Commit 4e0ca4bf authored Jan 22, 2019 by Myungho Jung Committed by Greg Kroah-Hartman Mar 27, 2019

Bluetooth: hci_uart: Check if socket buffer is ERR_PTR in h4_recv_buf()



commit 1dc2d785156cbdc80806c32e8d2c7c735d0b4721 upstream.

h4_recv_buf() callers store the return value to socket buffer and
recursively pass the buffer to h4_recv_buf() without protection. So,
ERR_PTR returned from h4_recv_buf() can be dereferenced, if called again
before setting the socket buffer to NULL from previous error. Check if
skb is ERR_PTR in h4_recv_buf().

Reported-by:  <syzbot+017a32f149406df32703@syzkaller.appspotmail.com>
Signed-off-by: Myungho Jung <mhjungk@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent 6bef442e

drivers/bluetooth/h4_recv.h

+4 −0

Original line number	Diff line number	Diff line
		@@ -60,6 +60,10 @@ static inline struct sk_buff h4_recv_buf(struct hci_dev hdev,
		const struct h4_recv_pkt *pkts,
		int pkts_count)
		{
		/* Check for error from previous call */
		if (IS_ERR(skb))
		skb = NULL;

		while (count) {
		int i, len;

drivers/bluetooth/hci_h4.c

+4 −0

Original line number	Diff line number	Diff line
		@@ -174,6 +174,10 @@ struct sk_buff h4_recv_buf(struct hci_dev hdev, struct sk_buff *skb,
		struct hci_uart *hu = hci_get_drvdata(hdev);
		u8 alignment = hu->alignment ? hu->alignment : 1;

		/* Check for error from previous call */
		if (IS_ERR(skb))
		skb = NULL;

		while (count) {
		int i, len;