From patchwork Fri Jul 5 08:57:29 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 13724600 Received: from relay3-d.mail.gandi.net (relay3-d.mail.gandi.net [217.70.183.195]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5149A13C809 for ; Fri, 5 Jul 2024 08:59:43 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.195 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720169987; cv=none; b=VW0XAJ+FLqjJOtT0IGbZDJowygrKJkLJtN0Dmx9fgxUBp1HfO4S2H0yMclkFKKju6LEOgfBiecW8GTgRHUfMkTlYMC5j3/Eu1OlRBr00egs8bwjgxutWFncLprNfb3qQ7Mr71LGb51T+TNjUF/e5F3rnQ9iSXmPkKA8qLuVTrLk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720169987; c=relaxed/simple; bh=4UgF2Ma8Ry2HBALH6UqTPjSXhuSqVk4ELQyVT++w4ts=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=S134lXEzh2BYQxyqeMrPCQuOwlYJ3z9bcjtNNRZrdskeT3uiXYw8RG/ux6R5t16tbq+/p/NfBNcoZWwSstOrMFuGD7+UQKGRzlDys4GvgwxZ6keinsO8UhcZQ9eYV9zakb1fGoZPvlOZ0MYEf6P3DfwEz9PfxcALTXmRJDHfbBo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.195 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id 2BA2460006; Fri, 5 Jul 2024 08:59:36 +0000 (UTC) 
From: Bastien Nocera
To: linux-bluetooth@vger.kernel.org
Cc: Bastien Nocera
Subject: [BlueZ v2 01/11] gatt-server: Don't allocate negative data
Date: Fri, 5 Jul 2024 10:57:29 +0200
Message-ID: <20240705085935.1255725-2-hadess@hadess.net>
X-Mailer: git-send-email 2.45.2
In-Reply-To: <20240705085935.1255725-1-hadess@hadess.net>
References: <20240705085935.1255725-1-hadess@hadess.net>
Precedence: bulk
X-Mailing-List: linux-bluetooth@vger.kernel.org
List-Id:
List-Subscribe:
List-Unsubscribe:
MIME-Version: 1.0
X-GND-Sasl: hadess@hadess.net

Set a lower-bound to the data MTU to avoid allocating -1 elements if
bt_att_get_mtu() returns zero.

Error: OVERRUN (CWE-119): [#def36] [important]
bluez-5.76/src/shared/gatt-server.c:1121:2: zero_return: Function call "bt_att_get_mtu(server->att)" returns 0.
bluez-5.76/src/shared/gatt-server.c:1121:2: assignment: Assigning: "data->mtu" = "bt_att_get_mtu(server->att)". The value of "data->mtu" is now 0.
bluez-5.76/src/shared/gatt-server.c:1123:19: assignment: Assigning: "__n" = "(size_t)(data->mtu - 1UL)". The value of "__n" is now 18446744073709551615.
bluez-5.76/src/shared/gatt-server.c:1123:19: assignment: Assigning: "__s" = "1UL".
bluez-5.76/src/shared/gatt-server.c:1123:19: overrun-buffer-arg: Calling "memset" with "__p" and "__n * __s" is suspicious because of the very large index, 18446744073709551615. The index may be due to a negative parameter being interpreted as unsigned. [Note: The source code implementation of the function has been overridden by a builtin model.]
1121| data->mtu = bt_att_get_mtu(server->att);
1122| data->length = 0;
1123|-> data->rsp_data = new0(uint8_t, data->mtu - 1);
1124|
1125| return data;
---
 src/shared/gatt-server.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
index 3a53d5dfde6b..66e370d1fe3d 100644
--- a/src/shared/gatt-server.c
+++ b/src/shared/gatt-server.c
@@ -1120,7 +1120,7 @@ static struct read_mult_data *read_mult_data_new(struct bt_gatt_server *server, data->cur_handle = 0; data->mtu = bt_att_get_mtu(server->att); data->length = 0; - data->rsp_data = new0(uint8_t, data->mtu - 1); + data->rsp_data = new0(uint8_t, MAX(data->mtu, 1) - 1); return data; }
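Review bot: `MAX(data->mtu, 1) - 1` stops the -1 underflow, but for an MTU of 0 it now calls `new0(uint8_t, 0)`, so rsp_data becomes a zero-length buffer (or NULL, depending on how new0 treats a zero count) rather than a usable one. A zero return from bt_att_get_mtu() means the ATT channel is not usable, so it would be clearer to fail read_mult_data_new() (return NULL) when data->mtu is 0 and let the caller send an error response, instead of handing back an allocation that no response can fit in. Please also confirm MAX is defined by the headers gatt-server.c already includes; only MIN appears in this file's other hunks in the series.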
From: Bastien Nocera
To: linux-bluetooth@vger.kernel.org
Cc: Bastien Nocera
Subject: [BlueZ v2 02/11] shared/shell: Free memory allocated by wordexp()
Date: Fri, 5 Jul 2024 10:57:30 +0200
Message-ID: <20240705085935.1255725-3-hadess@hadess.net>
In-Reply-To: <20240705085935.1255725-1-hadess@hadess.net>
References: <20240705085935.1255725-1-hadess@hadess.net>

Error: RESOURCE_LEAK (CWE-772): [#def38] [important]
bluez-5.76/src/shared/shell.c:519:2: alloc_arg: "parse_args" allocates memory that is stored into "w.we_wordv".
bluez-5.76/src/shared/shell.c:523:3: leaked_storage: Variable "w" going out of scope leaks the storage "w.we_wordv" points to.
521| "Unable to parse mandatory command arguments: %s", man );
522| free(man);
523|-> return -EINVAL;
524| }
525|
Error: RESOURCE_LEAK (CWE-772): [#def40] [important]
bluez-5.76/src/shared/shell.c:1113:3: alloc_arg: "wordexp" allocates memory that is stored into "w.we_wordv".
bluez-5.76/src/shared/shell.c:1114:4: leaked_storage: Variable "w" going out of scope leaks the storage "w.we_wordv" points to.
1112|
1113| if (wordexp(rl_line_buffer, &w, WRDE_NOCMD))
1114|-> return NULL;
1115|
1116| matches = menu_completion(default_menu, text, w.we_wordc,
Error: RESOURCE_LEAK (CWE-772): [#def42] [important]
bluez-5.76/src/shared/shell.c:1412:2: alloc_arg: "wordexp" allocates memory that is stored into "w.we_wordv".
bluez-5.76/src/shared/shell.c:1415:3: leaked_storage: Variable "w" going out of scope leaks the storage "w.we_wordv" points to.
1413| switch (err) {
1414| case WRDE_BADCHAR:
1415|-> return -EBADMSG;
1416| case WRDE_BADVAL:
1417| case WRDE_SYNTAX:
Error: RESOURCE_LEAK (CWE-772): [#def43] [important]
bluez-5.76/src/shared/shell.c:1412:2: alloc_arg: "wordexp" allocates memory that is stored into "w.we_wordv".
bluez-5.76/src/shared/shell.c:1418:3: leaked_storage: Variable "w" going out of scope leaks the storage "w.we_wordv" points to.
1416| case WRDE_BADVAL:
1417| case WRDE_SYNTAX:
1418|-> return -EINVAL;
1419| case WRDE_NOSPACE:
1420| return -ENOMEM;
Error: RESOURCE_LEAK (CWE-772): [#def44] [important]
bluez-5.76/src/shared/shell.c:1412:2: alloc_arg: "wordexp" allocates memory that is stored into "w.we_wordv".
bluez-5.76/src/shared/shell.c:1420:3: leaked_storage: Variable "w" going out of scope leaks the storage "w.we_wordv" points to.
1418| return -EINVAL;
1419| case WRDE_NOSPACE:
1420|-> return -ENOMEM;
1421| case WRDE_CMDSUB:
1422| if (wordexp(input, &w, 0))
Error: RESOURCE_LEAK (CWE-772): [#def45] [important]
bluez-5.76/src/shared/shell.c:1422:3: alloc_arg: "wordexp" allocates memory that is stored into "w.we_wordv".
bluez-5.76/src/shared/shell.c:1423:4: leaked_storage: Variable "w" going out of scope leaks the storage "w.we_wordv" points to.
1421| case WRDE_CMDSUB:
1422| if (wordexp(input, &w, 0))
1423|-> return -ENOEXEC;
1424| break;
1425| };
---
 src/shared/shell.c | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/src/shared/shell.c b/src/shared/shell.c
index add4fa131c7a..e8f75124f167 100644
--- a/src/shared/shell.c
+++ b/src/shared/shell.c
@@ -452,13 +452,23 @@ static void shell_print_menu_zsh_complete(void) } } +static int _wordexp(const char *restrict s, wordexp_t *restrict p, int flags) +{ + int ret; + + ret = wordexp(s, p, flags); + if (ret != 0) + wordfree(p); + return ret; +} + static int parse_args(char *arg, wordexp_t *w, char *del, int flags) { char *str; str = strdelimit(arg, del, '"'); - if (wordexp(str, w, flags)) { + if (_wordexp(str, w, flags) != 0) { free(str); return -EINVAL; } @@ -537,7 +547,7 @@ static int cmd_exec(const struct bt_shell_menu_entry *entry, goto fail; } - flags |= WRDE_APPEND; + flags |= WRDE_APPEND | WRDE_REUSE; opt = strdup(entry->arg + len + 1); optional:
@@ -1043,7 +1053,7 @@ static char **args_completion(const struct bt_shell_menu_entry *entry, int argc, args.we_offs = 0; wordfree(&args); - if (wordexp(str, &args, WRDE_NOCMD)) + if (_wordexp(str, &args, WRDE_NOCMD)) goto done; rl_completion_display_matches_hook = NULL; @@ -1115,7 +1125,7 @@ static char **shell_completion(const char *text, int start, int end) if (start > 0) { wordexp_t w; - if (wordexp(rl_line_buffer, &w, WRDE_NOCMD)) + if (_wordexp(rl_line_buffer, &w, WRDE_NOCMD)) return NULL; matches = menu_completion(default_menu, text, w.we_wordc, @@ -1416,7 +1426,7 @@ int bt_shell_exec(const char *input) if (data.monitor) bt_log_printf(0xffff, data.name, LOG_INFO, "%s", input); - err = wordexp(input, &w, WRDE_NOCMD); + err = _wordexp(input, &w, WRDE_NOCMD); switch (err) { case WRDE_BADCHAR: return -EBADMSG; 
@@ -1426,7 +1436,7 @@ int bt_shell_exec(const char *input) case WRDE_NOSPACE: return -ENOMEM; case WRDE_CMDSUB: - if (wordexp(input, &w, 0)) + if (_wordexp(input, &w, 0)) return -ENOEXEC; break; };
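Review bot: two points on the first two hunks (the `_wordexp()` wrapper and the cmd_exec() flags). The wrapper calls wordfree(p) on every non-zero return, which POSIX only guarantees to be safe after WRDE_NOSPACE; for the other error codes the contents of *p are unspecified, and callers pass an uninitialised `wordexp_t w;` (see the shell_completion() hunk). glibc restores the structure on failure so this works there, but a comment on `_wordexp()` stating that reliance, or zero-initialising w at the call sites, would make it robust across libcs. In cmd_exec(), `flags |= WRDE_APPEND | WRDE_REUSE` combines a flag that keeps the words already in w with one that tells the libc it may release w before expanding; in glibc WRDE_REUSE is implemented as an up-front wordfree(), so as far as I can tell the mandatory arguments parsed just before would be freed before the optional ones are appended. Please verify on a real command that the mandatory arguments survive; if the aim is only the leak on the error path, an explicit wordfree(&w) there is the less surprising fix. Nit: file-scope identifiers beginning with an underscore, such as `_wordexp`, are reserved by the C standard; bt_shell_wordexp() would avoid that.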
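Review bot: in the WRDE_CMDSUB branch the retry `_wordexp(input, &w, 0)` runs after the first call failed and, via the wrapper, already freed w, so it depends on the libc accepting the same wordexp_t again after wordfree() (glibc sets we_wordv to NULL in wordfree(), so it works there); a short comment would help. The retry also deliberately drops WRDE_NOCMD and so permits command substitution in shell input, which predates this patch, but with the wrapper the first, rejected expansion now disappears silently; a debug log line on this path would help anyone auditing what the interactive shell ends up executing.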
From: Bastien Nocera
To: linux-bluetooth@vger.kernel.org
Cc: Bastien Nocera
Subject: [BlueZ v2 03/11] shared/shell: Fix fd leak if -s is passed multiple times
Date: Fri, 5 Jul 2024 10:57:31 +0200
Message-ID: <20240705085935.1255725-4-hadess@hadess.net>
In-Reply-To: <20240705085935.1255725-1-hadess@hadess.net>
References: <20240705085935.1255725-1-hadess@hadess.net>

Error: RESOURCE_LEAK (CWE-772): [#def37] [important]
bluez-5.76/src/shared/shell.c:1305:5: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
bluez-5.76/src/shared/shell.c:1305:5: var_assign: Assigning: "data.init_fd" = handle returned from "open(optarg, 0)".
bluez-5.76/src/shared/shell.c:1305:5: overwrite_var: Overwriting handle "data.init_fd" in "data.init_fd = open(optarg, 0)" leaks the handle.
1303| case 's':
1304| if (optarg)
1305|-> data.init_fd = open(optarg, O_RDONLY);
1306| if (data.init_fd < 0)
1307| printf("Unable to open %s: %s (%d)\n", optarg,
---
 src/shared/shell.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/shared/shell.c b/src/shared/shell.c
index e8f75124f167..f3dc5e55b9ec 100644
--- a/src/shared/shell.c
+++ b/src/shared/shell.c
@@ -1312,11 +1312,12 @@ void bt_shell_init(int argc, char **argv, const struct bt_shell_opt *opt) data.mode = 1; goto done; case 's': - if (optarg) + if (optarg && data.init_fd < 0) { data.init_fd = open(optarg, O_RDONLY); - if (data.init_fd < 0) - printf("Unable to open %s: %s (%d)\n", optarg, + if (data.init_fd < 0) + printf("Unable to open %s: %s (%d)\n", optarg, strerror(errno), errno); + } break; case 't': if (optarg)
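Review bot: the guard `optarg && data.init_fd < 0` closes the leak by ignoring every -s after the first, but it does so silently: a user who passes -s twice gets the first file with no indication that the second was dropped, and the check assumes data.init_fd is initialised to a negative value before option parsing (not visible in this hunk; please confirm). The usual getopt convention is last-one-wins, so closing the previously opened descriptor before reopening keeps that behaviour and still fixes the leak; if first-one-wins is intended, a printf() like the one used for the open() failure would make the dropped option visible.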
From: Bastien Nocera
To: linux-bluetooth@vger.kernel.org
Cc: Bastien Nocera
Subject: [BlueZ v2 04/11] btsnoop: Fix possible negative memcpy length
Date: Fri, 5 Jul 2024 10:57:32 +0200
Message-ID: <20240705085935.1255725-5-hadess@hadess.net>
In-Reply-To: <20240705085935.1255725-1-hadess@hadess.net>
References: <20240705085935.1255725-1-hadess@hadess.net>

Error: INTEGER_OVERFLOW (CWE-190): [#def41] [important]
bluez-5.76/tools/btsnoop.c:438:2: tainted_data_return: Called function "read(fd, buf, toread)", and a possible return value may be less than zero.
bluez-5.76/tools/btsnoop.c:438:2: assign: Assigning: "len" = "read(fd, buf, toread)".
bluez-5.76/tools/btsnoop.c:473:4: overflow: The cast of "len - 9L", which is potentially negative, to an unsigned type could result in an overflow.
471| /* next 4 bytes are data len and cid */
472| current_cid = buf[8] << 8 | buf[7];
473|-> memcpy(pdu_buf, buf + 9, len - 9);
474| pdu_len = len - 9;
475| } else if (acl_flags & 0x01) {
Error: INTEGER_OVERFLOW (CWE-190): [#def42] [important]
bluez-5.76/tools/btsnoop.c:438:2: tainted_data_return: Called function "read(fd, buf, toread)", and a possible return value may be less than zero.
bluez-5.76/tools/btsnoop.c:438:2: assign: Assigning: "len" = "read(fd, buf, toread)".
bluez-5.76/tools/btsnoop.c:476:4: overflow: The cast of "len - 5L", which is potentially negative, to an unsigned type could result in an overflow.
474| pdu_len = len - 9;
475| } else if (acl_flags & 0x01) {
476|-> memcpy(pdu_buf + pdu_len, buf + 5, len - 5);
477| pdu_len += len - 5;
478| }
---
 tools/btsnoop.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/btsnoop.c b/tools/btsnoop.c
index efaa45db41dd..0bd28b65b6e1 100644
--- a/tools/btsnoop.c
+++ b/tools/btsnoop.c
@@ -448,7 +448,7 @@ next_packet: acl_flags = buf[2] >> 4; /* use only packet with ACL start flag */ - if (acl_flags & 0x02) { + if ((acl_flags & 0x02) && len > 9) { if (current_cid == 0x0040 && pdu_len > 0) { int i; if (!pdu_first)
@@ -472,7 +472,7 @@ next_packet: current_cid = buf[8] << 8 | buf[7]; memcpy(pdu_buf, buf + 9, len - 9); pdu_len = len - 9; - } else if (acl_flags & 0x01) { + } else if ((acl_flags & 0x01) && len > 5) { memcpy(pdu_buf + pdu_len, buf + 5, len - 5); pdu_len += len - 5; }
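Review bot: in the first hunk, `len > 9` now rejects the negative read() return that Coverity traced from line 438 as well as short packets, but a negative len is an I/O error rather than a packet to skip, and with this check it simply falls through to the `else if` branch and on to the next packet. Handling `len < 0` (and len == 0, end of file) once, right after the read() call, and only then testing the ACL flags would make the error path explicit and keep the per-branch checks about packet shape only. Note also that `> 9` rather than `>= 9` drops an ACL start fragment with an empty payload without recording its current_cid; if that is intended, a comment would help.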
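Review bot: in the second hunk the continuation branch still appends `len - 5` bytes at `pdu_buf + pdu_len` and grows pdu_len with no check, visible here, against the capacity of pdu_buf, and the start branch likewise copies `len - 9` bytes into pdu_buf unbounded. The new `len > 5` / `len > 9` tests only keep the lengths non-negative; toread bounds buf, not the accumulated pdu_buf, so if pdu_buf is a fixed-size array a corrupted or crafted btsnoop capture can still overrun it through a long run of continuation fragments. Please either reference the bound that protects pdu_buf or add a `pdu_len + (len - 5) <= sizeof(pdu_buf)` style check before each memcpy().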
From: Bastien Nocera
To: linux-bluetooth@vger.kernel.org
Cc: Bastien Nocera
Subject: [BlueZ v2 05/11] sdp: Fix possible null dereference
Date: Fri, 5 Jul 2024 10:57:33 +0200
Message-ID: <20240705085935.1255725-6-hadess@hadess.net>
In-Reply-To: <20240705085935.1255725-1-hadess@hadess.net>
References: <20240705085935.1255725-1-hadess@hadess.net>

From the BlueZ scanbot:

lib/sdp.c:586:12: warning: Access to field 'attrId' results in a dereference of a null pointer (loaded from variable 'd')
 d->attrId = attr;
 ~ ^
lib/sdp.c:967:10: warning: Access to field 'dtd' results in a dereference of a null pointer (loaded from variable 'd')
 switch (d->dtd) {
 ^~~~~~
---
 lib/sdp.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lib/sdp.c b/lib/sdp.c
index b64245f668d3..e260a5a9663e 100644
--- a/lib/sdp.c
+++ b/lib/sdp.c
@@ -582,6 +582,8 @@ int sdp_attr_add(sdp_record_t *rec, uint16_t attr, sdp_data_t *d) if (p) return -1; + if (!d) + return -1; d->attrId = attr; rec->attrlist = sdp_list_insert_sorted(rec->attrlist, d, sdp_attrid_comp_func);
@@ -964,6 +966,8 @@ static void data_seq_free(sdp_data_t *seq) void sdp_data_free(sdp_data_t *d) { + if (!d) + return; switch (d->dtd) { case SDP_SEQ8: case SDP_SEQ16:
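Review bot: in the sdp_attr_add() hunk the new `if (!d) return -1;` sits after the `if (p) return -1;` check, so the attribute lookup that presumably computes p still runs for a call that will fail anyway; moving the NULL check to the top of the function is cheaper and makes the argument contract visible at a glance. Since lib/sdp.c is public library API, it is also worth recording the NULL behaviour in the lib/sdp.h comment for sdp_attr_add(), and checking whether any in-tree caller actually passes NULL here, because that caller would be the bug the scanbot is pointing at rather than a missing defensive check.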
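Review bot: making sdp_data_free() a no-op on NULL matches free() semantics and is the right contract for a public destructor, but it only silences the warning at lib/sdp.c:967 if callers can legitimately pass NULL; if the scanbot reached it through an unchecked allocation result upstream, that path still deserves its own fix. Please document the NULL tolerance in lib/sdp.h so callers rely on it intentionally rather than by accident.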
From: Bastien Nocera
To: linux-bluetooth@vger.kernel.org
Cc: Bastien Nocera
Subject: [BlueZ v2 06/11] sdp: Fix mismatched int casting
Date: Fri, 5 Jul 2024 10:57:34 +0200
Message-ID: <20240705085935.1255725-7-hadess@hadess.net>
In-Reply-To: <20240705085935.1255725-1-hadess@hadess.net>
References: <20240705085935.1255725-1-hadess@hadess.net>

---
 lib/sdp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/sdp.c b/lib/sdp.c
index e260a5a9663e..411a95b8a7d3 100644
--- a/lib/sdp.c
+++ b/lib/sdp.c
@@ -506,7 +506,7 @@ sdp_data_t *sdp_seq_alloc_with_length(void **dtds, void **values, int *length, for (i = 0; i < len; i++) { sdp_data_t *data; - int8_t dtd = *(uint8_t *) dtds[i]; + uint8_t dtd = *(uint8_t *) dtds[i]; if (dtd >= SDP_SEQ8 && dtd <= SDP_ALT32) data = (sdp_data_t *) values[i];
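Review bot: the type now matches the `*(uint8_t *)` read, so a descriptor byte with the top bit set can no longer go negative and silently fail `dtd >= SDP_SEQ8`; the defined SDP descriptors all sit below 0x80, so this is a hygiene fix that also removes the signed/unsigned comparison. One follow-up worth considering in the same loop: only the SDP_SEQ8..SDP_ALT32 range is recognised as nested data, and a dtd outside the set of defined descriptors is accepted without complaint; rejecting unknown descriptors here, or validating them in the caller, would be a cheap consistency check on unexpected input.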
From: Bastien Nocera
To: linux-bluetooth@vger.kernel.org
Cc: Bastien Nocera
Subject: [BlueZ v2 07/11] emulator: Fix integer truncation warnings
Date: Fri, 5 Jul 2024 10:57:35 +0200
Message-ID: <20240705085935.1255725-8-hadess@hadess.net>
In-Reply-To: <20240705085935.1255725-1-hadess@hadess.net>
References: <20240705085935.1255725-1-hadess@hadess.net>

Error: INTEGER_OVERFLOW (CWE-190): [#def1] [important]
bluez-5.76/emulator/amp.c:693:2: cast_overflow: Truncation due to cast operation on "(remain_assoc_len > 248) ? 248 : remain_assoc_len" from 32 to 16 bits.
bluez-5.76/emulator/amp.c:693:2: overflow_assign: "fragment_len" is assigned from "(remain_assoc_len > 248) ? 248 : remain_assoc_len".
bluez-5.76/emulator/amp.c:698:2: overflow_sink: "fragment_len", which might have overflowed, is passed to "memcpy(rsp.assoc_fragment, amp->local_assoc + len_so_far, fragment_len)". [Note: The source code implementation of the function has been overridden by a builtin model.]
696| rsp.phy_handle = cmd->phy_handle;
697| rsp.remain_assoc_len = cpu_to_le16(remain_assoc_len);
698|-> memcpy(rsp.assoc_fragment, amp->local_assoc + len_so_far,
699| fragment_len);
700|
Error: INTEGER_OVERFLOW (CWE-190): [#def2] [important]
bluez-5.76/emulator/amp.c:701:2: cast_overflow: Truncation due to cast operation on "4 + fragment_len" from 32 to 8 bits.
bluez-5.76/emulator/amp.c:701:2: overflow_sink: "4 + fragment_len", which might have overflowed, is passed to "cmd_complete(amp, 5130, &rsp, 4 + fragment_len)".
699| fragment_len);
700|
701|-> cmd_complete(amp, BT_HCI_CMD_READ_LOCAL_AMP_ASSOC,
702| &rsp, 4 + fragment_len);
703| }
Error: INTEGER_OVERFLOW (CWE-190): [#def4] [important]
bluez-5.76/emulator/bthost.c:3309:3: cast_overflow: Truncation due to cast operation on "len - offset" from 32 to 8 bits.
bluez-5.76/emulator/bthost.c:3309:3: overflow_assign: "cp->data_len" is assigned from "len - offset".
bluez-5.76/emulator/bthost.c:3317:2: overflow_sink: "cp->data_len", which might have overflowed, is passed to "memcpy(cp->data, data + offset, cp->data_len)". [Note: The source code implementation of the function has been overridden by a builtin model.]
3315| }
3316|
3317|-> memcpy(cp->data, data + offset, cp->data_len);
3318|
3319| send_command(bthost, BT_HCI_CMD_LE_SET_PA_DATA, buf,
---
 emulator/amp.c | 3 ++-
 emulator/bthost.c | 8 +++++---
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/emulator/amp.c b/emulator/amp.c
index 49d2df7b39df..6daf00189f3a 100644
--- a/emulator/amp.c
+++ b/emulator/amp.c
@@ -680,7 +680,8 @@ static void cmd_read_local_amp_assoc(struct bt_amp *amp, { const struct bt_hci_cmd_read_local_amp_assoc *cmd = data; struct bt_hci_rsp_read_local_amp_assoc rsp; - uint16_t len_so_far, remain_assoc_len, fragment_len; + uint16_t len_so_far, remain_assoc_len; + size_t fragment_len; if (cmd->phy_handle != amp->phy_handle) { cmd_status(amp, BT_HCI_ERR_INVALID_PARAMETERS,
diff --git a/emulator/bthost.c b/emulator/bthost.c
index cc9bf7240531..95160506d0c4 100644
--- a/emulator/bthost.c
+++ b/emulator/bthost.c
@@ -3290,6 +3290,7 @@ static void set_pa_data(struct bthost *bthost, const uint8_t *data, { struct bt_hci_cmd_le_set_pa_data *cp; uint8_t buf[sizeof(*cp) + BT_PA_MAX_DATA_LEN]; + size_t data_len; cp = (void *)buf; @@ -3299,14 +3300,14 @@ static void set_pa_data(struct bthost *bthost, const uint8_t *data, cp->handle = 1; if (len - offset > BT_PA_MAX_DATA_LEN) { - cp->data_len = BT_PA_MAX_DATA_LEN; + data_len = BT_PA_MAX_DATA_LEN; if (!offset) cp->operation = 0x01; else cp->operation = 0x00; } else { - cp->data_len = len - offset; + data_len = len - offset; if (!offset) cp->operation = 0x03;
@@ -3314,7 +3315,8 @@ static void set_pa_data(struct bthost *bthost, const uint8_t *data, cp->operation = 0x02; } - memcpy(cp->data, data + offset, cp->data_len); + memcpy(cp->data, data + offset, data_len); + cp->data_len = data_len; send_command(bthost, BT_HCI_CMD_LE_SET_PA_DATA, buf, sizeof(*cp) + cp->data_len);
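Review bot: in the amp.c hunk, widening fragment_len to size_t addresses the 16-bit truncation at amp.c:693, but the second finding (amp.c:701) is about `4 + fragment_len` being narrowed to cmd_complete()'s 8-bit length parameter, and that call is not touched here; it stays safe only because fragment_len is clamped to 248 (248 + 4 = 252 fits in a uint8_t). A comment at the clamp tying 248 to that 8-bit HCI parameter length, or a named constant for it, would record why the remaining narrowing is fine instead of leaving it as an implicit invariant.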
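Review bot: in the bthost.c hunks, `cp->data_len = data_len;` after the memcpy() is the same narrowing to the uint8_t field that the tool reported at bthost.c:3309, just moved past the copy; it is correct only because data_len is bounded by BT_PA_MAX_DATA_LEN in both branches, so the patch trades a warning for an implicit invariant. A static assertion that BT_PA_MAX_DATA_LEN fits the data_len field (or an assert that data_len <= BT_PA_MAX_DATA_LEN before the store) keeps the bound explicit. Separately, if len and offset are unsigned, `len - offset` wraps whenever offset exceeds len and the `> BT_PA_MAX_DATA_LEN` test then takes the clamped branch with garbage; a check for offset <= len at the top of set_pa_data() would close that edge.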
From: Bastien Nocera
To: linux-bluetooth@vger.kernel.org
Cc: Bastien Nocera
Subject: [BlueZ v2 08/11] gatt-server: Fix integer overflow due to cast operation
Date: Fri, 5 Jul 2024 10:57:36 +0200
Message-ID: <20240705085935.1255725-9-hadess@hadess.net>
In-Reply-To: <20240705085935.1255725-1-hadess@hadess.net>
References: <20240705085935.1255725-1-hadess@hadess.net>

Error: INTEGER_OVERFLOW (CWE-190): [#def25] [important]
bluez-5.76/src/shared/gatt-server.c:927:2: cast_overflow: Truncation due to cast operation on "((unsigned int)mtu - 1U < len) ? (unsigned int)mtu - 1U : len" from 32 to 16 bits.
bluez-5.76/src/shared/gatt-server.c:927:2: overflow_sink: "((unsigned int)mtu - 1U < len) ? (unsigned int)mtu - 1U : len", which might have overflowed, is passed to "bt_att_chan_send(op->chan, rsp_opcode, (len ? value : NULL), (((unsigned int)mtu - 1U < len) ? (unsigned int)mtu - 1U : len), NULL, NULL, NULL)".
925| rsp_opcode = get_read_rsp_opcode(op->opcode);
926|
927|-> bt_att_chan_send_rsp(op->chan, rsp_opcode, len ? value : NULL,
928| MIN((unsigned int) mtu - 1, len));
929| async_read_op_destroy(op);
---
 src/shared/gatt-server.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
index 66e370d1fe3d..e0e1776779cd 100644
--- a/src/shared/gatt-server.c
+++ b/src/shared/gatt-server.c
@@ -908,7 +908,7 @@ static void read_complete_cb(struct gatt_db_attribute *attr, int err, struct async_read_op *op = user_data; struct bt_gatt_server *server = op->server; uint8_t rsp_opcode; - uint16_t mtu; + size_t mtu; uint16_t handle; DBG(server, "Read Complete: err %d", err);
@@ -916,7 +916,7 @@ static void read_complete_cb(struct gatt_db_attribute *attr, int err, mtu = bt_att_get_mtu(server->att); handle = gatt_db_attribute_get_handle(attr); - if (err) { + if (err || mtu <= 1) { bt_att_chan_send_error_rsp(op->chan, op->opcode, handle, err); async_read_op_destroy(op); return; 
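Review bot: when the new `mtu <= 1` branch is taken with `err == 0`, `bt_att_chan_send_error_rsp(op->chan, op->opcode, handle, err)` is called with an error code of 0, which is not a meaningful ATT error code for the client. Consider passing an explicit code on that path, e.g. `err ? err : BT_ATT_ERROR_UNLIKELY`, and a `DBG()` line, since a zero MTU means the ATT channel is in a state the server side should notice rather than an ordinary read failure.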
@@ -925,7 +925,7 @@ static void read_complete_cb(struct gatt_db_attribute *attr, int err, rsp_opcode = get_read_rsp_opcode(op->opcode); bt_att_chan_send_rsp(op->chan, rsp_opcode, len ? value : NULL, - MIN((unsigned int) mtu - 1, len)); + MIN(mtu - 1, len)); async_read_op_destroy(op); } From patchwork Fri Jul 5 08:57:37 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 13724601 Received: from relay3-d.mail.gandi.net (relay3-d.mail.gandi.net [217.70.183.195]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5A43D146000 for ; Fri, 5 Jul 2024 08:59:45 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.195 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720169988; cv=none; b=nyF9figiJX7AzNF0i61RzstUYNhLH0iScZbP+mtr9LpHPzOQOT6LY0xAZWQ4Zj6dOL5Kw73Q8dzVI9m7jMC+SsWnqYMvfoWc+RNTqKMmsAt18ZKtcqXnVkF92xnWeYK7jBR2WfOSslyryG5By71SxBWsP/Rg6ZaA3wNK//v5IkY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720169988; c=relaxed/simple; bh=U4KEV9TgE6LjgN4RoBixXnh2IWZFkli8ThUMjKtBNkc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=ZeGyi12LZHiCqTkd+YHHosh7JRGC45TGmcMDJwVV4a0JA2ri4ySKIn80o1umEyBAmnDwgYmIS1kI3tsjkletEhZ2YjzDKu9htNa2iRN8y5KqvVoqvhjCHd4OQCX40/iNu5afVInXpkZ4ULAQe5e9uE9JC4aJfTOusVK0i2dC+UQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.195 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id 7F14760013; Fri, 5 Jul 2024 
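Review bot: after this hunk the narrowing still happens at the call, where the `size_t` result of `MIN(mtu - 1, len)` is passed to the length parameter of `bt_att_chan_send_rsp()`; it is only lossless because of the `mtu <= 1` guard in the previous hunk and because `mtu` came from a 16-bit value. An explicit cast with a comment, such as `(uint16_t) MIN(mtu - 1, len) /* <= 65534, see mtu check above */`, would make that dependency visible so a later change that drops the guard or widens the MTU is caught in review rather than silently reintroducing the wrap.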
08:59:38 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ v2 09/11] mesh: Fix integer overflow due to cast operation Date: Fri, 5 Jul 2024 10:57:37 +0200 Message-ID: <20240705085935.1255725-10-hadess@hadess.net> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240705085935.1255725-1-hadess@hadess.net> References: <20240705085935.1255725-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Error: INTEGER_OVERFLOW (CWE-190): [#def15] [important] bluez-5.76/mesh/pb-adv.c:174:4: cast_overflow: Truncation due to cast operation on "size - consumed" from 32 to 8 bits. bluez-5.76/mesh/pb-adv.c:174:4: overflow_assign: "seg_size" is assigned from "size - consumed". bluez-5.76/mesh/pb-adv.c:177:3: overflow_sink: "seg_size", which might have overflowed, is passed to "memcpy(buf + 7, data + consumed, seg_size)". [Note: The source code implementation of the function has been overridden by a builtin model.] 175| 176| buf[6] = (i << 2) | 0x02; 177|-> memcpy(buf + 7, data + consumed, seg_size); 178| 179| pb_adv_send(session, MESH_IO_TX_COUNT_UNLIMITED, 500, Error: INTEGER_OVERFLOW (CWE-190): [#def16] [important] bluez-5.76/mesh/pb-adv.c:179:3: cast_overflow: Truncation due to cast operation on "seg_size + 7" from 32 to 16 bits. bluez-5.76/mesh/pb-adv.c:179:3: overflow_sink: "seg_size + 7", which might have overflowed, is passed to "pb_adv_send(session, 0, 500, buf, seg_size + 7)". 177| memcpy(buf + 7, data + consumed, seg_size); 178| 179|-> pb_adv_send(session, MESH_IO_TX_COUNT_UNLIMITED, 500, 180| buf, seg_size + 7); --- mesh/pb-adv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mesh/pb-adv.c b/mesh/pb-adv.c index 385d81d65731..7a1dd87dc210 100644 --- a/mesh/pb-adv.c +++ b/mesh/pb-adv.c 
@@ -166,7 +166,7 @@ static void send_adv_segs(struct pb_adv_session *session, const uint8_t *data, consumed = init_size; for (i = 1; i <= max_seg; i++) { - uint8_t seg_size; /* Amount of payload data being sent */ + size_t seg_size; /* Amount of payload data being sent */ if (size - consumed > PB_ADV_MTU - 1) seg_size = PB_ADV_MTU - 1; From patchwork Fri Jul 5 08:57:38 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 13724603 Received: from relay3-d.mail.gandi.net (relay3-d.mail.gandi.net [217.70.183.195]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 400E6146A60 for ; Fri, 5 Jul 2024 08:59:46 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.195 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720169988; cv=none; b=qbPekiN535/68363XTPE1Gzt18AfuYKezJQ0ZH3GMB31AKyPdcuuMChSztzeXZDLaZCshJmrFpC8UqHIhag4OagQaFcPe/qvQbLu+T3scLpoyrdh/OIhy4Pq/8B3I0VLcFUcN4y9PfR+kkeeKZ+H/aHsNWbMrvejOIRnTnONFpk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720169988; c=relaxed/simple; bh=Bqb/W9BrI9D8dcn80tc3ENCkVOs/okLu+esYf5FPaEI=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=IDHbxmeCk8SYqlScOZcjg113/hvZgje56hisTEO4YqXaW5u7nzagzaMo4/1Jav1b2i/EowUstFxInPRKwN6NrKsUj/44V9RrgE/WfSdP/IeMotaCtpClfpNK6obqMNRTbGu9Ts4EcpZL0C9Efi739nTO1NmulPO1pTguTYmW0vY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.195 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net 
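Review bot: the truncations Coverity flags at `memcpy(buf + 7, data + consumed, seg_size)` and `pb_adv_send(..., seg_size + 7)` are already bounded by the two branches right below this declaration: `seg_size` is either `PB_ADV_MTU - 1` or a smaller `size - consumed`, so it never exceeds `PB_ADV_MTU - 1` and the old `uint8_t` was wide enough. Changing it to `size_t` silences the tool, but the invariant that actually matters is `consumed <= size` being maintained by the loop: if `consumed` ever exceeded `size`, `size - consumed` would either wrap (unsigned) or go negative and convert to a huge `size_t` in the else branch, and neither declaration helps. A comment or an `assert(consumed <= size)` at the top of the loop body would document that more usefully than the type change.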
(Postfix) with ESMTPSA id C31CF60004; Fri, 5 Jul 2024 08:59:38 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ v2 10/11] tools/mesh: Fix integer overflow due to cast operation Date: Fri, 5 Jul 2024 10:57:38 +0200 Message-ID: <20240705085935.1255725-11-hadess@hadess.net> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240705085935.1255725-1-hadess@hadess.net> References: <20240705085935.1255725-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Error: INTEGER_OVERFLOW (CWE-190): [#def29] [important] bluez-5.76/tools/mesh/mesh-db.c:551:3: cast_overflow: Truncation due to cast operation on "ele_cnt" from 32 to 8 bits. bluez-5.76/tools/mesh/mesh-db.c:551:3: overflow_sink: "ele_cnt", which might have overflowed, is passed to "remote_add_node((uint8_t const *)uuid, unicast, ele_cnt, key_idx)". 549| continue; 550| 551|-> remote_add_node((const uint8_t *)uuid, unicast, ele_cnt, 552| key_idx); 553| for (j = 1; j < key_cnt; j++) { --- tools/mesh/mesh-db.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/tools/mesh/mesh-db.c b/tools/mesh/mesh-db.c index 1d047691d240..4c74e874986c 100644 --- a/tools/mesh/mesh-db.c +++ b/tools/mesh/mesh-db.c @@ -503,7 +503,8 @@ static void load_remotes(json_object *jcfg) uint8_t uuid[16]; uint16_t unicast, key_idx; const char *str; - int ele_cnt, key_cnt; + uint8_t ele_cnt; + int key_cnt; int j; jnode = json_object_array_get_idx(jnodes, i); 
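Review bot: narrowing `ele_cnt` to `uint8_t` in this hunk turns the later `ele_cnt = json_object_array_length(jarray);` into an implicitly truncating assignment, which is only correct because the next hunk rejects arrays longer than `MAX_ELE_COUNT` before it is reached. A one-line comment on the declaration (`/* bounded by MAX_ELE_COUNT before assignment */`) would keep the two hunks tied together for future readers, and a compile-time assertion that `MAX_ELE_COUNT <= UINT8_MAX` would make the narrowing provably lossless instead of relying on the current value of the macro.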
@@ -528,14 +529,12 @@ static void load_remotes(json_object *jcfg) continue; json_object_object_get_ex(jnode, "elements", &jarray); - if (!jarray || json_object_get_type(jarray) != json_type_array) + if (!jarray || json_object_get_type(jarray) != json_type_array || + json_object_array_length(jarray) > MAX_ELE_COUNT) continue; ele_cnt = json_object_array_length(jarray); - if (ele_cnt > MAX_ELE_COUNT) - continue; - json_object_object_get_ex(jnode, "netKeys", &jarray); if (!jarray || json_object_get_type(jarray) != json_type_array) continue; From patchwork Fri Jul 5 08:57:39 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 13724602 Received: from relay3-d.mail.gandi.net (relay3-d.mail.gandi.net [217.70.183.195]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id F3DFD1465AE for ; Fri, 5 Jul 2024 08:59:46 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.195 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720169988; cv=none; b=ZMNSRzSuh22ZZxbXSAVGvnKjYu2rKb4vdYTA6QlCkHi0oeZ7EEBxyHhen7ce9BFDMagjt4kFcwN6+gaEqhOlNikm5H4C2PtXIZs0u6PD3PaBLun+Wm6frD71TfDfL9AdvLk9FuLJuLWJ1blwuAp9We4skSJ5cL4RadL6MmgOVwI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720169988; c=relaxed/simple; bh=fRriLEuynZ4IQ9BNM3Bvu0fzJ1hoSPesVZtSGdTcsFg=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=p4G0CiOZl/sTXPlbMhJFc7tzCg5IWuaCXa3ODPn1NporxCMh7iT4lTbMKA1No/KRMRFGA/FuwDZWsDjUDxSnS/AmYxGQmN/ZKFx7oKJ6XDb5HfvTbHZNTFHrbWu8HnhrQkB1ye9vMVMGuEH07g3TvMHtanwPAH7CCFAZsfk/1OQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.195 
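Review bot: folding the `> MAX_ELE_COUNT` test into the `jarray` validation moves the bound ahead of the narrowing assignment, which is the actual fix; note that `json_object_array_length()` returns `size_t` in current json-c (it was `int` in older releases), so `json_object_array_length(jarray) > MAX_ELE_COUNT` is a mixed-signedness comparison if `MAX_ELE_COUNT` is a plain integer literal. It behaves correctly for a non-negative macro, but `(size_t) MAX_ELE_COUNT` or an unsigned definition would keep `-Wsign-compare` quiet. Pre-existing and unchanged by the hunk: an empty `elements` array still passes and reaches `remote_add_node()` with `ele_cnt == 0`, worth a look only if the callee does not handle that.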
Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id 146D560015; Fri, 5 Jul 2024 08:59:38 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ v2 11/11] unit/ringbuf: Fix ineffective guard due to signedness Date: Fri, 5 Jul 2024 10:57:39 +0200 Message-ID: <20240705085935.1255725-12-hadess@hadess.net> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240705085935.1255725-1-hadess@hadess.net> References: <20240705085935.1255725-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net "len - end > 0" can never be false because "end" is unsigned, so the whole left-hand side of the expression is unsigned, so always positive. Error: INTEGER_OVERFLOW (CWE-190): [#def22] [important] bluez-5.76/src/shared/ringbuf.c:240:2: ineffective_check: The check "len - end > 0UL", which appears to be a guard against integer overflow, is not a useful guard because it is either always true, or never true. This taints "len". bluez-5.76/src/shared/ringbuf.c:242:3: overflow: The expression "len - end" might be negative, but is used in a context that treats it as unsigned. bluez-5.76/src/shared/ringbuf.c:242:3: overflow_sink: "len - end", which might be negative, is passed to "memcpy(ringbuf->buffer, str + end, len - end)". [Note: The source code implementation of the function has been overridden by a builtin model.] 240| if (len - end > 0) { 241| /* Put the remainder of string at the beginning */ 242|-> memcpy(ringbuf->buffer, str + end, len - end); 243| 244| if (ringbuf->in_tracing) --- src/shared/ringbuf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/shared/ringbuf.c b/src/shared/ringbuf.c index 3dc7ed71b2b2..1b7adbb4f513 100644 --- a/src/shared/ringbuf.c +++ b/src/shared/ringbuf.c @@ -237,7 +237,7 @@ int ringbuf_vprintf(struct ringbuf *ringbuf, const char *format, va_list ap) ringbuf->in_tracing(ringbuf->buffer + offset, end, ringbuf->in_data); - if (len - end > 0) { + if ((size_t) len > end) { /* Put the remainder of string at the beginning */ memcpy(ringbuf->buffer, str + end, len - end);
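Review bot: `(size_t) len > end` assumes `len` is non-negative; `len` is the `int` result of the formatting call, and a negative return (a failed vasprintf) cast to `size_t` becomes SIZE_MAX, which passes the guard and hands an equally huge `len - end` to memcpy, so the new check is only sound if the negative case is already rejected earlier in `ringbuf_vprintf()` (not visible in this hunk). If it is, a comment saying so would help; if not, the condition should be `len >= 0 && (size_t) len > end`. The subtraction on line 242 is also still `len - end` with the implicit conversion; `(size_t) len - end` would match the new condition and avoid the mixed-signedness arithmetic the commit message describes.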
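An added example, not part of this patch series and not BlueZ code, that exercises the two unsigned-subtraction traps behind patches 08 and 11 in plain C, each in its "before" and "after" form: the `(unsigned int) mtu - 1` wrap when the MTU is 0 followed by narrowing to a 16-bit length, and the `len - end > 0` guard that is true for every `len != end`. The function names, the `MIN` macro, the sample values (MTU 0, 23 and 517, lengths 100 and 70000, and a negative `len` standing in for a failed `vasprintf()`) and the `tail_len_checked()` variant are mine; only the expression shapes mirror the hunks above.

```c
/*
 * Added example, not BlueZ code: the unsigned-subtraction traps behind
 * patches 08 and 11 of this series, each in "before" and "after" form.
 * Names, the MIN macro and the sample values are constructed for the
 * demonstration; only the expression shapes mirror the hunks.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Patch 08, before: mtu is uint16_t and the cast to unsigned int makes
 * 0 - 1 wrap to UINT_MAX, so MIN() no longer bounds len; the result is
 * then narrowed to the 16-bit length parameter of the send call. */
static uint16_t rsp_len_before(uint16_t mtu, size_t len)
{
	return (uint16_t) MIN((unsigned int) mtu - 1, len);
}

/* Patch 08, after: reject mtu <= 1 before subtracting and do the
 * arithmetic in size_t.  The narrowing is then lossless because the
 * result is at most mtu - 1 and mtu came from a 16-bit value.
 * Returns -1 where the patch sends an ATT error response instead. */
static int rsp_len_after(uint16_t att_mtu, size_t len, uint16_t *out)
{
	size_t mtu = att_mtu;

	if (mtu <= 1)
		return -1;

	*out = (uint16_t) MIN(mtu - 1, len);
	return 0;
}

/* Convenience wrapper: -1 on the error path, otherwise the length. */
static long rsp_len_after_value(uint16_t att_mtu, size_t len)
{
	uint16_t out = 0;

	return rsp_len_after(att_mtu, len, &out) < 0 ? -1L : (long) out;
}

/* Patch 11, before: len is int (a vasprintf() result), end is size_t.
 * len - end is evaluated in size_t, so the test is false only when
 * len == end; len < end wraps to a huge count that reaches memcpy().
 * Returns the count the guarded memcpy() would get, 0 if it is skipped. */
static size_t tail_len_before(int len, size_t end)
{
	if (len - end > 0)
		return len - end;
	return 0;
}

/* Patch 11, after: compare as sizes and subtract only when len > end. */
static size_t tail_len_after(int len, size_t end)
{
	if ((size_t) len > end)
		return (size_t) len - end;
	return 0;
}

/* Caveat the patch relies on: (size_t) len assumes len >= 0.  A failed
 * vasprintf() returns -1, which the cast turns into SIZE_MAX, and the
 * guard passes.  This variant (my suggestion, not the patch) rejects
 * the negative case first. */
static size_t tail_len_checked(int len, size_t end)
{
	if (len < 0)
		return 0;
	return tail_len_after(len, end);
}

int main(void)
{
	printf("mtu=0   len=70000 before: %u\n",
					(unsigned) rsp_len_before(0, 70000));
	printf("mtu=0   len=70000 after : %ld\n",
					rsp_len_after_value(0, 70000));
	printf("mtu=23  len=100   after : %ld\n",
					rsp_len_after_value(23, 100));
	printf("len=5  end=8 before : %zu\n", tail_len_before(5, 8));
	printf("len=5  end=8 after  : %zu\n", tail_len_after(5, 8));
	printf("len=-1 end=8 after  : %zu\n", tail_len_after(-1, 8));
	printf("len=-1 end=8 checked: %zu\n", tail_len_checked(-1, 8));
	return 0;
}
```

With an MTU of 0 the "before" form returns 70000 truncated to 4464 rather than an error, which is the same shape as the `new0(uint8_t, data->mtu - 1)` allocation of -1 elements that patch 01 guards against; with `len` 5 and `end` 8 the old ringbuf guard passes and asks for SIZE_MAX - 2 bytes.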