[BlueZ,5/9] shared/mainloop: Fix integer overflow

Message ID	20240530150057.444585-6-hadess@hadess.net (mailing list archive)
State	Accepted
Commit	6cf9117bfd3f3b19cd6cfcf32910e29e57a4b1f7
Headers	show Received: from relay7-d.mail.gandi.net (relay7-d.mail.gandi.net [217.70.183.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C3BF0145A01 for <linux-bluetooth@vger.kernel.org>; Thu, 30 May 2024 15:01:00 +0000 (UTC) From: Bastien Nocera <hadess@hadess.net> To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera <hadess@hadess.net> Subject: [BlueZ 5/9] shared/mainloop: Fix integer overflow Date: Thu, 30 May 2024 16:57:59 +0200 Message-ID: <20240530150057.444585-6-hadess@hadess.net> In-Reply-To: <20240530150057.444585-1-hadess@hadess.net> References: <20240530150057.444585-1-hadess@hadess.net> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	Fix a number of static analysis issues #3 \| expand [BlueZ,0/9] Fix a number of static analysis issues #3 [BlueZ,1/9] rctest: Fix possible overrun [BlueZ,2/9] mgmt-tester: Fix buffer overrun [BlueZ,3/9] l2test: Add missing error checking [BlueZ,4/9] rfkill: Avoid using a signed int for an unsigned variable [BlueZ,5/9] shared/mainloop: Fix integer overflow [BlueZ,6/9] sdp: Fix ineffective error guard [BlueZ,7/9] obexd: Fix buffer overrun [BlueZ,8/9] bap: Fix more memory leaks on error [BlueZ,9/9] avdtp: Fix manipulating struct as an array

Message ID

20240530150057.444585-6-hadess@hadess.net (mailing list archive)

State

Accepted

Commit

6cf9117bfd3f3b19cd6cfcf32910e29e57a4b1f7

Headers

From: Bastien Nocera <hadess@hadess.net>
To: linux-bluetooth@vger.kernel.org
Cc: Bastien Nocera <hadess@hadess.net>
Subject: [BlueZ 5/9] shared/mainloop: Fix integer overflow
Date: Thu, 30 May 2024 16:57:59 +0200
Message-ID: <20240530150057.444585-6-hadess@hadess.net>
In-Reply-To: <20240530150057.444585-1-hadess@hadess.net>
References: <20240530150057.444585-1-hadess@hadess.net>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

Fix a number of static analysis issues #3 | expand

Checks

Context	Check	Description
tedd_an/pre-ci_am	success	Success
tedd_an/CheckPatch	success	CheckPatch PASS
tedd_an/GitLint	fail	WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search 9: B1 Line exceeds max length (107>80): "bluez-5.76/src/shared/mainloop-notify.c:132:2: tainted_data_argument: The value "si" is considered tainted." 10: B1 Line exceeds max length (107>80): "bluez-5.76/src/shared/mainloop-notify.c:137:3: tainted_data_argument: "si.ssi_signo" is considered tainted." 11: B1 Line exceeds max length (136>80): "bluez-5.76/src/shared/mainloop-notify.c:137:3: underflow: The cast of "si.ssi_signo" to a signed type could result in a negative number." 13: B3 Line contains hard tab characters (\t): "136\| if (data && data->func)" 14: B3 Line contains hard tab characters (\t): "137\|-> data->func(si.ssi_signo, data->user_data);" 16: B3 Line contains hard tab characters (\t): "139\| return true;"
tedd_an/IncrementalBuild	success	Incremental Build PASS

Context

Check

Description

tedd_an/pre-ci_am

success

Success

tedd_an/CheckPatch

success

CheckPatch PASS

tedd_an/GitLint

fail

WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search 9: B1 Line exceeds max length (107>80): "bluez-5.76/src/shared/mainloop-notify.c:132:2: tainted_data_argument: The value "si" is considered tainted." 10: B1 Line exceeds max length (107>80): "bluez-5.76/src/shared/mainloop-notify.c:137:3: tainted_data_argument: "si.ssi_signo" is considered tainted." 11: B1 Line exceeds max length (136>80): "bluez-5.76/src/shared/mainloop-notify.c:137:3: underflow: The cast of "si.ssi_signo" to a signed type could result in a negative number." 13: B3 Line contains hard tab characters (\t): "136| if (data && data->func)" 14: B3 Line contains hard tab characters (\t): "137|-> data->func(si.ssi_signo, data->user_data);" 16: B3 Line contains hard tab characters (\t): "139| return true;"

tedd_an/IncrementalBuild

success

Incremental Build PASS

Commit Message

Bastien Nocera May 30, 2024, 2:57 p.m. UTC

signalfd_siginfo uses a u32 for the signal number, but siginfo_t uses a
signed integer for it, so an (unlikely) big value for the signal number
could result in a negative value being passed to the callbacks. Catch
that and bail early.

Error: INTEGER_OVERFLOW (CWE-190): [#def44] [important]
bluez-5.76/src/shared/mainloop-notify.c:132:2: tainted_data_argument: The value "si" is considered tainted.
bluez-5.76/src/shared/mainloop-notify.c:137:3: tainted_data_argument: "si.ssi_signo" is considered tainted.
bluez-5.76/src/shared/mainloop-notify.c:137:3: underflow: The cast of "si.ssi_signo" to a signed type could result in a negative number.
135|
136|	if (data && data->func)
137|->		data->func(si.ssi_signo, data->user_data);
138|
139|	return true;
---
 src/shared/mainloop-notify.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/shared/mainloop-notify.c b/src/shared/mainloop-notify.c
index 33be3cf8d78e..11989512e013 100644
--- a/src/shared/mainloop-notify.c
+++ b/src/shared/mainloop-notify.c
@@ -15,6 +15,7 @@ 
 #define _GNU_SOURCE
 #include <stdio.h>
 #include <errno.h>
+#include <limits.h>
 #include <unistd.h>
 #include <stdlib.h>
 #include <stddef.h>
@@ -130,7 +131,7 @@  static bool signal_read(struct io *io, void *user_data)
 	fd = io_get_fd(io);
 
 	result = read(fd, &si, sizeof(si));
-	if (result != sizeof(si))
+	if (result != sizeof(si) || si.ssi_signo > INT_MAX)
 		return false;
 
 	if (data && data->func)