[BlueZ,5/8] mesh: Fix possible integer overflow

Message ID	20240805140840.1606239-6-hadess@hadess.net (mailing list archive)
State	New, archived
Headers	show Received: from relay7-d.mail.gandi.net (relay7-d.mail.gandi.net [217.70.183.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7AE53811E2 for <linux-bluetooth@vger.kernel.org>; Mon, 5 Aug 2024 14:08:44 +0000 (UTC) From: Bastien Nocera <hadess@hadess.net> To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera <hadess@hadess.net> Subject: [BlueZ 5/8] mesh: Fix possible integer overflow Date: Mon, 5 Aug 2024 16:06:43 +0200 Message-ID: <20240805140840.1606239-6-hadess@hadess.net> In-Reply-To: <20240805140840.1606239-1-hadess@hadess.net> References: <20240805140840.1606239-1-hadess@hadess.net> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	Fix a number of static analysis issues #6 \| expand [BlueZ,0/8] Fix a number of static analysis issues #6 [BlueZ,1/8] sdp: Ensure size doesn't overflow [BlueZ,2/8] tools/isotest: Ensure ret doesn't overflow [BlueZ,3/8] health: mcap: Ensure sent doesn't overflow [BlueZ,4/8] shared/tester: Add early failure check [BlueZ,5/8] mesh: Fix possible integer overflow [BlueZ,6/8] shared/gatt-db: Fix possible buffer overrun [BlueZ,7/8] shared/btsnoop: Avoid underflowing toread variable [BlueZ,8/8] monitor: Check for possible integer underflow

Message ID

20240805140840.1606239-6-hadess@hadess.net (mailing list archive)

State

New, archived

Headers

From: Bastien Nocera <hadess@hadess.net>
To: linux-bluetooth@vger.kernel.org
Cc: Bastien Nocera <hadess@hadess.net>
Subject: [BlueZ 5/8] mesh: Fix possible integer overflow
Date: Mon,  5 Aug 2024 16:06:43 +0200
Message-ID: <20240805140840.1606239-6-hadess@hadess.net>
In-Reply-To: <20240805140840.1606239-1-hadess@hadess.net>
References: <20240805140840.1606239-1-hadess@hadess.net>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

Fix a number of static analysis issues #6 | expand

Checks

Context	Check	Description
tedd_an/pre-ci_am	success	Success
tedd_an/CheckPatch	success	CheckPatch PASS
tedd_an/GitLint	fail	WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search 4: B1 Line exceeds max length (120>80): "bluez-5.77/mesh/net.c:3164:4: cast_overflow: Truncation due to cast operation on "msg->len - seg_off" from 32 to 8 bits." 5: B1 Line exceeds max length (95>80): "bluez-5.77/mesh/net.c:3164:4: overflow_assign: "seg_len" is assigned from "msg->len - seg_off"." 6: B1 Line exceeds max length (306>80): "bluez-5.77/mesh/net.c:3178:2: overflow_sink: "seg_len", which might have overflowed, is passed to "mesh_crypto_packet_build(false, msg->ttl, seq_num, msg->src, msg->remote, 0, msg->segmented, msg->key_aid, msg->szmic, false, msg->seqZero, segO, segN, msg->buf + seg_off, seg_len, packet + 1, &packet_len)"." 8: B3 Line contains hard tab characters (\t): "3177\| /* TODO: Are we RXing on an LPN's behalf? Then set RLY bit */" 9: B3 Line contains hard tab characters (\t): "3178\|-> if (!mesh_crypto_packet_build(false, msg->ttl, seq_num, msg->src," 10: B3 Line contains hard tab characters (\t): "3179\| msg->remote, 0, msg->segmented," 11: B3 Line contains hard tab characters (\t): "3180\| msg->key_aid, msg->szmic, false,"
tedd_an/IncrementalBuild	success	Incremental Build PASS

Context

Check

Description

tedd_an/pre-ci_am

success

Success

tedd_an/CheckPatch

success

CheckPatch PASS

tedd_an/GitLint

fail

WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search 4: B1 Line exceeds max length (120>80): "bluez-5.77/mesh/net.c:3164:4: cast_overflow: Truncation due to cast operation on "msg->len - seg_off" from 32 to 8 bits." 5: B1 Line exceeds max length (95>80): "bluez-5.77/mesh/net.c:3164:4: overflow_assign: "seg_len" is assigned from "msg->len - seg_off"." 6: B1 Line exceeds max length (306>80): "bluez-5.77/mesh/net.c:3178:2: overflow_sink: "seg_len", which might have overflowed, is passed to "mesh_crypto_packet_build(false, msg->ttl, seq_num, msg->src, msg->remote, 0, msg->segmented, msg->key_aid, msg->szmic, false, msg->seqZero, segO, segN, msg->buf + seg_off, seg_len, packet + 1, &packet_len)"." 8: B3 Line contains hard tab characters (\t): "3177| /* TODO: Are we RXing on an LPN's behalf? Then set RLY bit */" 9: B3 Line contains hard tab characters (\t): "3178|-> if (!mesh_crypto_packet_build(false, msg->ttl, seq_num, msg->src," 10: B3 Line contains hard tab characters (\t): "3179| msg->remote, 0, msg->segmented," 11: B3 Line contains hard tab characters (\t): "3180| msg->key_aid, msg->szmic, false,"

tedd_an/IncrementalBuild

success

Incremental Build PASS

Commit Message

Bastien Nocera Aug. 5, 2024, 2:06 p.m. UTC

Error: INTEGER_OVERFLOW (CWE-190): [#def1] [important]
bluez-5.77/mesh/net.c:3164:4: cast_overflow: Truncation due to cast operation on "msg->len - seg_off" from 32 to 8 bits.
bluez-5.77/mesh/net.c:3164:4: overflow_assign: "seg_len" is assigned from "msg->len - seg_off".
bluez-5.77/mesh/net.c:3178:2: overflow_sink: "seg_len", which might have overflowed, is passed to "mesh_crypto_packet_build(false, msg->ttl, seq_num, msg->src, msg->remote, 0, msg->segmented, msg->key_aid, msg->szmic, false, msg->seqZero, segO, segN, msg->buf + seg_off, seg_len, packet + 1, &packet_len)".
3176|
3177|		/* TODO: Are we RXing on an LPN's behalf? Then set RLY bit */
3178|->		if (!mesh_crypto_packet_build(false, msg->ttl, seq_num, msg->src,
3179|						msg->remote, 0, msg->segmented,
3180|						msg->key_aid, msg->szmic, false,

X
---
 mesh/net.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/mesh/net.c b/mesh/net.c
index 05ca48326fc5..ef6a3133859a 100644
--- a/mesh/net.c
+++ b/mesh/net.c
@@ -3149,13 +3149,22 @@  static bool send_seg(struct mesh_net *net, uint8_t cnt, uint16_t interval,
 	uint32_t seq_num;
 
 	if (msg->segmented) {
+		if (msg->len < seg_off) {
+			l_error("Failed to build packet");
+			return false;
+		}
 		/* Send each segment on unique seq_num */
 		seq_num = mesh_net_next_seq_num(net);
 
-		if (msg->len - seg_off > SEG_OFF(1))
+		if (msg->len - seg_off > SEG_OFF(1)) {
 			seg_len = SEG_OFF(1);
-		else
+		} else {
+			if (msg->len - seg_off > UINT8_MAX) {
+				l_error("Failed to build packet");
+				return false;
+			}
 			seg_len = msg->len - seg_off;
+		}
 	} else {
 		/* Send on same seq_num used for Access Layer */
 		seq_num = msg->seqAuth;