On 8/17/21 12:01 AM, syzbot wrote:
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

net/bluetooth/hci_core.c:1346:18: error: 'HCI_MAX_TIMEOUT' undeclared (first use in this function); did you mean 'HCI_CMD_TIMEOUT'?

Tested on:

commit:         a2824f19 Merge tag 'mtd/fixes-for-5.14-rc7' of git://g..
git tree:       upstream
dashboard link: https://syzkaller.appspot.com/bug?extid=be2baed593ea56c6a84c
compiler:
patch:          https://syzkaller.appspot.com/x/patch.diff?x=145874a6300000
Woooooops, I forgot to build-test after define rename.

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

With regards,
Pavel Skripkin
>From b03640e820c7cd3d577e3e472a61a9a7e64a4305 Mon Sep 17 00:00:00 2001 From: Pavel Skripkin <paskripkin@xxxxxxxxx> Date: Mon, 16 Aug 2021 22:52:29 +0300 Subject: [PATCH] Bluetooth: add timeout sanity check to hci_inquiry /* ... */ Signed-off-by: Pavel Skripkin <paskripkin@xxxxxxxxx> --- include/net/bluetooth/hci_sock.h | 1 + net/bluetooth/hci_core.c | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/include/net/bluetooth/hci_sock.h b/include/net/bluetooth/hci_sock.h index 9949870f7d78..1cd63d4da00b 100644 --- a/include/net/bluetooth/hci_sock.h +++ b/include/net/bluetooth/hci_sock.h @@ -168,6 +168,7 @@ struct hci_inquiry_req { __u16 dev_id; __u16 flags; __u8 lap[3]; +#define HCI_INQUIRY_MAX_TIMEOUT 30 __u8 length; __u8 num_rsp; }; diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c index e1a545c8a69f..104babf67351 100644 --- a/net/bluetooth/hci_core.c +++ b/net/bluetooth/hci_core.c @@ -1343,6 +1343,11 @@ int hci_inquiry(void __user *arg) goto done; } + if (ir.length > HCI_INQUIRY_MAX_TIMEOUT) { + err = -EINVAL; + goto done; + } + hci_dev_lock(hdev); if (inquiry_cache_age(hdev) > INQUIRY_CACHE_AGE_MAX || inquiry_cache_empty(hdev) || ir.flags & IREQ_CACHE_FLUSH) { -- 2.32.0
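Review bot: in the include/net/bluetooth/hci_sock.h hunk, `#define HCI_INQUIRY_MAX_TIMEOUT 30` is placed inside the body of `struct hci_inquiry_req`, between the `lap[3]` and `length` members. The preprocessor accepts that, but a constant buried between struct members is easy to miss and reads as if it were a field; move it above the struct alongside the other `HCI_` constants in the header, and say which member it bounds and in what unit, since the name says "TIMEOUT" while the member it limits is called `length` (e.g. `/* Upper bound for hci_inquiry_req.length accepted by hci_inquiry() */`).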
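Review bot: in the net/bluetooth/hci_core.c hunk, the new `if (ir.length > HCI_INQUIRY_MAX_TIMEOUT)` check has no comment explaining where the value 30 comes from or what unit `length` is in, so a later reader cannot tell whether it is a protocol limit or an arbitrary cap on how long the inquiry may block; add a one-line comment above the check. The placement itself is right: it follows the existing `goto done` error path and precedes `hci_dev_lock(hdev)`, so an oversized request is rejected with -EINVAL without taking the lock. This version also uses `HCI_INQUIRY_MAX_TIMEOUT` consistently in both files, whereas the build failure above came from the earlier spelling `HCI_MAX_TIMEOUT` in hci_core.c, so the undeclared-identifier error should be gone.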