
libsemanage/direct_api: INTEGER_OVERFLOW read_len = read()

Message ID 20241025183207.1827274-1-vmojzis@redhat.com (mailing list archive)
State Accepted
Commit 9b4eff9222b2
Series libsemanage/direct_api: INTEGER_OVERFLOW read_len = read()

Commit Message

Vit Mojzis Oct. 25, 2024, 6:32 p.m. UTC
The following statement is always true if read_len is unsigned:
(read_len = read(fd, data_read + data_read_len, max_len - data_read_len)) > 0

Fixes:
 Error: INTEGER_OVERFLOW (CWE-190): [#def19] [important]
 libsemanage-3.7/src/direct_api.c:598:2: tainted_data_return: Called function "read(fd, data_read + data_read_len, max_len - data_read_len)", and a possible return value may be less than zero.
 libsemanage-3.7/src/direct_api.c:598:2: cast_underflow: An assign of a possibly negative number to an unsigned type, which might trigger an underflow.
 libsemanage-3.7/src/direct_api.c:599:3: overflow: The expression "data_read_len += read_len" is deemed underflowed because at least one of its arguments has underflowed.
 libsemanage-3.7/src/direct_api.c:598:2: overflow: The expression "max_len - data_read_len" is deemed underflowed because at least one of its arguments has underflowed.
 libsemanage-3.7/src/direct_api.c:598:2: overflow_sink: "max_len - data_read_len", which might have underflowed, is passed to "read(fd, data_read + data_read_len, max_len - data_read_len)". [Note: The source code implementation of the function has been overridden by a builtin model.]
 #  596|   	}
 #  597|
 #  598|-> 	while ((read_len = read(fd, data_read + data_read_len, max_len - data_read_len)) > 0) {
 #  599|   		data_read_len += read_len;
 #  600|   		if (data_read_len == max_len) {

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
 libsemanage/src/direct_api.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
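
As an added illustration for this page (not code from the patch or from libsemanage), the program below evaluates the flagged loop condition once with each declaration of read_len, using fd -1 so that read() fails with EBADF, and pairs it with a hypothetical reader written for this example that distinguishes EOF, EINTR and a genuine read error. The helper names, the pipe round-trip and the growth policy are assumptions for the demo, not the project's implementation.

```c
/* Added example (not libsemanage code): why `size_t read_len` defeats the
 * `> 0` loop test, and a reader that handles -1, EINTR and EOF explicitly. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Same expression as direct_api.c:598 before the fix, evaluated once. With an
 * unsigned read_len, read()'s -1 is converted to SIZE_MAX, so the condition
 * is true and the loop would keep going. Returns 1 if the loop would continue. */
static int cond_continues_unsigned(int fd, char *buf, size_t len)
{
	size_t read_len;
	return (read_len = read(fd, buf, len)) > 0;
}

/* After the fix: ssize_t keeps the sign, -1 > 0 is false and the loop ends. */
static int cond_continues_signed(int fd, char *buf, size_t len)
{
	ssize_t read_len;
	return (read_len = read(fd, buf, len)) > 0;
}

/* Hypothetical hardened reader (own design, not the libsemanage function):
 * reads fd to EOF into a growing buffer, retries on EINTR, and returns -1 on
 * any other read error instead of handing back a partial buffer as success. */
static int read_fd_to_data(int fd, size_t initial_len, char **out, size_t *out_len)
{
	size_t max_len = initial_len ? initial_len : 64;
	size_t data_read_len = 0;
	char *data_read = malloc(max_len);
	ssize_t read_len;

	if (!data_read)
		return -1;

	for (;;) {
		read_len = read(fd, data_read + data_read_len, max_len - data_read_len);
		if (read_len < 0) {
			if (errno == EINTR)
				continue;		/* interrupted by a signal: retry */
			free(data_read);
			return -1;			/* real error: do not return partial data */
		}
		if (read_len == 0)
			break;				/* EOF */
		data_read_len += (size_t)read_len;	/* safe: read_len > 0 here */
		if (data_read_len == max_len) {
			if (max_len > SIZE_MAX / 2) { free(data_read); return -1; }
			char *tmp = realloc(data_read, max_len * 2);
			if (!tmp) { free(data_read); return -1; }
			data_read = tmp;
			max_len *= 2;
		}
	}
	*out = data_read;
	*out_len = data_read_len;
	return 0;
}

/* Constructed input: push `payload` through a pipe and read it back. */
static int pipe_roundtrip(const char *payload, size_t initial_len, char **out, size_t *out_len)
{
	int fds[2];
	size_t n = strlen(payload);
	int rc;

	if (pipe(fds) != 0)
		return -1;
	if (write(fds[1], payload, n) != (ssize_t)n) {
		close(fds[0]); close(fds[1]);
		return -1;
	}
	close(fds[1]);				/* writer done: reader will see EOF */
	rc = read_fd_to_data(fds[0], initial_len, out, out_len);
	close(fds[0]);
	return rc;
}

int main(void)
{
	char buf[16];
	char *data = NULL;
	size_t len = 0;

	/* fd -1 makes read() fail with EBADF: the -1 return the scanner flagged. */
	printf("size_t  read_len, read() == -1: loop continues? %d\n",
	       cond_continues_unsigned(-1, buf, sizeof buf));
	printf("ssize_t read_len, read() == -1: loop continues? %d\n",
	       cond_continues_signed(-1, buf, sizeof buf));

	if (pipe_roundtrip("policy module bytes, longer than the first buffer", 8, &data, &len) == 0) {
		printf("read %zu bytes through a pipe starting from an 8-byte buffer\n", len);
		free(data);
	}
	printf("bad fd: read_fd_to_data returns %d\n", read_fd_to_data(-1, 8, &data, &len));
	return 0;
}
```

The first two calls are the whole point of the patch: the same expression, differing only in the declared type of read_len, keeps looping on a failed read() in one case and stops in the other. The reader function shows the other half a reviewer would want once the loop can exit on -1: the error is reported rather than silently turned into a short result.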

Comments

James Carter Oct. 28, 2024, 5:15 p.m. UTC | #1
On Fri, Oct 25, 2024 at 2:32 PM Vit Mojzis <vmojzis@redhat.com> wrote:
>
> The following statement is always true if read_len is unsigned:
> (read_len = read(fd, data_read + data_read_len, max_len - data_read_len)) > 0
>
> Fixes:
>  Error: INTEGER_OVERFLOW (CWE-190): [#def19] [important]
>  libsemanage-3.7/src/direct_api.c:598:2: tainted_data_return: Called function "read(fd, data_read + data_read_len, max_len - data_read_len)", and a possible return value may be less than zero.
>  libsemanage-3.7/src/direct_api.c:598:2: cast_underflow: An assign of a possibly negative number to an unsigned type, which might trigger an underflow.
>  libsemanage-3.7/src/direct_api.c:599:3: overflow: The expression "data_read_len += read_len" is deemed underflowed because at least one of its arguments has underflowed.
>  libsemanage-3.7/src/direct_api.c:598:2: overflow: The expression "max_len - data_read_len" is deemed underflowed because at least one of its arguments has underflowed.
>  libsemanage-3.7/src/direct_api.c:598:2: overflow_sink: "max_len - data_read_len", which might have underflowed, is passed to "read(fd, data_read + data_read_len, max_len - data_read_len)". [Note: The source code implementation of the function has been overridden by a builtin model.]
>  #  596|       }
>  #  597|
>  #  598|->     while ((read_len = read(fd, data_read + data_read_len, max_len - data_read_len)) > 0) {
>  #  599|               data_read_len += read_len;
>  #  600|               if (data_read_len == max_len) {
>
> Signed-off-by: Vit Mojzis <vmojzis@redhat.com>

Acked-by: James Carter <jwcart2@gmail.com>

> ---
>  libsemanage/src/direct_api.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
> index d740070d..7631c7bf 100644
> --- a/libsemanage/src/direct_api.c
> +++ b/libsemanage/src/direct_api.c
> @@ -582,7 +582,7 @@ cleanup:
>  static int read_from_pipe_to_data(semanage_handle_t *sh, size_t initial_len, int fd, char **out_data_read, size_t *out_read_len)
>  {
>         size_t max_len = initial_len;
> -       size_t read_len = 0;
> +       ssize_t read_len = 0;
>         size_t data_read_len = 0;
>         char *data_read = NULL;
>
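Review bot: with read_len now ssize_t, the `data_read_len += read_len;` at line 599 (size_t += ssize_t) becomes a mixed-sign addition; it is correct only because the loop condition has already established read_len > 0, so writing it as `data_read_len += (size_t)read_len;` would record that invariant at the point of use and keep -Wsign-conversion quiet.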
> --
> 2.47.0
>
>
James Carter Oct. 30, 2024, 1:16 p.m. UTC | #2
On Mon, Oct 28, 2024 at 1:15 PM James Carter <jwcart2@gmail.com> wrote:
>
> On Fri, Oct 25, 2024 at 2:32 PM Vit Mojzis <vmojzis@redhat.com> wrote:
> >
> > The following statement is always true if read_len is unsigned:
> > (read_len = read(fd, data_read + data_read_len, max_len - data_read_len)) > 0
> >
> > Fixes:
> >  Error: INTEGER_OVERFLOW (CWE-190): [#def19] [important]
> >  libsemanage-3.7/src/direct_api.c:598:2: tainted_data_return: Called function "read(fd, data_read + data_read_len, max_len - data_read_len)", and a possible return value may be less than zero.
> >  libsemanage-3.7/src/direct_api.c:598:2: cast_underflow: An assign of a possibly negative number to an unsigned type, which might trigger an underflow.
> >  libsemanage-3.7/src/direct_api.c:599:3: overflow: The expression "data_read_len += read_len" is deemed underflowed because at least one of its arguments has underflowed.
> >  libsemanage-3.7/src/direct_api.c:598:2: overflow: The expression "max_len - data_read_len" is deemed underflowed because at least one of its arguments has underflowed.
> >  libsemanage-3.7/src/direct_api.c:598:2: overflow_sink: "max_len - data_read_len", which might have underflowed, is passed to "read(fd, data_read + data_read_len, max_len - data_read_len)". [Note: The source code implementation of the function has been overridden by a builtin model.]
> >  #  596|       }
> >  #  597|
> >  #  598|->     while ((read_len = read(fd, data_read + data_read_len, max_len - data_read_len)) > 0) {
> >  #  599|               data_read_len += read_len;
> >  #  600|               if (data_read_len == max_len) {
> >
> > Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
>
> Acked-by: James Carter <jwcart2@gmail.com>
>

Merged.
Thanks,
Jim

> > ---
> >  libsemanage/src/direct_api.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
> > index d740070d..7631c7bf 100644
> > --- a/libsemanage/src/direct_api.c
> > +++ b/libsemanage/src/direct_api.c
> > @@ -582,7 +582,7 @@ cleanup:
> >  static int read_from_pipe_to_data(semanage_handle_t *sh, size_t initial_len, int fd, char **out_data_read, size_t *out_read_len)
> >  {
> >         size_t max_len = initial_len;
> > -       size_t read_len = 0;
> > +       ssize_t read_len = 0;
> >         size_t data_read_len = 0;
> >         char *data_read = NULL;
> >
> > --
> > 2.47.0
> >
> >

Patch

diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
index d740070d..7631c7bf 100644
--- a/libsemanage/src/direct_api.c
+++ b/libsemanage/src/direct_api.c
@@ -582,7 +582,7 @@  cleanup:
 static int read_from_pipe_to_data(semanage_handle_t *sh, size_t initial_len, int fd, char **out_data_read, size_t *out_read_len)
 {
 	size_t max_len = initial_len;
-	size_t read_len = 0;
+	ssize_t read_len = 0;
 	size_t data_read_len = 0;
 	char *data_read = NULL;
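Review bot: the one-line type change fixes the loop test but the hunk shows nothing after the loop, and the fix makes read_len == -1 a new way out of it; confirm that the code following the `while` reports a read() failure (and retries on EINTR rather than treating it as end of input) instead of passing the partially filled buffer back through out_data_read/out_read_len as success. If that check is not already there, a `if (read_len < 0)` test immediately after the loop, returning an error with errno intact, would close the path.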