KASAN: slab-out-of-bounds Read in hci_extended_inquiry_result_evt

dashboard: https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2

SyzScope detected 1 arbitrary value write for this bug.

Primitive 1: Arbitrary value write in hci_extended_inquiry_result_evt

Bug impact analysis:

bacpy calls memcpy; the UAF read happens there.


    for (; num_rsp; num_rsp--, info++) {
        u32 flags;
        bool name_known;

        bacpy(&data.bdaddr, &info->bdaddr); // info was freed; here comes the UAF read and arbitrary value write
        data.pscan_rep_mode = info->pscan_rep_mode;       // Arbitrary value write
        data.pscan_period_mode = info->pscan_period_mode; // Arbitrary value write
        data.pscan_mode = 0x00;
        memcpy(data.dev_class, info->dev_class, 3);       // Arbitrary value write
        data.clock_offset = info->clock_offset;           // Arbitrary value write
        data.rssi = info->rssi;                           // Arbitrary value write
        data.ssp_mode = 0x01;


From there on we get a series of arbitrary value writes, because info was freed.
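As an added defensive example (not part of this report or of the kernel source): a user-space model of the event loop above with the length check the loop lacks, run on a constructed payload whose num_rsp claims more records than were actually received. The record layout mirrors the kernel's struct extended_inquiry_info; parsed_entry, parse_ext_inquiry_result and the parse_demo helper are assumed names for this demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Record layout modelled on the kernel's struct extended_inquiry_info (254 bytes). */
struct ext_inquiry_info {
    uint8_t  bdaddr[6], pscan_rep_mode, pscan_period_mode, dev_class[3];
    uint16_t clock_offset;
    int8_t   rssi;
    uint8_t  data[240];
} __attribute__((packed));

struct parsed_entry { uint8_t bdaddr[6]; uint8_t dev_class[3]; int8_t rssi; };

/* Hardened parse of an Extended Inquiry Result payload (byte 0 = num_rsp, then
 * num_rsp records). Returns the records copied, or -1 when num_rsp claims more
 * records than the payload carries: the case the loop in the report never checks. */
int parse_ext_inquiry_result(const uint8_t *payload, size_t len,
                             struct parsed_entry *out, size_t max_out)
{
    if (len < 1) return -1;
    size_t num_rsp = payload[0];
    if (num_rsp == 0 || num_rsp > max_out ||
        len < 1 + num_rsp * sizeof(struct ext_inquiry_info))
        return -1;                          /* reject before touching any record */
    const struct ext_inquiry_info *info = (const void *)(payload + 1);
    for (size_t i = 0; i < num_rsp; i++, info++) {
        memcpy(out[i].bdaddr, info->bdaddr, 6);
        memcpy(out[i].dev_class, info->dev_class, 3);
        out[i].rssi = info->rssi;
    }
    return (int)num_rsp;
}

/* Constructed event (hypothetical helper): num_rsp claims `claimed` records, but
 * only `present` records follow in the buffer. Returns the parser's verdict. */
int parse_demo(uint8_t claimed, size_t present)
{
    static uint8_t buf[1 + 3 * sizeof(struct ext_inquiry_info)];
    struct ext_inquiry_info rec = { .rssi = -60 };
    struct parsed_entry out[3];
    if (present > 3) present = 3;           /* keep the constructed buffer in bounds */
    buf[0] = claimed;
    for (size_t i = 0; i < present; i++) {
        memset(rec.bdaddr, (int)i + 1, 6);  /* 01:01:01:01:01:01, 02:02:02:02:02:02, ... */
        memcpy(buf + 1 + i * sizeof rec, &rec, sizeof rec);
    }
    return parse_ext_inquiry_result(buf, 1 + present * sizeof rec, out, 3);
}
```

parse_demo(2, 2) parses both records, while parse_demo(3, 1) is rejected up front instead of reading two records past the end of the payload.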


Trace at high level:

| check_memory_region mm/kasan/generic.c:186
| memcpy mm/kasan/common.c:105 (triggered the OOB read bug)
| hci_extended_inquiry_result_evt net/bluetooth/hci_event.c:4398
| hci_extended_inquiry_result_evt net/bluetooth/hci_event.c:4403 (triggered a new bug: arbitrary value write)


Trace in detail (one basic block per line):

0xffffffff84e2972b  hci_extended_inquiry_result_evt net/bluetooth/hci_event.c:4398 (triggered the OOB read bug)
0xffffffff84e29734  hci_extended_inquiry_result_evt net/bluetooth/hci_event.c:4398
0xffffffff84e29746  hci_extended_inquiry_result_evt net/bluetooth/hci_event.c:4399
0xffffffff84e29770  hci_extended_inquiry_result_evt net/bluetooth/hci_event.c:4402
0xffffffff84e2977e  hci_extended_inquiry_result_evt net/bluetooth/hci_event.c:4402
0xffffffff84e29790  hci_extended_inquiry_result_evt net/bluetooth/hci_event.c:4403 (triggered a new bug: arbitrary value write)

Total: 15 basic blocks