CVE-2023-53057

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-53057
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53057.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-53057
Related
Published
2025-05-02T16:15:24Z
Modified
2025-05-05T20:54:45Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: HCI: Fix global-out-of-bounds

To loop a variable-length array, hci_init_stage_sync(stage) considers that stage[i] is valid as long as stage[i-1].func is valid. Thus, the last element of stage[].func should be intentionally invalid as hci_init0[], le_init2[], and others did. However, amp_init1[] and amp_init2[] have no invalid element, letting hci_init_stage_sync() keep accessing amp_init1[] over its valid range. This patch fixes this by adding {} in the last of amp_init1[] and amp_init2[].

==================================================================
BUG: KASAN: global-out-of-bounds in hci_dev_open_sync (/v6.2-bzimage/net/bluetooth/hci_sync.c:3154 /v6.2-bzimage/net/bluetooth/hci_sync.c:3343 /v6.2-bzimage/net/bluetooth/hci_sync.c:4418 /v6.2-bzimage/net/bluetooth/hci_sync.c:4609 /v6.2-bzimage/net/bluetooth/hci_sync.c:4689)
Read of size 8 at addr ffffffffaed1ab70 by task kworker/u5:0/1032

CPU: 0 PID: 1032 Comm: kworker/u5:0 Not tainted 6.2.0 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04
Workqueue: hci1 hci_power_on
Call Trace:
 <TASK>
 dump_stack_lvl (/v6.2-bzimage/lib/dump_stack.c:107 (discriminator 1))
 print_report (/v6.2-bzimage/mm/kasan/report.c:307 /v6.2-bzimage/mm/kasan/report.c:417)
 ? hci_dev_open_sync (/v6.2-bzimage/net/bluetooth/hci_sync.c:3154 /v6.2-bzimage/net/bluetooth/hci_sync.c:3343 /v6.2-bzimage/net/bluetooth/hci_sync.c:4418 /v6.2-bzimage/net/bluetooth/hci_sync.c:4609 /v6.2-bzimage/net/bluetooth/hci_sync.c:4689)
 kasan_report (/v6.2-bzimage/mm/kasan/report.c:184 /v6.2-bzimage/mm/kasan/report.c:519)
 ? hci_dev_open_sync (/v6.2-bzimage/net/bluetooth/hci_sync.c:3154 /v6.2-bzimage/net/bluetooth/hci_sync.c:3343 /v6.2-bzimage/net/bluetooth/hci_sync.c:4418 /v6.2-bzimage/net/bluetooth/hci_sync.c:4609 /v6.2-bzimage/net/bluetooth/hci_sync.c:4689)
 hci_dev_open_sync (/v6.2-bzimage/net/bluetooth/hci_sync.c:3154 /v6.2-bzimage/net/bluetooth/hci_sync.c:3343 /v6.2-bzimage/net/bluetooth/hci_sync.c:4418 /v6.2-bzimage/net/bluetooth/hci_sync.c:4609 /v6.2-bzimage/net/bluetooth/hci_sync.c:4689)
 ? __pfx_hci_dev_open_sync (/v6.2-bzimage/net/bluetooth/hci_sync.c:4635)
 ? mutex_lock (/v6.2-bzimage/./arch/x86/include/asm/atomic64_64.h:190 /v6.2-bzimage/./include/linux/atomic/atomic-long.h:443 /v6.2-bzimage/./include/linux/atomic/atomic-instrumented.h:1781 /v6.2-bzimage/kernel/locking/mutex.c:171 /v6.2-bzimage/kernel/locking/mutex.c:285)
 ? __pfx_mutex_lock (/v6.2-bzimage/kernel/locking/mutex.c:282)
 hci_power_on (/v6.2-bzimage/net/bluetooth/hci_core.c:485 /v6.2-bzimage/net/bluetooth/hci_core.c:984)
 ? __pfx_hci_power_on (/v6.2-bzimage/net/bluetooth/hci_core.c:969)
 ? read_word_at_a_time (/v6.2-bzimage/./include/asm-generic/rwonce.h:85)
 ? strscpy (/v6.2-bzimage/./arch/x86/include/asm/word-at-a-time.h:62 /v6.2-bzimage/lib/string.c:161)
 process_one_work (/v6.2-bzimage/kernel/workqueue.c:2294)
 worker_thread (/v6.2-bzimage/./include/linux/list.h:292 /v6.2-bzimage/kernel/workqueue.c:2437)
 ? __pfx_worker_thread (/v6.2-bzimage/kernel/workqueue.c:2379)
 kthread (/v6.2-bzimage/kernel/kthread.c:376)
 ? __pfx_kthread (/v6.2-bzimage/kernel/kthread.c:331)
 ret_from_fork (/v6.2-bzimage/arch/x86/entry/entry_64.S:314)
 </TASK>

The buggy address belongs to the variable:
 amp_init1+0x30/0x60

The buggy address belongs to the physical page:
page:000000003a157ec6 refcount:1 mapcount:0 mapping:0000000000000000 ia flags: 0x200000000001000(reserved|node=0|zone=2)
raw: 0200000000001000 ffffea0005054688 ffffea0005054688 000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffffffffaed1aa00: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 00 00 00 00
 ffffffffaed1aa80: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
 ffffffffaed1ab00: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 f9 f9

---truncated---

References

Affected packages

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
6.1.25-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
6.1.25-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}