxxxxxxxx
> Regression: No
>
> The details of the bug are as follows:
>
> 1. Affected Components
> Function: linux/net/bluetooth/hci_core.c hci_conn_params_add
> Function: linux/net/bluetooth/mgmt.c pair_device
> Module: Bluetooth connection parameter management
> Code: https://github.com/torvalds/linux/tree/master
> Version: the newest version v6.11-rc1
>
> 2. Description
> The hci_conn_params_add function is responsible for adding connection
> parameters for a Bluetooth device. It first attempts to look up existing
> parameters using hci_conn_params_lookup. If no existing parameters are found,
> it allocates a new structure using kzalloc, which will return NULL if the
> allocation fails.
> However, the pair_device function, which calls hci_conn_params_add, does not
> properly handle the case where hci_conn_params_add returns NULL, indicating a
> failure to allocate memory. The immediate dereference of the returned pointer p
> without checking for NULL can lead to a null pointer dereference, causing the
> program to crash.
>
> 3. Technical Details
>
>     struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev,
>                                                 bdaddr_t *addr, u8 addr_type)
>     {
>         struct hci_conn_params *params;
>
>         params = hci_conn_params_lookup(hdev, addr, addr_type);
>         if (params)
>             return params;
>
>         params = kzalloc(sizeof(*params), GFP_KERNEL);
>         if (!params) {
>             bt_dev_err(hdev, "out of memory");
>             return NULL; // [BUG] return here
>         }
>
>         bacpy(&params->addr, addr);
>         params->addr_type = addr_type;
>
>         list_add(&params->list, &hdev->le_conn_params);
>         INIT_LIST_HEAD(&params->action);
>
>         params->conn_min_interval = hdev->le_conn_min_interval;
>         params->conn_max_interval = hdev->le_conn_max_interval;
>         params->conn_latency = hdev->le_conn_latency;
>         params->supervision_timeout = hdev->le_supv_timeout;
>         params->auto_connect = HCI_AUTO_CONN_DISABLED;
>
>         BT_DBG("addr %pMR (type %u)", addr, addr_type);
>
>         return params;
>     }
>
>     static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
>                            u16 len)
>     {
>         ...
>         p = hci_conn_params_add(hdev, &cp->addr.bdaddr, addr_type); // [BUG] p is NULL
>         if (p->auto_connect == HCI_AUTO_CONN_EXPLICIT) // [BUG] NULL POINTER DEREFERENCE
>             p->auto_connect = HCI_AUTO_CONN_DISABLED;
>         ...
>     }
>
> Vulnerable Code Stack:
> pair_device calls hci_conn_params_add at line 3458 in
> linux/net/bluetooth/mgmt.c
> hci_conn_params_add is called and may return NULL if memory allocation fails at
> line 2280 in linux/net/bluetooth/hci_core.c
> pair_device does not check if p is NULL before accessing p->auto_connect at
> line 3460 in linux/net/bluetooth/mgmt.c
>
> 4. Potential Impact
> Denial of Service (DoS): If the system encounters this null pointer dereference
> during runtime, it could crash, leading to a denial of service.
> Security Concerns: While the primary issue appears to be a potential crash,
> depending on the context and how the function is used, there may be other
> security implications such as unintended code execution or information leakage.
>
> 5. Exploitation
> For an attacker to exploit this vulnerability, they would need to:
> Trigger a condition where hci_conn_params_add returns NULL (such as exhausting
> system memory).
> Ensure that the pair_device function is subsequently called with the NULL
> pointer, causing the null pointer dereference.
>
> 6. Mitigation and Recommendations
> Null Pointer Check: Add a null pointer check after the call to
> hci_conn_params_add in the pair_device function. Ensure that the function
> gracefully handles the NULL case, possibly by returning an error code or taking
> other corrective actions.
> Example:
>
>     p = hci_conn_params_add(hdev, &cp->addr.bdaddr, addr_type);
>     if (!p) {
>         bt_dev_err(hdev, "Failed to add connection params");
>         return -ENOMEM;
>     }

That sounds like a very trivial fix actually, not sure why the reporter didn't just send a patch.

> --
> You may reply to this email to add a comment.
>
> You are receiving this mail because:
> You are the assignee for the bug.

--
Luiz Augusto von Dentz
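The report above describes an allocation-failure path that is hard to reach in practice, so the useful thing to show is how that path is exercised deterministically. The following is an added example, not code from the kernel or from this thread: a user-space model of the hci_conn_params_add()/pair_device() pattern with an injectable allocation failure (the same idea as the kernel's failslab fault injection). The names params_add, params_lookup, test_kzalloc, pair_device_unchecked, pair_device_fixed, dev_free and the two scenario functions are hypothetical stand-ins for the kernel functions they are modelled on; the addresses are constructed test data.

```c
/* Added example, not kernel code: a user-space model of the
 * hci_conn_params_add() / pair_device() pattern from the bug report,
 * with an injectable allocation failure so the NULL-return path can be
 * exercised. All names are hypothetical stand-ins for the kernel ones. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HCI_AUTO_CONN_DISABLED 0
#define HCI_AUTO_CONN_EXPLICIT 1
#define ENOMEM 12

struct conn_params {
    unsigned char addr[6];
    unsigned char addr_type;
    int auto_connect;
    struct conn_params *next;
};

struct dev {
    struct conn_params *le_conn_params;   /* list of known LE peers */
};

/* Fault injection: when set, the next allocation returns NULL, which is
 * what kzalloc() does under memory pressure. */
static int fail_next_alloc;

static void *test_kzalloc(size_t n)
{
    if (fail_next_alloc) {
        fail_next_alloc = 0;
        return NULL;
    }
    return calloc(1, n);
}

static struct conn_params *params_lookup(struct dev *hdev, const unsigned char *addr, unsigned char addr_type)
{
    for (struct conn_params *p = hdev->le_conn_params; p; p = p->next)
        if (p->addr_type == addr_type && memcmp(p->addr, addr, 6) == 0)
            return p;
    return NULL;
}

/* Model of hci_conn_params_add(): existing entry, new entry, or NULL on OOM. */
static struct conn_params *params_add(struct dev *hdev, const unsigned char *addr, unsigned char addr_type)
{
    struct conn_params *p = params_lookup(hdev, addr, addr_type);

    if (p)
        return p;
    p = test_kzalloc(sizeof(*p));
    if (!p) {
        fprintf(stderr, "out of memory\n");
        return NULL;
    }
    memcpy(p->addr, addr, 6);
    p->addr_type = addr_type;
    p->auto_connect = HCI_AUTO_CONN_DISABLED;
    p->next = hdev->le_conn_params;
    hdev->le_conn_params = p;
    return p;
}

/* Caller as reported: no NULL check. With fail_next_alloc armed and an
 * unknown peer this dereferences NULL; kept only for side-by-side reading. */
static int pair_device_unchecked(struct dev *hdev, const unsigned char *addr, unsigned char addr_type)
{
    struct conn_params *p = params_add(hdev, addr, addr_type);

    if (p->auto_connect == HCI_AUTO_CONN_EXPLICIT)
        p->auto_connect = HCI_AUTO_CONN_DISABLED;
    return 0;
}

/* Caller with the check the report proposes: fail cleanly with -ENOMEM. */
static int pair_device_fixed(struct dev *hdev, const unsigned char *addr, unsigned char addr_type)
{
    struct conn_params *p = params_add(hdev, addr, addr_type);

    if (!p)
        return -ENOMEM;
    if (p->auto_connect == HCI_AUTO_CONN_EXPLICIT)
        p->auto_connect = HCI_AUTO_CONN_DISABLED;
    return 0;
}

static void dev_free(struct dev *hdev)
{
    while (hdev->le_conn_params) {
        struct conn_params *p = hdev->le_conn_params;
        hdev->le_conn_params = p->next;
        free(p);
    }
}

static const unsigned char peer[6] = { 0xaa, 0x00, 0x11, 0x22, 0x33, 0x44 }; /* constructed */

/* Scenario 1: unknown peer, allocation fails. Returns the fixed caller's rc. */
int scenario_oom_new_peer(void)
{
    struct dev hdev = { NULL };
    int rc;

    fail_next_alloc = 1;
    rc = pair_device_fixed(&hdev, peer, 1);
    dev_free(&hdev);                      /* nothing was added to the list */
    return rc;
}

/* Scenario 2: peer already known with EXPLICIT auto-connect. The lookup hits
 * before the allocator, so even with a failure armed the entry is found and
 * flipped to DISABLED. Returns 1 when all three observations hold. */
int scenario_existing_peer(void)
{
    struct dev hdev = { NULL };
    struct conn_params *p;
    int rc, auto_connect, alloc_untouched, ok;

    fail_next_alloc = 0;
    p = params_add(&hdev, peer, 1);
    p->auto_connect = HCI_AUTO_CONN_EXPLICIT;
    fail_next_alloc = 1;
    rc = pair_device_fixed(&hdev, peer, 1);
    auto_connect = hdev.le_conn_params->auto_connect;
    alloc_untouched = fail_next_alloc;    /* still armed: allocator never reached */
    fail_next_alloc = 0;
    ok = rc == 0 && auto_connect == HCI_AUTO_CONN_DISABLED && alloc_untouched;
    dev_free(&hdev);
    return ok;
}

int main(void)
{
    struct dev hdev = { NULL };

    printf("oom on new peer, fixed caller: rc=%d\n", scenario_oom_new_peer());
    printf("existing peer, fixed caller: ok=%d\n", scenario_existing_peer());
    /* The unchecked caller is only safe to run when no failure is armed. */
    printf("unchecked caller, no OOM: rc=%d\n", pair_device_unchecked(&hdev, peer, 1));
    dev_free(&hdev);
    return 0;
}
```

Scenario 2 is the part a reviewer wants alongside the fix: the proposed check must not change behaviour on the lookup hit, where the allocator is never reached, and the injected failure stays armed to prove that. In the kernel the equivalent experiment is failslab with a probability filter on the kzalloc() site, which is how an otherwise unreachable OOM path gets covered.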