[Bug 267317] encryption_change() in ng_hci_evnt.c can dereference NULL pointer
Date: Mon, 24 Oct 2022 21:41:56 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=267317
Bug ID: 267317
Summary: encryption_change() in ng_hci_evnt.c can dereference NULL pointer
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: rtm@lcs.mit.edu
Attachment #237589 mime type: text/plain
Created attachment 237589
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=237589&action=edit
Cause encryption_change() to dereference a NULL pointer.
An encryption change event packet arriving on a bluetooth hci drv hook
that refers to a non-existent connection can cause con in this code to
be NULL but be dereferenced:
static int
encryption_change(ng_hci_unit_p unit, struct mbuf *event)
{
        ...;
        ep = mtod(event, ng_hci_encryption_change_ep *);
        h = NG_HCI_CON_HANDLE(le16toh(ep->con_handle));
        con = ng_hci_con_by_handle(unit, h);    /* NULL when no connection has handle h */
        ...;
        ng_hci_lp_enc_change(con, con->encryption_mode);    /* con dereferenced unchecked */
I've attached a demo that sends a message with con_handle=65535:
# cc ng13b.c -lnetgraph
# ./a.out
encryption_change: - failed to change encryption mode, status=255
panic: Fatal page fault at 0xffffffc00040c630: 0x00000000000015
cpuid = 0
time = 1666544229
KDB: stack backtrace:
db_trace_self() at db_trace_self
db_trace_self_wrapper() at db_trace_self_wrapper+0x38
kdb_backtrace() at kdb_backtrace+0x2c
vpanic() at vpanic+0x170
panic() at panic+0x2a
page_fault_handler() at page_fault_handler+0x1d6
do_trap_supervisor() at do_trap_supervisor+0x74
cpu_exception_handler_supervisor() at cpu_exception_handler_supervisor+0x70
--- exception 13, tval = 0x15
encryption_change() at encryption_change+0x84
ng_hci_process_event() at ng_hci_process_event+0x118
ng_hci_drv_rcvdata() at ng_hci_drv_rcvdata+0xb8
ng_apply_item() at ng_apply_item+0x130
ng_snd_item() at ng_snd_item+0x1bc
ngd_send() at ngd_send+0xf8
sosend_generic() at sosend_generic+0x384
sosend() at sosend+0x68
kern_sendit() at kern_sendit+0x170
sendit() at sendit+0x9c
sys_sendto() at sys_sendto+0x40
syscallenter() at syscallenter+0xec
ecall_handler() at ecall_handler+0x18
do_trap_user() at do_trap_user+0xf6
cpu_exception_handler_user() at cpu_exception_handler_user+0x72
--- syscall (133, FreeBSD ELF64, sys_sendto)
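As an added illustration (not the kernel's code and not the reporter's demo), here is a userland C model of the lookup described above with the NULL check that closes the gap. The connection table, the struct, and the return codes are constructed for the example; the 12-bit handle mask is assumed from NG_HCI_CON_HANDLE, so the report's con_handle=65535 masks to 0x0fff, which still matches no connection and is rejected instead of dereferenced.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed: NG_HCI_CON_HANDLE() keeps the low 12 bits of the handle field. */
#define CON_HANDLE_MASK 0x0fff
#define MAX_CONS 4

struct hci_con {            /* constructed stand-in for the kernel's connection struct */
    uint16_t handle;
    int      encryption_mode;
    int      in_use;
};

/* Constructed connection table: only handle 0x0001 exists. */
static struct hci_con cons[MAX_CONS] = { { 0x0001, 0, 1 } };

/* Model of ng_hci_con_by_handle(): NULL when no connection matches h. */
static struct hci_con *con_by_handle(uint16_t h)
{
    for (size_t i = 0; i < MAX_CONS; i++)
        if (cons[i].in_use && cons[i].handle == h)
            return &cons[i];
    return NULL;
}

/* Encryption Change event body: status(1) | con_handle(2, little-endian) | enable(1).
 * Returns 0 on success, -1 for a short packet, -2 when the controller reports
 * failure, -3 when no connection has the handle (the case that panics unchecked). */
int encryption_change_checked(const uint8_t *ev, size_t len)
{
    if (len < 4)
        return -1;
    uint8_t  status = ev[0];
    uint16_t h = (uint16_t)((ev[1] | (ev[2] << 8)) & CON_HANDLE_MASK);
    if (status != 0)
        return -2;
    struct hci_con *con = con_by_handle(h);
    if (con == NULL)        /* the check the report says is missing */
        return -3;
    con->encryption_mode = ev[3];
    return 0;
}

/* Inspection helper: current encryption mode for h, or -1 if no such connection. */
int con_encryption_mode(uint16_t h)
{
    struct hci_con *con = con_by_handle(h);
    return con ? con->encryption_mode : -1;
}
```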