[BlueZ,02/15] shared/ecc: Fix uninitialised variable usage

Message ID	20240516090340.61417-3-hadess@hadess.net (mailing list archive)
State	Accepted
Commit	0a1159dc105533e3f07cd252d1fd271967d8f4d6
Headers	show Received: from relay5-d.mail.gandi.net (relay5-d.mail.gandi.net [217.70.183.197]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 329AF142E98 for <linux-bluetooth@vger.kernel.org>; Thu, 16 May 2024 09:03:47 +0000 (UTC) From: Bastien Nocera <hadess@hadess.net> To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera <hadess@hadess.net> Subject: [BlueZ 02/15] shared/ecc: Fix uninitialised variable usage Date: Thu, 16 May 2024 11:03:06 +0200 Message-ID: <20240516090340.61417-3-hadess@hadess.net> In-Reply-To: <20240516090340.61417-1-hadess@hadess.net> References: <20240516090340.61417-1-hadess@hadess.net> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	Fix a number of static analysis issues #2 \| expand [BlueZ,00/15] Fix a number of static analysis issues #2 [BlueZ,01/15] main: Simplify variable assignment [BlueZ,02/15] shared/ecc: Fix uninitialised variable usage [BlueZ,03/15] shared/gatt-client: Fix uninitialised variable usage [BlueZ,04/15] tools/mesh-cfgclient: Fix uninitialised variable usage [BlueZ,05/15] test-runner: Remove unused envp [BlueZ,06/15] test-runner: Fix uninitialised variable usage [BlueZ,07/15] test-runner: Fix uninitialised variable usage [BlueZ,08/15] shared/bap: Fix possible use-after-free [BlueZ,09/15] isotest: Fix bad free [BlueZ,10/15] test-runner: Fix fd leak on failure [BlueZ,11/15] isotest: Fix string size expectations [BlueZ,12/15] mgmt-tester: Fix non-nul-terminated string [BlueZ,13/15] gdbus: Check sprintf retval [BlueZ,14/15] shared/bap: Fix memory leak in error path [BlueZ,15/15] android/handsfree: Check sprintf retval

Message ID

20240516090340.61417-3-hadess@hadess.net (mailing list archive)

State

Accepted

Commit

0a1159dc105533e3f07cd252d1fd271967d8f4d6

Headers

From: Bastien Nocera <hadess@hadess.net>
To: linux-bluetooth@vger.kernel.org
Cc: Bastien Nocera <hadess@hadess.net>
Subject: [BlueZ 02/15] shared/ecc: Fix uninitialised variable usage
Date: Thu, 16 May 2024 11:03:06 +0200
Message-ID: <20240516090340.61417-3-hadess@hadess.net>
In-Reply-To: <20240516090340.61417-1-hadess@hadess.net>
References: <20240516090340.61417-1-hadess@hadess.net>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

Fix a number of static analysis issues #2 | expand

Checks

Context	Check	Description
tedd_an/pre-ci_am	success	Success
tedd_an/CheckPatch	success	CheckPatch PASS
tedd_an/GitLint	fail	WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search 4: B1 Line exceeds max length (89>80): "bluez-5.75/src/shared/ecc.c:869:2: var_decl: Declaring variable "pk" without initializer." 5: B1 Line exceeds max length (133>80): "bluez-5.75/src/shared/ecc.c:885:34: uninit_use_in_call: Using uninitialized element of array "pk.x" when calling "ecc_point_is_zero"." 7: B3 Line contains hard tab characters (\t): "884\| ecc_point_mult(&pk, &curve_g, priv, NULL, vli_num_bits(priv));" 8: B3 Line contains hard tab characters (\t): "885\|-> } while (ecc_point_is_zero(&pk));" 10: B3 Line contains hard tab characters (\t): "887\| ecc_native2bytes(priv, private_key);" 13: B1 Line exceeds max length (89>80): "bluez-5.75/src/shared/ecc.c:869:2: var_decl: Declaring variable "pk" without initializer." 14: B1 Line exceeds max length (133>80): "bluez-5.75/src/shared/ecc.c:885:34: uninit_use_in_call: Using uninitialized element of array "pk.x" when calling "ecc_point_is_zero"." 15: B1 Line exceeds max length (133>80): "bluez-5.75/src/shared/ecc.c:885:34: uninit_use_in_call: Using uninitialized element of array "pk.y" when calling "ecc_point_is_zero"." 17: B3 Line contains hard tab characters (\t): "884\| ecc_point_mult(&pk, &curve_g, priv, NULL, vli_num_bits(priv));" 18: B3 Line contains hard tab characters (\t): "885\|-> } while (ecc_point_is_zero(&pk));" 20: B3 Line contains hard tab characters (\t): "887\| ecc_native2bytes(priv, private_key);" 23: B1 Line exceeds max length (89>80): "bluez-5.75/src/shared/ecc.c:869:2: var_decl: Declaring variable "pk" without initializer." 24: B1 Line exceeds max length (121>80): "bluez-5.75/src/shared/ecc.c:889:2: uninit_use_in_call: Using uninitialized value "*pk.y" when calling "ecc_native2bytes"." 25: B3 Line contains hard tab characters (\t): "887\| ecc_native2bytes(priv, private_key);" 26: B3 Line contains hard tab characters (\t): "888\| ecc_native2bytes(pk.x, public_key);" 27: B3 Line contains hard tab characters (\t): "889\|-> ecc_native2bytes(pk.y, &public_key[32]);" 29: B3 Line contains hard tab characters (\t): "891\| return true;"
tedd_an/IncrementalBuild	success	Incremental Build PASS

Context

Check

Description

tedd_an/pre-ci_am

success

Success

tedd_an/CheckPatch

success

CheckPatch PASS

tedd_an/GitLint

fail

WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search 4: B1 Line exceeds max length (89>80): "bluez-5.75/src/shared/ecc.c:869:2: var_decl: Declaring variable "pk" without initializer." 5: B1 Line exceeds max length (133>80): "bluez-5.75/src/shared/ecc.c:885:34: uninit_use_in_call: Using uninitialized element of array "pk.x" when calling "ecc_point_is_zero"." 7: B3 Line contains hard tab characters (\t): "884| ecc_point_mult(&pk, &curve_g, priv, NULL, vli_num_bits(priv));" 8: B3 Line contains hard tab characters (\t): "885|-> } while (ecc_point_is_zero(&pk));" 10: B3 Line contains hard tab characters (\t): "887| ecc_native2bytes(priv, private_key);" 13: B1 Line exceeds max length (89>80): "bluez-5.75/src/shared/ecc.c:869:2: var_decl: Declaring variable "pk" without initializer." 14: B1 Line exceeds max length (133>80): "bluez-5.75/src/shared/ecc.c:885:34: uninit_use_in_call: Using uninitialized element of array "pk.x" when calling "ecc_point_is_zero"." 15: B1 Line exceeds max length (133>80): "bluez-5.75/src/shared/ecc.c:885:34: uninit_use_in_call: Using uninitialized element of array "pk.y" when calling "ecc_point_is_zero"." 17: B3 Line contains hard tab characters (\t): "884| ecc_point_mult(&pk, &curve_g, priv, NULL, vli_num_bits(priv));" 18: B3 Line contains hard tab characters (\t): "885|-> } while (ecc_point_is_zero(&pk));" 20: B3 Line contains hard tab characters (\t): "887| ecc_native2bytes(priv, private_key);" 23: B1 Line exceeds max length (89>80): "bluez-5.75/src/shared/ecc.c:869:2: var_decl: Declaring variable "pk" without initializer." 24: B1 Line exceeds max length (121>80): "bluez-5.75/src/shared/ecc.c:889:2: uninit_use_in_call: Using uninitialized value "*pk.y" when calling "ecc_native2bytes"." 25: B3 Line contains hard tab characters (\t): "887| ecc_native2bytes(priv, private_key);" 26: B3 Line contains hard tab characters (\t): "888| ecc_native2bytes(pk.x, public_key);" 27: B3 Line contains hard tab characters (\t): "889|-> ecc_native2bytes(pk.y, &public_key[32]);" 29: B3 Line contains hard tab characters (\t): "891| return true;"

tedd_an/IncrementalBuild

success

Incremental Build PASS

Commit Message

Bastien Nocera May 16, 2024, 9:03 a.m. UTC

Error: UNINIT (CWE-457): [#def41] [important]
bluez-5.75/src/shared/ecc.c:869:2: var_decl: Declaring variable "pk" without initializer.
bluez-5.75/src/shared/ecc.c:885:34: uninit_use_in_call: Using uninitialized element of array "pk.x" when calling "ecc_point_is_zero".
883|
884|		ecc_point_mult(&pk, &curve_g, priv, NULL, vli_num_bits(priv));
885|->	} while (ecc_point_is_zero(&pk));
886|
887|	ecc_native2bytes(priv, private_key);

Error: UNINIT (CWE-457): [#def42] [important]
bluez-5.75/src/shared/ecc.c:869:2: var_decl: Declaring variable "pk" without initializer.
bluez-5.75/src/shared/ecc.c:885:34: uninit_use_in_call: Using uninitialized element of array "pk.x" when calling "ecc_point_is_zero".
bluez-5.75/src/shared/ecc.c:885:34: uninit_use_in_call: Using uninitialized element of array "pk.y" when calling "ecc_point_is_zero".
883|
884|		ecc_point_mult(&pk, &curve_g, priv, NULL, vli_num_bits(priv));
885|->	} while (ecc_point_is_zero(&pk));
886|
887|	ecc_native2bytes(priv, private_key);

Error: UNINIT (CWE-457): [#def43] [important]
bluez-5.75/src/shared/ecc.c:869:2: var_decl: Declaring variable "pk" without initializer.
bluez-5.75/src/shared/ecc.c:889:2: uninit_use_in_call: Using uninitialized value "*pk.y" when calling "ecc_native2bytes".
887|	ecc_native2bytes(priv, private_key);
888|	ecc_native2bytes(pk.x, public_key);
889|->	ecc_native2bytes(pk.y, &public_key[32]);
890|
891|	return true;
---
 src/shared/ecc.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/shared/ecc.c b/src/shared/ecc.c
index adaae2082e1f..02bccbd430f6 100644
--- a/src/shared/ecc.c
+++ b/src/shared/ecc.c
@@ -870,6 +870,8 @@  bool ecc_make_key(uint8_t public_key[64], uint8_t private_key[32])
 	uint64_t priv[NUM_ECC_DIGITS];
 	unsigned int tries = 0;
 
+	memset(&pk, 0, sizeof(pk));
+
 	do {
 		if (!get_random_number(priv) || (tries++ >= MAX_TRIES))
 			return false;