https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=283693

            Bug ID: 283693
           Summary: OOB read during HCI event mask filtering
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: b...@freebsd.org
          Reporter: zy...@cl.cam.ac.uk

- Overview:
During raw HCI packet filtering, ng_btsocket_hci_raw_filter incorrectly filters
packets due to an out-of-bounds read.


- Root cause:
In ng_btsocket_hci_raw_filter, if the HCI event code is greater than
NG_HCI_EVENT_MASK_SIZE * 8, where NG_HCI_EVENT_MASK_SIZE is 8, then an integer
overflow happens in bit_test. This is due to an incorrect declaration of
bitstrings in the ng_btsocket_hci_raw_filter struct. Valid event codes range
from 0x01 to 0xff, whereas the bitstring declaration specifies
NG_HCI_EVENT_MASK_SIZE * 8 = 64. The specific line of code is in:
https://github.com/freebsd/freebsd-src/blob/837feb4d05c2dccafa1698649b58f7b7fdc59c54/sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c#L715:

if (!bit_test(pcb->filter.event_mask, event))

This crash was found when working with a CheriBSD purecap kernel, where the
issue causes a kernel panic instead of a silent OOB.
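The following C program is an added illustration, not code from the report or from the FreeBSD tree: it models the struct layout before and after the change described under "Fix" below, using a minimal stand-in for the bit_decl()/bit_test() macros of <sys/bitstring.h> (assumed to differ only in word width), and shows why an event code of up to 0xff cannot be tested against a 64-bit mask without indexing past the member. The event codes and the two mask bits it enables are constructed values; event_allowed() is a hypothetical bounds-checked replacement for the bare bit_test() at the reported line.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Stand-in for <sys/bitstring.h> (assumption: the real bitstr_t uses a wider
 * word, but the bit-count arithmetic that matters here is the same).
 * One bit per position, numbered from bit 0 of byte 0.
 */
typedef unsigned char bitstr_t;
#define bit_decl(name, nbits)     name[((nbits) + CHAR_BIT - 1) / CHAR_BIT]
#define MEMBER_BITS(type, member) (sizeof(((type *)0)->member) * CHAR_BIT)

static int bit_test(const bitstr_t *bs, size_t bit)
{
	return (bs[bit / CHAR_BIT] >> (bit % CHAR_BIT)) & 1;
}

static void bit_set(bitstr_t *bs, size_t bit)
{
	bs[bit / CHAR_BIT] |= (bitstr_t)(1u << (bit % CHAR_BIT));
}

#define NG_HCI_EVENT_MASK_SIZE 8	/* 8 bytes, as stated in the report */

/* Layout before the patch: 64 event bits, but event codes go up to 0xff. */
struct filter_old {
	bitstr_t bit_decl(packet_mask, 32);
	bitstr_t bit_decl(event_mask, (NG_HCI_EVENT_MASK_SIZE * 8));
};

/* Layout proposed in the report's diff: one bit per possible event code. */
struct filter_new {
	bitstr_t bit_decl(packet_mask, 8);
	bitstr_t bit_decl(event_mask, 256);
};

static size_t old_event_bits(void) { return MEMBER_BITS(struct filter_old, event_mask); }
static size_t new_event_bits(void) { return MEMBER_BITS(struct filter_new, event_mask); }

/*
 * Hypothetical bounds-checked filter test: an event code with no
 * corresponding bit is dropped instead of being read past the end of
 * event_mask. Correct for either layout because the caller passes the size.
 */
static bool event_allowed(const bitstr_t *mask, size_t mask_bits, unsigned event)
{
	if (event >= mask_bits)
		return false;
	return bit_test(mask, event) != 0;
}

/* Bytes beyond the old 8-byte event_mask that a bare bit_test(event) touches. */
static long overrun_bytes(unsigned event)
{
	long idx = (long)(event / CHAR_BIT);
	long len = (long)(old_event_bits() / CHAR_BIT);
	return idx >= len ? idx - len + 1 : 0;
}

/*
 * Constructed demo: enable two event codes in the 256-bit mask and run a
 * constructed set of events through the checked filter. Returns how many pass.
 */
static int run_demo(void)
{
	struct filter_new f;
	static const unsigned events[] = { 0x01, 0x0e, 0x3f, 0x40, 0xff };
	int passed = 0;

	memset(&f, 0, sizeof f);
	bit_set(f.event_mask, 0x0e);	/* constructed: let event 0x0e through */
	bit_set(f.event_mask, 0xff);	/* constructed: let event 0xff through */

	for (size_t i = 0; i < sizeof events / sizeof events[0]; i++) {
		bool ok = event_allowed(f.event_mask, new_event_bits(), events[i]);
		printf("event 0x%02x: %s (old 64-bit mask: bit_test reads %ld byte(s) past the end)\n",
		    events[i], ok ? "pass" : "drop", overrun_bytes(events[i]));
		passed += ok;
	}
	return passed;
}

int main(void)
{
	printf("old event_mask: %zu bits, new event_mask: %zu bits\n",
	    old_event_bits(), new_event_bits());
	return run_demo() == 2 ? 0 : 1;
}
```

Compile with cc -Wall and run; the per-event lines show that every event code above 0x3f falls outside the 64-bit declaration (0xff lands 24 bytes past it), while the explicit size check in event_allowed() makes the outcome independent of which declaration the build happens to use.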

- Fix:
The bitstring declaration can be fixed as suggested in the diff below. Also,
the bitstring declaration of packet_mask in ng_btsocket_hci_raw_filter struct
specifies 32, but valid packet types range from 0x1 to 0x4. Therefore, a
bitstring declaration of 8 bits is enough.

diff --git a/sys/netgraph/bluetooth/include/ng_btsocket.h
b/sys/netgraph/bluetooth/include/ng_btsocket.h
index 2dc15d44e72..8ccfad2d808 100644
--- a/sys/netgraph/bluetooth/include/ng_btsocket.h
+++ b/sys/netgraph/bluetooth/include/ng_btsocket.h
@@ -69,8 +69,8 @@ struct sockaddr_hci {
  */

 struct ng_btsocket_hci_raw_filter {
-       bitstr_t        bit_decl(packet_mask, 32);
-       bitstr_t        bit_decl(event_mask, (NG_HCI_EVENT_MASK_SIZE * 8));
+       bitstr_t        bit_decl(packet_mask, 8);
+       bitstr_t        bit_decl(event_mask, 256);
 };

 /*
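Review bot: shrinking packet_mask from 32 to 8 bits is unrelated to the reported OOB read and, together with the event_mask growth, changes the size and layout of struct ng_btsocket_hci_raw_filter; as this header sits under bluetooth/include and the struct is presumably what callers fill in to install a raw filter, the commit message should spell out the ABI impact and any consumer of sizeof(struct ng_btsocket_hci_raw_filter) should be checked, or the packet_mask change should be split into its own commit. For event_mask, a named constant derived from the maximum event code (the report gives 0xff) would be preferable to the literal 256, and NG_HCI_EVENT_MASK_SIZE should be kept consistent with it so that any other code still sizing buffers from NG_HCI_EVENT_MASK_SIZE * 8 does not disagree with the struct. A range check on event before the bit_test() at the reported call site would additionally keep the filter safe regardless of the declared size.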

- Kernel commit and config:
This is reproducible as of the latest commit on 27th December 2024 in a GENERIC
kernel with Bluetooth enabled.

- Credits:
Yichen Chai <yichen.c...@gmail.com>
Zhuo Ying Jiang Li <zy...@cl.cam.ac.uk>
