From patchwork Thu Oct 22 15:48:32 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: William Breathitt Gray X-Patchwork-Id: 1386311 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=canonical.com Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4CHBbw28wmz9sSW; Fri, 23 Oct 2020 02:48:44 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1kVcpU-0000EJ-Mm; Thu, 22 Oct 2020 15:48:40 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1kVcpS-0000Dc-Vd for kernel-team@lists.ubuntu.com; Thu, 22 Oct 2020 15:48:38 +0000 Received: from mail-qv1-f69.google.com ([209.85.219.69]) by youngberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1kVcpS-0003Ha-LX for kernel-team@lists.ubuntu.com; Thu, 22 Oct 2020 15:48:38 +0000 Received: by mail-qv1-f69.google.com with SMTP id z9so1277413qvo.20 for ; Thu, 22 Oct 2020 08:48:38 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=QyRHn5MuUoOtuvD1hOpTUCNfNr+J04s1onSontCRxM0=; b=KzflOQFpv8hWDKe1y6+5zEaQBNn7pf89Uh8CLRbTA5wgzpZLHJoXZz8g3az05HvKrl 8JIACmHQL187Yf/u64JVHWn/9vbZeZiFIm8qaAAjFQNqakg7Ho3injTs0pmUn2PqM7Sl TOwbyY37RRd85n+OD8d7NCGczDJrqr189dri/dsFThnbsGYFZhlyZFTPXEokET1aCK2o N3ZM0jH6I0IaCAgg8ny3/ZGq0fkdQmcrIP6A3oJGVBJkC1V9amX5cOdJsk3MYxFin/6O KLtoN56fMPZXGuUVaQmurTBnqijy7qtBiGOgGSLoitSlOBSzOy+l9XcaK1P80ilCbuNz gi0g== X-Gm-Message-State: AOAM531ShA+EaID8IzjgpAFayNNqEen2dPgvu+biDqGsx762JtlPaMtq GSK0xU8tOcaDekswW+Q7P7aSK5ALE8SqjaDt5F4T0zQ7Xjm6yQuUMQSACeHTWrV5G5cogyJWu4e rTWaH/7MrNY19Rz60EEfn5sk2cNML0BNdVpNgbthhVQ== X-Received: by 2002:aed:3264:: with SMTP id y91mr2691209qtd.100.1603381717317; Thu, 22 Oct 2020 08:48:37 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwkUe8xKxFkPWetWu0T0+PrEhnet6aLzJv8NII+gkv6Uq1y1fP701uTWZt1D6VfFmjSI4xYgQ== X-Received: by 2002:aed:3264:: with SMTP id y91mr2691192qtd.100.1603381717072; Thu, 22 Oct 2020 08:48:37 -0700 (PDT) Received: from localhost.localdomain (072-189-064-225.res.spectrum.com. [72.189.64.225]) by smtp.gmail.com with ESMTPSA id z190sm1228796qka.103.2020.10.22.08.48.35 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 22 Oct 2020 08:48:36 -0700 (PDT) From: William Breathitt Gray To: kernel-team@lists.ubuntu.com Subject: [SRU][X][CVE-2020-12352][PATCH v2 1/1] Bluetooth: A2MP: Fix not initializing all members Date: Thu, 22 Oct 2020 11:48:32 -0400 Message-Id: <20201022154832.37013-2-william.gray@canonical.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20201022154832.37013-1-william.gray@canonical.com> References: <20201022154832.37013-1-william.gray@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Luiz Augusto von Dentz This fixes various places where a stack variable is used uninitialized. Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Marcel Holtmann CVE-2020-12352 (cherry picked from commit eddb7732119d53400f48a02536a84c509692faa8) Signed-off-by: William Breathitt Gray Acked-by: Stefan Bader Acked-by: Kleber Sacilotto de Souza --- net/bluetooth/a2mp.c | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/net/bluetooth/a2mp.c b/net/bluetooth/a2mp.c index 5f123c3320a7..8f918155685d 100644 --- a/net/bluetooth/a2mp.c +++ b/net/bluetooth/a2mp.c @@ -233,6 +233,9 @@ static int a2mp_discover_rsp(struct amp_mgr *mgr, struct sk_buff *skb, struct a2mp_info_req req; found = true; + + memset(&req, 0, sizeof(req)); + req.id = cl->id; a2mp_send(mgr, A2MP_GETINFO_REQ, __next_ident(mgr), sizeof(req), &req); @@ -312,6 +315,8 @@ static int a2mp_getinfo_req(struct amp_mgr *mgr, struct sk_buff *skb, if (!hdev || hdev->dev_type != HCI_AMP) { struct a2mp_info_rsp rsp; + memset(&rsp, 0, sizeof(rsp)); + rsp.id = req->id; rsp.status = A2MP_STATUS_INVALID_CTRL_ID; @@ -355,6 +360,8 @@ static int a2mp_getinfo_rsp(struct amp_mgr *mgr, struct sk_buff *skb, if (!ctrl) return -ENOMEM; + memset(&req, 0, sizeof(req)); + req.id = rsp->id; a2mp_send(mgr, A2MP_GETAMPASSOC_REQ, __next_ident(mgr), sizeof(req), &req); @@ -383,6 +390,8 @@ static int a2mp_getampassoc_req(struct amp_mgr *mgr, struct sk_buff *skb, struct a2mp_amp_assoc_rsp rsp; rsp.id = req->id; + memset(&rsp, 0, sizeof(rsp)); + if (tmp) { rsp.status = A2MP_STATUS_COLLISION_OCCURED; amp_mgr_put(tmp); @@ -471,7 +480,6 @@ static int a2mp_createphyslink_req(struct amp_mgr *mgr, struct sk_buff *skb, struct a2mp_cmd *hdr) { struct a2mp_physlink_req *req = (void *) skb->data; - struct a2mp_physlink_rsp rsp; struct hci_dev *hdev; struct hci_conn *hcon; @@ -482,6 +490,8 @@ static int a2mp_createphyslink_req(struct amp_mgr *mgr, struct sk_buff *skb, BT_DBG("local_id %d, remote_id %d", req->local_id, req->remote_id); + memset(&rsp, 0, sizeof(rsp)); + rsp.local_id = req->remote_id; rsp.remote_id = req->local_id; @@ -560,6 +570,8 @@ static int a2mp_discphyslink_req(struct amp_mgr *mgr, struct sk_buff *skb, BT_DBG("local_id %d remote_id %d", req->local_id, req->remote_id); + memset(&rsp, 0, sizeof(rsp)); + rsp.local_id = req->remote_id; rsp.remote_id = req->local_id; rsp.status = A2MP_STATUS_SUCCESS; @@ -682,6 +694,8 @@ static int a2mp_chan_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb) if (err) { struct a2mp_cmd_rej rej; + memset(&rej, 0, sizeof(rej)); + rej.reason = cpu_to_le16(0); hdr = (void *) skb->data; @@ -905,6 +919,8 @@ void a2mp_send_getinfo_rsp(struct hci_dev *hdev) BT_DBG("%s mgr %p", hdev->name, mgr); + memset(&rsp, 0, sizeof(rsp)); + rsp.id = hdev->id; rsp.status = A2MP_STATUS_INVALID_CTRL_ID; @@ -1002,6 +1018,8 @@ void a2mp_send_create_phy_link_rsp(struct hci_dev *hdev, u8 status) if (!mgr) return; + memset(&rsp, 0, sizeof(rsp)); + hs_hcon = hci_conn_hash_lookup_state(hdev, AMP_LINK, BT_CONNECT); if (!hs_hcon) { rsp.status = A2MP_STATUS_UNABLE_START_LINK_CREATION; @@ -1034,6 +1052,8 @@ void a2mp_discover_amp(struct l2cap_chan *chan) mgr->bredr_chan = chan; + memset(&req, 0, sizeof(req)); + req.mtu = cpu_to_le16(L2CAP_A2MP_DEFAULT_MTU); req.ext_feat = 0; a2mp_send(mgr, A2MP_DISCOVER_REQ, 1, sizeof(req), &req);