Merge: Bluetooth: btrtl: fix out of bounds memory access

MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/4137

From: Bastien Nocera <bnocera@redhat.com>

Subject: Bluetooth: btrtl: fix out of bounds memory access

JIRA: https://issues.redhat.com/browse/RHEL-33202
JIRA: https://issues.redhat.com/browse/RHEL-33203
CVE: CVE-2024-26890

commit de4e88e
Author: Andrey Skvortsov <andrej.skvortzov@gmail.com>
Date:   Sat Feb 24 00:37:04 2024 +0300

    Bluetooth: btrtl: fix out of bounds memory access
    
    The problem is detected by KASAN.
    btrtl driver uses private hci data to store 'struct btrealtek_data'.
    If btrtl driver is used with btusb, then memory for private hci data
    is allocated in btusb. But no private data is allocated after hci_dev,
    when btrtl is used with hci_h5.
    
    This commit adds memory allocation for hci_h5 case.
    
     ==================================================================
     BUG: KASAN: slab-out-of-bounds in btrtl_initialize+0x6cc/0x958 [btrtl]
     Write of size 8 at addr ffff00000f5a5748 by task kworker/u9:0/76
    
     Hardware name: Pine64 PinePhone (1.2) (DT)
     Workqueue: hci0 hci_power_on [bluetooth]
     Call trace:
      dump_backtrace+0x9c/0x128
      show_stack+0x20/0x38
      dump_stack_lvl+0x48/0x60
      print_report+0xf8/0x5d8
      kasan_report+0x90/0xd0
      __asan_store8+0x9c/0xc0
             [btrtl]
      h5_btrtl_setup+0xd0/0x2f8 [hci_uart]
      h5_setup+0x50/0x80 [hci_uart]
      hci_uart_setup+0xd4/0x260 [hci_uart]
      hci_dev_open_sync+0x1cc/0xf68 [bluetooth]
      hci_dev_do_open+0x34/0x90 [bluetooth]
      hci_power_on+0xc4/0x3c8 [bluetooth]
      process_one_work+0x328/0x6f0
      worker_thread+0x410/0x778
      kthread+0x168/0x178
      ret_from_fork+0x10/0x20
    
     Allocated by task 53:
      kasan_save_stack+0x3c/0x68
      kasan_save_track+0x20/0x40
      kasan_save_alloc_info+0x68/0x78
      __kasan_kmalloc+0xd4/0xd8
      __kmalloc+0x1b4/0x3b0
      hci_alloc_dev_priv+0x28/0xa58 [bluetooth]
      hci_uart_register_device+0x118/0x4f8 [hci_uart]
      h5_serdev_probe+0xf4/0x178 [hci_uart]
      serdev_drv_probe+0x54/0xa0
      really_probe+0x254/0x588
      __driver_probe_device+0xc4/0x210
      driver_probe_device+0x64/0x160
      __driver_attach_async_helper+0x88/0x158
      async_run_entry_fn+0xd0/0x388
      process_one_work+0x328/0x6f0
      worker_thread+0x410/0x778
      kthread+0x168/0x178
      ret_from_fork+0x10/0x20
    
     Last potentially related work creation:
      kasan_save_stack+0x3c/0x68
      __kasan_record_aux_stack+0xb0/0x150
      kasan_record_aux_stack_noalloc+0x14/0x20
      __queue_work+0x33c/0x960
      queue_work_on+0x98/0xc0
      hci_recv_frame+0xc8/0x1e8 [bluetooth]
      h5_complete_rx_pkt+0x2c8/0x800 [hci_uart]
      h5_rx_payload+0x98/0xb8 [hci_uart]
      h5_recv+0x158/0x3d8 [hci_uart]
      hci_uart_receive_buf+0xa0/0xe8 [hci_uart]
      ttyport_receive_buf+0xac/0x178
      flush_to_ldisc+0x130/0x2c8
      process_one_work+0x328/0x6f0
      worker_thread+0x410/0x778
      kthread+0x168/0x178
      ret_from_fork+0x10/0x20
    
     Second to last potentially related work creation:
      kasan_save_stack+0x3c/0x68
      __kasan_record_aux_stack+0xb0/0x150
      kasan_record_aux_stack_noalloc+0x14/0x20
      __queue_work+0x788/0x960
      queue_work_on+0x98/0xc0
      __hci_cmd_sync_sk+0x23c/0x7a0 [bluetooth]
      __hci_cmd_sync+0x24/0x38 [bluetooth]
      btrtl_initialize+0x760/0x958 [btrtl]
      h5_btrtl_setup+0xd0/0x2f8 [hci_uart]
      h5_setup+0x50/0x80 [hci_uart]
      hci_uart_setup+0xd4/0x260 [hci_uart]
      hci_dev_open_sync+0x1cc/0xf68 [bluetooth]
      hci_dev_do_open+0x34/0x90 [bluetooth]
      hci_power_on+0xc4/0x3c8 [bluetooth]
      process_one_work+0x328/0x6f0
      worker_thread+0x410/0x778
      kthread+0x168/0x178
      ret_from_fork+0x10/0x20
     ==================================================================
    
    Fixes: 5b35594 ("Bluetooth: btrtl: Add btrealtek data struct")
    Fixes: 044014c ("Bluetooth: btrtl: Add Realtek devcoredump support")
    Signed-off-by: Andrey Skvortsov <andrej.skvortzov@gmail.com>
    Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

Signed-off-by: Bastien Nocera <bnocera@redhat.com>

Approved-by: José Ignacio Tornos Martínez <jtornosm@redhat.com>
Approved-by: Desnes Nunes <desnesn@redhat.com>
Approved-by: David Marlin <dmarlin@redhat.com>
Approved-by: CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com>

Merged-by: Lucas Zampieri <lzampier@redhat.com>

Author: zampierilucas

drivers/bluetooth/hci_h5.c

@@ -113,6 +113,7 @@ struct h5_vnd {
 	int (*suspend)(struct h5 *h5);
 	int (*resume)(struct h5 *h5);
 	const struct acpi_gpio_mapping *acpi_gpio_map;
+	int sizeof_priv;
 };
 
 struct h5_device_data {
@@ -863,7 +864,8 @@ static int h5_serdev_probe(struct serdev_device *serdev)
 	if (IS_ERR(h5->device_wake_gpio))
 		return PTR_ERR(h5->device_wake_gpio);
 
-	return hci_uart_register_device(&h5->serdev_hu, &h5p);
+	return hci_uart_register_device_priv(&h5->serdev_hu, &h5p,
+					     h5->vnd->sizeof_priv);
 }
 
 static void h5_serdev_remove(struct serdev_device *serdev)
@@ -1070,6 +1072,7 @@ static struct h5_vnd rtl_vnd = {
 	.suspend	= h5_btrtl_suspend,
 	.resume		= h5_btrtl_resume,
 	.acpi_gpio_map	= acpi_btrtl_gpios,
+	.sizeof_priv    = sizeof(struct btrealtek_data),
 };
 
 static const struct h5_device_data h5_data_rtl8822cs = {

drivers/bluetooth/hci_serdev.c

@@ -300,8 +300,9 @@ static const struct serdev_device_ops hci_serdev_client_ops = {
 	.write_wakeup = hci_uart_write_wakeup,
 };
 
-int hci_uart_register_device(struct hci_uart *hu,
-			     const struct hci_uart_proto *p)
+int hci_uart_register_device_priv(struct hci_uart *hu,
+			     const struct hci_uart_proto *p,
+			     int sizeof_priv)
 {
 	int err;
 	struct hci_dev *hdev;
@@ -325,7 +326,7 @@ int hci_uart_register_device(struct hci_uart *hu,
 	set_bit(HCI_UART_PROTO_READY, &hu->flags);
 
 	/* Initialize and register HCI device */
-	hdev = hci_alloc_dev();
+	hdev = hci_alloc_dev_priv(sizeof_priv);
 	if (!hdev) {
 		BT_ERR("Can't allocate HCI device");
 		err = -ENOMEM;
@@ -394,7 +395,7 @@ int hci_uart_register_device(struct hci_uart *hu,
 	percpu_free_rwsem(&hu->proto_lock);
 	return err;
 }
-EXPORT_SYMBOL_GPL(hci_uart_register_device);
+EXPORT_SYMBOL_GPL(hci_uart_register_device_priv);
 
 void hci_uart_unregister_device(struct hci_uart *hu)
 {

drivers/bluetooth/hci_uart.h

@@ -97,7 +97,17 @@ struct hci_uart {
 
 int hci_uart_register_proto(const struct hci_uart_proto *p);
 int hci_uart_unregister_proto(const struct hci_uart_proto *p);
-int hci_uart_register_device(struct hci_uart *hu, const struct hci_uart_proto *p);
+
+int hci_uart_register_device_priv(struct hci_uart *hu,
+				  const struct hci_uart_proto *p,
+				  int sizeof_priv);
+
+static inline int hci_uart_register_device(struct hci_uart *hu,
+					   const struct hci_uart_proto *p)
+{
+	return hci_uart_register_device_priv(hu, p, 0);
+}
+
 void hci_uart_unregister_device(struct hci_uart *hu);
 
 int hci_uart_tx_wakeup(struct hci_uart *hu);