[Bug 267294] inquiry_result() in ng_hci_event.c ought to check before calling m_copydata()

From: <bugzilla-noreply_at_freebsd.org>
Date: Sun, 23 Oct 2022 17:05:15 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=267294

            Bug ID: 267294
           Summary: inquiry_result() in ng_hci_event.c ought to check
                    before calling m_copydata()
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
 Attachment #237561 mime type: text/plain

Created attachment 237561
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=237561&action=edit
trigger an m_copydata() panic in ng_hci_event.c

If a netgraph data message arriving on a Bluetooth HCI drv hook is short,
inquiry_result() can trigger a panic in m_copydata():

inquiry_result(ng_hci_unit_p unit, struct mbuf *event)
{
        ng_hci_inquiry_result_ep        *ep = NULL;
        ...;
        ep = mtod(event, ng_hci_inquiry_result_ep *);
        ...;
        for (; ep->num_responses > 0; ep->num_responses --) {
                m_copydata(event, 0, sizeof(bdaddr), (caddr_t) &bdaddr);

And (as noted in a comment in the code) later in this function there
are some more uses of the mbuf that are invalid if the message is too
short.
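As an added illustration (not code from this report or from FreeBSD), here is the kind of up-front length check the report calls for, written over a flat byte buffer instead of an mbuf chain so it runs in user space. The 14-byte per-response record size is an assumption about the ng_hci_inquiry_response layout; the sample events are constructed, not captured from a controller.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BDADDR_SIZE   6
#define RESPONSE_SIZE 14 /* assumed size of one inquiry response record */

struct bdaddr { uint8_t b[BDADDR_SIZE]; };

/*
 * Validate the whole event before copying anything out of it: returns the
 * number of bdaddrs written to out[], -EMSGSIZE if the buffer is shorter
 * than its header or than num_responses records need, -ENOSPC if out[] is
 * too small.  This is the check the report says inquiry_result() lacks.
 */
int
inquiry_result_bdaddrs(const uint8_t *event, size_t len,
    struct bdaddr *out, size_t out_cap)
{
	size_t n, i;

	if (len < 1)                      /* num_responses itself is missing */
		return (-EMSGSIZE);
	n = event[0];                     /* one byte, so n * 14 cannot overflow */
	if (len < 1 + n * RESPONSE_SIZE)  /* a truncated last record rejects all */
		return (-EMSGSIZE);
	if (n > out_cap)
		return (-ENOSPC);
	for (i = 0; i < n; i++)
		memcpy(out[i].b, event + 1 + i * RESPONSE_SIZE, BDADDR_SIZE);
	return ((int)n);
}

/* Constructed sample events (not captured from a controller). */
static const uint8_t sample_good[1 + 2 * RESPONSE_SIZE] = {
	2,
	0x01,0x02,0x03,0x04,0x05,0x06, 1,0,0, 0x04,0x01,0x0c, 0,0,
	0x11,0x12,0x13,0x14,0x15,0x16, 1,0,0, 0x04,0x01,0x0c, 0,0,
};
static const uint8_t sample_short[1] = { 3 }; /* claims 3 responses, carries none */

/* Drivers for the cases above; call demo_good() before demo_good_addr1(). */
static struct bdaddr found[4];
int demo_good(void)       { return (inquiry_result_bdaddrs(sample_good, sizeof(sample_good), found, 4)); }
int demo_good_addr1(void) { return (found[1].b[0]); } /* first byte of the 2nd bdaddr */
int demo_short(void)      { return (inquiry_result_bdaddrs(sample_short, sizeof(sample_short), found, 4)); }
int demo_truncated(void)  { return (inquiry_result_bdaddrs(sample_good, sizeof(sample_good) - 1, found, 4)); }
```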

I've attached a demo:

# cc ng13a.c -lnetgraph
# ./a.out
panic: m_copydata, length > size of mbuf chain
cpuid = 2
time = 1666543254
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0049bb6910
vpanic() at vpanic+0x151/frame 0xfffffe0049bb6960
panic() at panic+0x43/frame 0xfffffe0049bb69c0
m_copydata() at m_copydata+0x1ca/frame 0xfffffe0049bb6a40
ng_hci_process_event() at ng_hci_process_event+0x923/frame 0xfffffe0049bb6a90
ng_apply_item() at ng_apply_item+0x166/frame 0xfffffe0049bb6b20
ng_snd_item() at ng_snd_item+0x2e1/frame 0xfffffe0049bb6b60
ngd_send() at ngd_send+0x10b/frame 0xfffffe0049bb6be0
sosend_generic() at sosend_generic+0x61a/frame 0xfffffe0049bb6ca0
sosend() at sosend+0x49/frame 0xfffffe0049bb6cd0
kern_sendit() at kern_sendit+0x1b3/frame 0xfffffe0049bb6d60
sendit() at sendit+0xba/frame 0xfffffe0049bb6db0
sys_sendto() at sys_sendto+0x4d/frame 0xfffffe0049bb6e00
amd64_syscall() at amd64_syscall+0x12e/frame 0xfffffe0049bb6f30
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0049bb6f30
--- syscall (133, FreeBSD ELF64, sys_sendto), rip = 0x8229075ca, rsp = 0x820a21068, rbp = 0x820a210d0 ---

FreeBSD stock14 14.0-CURRENT FreeBSD 14.0-CURRENT #3 main-n258027-c9baa974717a: Thu Sep 15 20:02:51 AST 2022     root@stock14:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64
