From patchwork Mon Aug 5 14:06:39 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 13753666 Received: from relay7-d.mail.gandi.net (relay7-d.mail.gandi.net [217.70.183.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 66FCB78685 for ; Mon, 5 Aug 2024 14:08:43 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.200 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1722866926; cv=none; b=oItD1Z9W0XeoKD5h5WLMC4YrZJ4VAwmQQqEcK+v714/rttyVi7fm4rNAhro1bTEHrKGiW5CJhsNp2TM+i5JHHOHGP2+gaqO5h0Bw/VD5gcocd5cBCn7WDQNT+O3GBptA8K5jmveydRO3jHSmHgnUBHVc+gGc2xMAJIu4Jy8lmug= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1722866926; c=relaxed/simple; bh=5zaz91anUO0jZjOxKnw2kj87TKZb2NE7EdsGGeFrdfY=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=mzgtnSSR3AbRSp8GOLK0L4DsPrEt8T4m+WuwoKF/w+SryHS4mH2EdmLZvpchHZweiMLYXZNn4Y3b7GzKHuASuVKIbo3AQwhpQXhg/Vsguf/wwIYbPMnA5RiYuCE1Yff7BTSsVlG19mMTIws7d7WWP9jhdGuPg7GdoTYa/qLyzyQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.200 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id B106220004; Mon, 5 Aug 2024 14:08:41 +0000 (UTC) 
From: Bastien Nocera
To: linux-bluetooth@vger.kernel.org
Cc: Bastien Nocera
Subject: [BlueZ 1/8] sdp: Ensure size doesn't overflow
Date: Mon, 5 Aug 2024 16:06:39 +0200
Message-ID: <20240805140840.1606239-2-hadess@hadess.net>
X-Mailer: git-send-email 2.45.2
In-Reply-To: <20240805140840.1606239-1-hadess@hadess.net>
References: <20240805140840.1606239-1-hadess@hadess.net>
Precedence: bulk
X-Mailing-List: linux-bluetooth@vger.kernel.org
List-Id:
List-Subscribe:
List-Unsubscribe:
MIME-Version: 1.0
X-GND-Sasl: hadess@hadess.net

Error: INTEGER_OVERFLOW (CWE-190): [#def1] [important]
bluez-5.77/lib/sdp.c:1685:2: tainted_data_argument: The check "sent < size" contains the tainted expression "sent" which causes "size" to be considered tainted.
bluez-5.77/lib/sdp.c:1686:3: overflow: The expression "size - sent" is deemed overflowed because at least one of its arguments has overflowed.
bluez-5.77/lib/sdp.c:1686:3: overflow_sink: "size - sent", which might have underflowed, is passed to "send(session->sock, buf + sent, size - sent, 0)".
 1684|
 1685|   while (sent < size) {
 1686|->   int n = send(session->sock, buf + sent, size - sent, 0);
 1687|     if (n < 0)
 1688|       return -1;
---
 lib/sdp.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/sdp.c b/lib/sdp.c
index 411a95b8a7d3..8a15ad803db1 100644
--- a/lib/sdp.c
+++ b/lib/sdp.c
@@ -1678,13 +1678,13 @@ sdp_data_t *sdp_data_get(const sdp_record_t *rec, uint16_t attrId) return NULL; } -static int sdp_send_req(sdp_session_t *session, uint8_t *buf, uint32_t size) +static int sdp_send_req(sdp_session_t *session, uint8_t *buf, size_t size) { - uint32_t sent = 0; + size_t sent = 0; while (sent < size) { int n = send(session->sock, buf + sent, size - sent, 0); - if (n < 0) + if (n < 0 || sent > SIZE_MAX - n) return -1; sent += n; } From patchwork Mon Aug 5 14:06:40 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 13753667 Received: from relay7-d.mail.gandi.net (relay7-d.mail.gandi.net [217.70.183.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CFD067D40D for ; Mon, 5 Aug 2024 14:08:43 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.200 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1722866926; cv=none; b=mOnhL8S7y9e0KJ5qMC+E+JO8+yedlwtfateg8ZtDQ8Uw3RSA5DWWFXa2gclneI7sF2FBYaC//v7AKalpxzZteOYtlL8ms3JA+NyY/dMIugtK/bRdBQWsPX/qiRtIunQifYjR+5J4a7YaPHA1Za5K/6Ir1k4X2AF9VcboV12M1U0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1722866926; c=relaxed/simple; bh=BdTQ8LZ6jZWoM+L9qDs8wG+nWa8UVCk+Cx+c7JD4cA8=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=Up3gDZPv2yU1OWj3qAUPtA9bWe53ulQNoLqkxU1aJcPq90uqa0GIdi57j0hX7cP+UWK5t9ghBMsDANrGKIucvg1LYso/0nTvWx6RW4epmO2KtYVI9Q2FuhwYHzCFG8SGmfcP5T9xCg0BEKLkRk9Jtsbz+Ml4BHPpckmAiUcjojs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.200 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net 
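Review bot: in [BlueZ 1/8] the new guard `sent > SIZE_MAX - n` in sdp_send_req() cannot trigger: send() returns at most the `size - sent` bytes it was asked for, so `sent + n` never exceeds `size`, let alone SIZE_MAX. The invariant that actually keeps `size - sent` from underflowing is `(size_t)n <= size - sent`, so `if (n < 0 || (size_t)n > size - sent) return -1;` protects the subtraction Coverity flagged directly and also catches a misbehaving send() that reports more than was requested. Widening the parameter from uint32_t to size_t is harmless for existing callers, since their uint32_t arguments convert implicitly.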
From: Bastien Nocera
To: linux-bluetooth@vger.kernel.org
Cc: Bastien Nocera
Subject: [BlueZ 2/8] tools/isotest: Ensure ret doesn't overflow
Date: Mon, 5 Aug 2024 16:06:40 +0200
Message-ID: <20240805140840.1606239-3-hadess@hadess.net>
X-Mailer: git-send-email 2.45.2
In-Reply-To: <20240805140840.1606239-1-hadess@hadess.net>
References: <20240805140840.1606239-1-hadess@hadess.net>

Error: INTEGER_OVERFLOW (CWE-190): [#def20] [important]
bluez-5.77/tools/isotest.c:778:2: tainted_data_argument: The check "ret < count" contains the tainted expression "ret" which causes "count" to be considered tainted.
bluez-5.77/tools/isotest.c:779:3: overflow: The expression "count - ret" is deemed overflowed because at least one of its arguments has overflowed.
bluez-5.77/tools/isotest.c:779:3: overflow_sink: "count - ret", which might have underflowed, is passed to "read(fd, buf + ret, count - ret)". [Note: The source code implementation of the function has been overridden by a builtin model.]
 777|
 778|   while (ret < count) {
 779|->   len = read(fd, buf + ret, count - ret);
 780|     if (len < 0)
 781|       return -errno;
---
 tools/isotest.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tools/isotest.c b/tools/isotest.c
index 2cac0e49cc39..0805faa66e47 100644
--- a/tools/isotest.c
+++ b/tools/isotest.c
@@ -779,6 +779,8 @@ static int read_stream(int fd, ssize_t count) len = read(fd, buf + ret, count - ret); if (len < 0) return -errno; + if (len > SSIZE_MAX - ret) + return -EOVERFLOW; ret += len; usleep(1000); From patchwork Mon Aug 5 14:06:41 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 13753663 Received: from relay7-d.mail.gandi.net (relay7-d.mail.gandi.net [217.70.183.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EF70280631 for ; Mon, 5 Aug 2024 14:08:43 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.200 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1722866925; cv=none; b=IYyuF7o2DiisaOo0+uSSnvE81IEK58j5ENmWk0izCbZdKKd2GYno8b1wLALJp5TD1q0KY5pyDhou2S9hEJC/Pl7Uf7hnESsYuwU0hsJTpZQQKjTSbRZMLwhSxoJKQ8/ve1Dkl6hRBasD3XAUh4bQHXjH+HA7KXXbAt6gQ7Ydb0I= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1722866925; c=relaxed/simple; bh=zK5PstR/J/SNhgoa834rHpP4N7yToufuA0WG/vN4QLY=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=G4EHgvkmVVQ68RjtCXbS0DYNGxw41aW+BvIc0tyR0Yupl+78mj1+gMBTsgbafZvMDjAQ6YFpvDD0Cw+HBk5yksDVErFUlIKWCPDR76UT1DJe0y/mxGq8SAf3WTMfOjleS43A31F4yMwzV+e0DQtzNH5B2j3UcTgOUonacPUHDwc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.200 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id 57BD420007; Mon, 5 Aug 2024 14:08:42 +0000 (UTC) 
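Review bot: in [BlueZ 2/8] the added `len > SSIZE_MAX - ret` check in read_stream() is unreachable: read() returns at most `count - ret`, and `count` is a ssize_t, so `ret + len <= count <= SSIZE_MAX` always holds. What the loop does not handle is `len == 0` (EOF): `ret` stops advancing and `while (ret < count)` keeps calling read() and usleep(1000) forever. Treating `len == 0` as an error (e.g. `return -EIO;`) or breaking out of the loop is the check that makes this loop robust, and the `count - ret` expression Coverity flagged is then bounded by the loop condition alone.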
From: Bastien Nocera
To: linux-bluetooth@vger.kernel.org
Cc: Bastien Nocera
Subject: [BlueZ 3/8] health: mcap: Ensure sent doesn't overflow
Date: Mon, 5 Aug 2024 16:06:41 +0200
Message-ID: <20240805140840.1606239-4-hadess@hadess.net>
X-Mailer: git-send-email 2.45.2
In-Reply-To: <20240805140840.1606239-1-hadess@hadess.net>
References: <20240805140840.1606239-1-hadess@hadess.net>

Error: INTEGER_OVERFLOW (CWE-190): [#def13] [important]
bluez-5.77/profiles/health/mcap.c:390:2: tainted_data_argument: The check "sent < size" contains the tainted expression "sent" which causes "size" to be considered tainted.
bluez-5.77/profiles/health/mcap.c:391:3: overflow: The expression "size - sent" is deemed overflowed because at least one of its arguments has overflowed.
bluez-5.77/profiles/health/mcap.c:391:3: overflow_sink: "size - sent", which might have underflowed, is passed to "write(sock, buf_b + sent, size - sent)".
 389|
 390|   while (sent < size) {
 391|->   int n = write(sock, buf_b + sent, size - sent);
 392|     if (n < 0)
 393|       return -1;
---
 profiles/health/mcap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/profiles/health/mcap.c b/profiles/health/mcap.c
index 2e4214a6984f..b3bf403e74d2 100644
--- a/profiles/health/mcap.c
+++ b/profiles/health/mcap.c
@@ -389,7 +389,7 @@ int mcap_send_data(int sock, const void *buf, uint32_t size) while (sent < size) { int n = write(sock, buf_b + sent, size - sent); - if (n < 0) + if (n < 0 || n > SSIZE_MAX - sent) return -1; sent += n; } From patchwork Mon Aug 5 14:06:42 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 13753664 Received: from relay7-d.mail.gandi.net (relay7-d.mail.gandi.net [217.70.183.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 54C6180BFF for ; Mon, 5 Aug 2024 14:08:43 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.200 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1722866926; cv=none; b=hYTSZYXCFtL92P/AruZWGG0rQM739PcpgAfjaI5l3/Z5XDTKmRl4yQjwYMaU+byhGb09GlyoGtXRq5mODyM6GPC4GM1AYeAbwAmst7Ol4CvknNpcy7SRJZfCmWve0zRUtophG0+EQS4LnHjKxoE842WoWj6WW9AWTIYXnUwWFmY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1722866926; c=relaxed/simple; bh=Ov5XOLP4ntkCru0zKxTA2tMOaGaj6gnB+WOqzlkUa5A=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=KPeydIBrlyOhdgxIjK9f7ovESMQ/xtcxrytwKv+jYRmFRyQw8Q5TBN4mI0uq3br02OtgcTlzagruwg205MlwD4qnxbbtna/v6C065U5jQo/3/navPFJ4dUt0VbMygg+gbEiGPHxTqdvjkuGCCjPnY1RraNGNHkUs2vR/xUapJwg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.200 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id 9D34320008; Mon, 5 Aug 2024 14:08:42 +0000 (UTC) 
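Review bot: in [BlueZ 3/8] `n > SSIZE_MAX - sent` in mcap_send_data() bounds the sum against the 64-bit SSIZE_MAX, but `size` is a uint32_t and `sent` is compared against it; if `sent` is a 32-bit type as well, the check cannot catch a wrap of `sent += n` and says nothing about the `size - sent` subtraction Coverity flagged. As in 1/8, the condition that protects that subtraction is `(uint32_t)n > size - sent` (write() never returns more than it was asked to write, so this only fails on a broken return value), and it also avoids mixing an int `n` with the long-typed `SSIZE_MAX - sent`.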
From: Bastien Nocera
To: linux-bluetooth@vger.kernel.org
Cc: Bastien Nocera
Subject: [BlueZ 4/8] shared/tester: Add early failure check
Date: Mon, 5 Aug 2024 16:06:42 +0200
Message-ID: <20240805140840.1606239-5-hadess@hadess.net>
X-Mailer: git-send-email 2.45.2
In-Reply-To: <20240805140840.1606239-1-hadess@hadess.net>
References: <20240805140840.1606239-1-hadess@hadess.net>

Add a similar assertion to the other tests to avoid passing negative len to tester_monitor() which might result in crashes.

Error: OVERRUN (CWE-119): [#def13] [important]
bluez-5.77/src/shared/tester.c:946:2: return_constant: Function call "io_send(io, iov, 1)" may return -107.
bluez-5.77/src/shared/tester.c:946:2: assignment: Assigning: "len" = "io_send(io, iov, 1)". The value of "len" is now -107.
bluez-5.77/src/shared/tester.c:948:2: overrun-buffer-arg: Calling "tester_monitor" with "iov->iov_base" and "len" is suspicious because of the very large index, 18446744073709551509. The index may be due to a negative parameter being interpreted as unsigned.
 946|   len = io_send(io, iov, 1);
 947|
 948|->  tester_monitor('<', 0x0004, 0x0000, iov->iov_base, len);
 949|
 950|   g_assert_cmpint(len, ==, iov->iov_len);
---
 src/shared/tester.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/shared/tester.c b/src/shared/tester.c
index 56c8cba6f578..3053025d7945 100644
--- a/src/shared/tester.c
+++ b/src/shared/tester.c
@@ -945,6 +945,8 @@ static bool test_io_send(struct io *io, void *user_data) len = io_send(io, iov, 1); + g_assert(len > 0); + tester_monitor('<', 0x0004, 0x0000, iov->iov_base, len); g_assert_cmpint(len, ==, iov->iov_len); From patchwork Mon Aug 5 14:06:43 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 13753665 Received: from relay7-d.mail.gandi.net (relay7-d.mail.gandi.net [217.70.183.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7AE53811E2 for ; Mon, 5 Aug 2024 14:08:44 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.200 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1722866926; cv=none; b=gcV4W70F4k5x1xoXWfD8jZedj3fEBnW2giE7HM0aePxSo+/DDW/K9QSpFtVE9qZiTlzzwupPwWlNQU5gfoUj5TAbIaCksv4j50eHSVnzvFFNdYJd2NHOR32eDrOovWxOwfZYTFnprX7Y4yHde8aDgoytSMf/BsVRJ4etHHxNVVc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1722866926; c=relaxed/simple; bh=6JFpXQZQ2Yvc8eAxLEiavBKVbaEu54L4ygtUbbkzmxA=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=kkvBbKkQqhX9ITwDvWDTCWY7DKJgE1IGREl2SDUMltIKRop5eCHQ6yeK+PVNzYsfAWi41oBoS0c11BPBPYxDmcUJeoqOXx3RlcJWqAJVjYAgCIx+PFnkv4MR/31BUHQSaUsppFSWACfyk+6mhfHELBiqxLiWVSKuwxu+eC+UUnI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.200 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id E2C0B20009; Mon, 5 Aug 2024 14:08:42 +0000 (UTC) 
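Review bot: in [BlueZ 4/8] `g_assert(len > 0)` is stricter than the `g_assert_cmpint(len, ==, iov->iov_len)` two lines below it: an iov with `iov_len == 0` would now fail the new assertion while passing the existing one. `g_assert_cmpint(len, >=, 0)` blocks the negative length Coverity flagged without changing what test_io_send() accepts, and, unlike a bare g_assert, prints the offending value on failure; simply moving the existing cmpint assertion above the tester_monitor() call would do the same with no new line at all.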
From: Bastien Nocera
To: linux-bluetooth@vger.kernel.org
Cc: Bastien Nocera
Subject: [BlueZ 5/8] mesh: Fix possible integer overflow
Date: Mon, 5 Aug 2024 16:06:43 +0200
Message-ID: <20240805140840.1606239-6-hadess@hadess.net>
X-Mailer: git-send-email 2.45.2
In-Reply-To: <20240805140840.1606239-1-hadess@hadess.net>
References: <20240805140840.1606239-1-hadess@hadess.net>

Error: INTEGER_OVERFLOW (CWE-190): [#def1] [important]
bluez-5.77/mesh/net.c:3164:4: cast_overflow: Truncation due to cast operation on "msg->len - seg_off" from 32 to 8 bits.
bluez-5.77/mesh/net.c:3164:4: overflow_assign: "seg_len" is assigned from "msg->len - seg_off".
bluez-5.77/mesh/net.c:3178:2: overflow_sink: "seg_len", which might have overflowed, is passed to "mesh_crypto_packet_build(false, msg->ttl, seq_num, msg->src, msg->remote, 0, msg->segmented, msg->key_aid, msg->szmic, false, msg->seqZero, segO, segN, msg->buf + seg_off, seg_len, packet + 1, &packet_len)".
 3176|
 3177|   /* TODO: Are we RXing on an LPN's behalf? Then set RLY bit */
 3178|->  if (!mesh_crypto_packet_build(false, msg->ttl, seq_num, msg->src,
 3179|                       msg->remote, 0, msg->segmented,
 3180|                       msg->key_aid, msg->szmic, false,
---
 mesh/net.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/mesh/net.c b/mesh/net.c
index 05ca48326fc5..ef6a3133859a 100644
--- a/mesh/net.c
+++ b/mesh/net.c
@@ -3149,13 +3149,22 @@ static bool send_seg(struct mesh_net *net, uint8_t cnt, uint16_t interval, uint32_t seq_num; if (msg->segmented) { + if (msg->len < seg_off) { + l_error("Failed to build packet"); + return false; + } /* Send each segment on unique seq_num */ seq_num = mesh_net_next_seq_num(net); - if (msg->len - seg_off > SEG_OFF(1)) + if (msg->len - seg_off > SEG_OFF(1)) { seg_len = SEG_OFF(1); - else + } else { + if (msg->len - seg_off > UINT8_MAX) { + l_error("Failed to build packet"); + return false; + } seg_len = msg->len - seg_off; + } } else { /* Send on same seq_num used for Access Layer */ seq_num = msg->seqAuth; From patchwork Mon Aug 5 14:06:44 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 13753670 Received: from relay7-d.mail.gandi.net (relay7-d.mail.gandi.net [217.70.183.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0628B12C484 for ; Mon, 5 Aug 2024 14:08:44 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.200 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1722866927; cv=none; b=EKXPHI/zQU4bHbcyW/uwUy4U77sVUfd+FM/l+oRN9qPOkUY1RY4JM2O4aBWmf5Ddfp1Egl+pCbvhvHhDEE4NekCgTcIvX1WaJRKtKDjVw0R1TWqCurhseCno5x0RkR7uUNRtj7VeYqPFinlECQpqQ9I/yKawqqSkey1pwHVEU6k= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1722866927; c=relaxed/simple; bh=yUneGDyBLidQe02OZmR7Mstv0imyNiw+9ggZirz2eHw=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=oFh9K9PNvrj741lzUytNZkz+bz67+Km4SZT5D1h/v2nG7JfyExpvxv+ucgZizXs+kOnjEMG3vZYdk5J1qhmF/7SJAUwgwzgwvuWXk+5Yaha6jLp4Fp5RQrOZWZZ3zvLcYvKB1c7sO6BB6JcoiH1K/cXCMvKtdaGR8RBZRgQ/SyE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) 
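Review bot: in [BlueZ 5/8] the two new error paths in send_seg() log the identical string "Failed to build packet", so a log line from the field cannot tell a `seg_off` past the end of the message from an oversized segment; giving each its own message, ideally with `msg->len`, `seg_off` and the computed length, makes the failure actionable. Also, the inner `msg->len - seg_off > UINT8_MAX` test only runs in the branch where `msg->len - seg_off <= SEG_OFF(1)`, so if SEG_OFF(1), a single lower-transport segment, is below 256 the branch can never fire: the first branch already prevents the 32-to-8-bit truncation Coverity reported. A comment or a build-time assertion that `SEG_OFF(1) <= UINT8_MAX` would document that invariant instead of leaving a dead check to maintain.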
From: Bastien Nocera
To: linux-bluetooth@vger.kernel.org
Cc: Bastien Nocera
Subject: [BlueZ 6/8] shared/gatt-db: Fix possible buffer overrun
Date: Mon, 5 Aug 2024 16:06:44 +0200
Message-ID: <20240805140840.1606239-7-hadess@hadess.net>
X-Mailer: git-send-email 2.45.2
In-Reply-To: <20240805140840.1606239-1-hadess@hadess.net>
References: <20240805140840.1606239-1-hadess@hadess.net>

uuid_to_le() returns one of the possible values from bt_uuid_len(). bt_uuid_len() returns "type / 8". type is a value between 0 and 128, but could be something else depending on the validity of the UUID that's parsed. So an invalid value of type between 128 and 256 would trigger an overrun.

Add a check to make sure that an invalid type isn't used to calculate the length.

Error: OVERRUN (CWE-119): [#def6] [important]
bluez-5.77/src/shared/gatt-db.c:612:2: assignment: Assigning: "len" = "uuid_to_le(uuid, value)". The value of "len" is now between 0 and 31 (inclusive).
bluez-5.77/src/shared/gatt-db.c:614:2: overrun-buffer-arg: Overrunning array "value" of 16 bytes by passing it to a function which accesses it at byte offset 30 using argument "len" (which evaluates to 31).
 612|   len = uuid_to_le(uuid, value);
 613|
 614|->  service->attributes[0] = new_attribute(service, handle, type, value,
 615|                                           len);
 616|   if (!service->attributes[0]) {
---
 src/shared/gatt-db.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/shared/gatt-db.c b/src/shared/gatt-db.c index b35763410d17..cd0eba6bf1d0 100644 --- a/src/shared/gatt-db.c +++ b/src/shared/gatt-db.c 
@@ -560,9 +560,14 @@ static int uuid_to_le(const bt_uuid_t *uuid, uint8_t *dst) return bt_uuid_len(uuid); } - bt_uuid_to_uuid128(uuid, &uuid128); - bswap_128(&uuid128.value.u128, dst); - return bt_uuid_len(&uuid128); + if (uuid->type == BT_UUID32 || + uuid->type == BT_UUID128) { + bt_uuid_to_uuid128(uuid, &uuid128); + bswap_128(&uuid128.value.u128, dst); + return bt_uuid_len(&uuid128); + } + + return 0; } static bool le_to_uuid(const uint8_t *src, size_t len, bt_uuid_t *uuid) From patchwork Mon Aug 5 14:06:45 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 13753668 Received: from relay7-d.mail.gandi.net (relay7-d.mail.gandi.net [217.70.183.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5DCA112D20D for ; Mon, 5 Aug 2024 14:08:44 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.200 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1722866927; cv=none; b=QOlHbz+rU4idMlVC/b+w978D2J+SkB2Mo52BdAKh9T62ixDyvXZDEO2V56SDvOXOnvU0wW39mhsSxDu/Ujity+tLai5VRforJe9NQT72Gu04liJyRAqTXAtuYuHqn3Y0Uwr4+pcLvpQOR4krF3RknT4TLTSmhAWXyMAxVrF5HEQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1722866927; c=relaxed/simple; bh=0wqNcyaL74Bj6IpXL6qGatPX6UlTMhwbuxzp+0BeNmo=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=AFckHxRyfzgHUQKig9CNRRzHliJxb9Dt5Pd+2LyzssVhF0DajQKwwQeL8tMPUD9sUpKY0+Z/yawEX8xIrQYwP+ZW1UNNllzfp6CX5xionxx+V8VGV4sblHjmvBV8oPfcIl32WQrNX+9VcBZDgr32D3V18UKRAd1f2PQIbJrXU1I= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.200 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none 
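Review bot: in [BlueZ 6/8] uuid_to_le() now returns 0 for an unknown `uuid->type`, but the caller in the Coverity trace passes that length straight to new_attribute(), so a malformed UUID silently becomes a zero-length attribute value rather than an error. Either the callers should treat a 0 return as failure (skip the attribute and return NULL), or uuid_to_le() should return -1 so that a missing check is loud instead of quietly producing an empty attribute. Since bt_uuid_len() is where `type / 8` is computed for every caller, rejecting unknown types there would close the same hole for other users of that function rather than this one site only.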
dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id 82ED52000F; Mon, 5 Aug 2024 14:08:43 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ 7/8] shared/btsnoop: Avoid underflowing toread variable Date: Mon, 5 Aug 2024 16:06:45 +0200 Message-ID: <20240805140840.1606239-8-hadess@hadess.net> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240805140840.1606239-1-hadess@hadess.net> References: <20240805140840.1606239-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Error: INTEGER_OVERFLOW (CWE-190): [#def8] [important] bluez-5.77/src/shared/btsnoop.c:556:3: underflow: The decrement operator on the unsigned variable "toread" might result in an underflow. bluez-5.77/src/shared/btsnoop.c:572:2: overflow_sink: "toread", which might have underflowed, is passed to "read(btsnoop->fd, data, toread)". [Note: The source code implementation of the function has been overridden by a builtin model.] 570| } 571| 572|-> len = read(btsnoop->fd, data, toread); 573| if (len < 0) { 574| btsnoop->aborted = true; --- src/shared/btsnoop.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/shared/btsnoop.c b/src/shared/btsnoop.c index bc5f7fcbe84c..bb0bccf0dd01 100644 --- a/src/shared/btsnoop.c +++ b/src/shared/btsnoop.c @@ -530,7 +530,7 @@ bool btsnoop_read_hci(struct btsnoop *btsnoop, struct timeval *tv, } toread = be32toh(pkt.len); - if (toread > BTSNOOP_MAX_PACKET_SIZE) { + if (toread > BTSNOOP_MAX_PACKET_SIZE || toread < 1) { btsnoop->aborted = true; return false; } 
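Review bot: in [BlueZ 7/8] the first hunk's `toread < 1` reads oddly on an unsigned value; `toread == 0` states the intent (an empty packet record) directly and matches the form used in the second hunk. It would also help to say in a comment why a zero-length record is treated as a corrupt file and aborts the whole read, since that is a behaviour change for any capture that happens to contain one.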
@@ -569,6 +569,11 @@ bool btsnoop_read_hci(struct btsnoop *btsnoop, struct timeval *tv, return false; } + if (toread == 0) { + btsnoop->aborted = true; + return false; + } + len = read(btsnoop->fd, data, toread); if (len < 0) { btsnoop->aborted = true; From patchwork Mon Aug 5 14:06:46 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 13753669 Received: from relay7-d.mail.gandi.net (relay7-d.mail.gandi.net [217.70.183.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9A5361384B3 for ; Mon, 5 Aug 2024 14:08:45 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.200 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1722866927; cv=none; b=UlgF5mgmpHYGOoCBJwog3QUUGbglOCIsOEe36XGdPLt15rScgjyDZ+Tz4uh6wNLDo4ZHMhxSd/mRMSGOce0H1EjJFo/shAia2yFuK2XC0/4USD4HXSPd0Rp/nKuxsVTGW7fj41MkWTr6pGe3bjespaWakaBR+sYYIjtFZg2lIkQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1722866927; c=relaxed/simple; bh=FGFSVpnOlly3osBhem6Z4w168jLm3SJlQEX2KRzVZwM=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=KeORl5j/COK0yxZLbWfLpFKq0D8NoIIWdFCdMMT0dxtmPn4CN3z8ir6u7yAO3fdfNXBov2ZDtQ6YXZ2I8rAUjfNsvRtkZUpBiJIbEf+ViGFLdL+IIHjlFKP0eSXyLfZFKrURmh3PA7MNPuOhvoGxq6U3rtfrnRAUw07A4g6esRs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.200 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id CCB5D20010; Mon, 5 Aug 2024 14:08:43 +0000 (UTC) 
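Review bot: in [BlueZ 7/8] the second `toread == 0` check just before read() looks redundant with the `toread < 1` rejection added at the top of btsnoop_read_hci(); if it is there to cover the decrement of `toread` at btsnoop.c:556 that Coverity cites, a one-line comment saying so would stop the next reader from deleting either check as duplicate. If a record whose length field is exactly 1 is valid in the format, note that after that decrement it now aborts the read (`btsnoop->aborted = true`) rather than yielding an empty packet, so it is worth confirming that this is the intended handling.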
From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ 8/8] monitor: Check for possible integer underflow Date: Mon, 5 Aug 2024 16:06:46 +0200 Message-ID: <20240805140840.1606239-9-hadess@hadess.net> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240805140840.1606239-1-hadess@hadess.net> References: <20240805140840.1606239-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Error: INTEGER_OVERFLOW (CWE-190): [#def4] [important] bluez-5.77/monitor/control.c:1094:2: tainted_data_return: Called function "recv(data->fd, data->buf + data->offset, 1490UL - data->offset, MSG_DONTWAIT)", and a possible return value may be less than zero. bluez-5.77/monitor/control.c:1094:2: assign: Assigning: "len" = "recv(data->fd, data->buf + data->offset, 1490UL - data->offset, MSG_DONTWAIT)". bluez-5.77/monitor/control.c:1099:2: overflow: The expression "data->offset" is considered to have possibly overflowed. bluez-5.77/monitor/control.c:1115:3: overflow: The expression "data->offset -= pktlen + 6" is deemed overflowed because at least one of its arguments has overflowed. bluez-5.77/monitor/control.c:1118:4: overflow_sink: "data->offset", which might have underflowed, is passed to "memmove(data->buf, data->buf + 6 + pktlen, data->offset)". [Note: The source code implementation of the function has been overridden by a builtin model.] 1116| 1117| if (data->offset > 0) 1118|-> memmove(data->buf, data->buf + MGMT_HDR_SIZE + pktlen, 1119| data->offset); 1120| } --- monitor/control.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/monitor/control.c b/monitor/control.c index 009cf15209f0..62857b4b84de 100644 --- a/monitor/control.c +++ b/monitor/control.c @@ -18,6 +18,7 @@ #include #include #include +#include #include #include #include 
@@ -1091,9 +1092,14 @@ static void client_callback(int fd, uint32_t events, void *user_data) return; } + if (sizeof(data->buf) <= data->offset) + return; + len = recv(data->fd, data->buf + data->offset, sizeof(data->buf) - data->offset, MSG_DONTWAIT); - if (len < 0) + if (len < 0 || + len > UINT16_MAX || + UINT16_MAX - data->offset > len) return; data->offset += len;
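Review bot: in [BlueZ 8/8] the third condition in client_callback() is inverted: `UINT16_MAX - data->offset > len` is true whenever the headroom below UINT16_MAX exceeds `len`, which is the normal case for a 1490-byte buffer, so the callback returns and drops nearly every packet it receives. The overflow test should be `len > UINT16_MAX - data->offset`, or, clearer, `data->offset + len > sizeof(data->buf)`. With the new `sizeof(data->buf) <= data->offset` guard in place and recv() returning at most `sizeof(data->buf) - data->offset`, `data->offset + len` can never exceed 1490, so once the inversion is fixed the UINT16_MAX checks are unreachable and could go. Separately, the early return on a full buffer leaves `data->offset` at the limit with nothing draining it, so every later event on that fd hits the same return; resetting the offset or closing the client there is needed for the connection to make progress.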