Linux 4.19.32

[thirdparty/kernel/stable-queue.git] / releases / 5.0.5 / bluetooth-hci_uart-check-if-socket-buffer-is-err_ptr-in-h4_recv_buf.patch

From 1dc2d785156cbdc80806c32e8d2c7c735d0b4721 Mon Sep 17 00:00:00 2001
From: Myungho Jung <mhjungk@gmail.com>
Date: Tue, 22 Jan 2019 00:33:26 -0800
Subject: Bluetooth: hci_uart: Check if socket buffer is ERR_PTR in h4_recv_buf()

From: Myungho Jung <mhjungk@gmail.com>

commit 1dc2d785156cbdc80806c32e8d2c7c735d0b4721 upstream.

h4_recv_buf() callers store the return value to socket buffer and
recursively pass the buffer to h4_recv_buf() without protection. So,
ERR_PTR returned from h4_recv_buf() can be dereferenced, if called again
before setting the socket buffer to NULL from previous error. Check if
skb is ERR_PTR in h4_recv_buf().

Reported-by: syzbot+017a32f149406df32703@syzkaller.appspotmail.com
Signed-off-by: Myungho Jung <mhjungk@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/bluetooth/h4_recv.h |    4 ++++
 drivers/bluetooth/hci_h4.c  |    4 ++++
 2 files changed, 8 insertions(+)

--- a/drivers/bluetooth/h4_recv.h
+++ b/drivers/bluetooth/h4_recv.h
@@ -60,6 +60,10 @@ static inline struct sk_buff *h4_recv_bu
                                          const struct h4_recv_pkt *pkts,
                                          int pkts_count)
 {
+       /* Check for error from previous call */
+       if (IS_ERR(skb))
+               skb = NULL;
+
        while (count) {
                int i, len;
 
--- a/drivers/bluetooth/hci_h4.c
+++ b/drivers/bluetooth/hci_h4.c
@@ -174,6 +174,10 @@ struct sk_buff *h4_recv_buf(struct hci_d
        struct hci_uart *hu = hci_get_drvdata(hdev);
        u8 alignment = hu->alignment ? hu->alignment : 1;
 
+       /* Check for error from previous call */
+       if (IS_ERR(skb))
+               skb = NULL;
+
        while (count) {
                int i, len;