[BlueZ,4/7] tools: Prevent infinity loops in bluemoon.c

Message ID	20220401074640.3956695-5-i.kamaletdinov@omp.ru (mailing list archive)
State	Superseded
Headers	show Return-Path: <linux-bluetooth-owner@kernel.org> From: Ildar Kamaletdinov <i.kamaletdinov@omp.ru> To: <linux-bluetooth@vger.kernel.org> CC: Ildar Kamaletdinov <i.kamaletdinov@omp.ru> Subject: [PATCH BlueZ 4/7] tools: Prevent infinity loops in bluemoon.c Date: Fri, 1 Apr 2022 10:46:37 +0300 Message-ID: <20220401074640.3956695-5-i.kamaletdinov@omp.ru> In-Reply-To: <20220401074640.3956695-1-i.kamaletdinov@omp.ru> References: <20220401074640.3956695-1-i.kamaletdinov@omp.ru> MIME-Version: 1.0 Content-Transfer-Encoding: 7BIT Content-Type: text/plain; charset=US-ASCII Precedence: bulk
Series	Fix bugs found by SVACE static analisys tool \| expand [BlueZ,0/7] Fix bugs found by SVACE static analisys tool [BlueZ,1/7] monitor: Fix out-of-bound read in print_le_states [BlueZ,2/7] tools: Fix buffer overflow in hciattach_tialt.c [BlueZ,3/7] tools: Fix signed interger overflow in btsnoop.c [BlueZ,4/7] tools: Prevent infinity loops in bluemoon.c [BlueZ,5/7] tools: Limit width of fields in sscanf [BlueZ,6/7] device: Limit width of fields in sscanf [BlueZ,7/7] gatt: Fix double free and freed memory dereference

Message ID

20220401074640.3956695-5-i.kamaletdinov@omp.ru (mailing list archive)

State

Superseded

Headers

From: Ildar Kamaletdinov <i.kamaletdinov@omp.ru>
To: <linux-bluetooth@vger.kernel.org>
CC: Ildar Kamaletdinov <i.kamaletdinov@omp.ru>
Subject: [PATCH BlueZ 4/7] tools: Prevent infinity loops in bluemoon.c
Date: Fri, 1 Apr 2022 10:46:37 +0300
Message-ID: <20220401074640.3956695-5-i.kamaletdinov@omp.ru>
In-Reply-To: <20220401074640.3956695-1-i.kamaletdinov@omp.ru>
References: <20220401074640.3956695-1-i.kamaletdinov@omp.ru>
MIME-Version: 1.0
Content-Transfer-Encoding: 7BIT
Content-Type: text/plain; charset=US-ASCII
Precedence: bulk

Series

Fix bugs found by SVACE static analisys tool | expand

Context	Check	Description
tedd_an/pre-ci_am	success	Success
tedd_an/checkpatch	warning	[BlueZ,4/7] tools: Prevent infinity loops in bluemoon.c WARNING:TYPO_SPELLING: 'standart' may be misspelled - perhaps 'standard'? #50: According to C99 standart SIZE_MAX could be as small as 65535. ^^^^^^^^ /github/workspace/src/12797975.patch total: 0 errors, 1 warnings, 25 lines checked NOTE: For some of the reported defects, checkpatch may be able to mechanically convert to the typical style using --fix or --fix-inplace. /github/workspace/src/12797975.patch has style problems, please review. NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO NOTE: If any of the errors are false positives, please report them to the maintainer, see CHECKPATCH in MAINTAINERS.
tedd_an/gitlint	success	Gitlint PASS

Context

Check

Description

tedd_an/pre-ci_am

success

Success

tedd_an/checkpatch

warning

[BlueZ,4/7] tools: Prevent infinity loops in bluemoon.c WARNING:TYPO_SPELLING: 'standart' may be misspelled - perhaps 'standard'? #50: According to C99 standart SIZE_MAX could be as small as 65535. ^^^^^^^^ /github/workspace/src/12797975.patch total: 0 errors, 1 warnings, 25 lines checked NOTE: For some of the reported defects, checkpatch may be able to mechanically convert to the typical style using --fix or --fix-inplace. /github/workspace/src/12797975.patch has style problems, please review. NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO NOTE: If any of the errors are false positives, please report them to the maintainer, see CHECKPATCH in MAINTAINERS.

tedd_an/gitlint

success

Gitlint PASS

Commit Message

Ildar Kamaletdinov April 1, 2022, 7:46 a.m. UTC

In case FW size is too big we can face with infinity while() loops.
According to C99 standart SIZE_MAX could be as small as 65535.

So to prevent overflow of 'firmware_offset' we must limit maximum FW
size that could be processed by bluemoon.

Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.
---
 tools/bluemoon.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/tools/bluemoon.c b/tools/bluemoon.c
index f50107a2a..729da36f6 100644
--- a/tools/bluemoon.c
+++ b/tools/bluemoon.c
@@ -492,6 +492,13 @@  static void request_firmware(const char *path)
 		return;
 	}
 
+	if (st.st_size > (SIZE_MAX - 4)) {
+		fprintf(stderr, "Firmware size is too big\n");
+		close(fd);
+		shutdown_device();
+		return;
+	}
+
 	firmware_data = malloc(st.st_size);
 	if (!firmware_data) {
 		fprintf(stderr, "Failed to allocate firmware buffer\n");
@@ -874,6 +881,12 @@  static void analyze_firmware(const char *path)
 		return;
 	}
 
+	if (st.st_size > (SIZE_MAX - 3)) {
+		fprintf(stderr, "Firmware size is too big\n");
+		close(fd);
+		return;
+	}
+
 	firmware_data = malloc(st.st_size);
 	if (!firmware_data) {
 		fprintf(stderr, "Failed to allocate firmware buffer\n");

[BlueZ,4/7] tools: Prevent infinity loops in bluemoon.c

Checks

Commit Message

Patch