Date: Mon, 24 Oct 2022 21:41:56 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 267317] encryption_change() in ng_hci_evnt.c can dereference NULL pointer
Message-ID: <bug-267317-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=267317

            Bug ID: 267317
           Summary: encryption_change() in ng_hci_evnt.c can dereference
                    NULL pointer
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
        Attachment #237589 text/plain
         mime type:

Created attachment 237589
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=237589&action=edit
Cause encryption_change() to dereference a NULL pointer.

An encryption change event packet arriving on a bluetooth hci drv hook
that refers to a non-existent connection can cause con in this code to
be NULL but be dereferenced:

static int
encryption_change(ng_hci_unit_p unit, struct mbuf *event)
{
        ...;
        ep = mtod(event, ng_hci_encryption_change_ep *);
        h = NG_HCI_CON_HANDLE(le16toh(ep->con_handle));
        con = ng_hci_con_by_handle(unit, h);
        ...;
        ng_hci_lp_enc_change(con, con->encryption_mode);

I've attached a demo that sends a message with con_handle=65535:

# cc ng13b.c -lnetgraph
# ./a.out
encryption_change:  - failed to change encryption mode, status=255
panic: Fatal page fault at 0xffffffc00040c630: 0x00000000000015
cpuid = 0
time = 1666544229
KDB: stack backtrace:
db_trace_self() at db_trace_self
db_trace_self_wrapper() at db_trace_self_wrapper+0x38
kdb_backtrace() at kdb_backtrace+0x2c
vpanic() at vpanic+0x170
panic() at panic+0x2a
page_fault_handler() at page_fault_handler+0x1d6
do_trap_supervisor() at do_trap_supervisor+0x74
cpu_exception_handler_supervisor() at cpu_exception_handler_supervisor+0x70
--- exception 13, tval = 0x15
encryption_change() at encryption_change+0x84
ng_hci_process_event() at ng_hci_process_event+0x118
ng_hci_drv_rcvdata() at ng_hci_drv_rcvdata+0xb8
ng_apply_item() at ng_apply_item+0x130
ng_snd_item() at ng_snd_item+0x1bc
ngd_send() at ngd_send+0xf8
sosend_generic() at sosend_generic+0x384
sosend() at sosend+0x68
kern_sendit() at kern_sendit+0x170
sendit() at sendit+0x9c
sys_sendto() at sys_sendto+0x40
syscallenter() at syscallenter+0xec
ecall_handler() at ecall_handler+0x18
do_trap_user() at do_trap_user+0xf6
cpu_exception_handler_user() at cpu_exception_handler_user+0x72
--- syscall (133, FreeBSD ELF64, sys_sendto)

-- 
You are receiving this mail because:
You are the assignee for the bug.
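The failure mode in the report is a lookup by connection handle that can return NULL, followed by an unconditional dereference of the result. The user-space model below, added here as an editor's example and not code from the bug report or from the FreeBSD ng_hci driver, builds the 4-byte parameter block of an HCI Encryption Change event (status, little-endian connection handle, encryption_enable, the same field order as ng_hci_encryption_change_ep) and runs it through a handler that checks the lookup result on every path before notifying the upper layer. The connection table, the stand-ins for ng_hci_con_by_handle() and ng_hci_lp_enc_change(), and the errno values returned are assumptions made for this model; the 0x0fff handle mask matches NG_HCI_CON_HANDLE.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* HCI Encryption Change event parameter block: status (1 byte),
 * connection handle (2 bytes, little-endian), encryption_enable (1 byte).
 * Same field order as ng_hci_encryption_change_ep in ng_hci.h; redefined
 * here for a user-space model, nothing below is kernel code. */
#define HCI_EVENT_ENCRYPTION_CHANGE 0x08
#define ENC_CHANGE_EP_LEN           4
#define CON_HANDLE(h)               ((h) & 0x0fff) /* same mask as NG_HCI_CON_HANDLE */

struct hci_con {
    uint16_t handle;          /* 12-bit connection handle */
    uint8_t  encryption_mode; /* 0 = none, 1 = point-to-point (model values) */
};

/* Stand-in for the per-unit connection list (assumption: fixed-size table). */
struct hci_unit {
    struct hci_con cons[4];
    int            ncons;
    int            notifications;      /* calls to lp_enc_change() */
    uint8_t        last_notified_mode;
};

/* Stand-in for ng_hci_con_by_handle(): NULL when no connection matches. */
static struct hci_con *
con_by_handle(struct hci_unit *unit, uint16_t handle)
{
    for (int i = 0; i < unit->ncons; i++)
        if (unit->cons[i].handle == handle)
            return &unit->cons[i];
    return NULL;
}

/* Stand-in for ng_hci_lp_enc_change(), the upper-layer notification the
 * backtrace shows being reached with con == NULL. It requires a valid con. */
static void
lp_enc_change(struct hci_unit *unit, struct hci_con *con, uint8_t mode)
{
    (void)con->handle; /* would fault on NULL, exactly as in the report */
    unit->notifications++;
    unit->last_notified_mode = mode;
}

/* Builds the event parameter block the report's demo sends (con_handle=65535). */
void
build_enc_change_event(uint8_t status, uint16_t con_handle,
    uint8_t encryption_enable, uint8_t out[ENC_CHANGE_EP_LEN])
{
    out[0] = status;
    out[1] = (uint8_t)(con_handle & 0xff);   /* little-endian handle */
    out[2] = (uint8_t)(con_handle >> 8);
    out[3] = encryption_enable;
}

/* Hardened handler: the lookup result is checked before any use, on both the
 * success and the failure-status path. Error codes are this model's choice. */
int
encryption_change(struct hci_unit *unit, const uint8_t *params, size_t len)
{
    if (len < ENC_CHANGE_EP_LEN)
        return EMSGSIZE;                     /* truncated event */

    uint8_t  status = params[0];
    uint16_t raw    = (uint16_t)(params[1] | (params[2] << 8));
    uint16_t handle = CON_HANDLE(raw);       /* 65535 -> 0x0fff */
    uint8_t  enable = params[3];

    struct hci_con *con = con_by_handle(unit, handle);
    if (con == NULL)
        return ENOENT;   /* unknown handle: the case that panicked */

    if (status == 0)
        con->encryption_mode = enable ? 1 : 0;
    /* status != 0: controller reported failure, mode left unchanged */

    lp_enc_change(unit, con, con->encryption_mode);
    return status == 0 ? 0 : EIO;
}

/* Replays the report's event (status=255, con_handle=65535) against a unit
 * that has one connection, handle 0x0001; returns the handler's result. */
int
replay_report_event(void)
{
    struct hci_unit unit = { .cons = { { 0x0001, 0 } }, .ncons = 1 };
    uint8_t ev[ENC_CHANGE_EP_LEN];
    build_enc_change_event(0xff, 65535, 0, ev);
    return encryption_change(&unit, ev, sizeof ev);
}

int
main(void)
{
    printf("replayed event -> %d (ENOENT=%d)\n", replay_report_event(), ENOENT);
    return 0;
}
```

Build with `cc -std=c99 model.c`; the replayed event returns ENOENT instead of reaching the notification call with a NULL connection.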