Bug 267396

Summary: le_advertizing_report() calls NG_HCI_M_PULLUP() without checking for failure
Product: Base System
Reporter: Robert Morris <rtm>
Component: kern
Assignee: Ed Maste <emaste>
Status: Closed FIXED
Severity: Affects Some People
CC: emaste
Priority: ---
Version: CURRENT
Hardware: Any
OS: Any
URL: https://reviews.freebsd.org/D37228
Attachments:
  cause a NULL dereference in le_advertizing_report() (flags: none)

Description Robert Morris 2022-10-27 17:13:05 UTC
Created attachment 237685
cause a NULL dereference in le_advertizing_report()

le_advertizing_report() calls NG_HCI_M_PULLUP() without checking for
failure, and it also calls m_copydata() without first checking the
length:

                /* Get remote unit address */
                NG_HCI_M_PULLUP(event, sizeof(u_int8_t));
                addr_type = *mtod(event, u_int8_t *);
                m_adj(event, sizeof(u_int8_t));

                m_copydata(event, 0, sizeof(bdaddr), (caddr_t) &bdaddr);
                m_adj(event, sizeof(bdaddr));

I've attached a demo that causes a crash due to the pullup leaving
event set to NULL:

# cc ng36a.c -lnetgraph
# ./a.out
le_advertizing_report: hci0 - m_pullup(1) failed
panic: Fatal page fault at 0xffffffc00040d8f0: 0x00000000000010
panic() at panic+0x2a
page_fault_handler() at page_fault_handler+0x1d6
do_trap_supervisor() at do_trap_supervisor+0x74
cpu_exception_handler_supervisor() at cpu_exception_handler_supervisor+0x70
--- exception 13, tval = 0x10
le_advertizing_report() at le_advertizing_report+0xcc
le_event() at le_event+0x9a
ng_hci_process_event() at ng_hci_process_event+0x206
ng_hci_drv_rcvdata() at ng_hci_drv_rcvdata+0xb8
ng_apply_item() at ng_apply_item+0x130
ng_snd_item() at ng_snd_item+0x1bc
ngd_send() at ngd_send+0xf8
sosend_generic() at sosend_generic+0x384
sosend() at sosend+0x68
kern_sendit() at kern_sendit+0x170
sendit() at sendit+0x9c
sys_sendto() at sys_sendto+0x40
syscallenter() at syscallenter+0xec
ecall_handler() at ecall_handler+0x18
do_trap_user() at do_trap_user+0xf6
cpu_exception_handler_user() at cpu_exception_handler_user+0x72
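An added user-space C model (not the kernel's code and not the committed fix) of the parse path quoted in the report, with the NG_HCI_M_PULLUP() result checked before mtod() and the m_copydata() length bounded. Mbuf operations are reduced to a byte cursor; the field order beyond addr_type/bdaddr and the sample payload are assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Constructed user-space stand-in for an mbuf chain: a byte cursor. */
struct chain { const uint8_t *p; size_t len; };
/* NG_HCI_M_PULLUP() stand-in: 0 means m_pullup() failed (in the kernel the
 * mbuf pointer is then NULL, which the reported code hands to mtod()). */
static int pullup(const struct chain *c, size_t n) { return c->len >= n; }
/* m_adj() stand-in: drop n leading bytes once the length has been checked. */
static void adj(struct chain *c, size_t n) { c->p += n; c->len -= n; }
static int get_bytes(struct chain *c, void *dst, size_t n) /* checked copy */
{
	if (!pullup(c, n))
		return 0;
	memcpy(dst, c->p, n);
	adj(c, n);
	return 1;
}

/* One LE Advertising Report entry. Field order assumed from the Bluetooth
 * Core spec; the bug report itself shows only addr_type and bdaddr. */
struct le_adv_report {
	uint8_t num_reports, event_type, addr_type, bdaddr[6], data_len, data[31];
	int8_t rssi;
};

/* Constructed sample: one report, address 11:22:33:44:55:66, 3 AD bytes, RSSI -60. */
const uint8_t sample_event[] = { 0x01, 0x00, 0x01, 0x11, 0x22, 0x33, 0x44,
	0x55, 0x66, 0x03, 0x02, 0x01, 0x06, 0xC4 };

/* Hardened parse of the first report: every read is guarded, so a short or
 * oversized event is rejected instead of dereferencing a NULL mbuf. */
int parse_le_adv_report(const uint8_t *buf, size_t len, struct le_adv_report *r)
{
	struct chain c = { buf, len };
	if (!get_bytes(&c, &r->num_reports, 1) || !get_bytes(&c, &r->event_type, 1))
		return ENOBUFS;
	if (!pullup(&c, 1))                   /* the check the report found missing */
		return ENOBUFS;
	r->addr_type = c.p[0];                /* *mtod(event, u_int8_t *) */
	adj(&c, 1);
	if (!get_bytes(&c, r->bdaddr, sizeof(r->bdaddr))) /* m_copydata() now bounded */
		return ENOBUFS;
	if (!get_bytes(&c, &r->data_len, 1) || r->data_len > sizeof(r->data))
		return EINVAL;
	if (!get_bytes(&c, r->data, r->data_len) || !get_bytes(&c, &r->rssi, 1))
		return ENOBUFS;
	return 0;
}
```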
Comment 1 commit-hook freebsd_committer freebsd_triage 2022-11-01 18:39:33 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=05c0c99ea37f2558155f346769a00b4180cb59ed

commit 05c0c99ea37f2558155f346769a00b4180cb59ed
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2022-11-01 13:55:22 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2022-11-01 18:33:37 +0000

    ng_hci: handle NG_HCI_M_PULLUP failure in le_advertizing_report

    PR:             267396
    Reported by:    Robert Morris <rtm@lcs.mit.edu>
    Reviewed by:    takawata
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D37228

 sys/netgraph/bluetooth/hci/ng_hci_evnt.c | 4 ++++
 1 file changed, 4 insertions(+)
Comment 2 commit-hook freebsd_committer freebsd_triage 2023-01-21 21:33:56 UTC
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=65be931e99d4178f488b8e3066b164ad8c46fff2

commit 65be931e99d4178f488b8e3066b164ad8c46fff2
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2022-11-01 13:55:22 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-01-21 21:31:25 +0000

    ng_hci: handle NG_HCI_M_PULLUP failure in le_advertizing_report

    PR:             267396
    Reported by:    Robert Morris <rtm@lcs.mit.edu>
    Reviewed by:    takawata
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D37228

    (cherry picked from commit 05c0c99ea37f2558155f346769a00b4180cb59ed)

 sys/netgraph/bluetooth/hci/ng_hci_evnt.c | 4 ++++
 1 file changed, 4 insertions(+)