| Message ID | 20201022154832.37013-2-william.gray@canonical.com |
|---|---|
| State | New |
| Headers | show |
| Series | Stack-Based Information Leak in A2MP (BleedingTooth) | expand |
On 22.10.20 17:48, William Breathitt Gray wrote: > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > > This fixes various places where a stack variable is used uninitialized. > > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > Signed-off-by: Marcel Holtmann <marcel@holtmann.org> > > CVE-2020-12352 > > (cherry picked from commit eddb7732119d53400f48a02536a84c509692faa8) > Signed-off-by: William Breathitt Gray <william.gray@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> > --- > net/bluetooth/a2mp.c | 22 +++++++++++++++++++++- > 1 file changed, 21 insertions(+), 1 deletion(-) > > diff --git a/net/bluetooth/a2mp.c b/net/bluetooth/a2mp.c > index 5f123c3320a7..8f918155685d 100644 > --- a/net/bluetooth/a2mp.c > +++ b/net/bluetooth/a2mp.c > @@ -233,6 +233,9 @@ static int a2mp_discover_rsp(struct amp_mgr *mgr, struct sk_buff *skb, > struct a2mp_info_req req; > > found = true; > + > + memset(&req, 0, sizeof(req)); > + > req.id = cl->id; > a2mp_send(mgr, A2MP_GETINFO_REQ, __next_ident(mgr), > sizeof(req), &req); > @@ -312,6 +315,8 @@ static int a2mp_getinfo_req(struct amp_mgr *mgr, struct sk_buff *skb, > if (!hdev || hdev->dev_type != HCI_AMP) { > struct a2mp_info_rsp rsp; > > + memset(&rsp, 0, sizeof(rsp)); > + > rsp.id = req->id; > rsp.status = A2MP_STATUS_INVALID_CTRL_ID; > > @@ -355,6 +360,8 @@ static int a2mp_getinfo_rsp(struct amp_mgr *mgr, struct sk_buff *skb, > if (!ctrl) > return -ENOMEM; > > + memset(&req, 0, sizeof(req)); > + > req.id = rsp->id; > a2mp_send(mgr, A2MP_GETAMPASSOC_REQ, __next_ident(mgr), sizeof(req), > &req); > @@ -383,6 +390,8 @@ static int a2mp_getampassoc_req(struct amp_mgr *mgr, struct sk_buff *skb, > struct a2mp_amp_assoc_rsp rsp; > rsp.id = req->id; > > + memset(&rsp, 0, sizeof(rsp)); > + > if (tmp) { > rsp.status = A2MP_STATUS_COLLISION_OCCURED; > amp_mgr_put(tmp); > @@ -471,7 +480,6 @@ static int a2mp_createphyslink_req(struct amp_mgr *mgr, struct sk_buff *skb, > struct a2mp_cmd *hdr) > { > struct a2mp_physlink_req *req = (void *) skb->data; > - > struct a2mp_physlink_rsp rsp; > struct hci_dev *hdev; > struct hci_conn *hcon; > @@ -482,6 +490,8 @@ static int a2mp_createphyslink_req(struct amp_mgr *mgr, struct sk_buff *skb, > > BT_DBG("local_id %d, remote_id %d", req->local_id, req->remote_id); > > + memset(&rsp, 0, sizeof(rsp)); > + > rsp.local_id = req->remote_id; > rsp.remote_id = req->local_id; > > @@ -560,6 +570,8 @@ static int a2mp_discphyslink_req(struct amp_mgr *mgr, struct sk_buff *skb, > > BT_DBG("local_id %d remote_id %d", req->local_id, req->remote_id); > > + memset(&rsp, 0, sizeof(rsp)); > + > rsp.local_id = req->remote_id; > rsp.remote_id = req->local_id; > rsp.status = A2MP_STATUS_SUCCESS; > @@ -682,6 +694,8 @@ static int a2mp_chan_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb) > if (err) { > struct a2mp_cmd_rej rej; > > + memset(&rej, 0, sizeof(rej)); > + > rej.reason = cpu_to_le16(0); > hdr = (void *) skb->data; > > @@ -905,6 +919,8 @@ void a2mp_send_getinfo_rsp(struct hci_dev *hdev) > > BT_DBG("%s mgr %p", hdev->name, mgr); > > + memset(&rsp, 0, sizeof(rsp)); > + > rsp.id = hdev->id; > rsp.status = A2MP_STATUS_INVALID_CTRL_ID; > > @@ -1002,6 +1018,8 @@ void a2mp_send_create_phy_link_rsp(struct hci_dev *hdev, u8 status) > if (!mgr) > return; > > + memset(&rsp, 0, sizeof(rsp)); > + > hs_hcon = hci_conn_hash_lookup_state(hdev, AMP_LINK, BT_CONNECT); > if (!hs_hcon) { > rsp.status = A2MP_STATUS_UNABLE_START_LINK_CREATION; > @@ -1034,6 +1052,8 @@ void a2mp_discover_amp(struct l2cap_chan *chan) > > mgr->bredr_chan = chan; > > + memset(&req, 0, sizeof(req)); > + > req.mtu = cpu_to_le16(L2CAP_A2MP_DEFAULT_MTU); > req.ext_feat = 0; > a2mp_send(mgr, A2MP_DISCOVER_REQ, 1, sizeof(req), &req); >
On 22.10.20 17:48, William Breathitt Gray wrote: > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > > This fixes various places where a stack variable is used uninitialized. > > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > Signed-off-by: Marcel Holtmann <marcel@holtmann.org> > > CVE-2020-12352 > > (cherry picked from commit eddb7732119d53400f48a02536a84c509692faa8) > Signed-off-by: William Breathitt Gray <william.gray@canonical.com> Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> > --- > net/bluetooth/a2mp.c | 22 +++++++++++++++++++++- > 1 file changed, 21 insertions(+), 1 deletion(-) > > diff --git a/net/bluetooth/a2mp.c b/net/bluetooth/a2mp.c > index 5f123c3320a7..8f918155685d 100644 > --- a/net/bluetooth/a2mp.c > +++ b/net/bluetooth/a2mp.c > @@ -233,6 +233,9 @@ static int a2mp_discover_rsp(struct amp_mgr *mgr, struct sk_buff *skb, > struct a2mp_info_req req; > > found = true; > + > + memset(&req, 0, sizeof(req)); > + > req.id = cl->id; > a2mp_send(mgr, A2MP_GETINFO_REQ, __next_ident(mgr), > sizeof(req), &req); > @@ -312,6 +315,8 @@ static int a2mp_getinfo_req(struct amp_mgr *mgr, struct sk_buff *skb, > if (!hdev || hdev->dev_type != HCI_AMP) { > struct a2mp_info_rsp rsp; > > + memset(&rsp, 0, sizeof(rsp)); > + > rsp.id = req->id; > rsp.status = A2MP_STATUS_INVALID_CTRL_ID; > > @@ -355,6 +360,8 @@ static int a2mp_getinfo_rsp(struct amp_mgr *mgr, struct sk_buff *skb, > if (!ctrl) > return -ENOMEM; > > + memset(&req, 0, sizeof(req)); > + > req.id = rsp->id; > a2mp_send(mgr, A2MP_GETAMPASSOC_REQ, __next_ident(mgr), sizeof(req), > &req); > @@ -383,6 +390,8 @@ static int a2mp_getampassoc_req(struct amp_mgr *mgr, struct sk_buff *skb, > struct a2mp_amp_assoc_rsp rsp; > rsp.id = req->id; > > + memset(&rsp, 0, sizeof(rsp)); > + > if (tmp) { > rsp.status = A2MP_STATUS_COLLISION_OCCURED; > amp_mgr_put(tmp); > @@ -471,7 +480,6 @@ static int a2mp_createphyslink_req(struct amp_mgr *mgr, struct sk_buff *skb, > struct a2mp_cmd *hdr) > { > struct a2mp_physlink_req *req = (void *) skb->data; > - > struct a2mp_physlink_rsp rsp; > struct hci_dev *hdev; > struct hci_conn *hcon; > @@ -482,6 +490,8 @@ static int a2mp_createphyslink_req(struct amp_mgr *mgr, struct sk_buff *skb, > > BT_DBG("local_id %d, remote_id %d", req->local_id, req->remote_id); > > + memset(&rsp, 0, sizeof(rsp)); > + > rsp.local_id = req->remote_id; > rsp.remote_id = req->local_id; > > @@ -560,6 +570,8 @@ static int a2mp_discphyslink_req(struct amp_mgr *mgr, struct sk_buff *skb, > > BT_DBG("local_id %d remote_id %d", req->local_id, req->remote_id); > > + memset(&rsp, 0, sizeof(rsp)); > + > rsp.local_id = req->remote_id; > rsp.remote_id = req->local_id; > rsp.status = A2MP_STATUS_SUCCESS; > @@ -682,6 +694,8 @@ static int a2mp_chan_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb) > if (err) { > struct a2mp_cmd_rej rej; > > + memset(&rej, 0, sizeof(rej)); > + > rej.reason = cpu_to_le16(0); > hdr = (void *) skb->data; > > @@ -905,6 +919,8 @@ void a2mp_send_getinfo_rsp(struct hci_dev *hdev) > > BT_DBG("%s mgr %p", hdev->name, mgr); > > + memset(&rsp, 0, sizeof(rsp)); > + > rsp.id = hdev->id; > rsp.status = A2MP_STATUS_INVALID_CTRL_ID; > > @@ -1002,6 +1018,8 @@ void a2mp_send_create_phy_link_rsp(struct hci_dev *hdev, u8 status) > if (!mgr) > return; > > + memset(&rsp, 0, sizeof(rsp)); > + > hs_hcon = hci_conn_hash_lookup_state(hdev, AMP_LINK, BT_CONNECT); > if (!hs_hcon) { > rsp.status = A2MP_STATUS_UNABLE_START_LINK_CREATION; > @@ -1034,6 +1052,8 @@ void a2mp_discover_amp(struct l2cap_chan *chan) > > mgr->bredr_chan = chan; > > + memset(&req, 0, sizeof(req)); > + > req.mtu = cpu_to_le16(L2CAP_A2MP_DEFAULT_MTU); > req.ext_feat = 0; > a2mp_send(mgr, A2MP_DISCOVER_REQ, 1, sizeof(req), &req); >
On 22.10.20 17:48, William Breathitt Gray wrote: > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > > This fixes various places where a stack variable is used uninitialized. > > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > Signed-off-by: Marcel Holtmann <marcel@holtmann.org> > > CVE-2020-12352 > > (cherry picked from commit eddb7732119d53400f48a02536a84c509692faa8) > Signed-off-by: William Breathitt Gray <william.gray@canonical.com> > --- Applied to xenial/master-next. Thanks. -Stefan > net/bluetooth/a2mp.c | 22 +++++++++++++++++++++- > 1 file changed, 21 insertions(+), 1 deletion(-) > > diff --git a/net/bluetooth/a2mp.c b/net/bluetooth/a2mp.c > index 5f123c3320a7..8f918155685d 100644 > --- a/net/bluetooth/a2mp.c > +++ b/net/bluetooth/a2mp.c > @@ -233,6 +233,9 @@ static int a2mp_discover_rsp(struct amp_mgr *mgr, struct sk_buff *skb, > struct a2mp_info_req req; > > found = true; > + > + memset(&req, 0, sizeof(req)); > + > req.id = cl->id; > a2mp_send(mgr, A2MP_GETINFO_REQ, __next_ident(mgr), > sizeof(req), &req); > @@ -312,6 +315,8 @@ static int a2mp_getinfo_req(struct amp_mgr *mgr, struct sk_buff *skb, > if (!hdev || hdev->dev_type != HCI_AMP) { > struct a2mp_info_rsp rsp; > > + memset(&rsp, 0, sizeof(rsp)); > + > rsp.id = req->id; > rsp.status = A2MP_STATUS_INVALID_CTRL_ID; > > @@ -355,6 +360,8 @@ static int a2mp_getinfo_rsp(struct amp_mgr *mgr, struct sk_buff *skb, > if (!ctrl) > return -ENOMEM; > > + memset(&req, 0, sizeof(req)); > + > req.id = rsp->id; > a2mp_send(mgr, A2MP_GETAMPASSOC_REQ, __next_ident(mgr), sizeof(req), > &req); > @@ -383,6 +390,8 @@ static int a2mp_getampassoc_req(struct amp_mgr *mgr, struct sk_buff *skb, > struct a2mp_amp_assoc_rsp rsp; > rsp.id = req->id; > > + memset(&rsp, 0, sizeof(rsp)); > + > if (tmp) { > rsp.status = A2MP_STATUS_COLLISION_OCCURED; > amp_mgr_put(tmp); > @@ -471,7 +480,6 @@ static int a2mp_createphyslink_req(struct amp_mgr *mgr, struct sk_buff *skb, > struct a2mp_cmd *hdr) > { > struct a2mp_physlink_req *req = (void *) skb->data; > - > struct a2mp_physlink_rsp rsp; > struct hci_dev *hdev; > struct hci_conn *hcon; > @@ -482,6 +490,8 @@ static int a2mp_createphyslink_req(struct amp_mgr *mgr, struct sk_buff *skb, > > BT_DBG("local_id %d, remote_id %d", req->local_id, req->remote_id); > > + memset(&rsp, 0, sizeof(rsp)); > + > rsp.local_id = req->remote_id; > rsp.remote_id = req->local_id; > > @@ -560,6 +570,8 @@ static int a2mp_discphyslink_req(struct amp_mgr *mgr, struct sk_buff *skb, > > BT_DBG("local_id %d remote_id %d", req->local_id, req->remote_id); > > + memset(&rsp, 0, sizeof(rsp)); > + > rsp.local_id = req->remote_id; > rsp.remote_id = req->local_id; > rsp.status = A2MP_STATUS_SUCCESS; > @@ -682,6 +694,8 @@ static int a2mp_chan_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb) > if (err) { > struct a2mp_cmd_rej rej; > > + memset(&rej, 0, sizeof(rej)); > + > rej.reason = cpu_to_le16(0); > hdr = (void *) skb->data; > > @@ -905,6 +919,8 @@ void a2mp_send_getinfo_rsp(struct hci_dev *hdev) > > BT_DBG("%s mgr %p", hdev->name, mgr); > > + memset(&rsp, 0, sizeof(rsp)); > + > rsp.id = hdev->id; > rsp.status = A2MP_STATUS_INVALID_CTRL_ID; > > @@ -1002,6 +1018,8 @@ void a2mp_send_create_phy_link_rsp(struct hci_dev *hdev, u8 status) > if (!mgr) > return; > > + memset(&rsp, 0, sizeof(rsp)); > + > hs_hcon = hci_conn_hash_lookup_state(hdev, AMP_LINK, BT_CONNECT); > if (!hs_hcon) { > rsp.status = A2MP_STATUS_UNABLE_START_LINK_CREATION; > @@ -1034,6 +1052,8 @@ void a2mp_discover_amp(struct l2cap_chan *chan) > > mgr->bredr_chan = chan; > > + memset(&req, 0, sizeof(req)); > + > req.mtu = cpu_to_le16(L2CAP_A2MP_DEFAULT_MTU); > req.ext_feat = 0; > a2mp_send(mgr, A2MP_DISCOVER_REQ, 1, sizeof(req), &req); >
diff --git a/net/bluetooth/a2mp.c b/net/bluetooth/a2mp.c index 5f123c3320a7..8f918155685d 100644 --- a/net/bluetooth/a2mp.c +++ b/net/bluetooth/a2mp.c @@ -233,6 +233,9 @@ static int a2mp_discover_rsp(struct amp_mgr *mgr, struct sk_buff *skb, struct a2mp_info_req req; found = true; + + memset(&req, 0, sizeof(req)); + req.id = cl->id; a2mp_send(mgr, A2MP_GETINFO_REQ, __next_ident(mgr), sizeof(req), &req); @@ -312,6 +315,8 @@ static int a2mp_getinfo_req(struct amp_mgr *mgr, struct sk_buff *skb, if (!hdev || hdev->dev_type != HCI_AMP) { struct a2mp_info_rsp rsp; + memset(&rsp, 0, sizeof(rsp)); + rsp.id = req->id; rsp.status = A2MP_STATUS_INVALID_CTRL_ID; @@ -355,6 +360,8 @@ static int a2mp_getinfo_rsp(struct amp_mgr *mgr, struct sk_buff *skb, if (!ctrl) return -ENOMEM; + memset(&req, 0, sizeof(req)); + req.id = rsp->id; a2mp_send(mgr, A2MP_GETAMPASSOC_REQ, __next_ident(mgr), sizeof(req), &req); @@ -383,6 +390,8 @@ static int a2mp_getampassoc_req(struct amp_mgr *mgr, struct sk_buff *skb, struct a2mp_amp_assoc_rsp rsp; rsp.id = req->id; + memset(&rsp, 0, sizeof(rsp)); + if (tmp) { rsp.status = A2MP_STATUS_COLLISION_OCCURED; amp_mgr_put(tmp); @@ -471,7 +480,6 @@ static int a2mp_createphyslink_req(struct amp_mgr *mgr, struct sk_buff *skb, struct a2mp_cmd *hdr) { struct a2mp_physlink_req *req = (void *) skb->data; - struct a2mp_physlink_rsp rsp; struct hci_dev *hdev; struct hci_conn *hcon; @@ -482,6 +490,8 @@ static int a2mp_createphyslink_req(struct amp_mgr *mgr, struct sk_buff *skb, BT_DBG("local_id %d, remote_id %d", req->local_id, req->remote_id); + memset(&rsp, 0, sizeof(rsp)); + rsp.local_id = req->remote_id; rsp.remote_id = req->local_id; @@ -560,6 +570,8 @@ static int a2mp_discphyslink_req(struct amp_mgr *mgr, struct sk_buff *skb, BT_DBG("local_id %d remote_id %d", req->local_id, req->remote_id); + memset(&rsp, 0, sizeof(rsp)); + rsp.local_id = req->remote_id; rsp.remote_id = req->local_id; rsp.status = A2MP_STATUS_SUCCESS; @@ -682,6 +694,8 @@ static int a2mp_chan_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb) if (err) { struct a2mp_cmd_rej rej; + memset(&rej, 0, sizeof(rej)); + rej.reason = cpu_to_le16(0); hdr = (void *) skb->data; @@ -905,6 +919,8 @@ void a2mp_send_getinfo_rsp(struct hci_dev *hdev) BT_DBG("%s mgr %p", hdev->name, mgr); + memset(&rsp, 0, sizeof(rsp)); + rsp.id = hdev->id; rsp.status = A2MP_STATUS_INVALID_CTRL_ID; @@ -1002,6 +1018,8 @@ void a2mp_send_create_phy_link_rsp(struct hci_dev *hdev, u8 status) if (!mgr) return; + memset(&rsp, 0, sizeof(rsp)); + hs_hcon = hci_conn_hash_lookup_state(hdev, AMP_LINK, BT_CONNECT); if (!hs_hcon) { rsp.status = A2MP_STATUS_UNABLE_START_LINK_CREATION; @@ -1034,6 +1052,8 @@ void a2mp_discover_amp(struct l2cap_chan *chan) mgr->bredr_chan = chan; + memset(&req, 0, sizeof(req)); + req.mtu = cpu_to_le16(L2CAP_A2MP_DEFAULT_MTU); req.ext_feat = 0; a2mp_send(mgr, A2MP_DISCOVER_REQ, 1, sizeof(req), &req);