From patchwork Mon Aug 5 14:06:40 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 816837 Received: from relay7-d.mail.gandi.net (relay7-d.mail.gandi.net [217.70.183.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CFD067D40D for ; Mon, 5 Aug 2024 14:08:43 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.200 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1722866926; cv=none; b=mOnhL8S7y9e0KJ5qMC+E+JO8+yedlwtfateg8ZtDQ8Uw3RSA5DWWFXa2gclneI7sF2FBYaC//v7AKalpxzZteOYtlL8ms3JA+NyY/dMIugtK/bRdBQWsPX/qiRtIunQifYjR+5J4a7YaPHA1Za5K/6Ir1k4X2AF9VcboV12M1U0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1722866926; c=relaxed/simple; bh=BdTQ8LZ6jZWoM+L9qDs8wG+nWa8UVCk+Cx+c7JD4cA8=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=Up3gDZPv2yU1OWj3qAUPtA9bWe53ulQNoLqkxU1aJcPq90uqa0GIdi57j0hX7cP+UWK5t9ghBMsDANrGKIucvg1LYso/0nTvWx6RW4epmO2KtYVI9Q2FuhwYHzCFG8SGmfcP5T9xCg0BEKLkRk9Jtsbz+Ml4BHPpckmAiUcjojs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.200 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id 0653920005; Mon, 5 Aug 2024 14:08:41 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ 2/8] tools/isotest: Ensure ret doesn't overflow Date: Mon, 5 Aug 2024 16:06:40 +0200 Message-ID: <20240805140840.1606239-3-hadess@hadess.net> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240805140840.1606239-1-hadess@hadess.net> References: <20240805140840.1606239-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Error: INTEGER_OVERFLOW (CWE-190): [#def20] [important] bluez-5.77/tools/isotest.c:778:2: tainted_data_argument: The check "ret < count" contains the tainted expression "ret" which causes "count" to be considered tainted. bluez-5.77/tools/isotest.c:779:3: overflow: The expression "count - ret" is deemed overflowed because at least one of its arguments has overflowed. bluez-5.77/tools/isotest.c:779:3: overflow_sink: "count - ret", which might have underflowed, is passed to "read(fd, buf + ret, count - ret)". [Note: The source code implementation of the function has been overridden by a builtin model.] 777| 778| while (ret < count) { 779|-> len = read(fd, buf + ret, count - ret); 780| if (len < 0) 781| return -errno; --- tools/isotest.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tools/isotest.c b/tools/isotest.c index 2cac0e49cc39..0805faa66e47 100644 --- a/tools/isotest.c +++ b/tools/isotest.c @@ -779,6 +779,8 @@ static int read_stream(int fd, ssize_t count) len = read(fd, buf + ret, count - ret); if (len < 0) return -errno; + if (len > SSIZE_MAX - ret) + return -EOVERFLOW; ret += len; usleep(1000); From patchwork Mon Aug 5 14:06:41 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 816839 Received: from relay7-d.mail.gandi.net (relay7-d.mail.gandi.net [217.70.183.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EF70280631 for ; Mon, 5 Aug 2024 14:08:43 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.200 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1722866925; cv=none; b=IYyuF7o2DiisaOo0+uSSnvE81IEK58j5ENmWk0izCbZdKKd2GYno8b1wLALJp5TD1q0KY5pyDhou2S9hEJC/Pl7Uf7hnESsYuwU0hsJTpZQQKjTSbRZMLwhSxoJKQ8/ve1Dkl6hRBasD3XAUh4bQHXjH+HA7KXXbAt6gQ7Ydb0I= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1722866925; c=relaxed/simple; bh=zK5PstR/J/SNhgoa834rHpP4N7yToufuA0WG/vN4QLY=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=G4EHgvkmVVQ68RjtCXbS0DYNGxw41aW+BvIc0tyR0Yupl+78mj1+gMBTsgbafZvMDjAQ6YFpvDD0Cw+HBk5yksDVErFUlIKWCPDR76UT1DJe0y/mxGq8SAf3WTMfOjleS43A31F4yMwzV+e0DQtzNH5B2j3UcTgOUonacPUHDwc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.200 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id 57BD420007; Mon, 5 Aug 2024 14:08:42 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ 3/8] health: mcap: Ensure sent doesn't overflow Date: Mon, 5 Aug 2024 16:06:41 +0200 Message-ID: <20240805140840.1606239-4-hadess@hadess.net> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240805140840.1606239-1-hadess@hadess.net> References: <20240805140840.1606239-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Error: INTEGER_OVERFLOW (CWE-190): [#def13] [important] bluez-5.77/profiles/health/mcap.c:390:2: tainted_data_argument: The check "sent < size" contains the tainted expression "sent" which causes "size" to be considered tainted. bluez-5.77/profiles/health/mcap.c:391:3: overflow: The expression "size - sent" is deemed overflowed because at least one of its arguments has overflowed. bluez-5.77/profiles/health/mcap.c:391:3: overflow_sink: "size - sent", which might have underflowed, is passed to "write(sock, buf_b + sent, size - sent)". 389| 390| while (sent < size) { 391|-> int n = write(sock, buf_b + sent, size - sent); 392| if (n < 0) 393| return -1; --- profiles/health/mcap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/profiles/health/mcap.c b/profiles/health/mcap.c index 2e4214a6984f..b3bf403e74d2 100644 --- a/profiles/health/mcap.c +++ b/profiles/health/mcap.c @@ -389,7 +389,7 @@ int mcap_send_data(int sock, const void *buf, uint32_t size) while (sent < size) { int n = write(sock, buf_b + sent, size - sent); - if (n < 0) + if (n < 0 || n > SSIZE_MAX - sent) return -1; sent += n; } From patchwork Mon Aug 5 14:06:43 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 816838 Received: from relay7-d.mail.gandi.net (relay7-d.mail.gandi.net [217.70.183.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7AE53811E2 for ; Mon, 5 Aug 2024 14:08:44 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.200 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1722866926; cv=none; b=gcV4W70F4k5x1xoXWfD8jZedj3fEBnW2giE7HM0aePxSo+/DDW/K9QSpFtVE9qZiTlzzwupPwWlNQU5gfoUj5TAbIaCksv4j50eHSVnzvFFNdYJd2NHOR32eDrOovWxOwfZYTFnprX7Y4yHde8aDgoytSMf/BsVRJ4etHHxNVVc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1722866926; c=relaxed/simple; bh=6JFpXQZQ2Yvc8eAxLEiavBKVbaEu54L4ygtUbbkzmxA=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=kkvBbKkQqhX9ITwDvWDTCWY7DKJgE1IGREl2SDUMltIKRop5eCHQ6yeK+PVNzYsfAWi41oBoS0c11BPBPYxDmcUJeoqOXx3RlcJWqAJVjYAgCIx+PFnkv4MR/31BUHQSaUsppFSWACfyk+6mhfHELBiqxLiWVSKuwxu+eC+UUnI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.200 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id E2C0B20009; Mon, 5 Aug 2024 14:08:42 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ 5/8] mesh: Fix possible integer overflow Date: Mon, 5 Aug 2024 16:06:43 +0200 Message-ID: <20240805140840.1606239-6-hadess@hadess.net> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240805140840.1606239-1-hadess@hadess.net> References: <20240805140840.1606239-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Error: INTEGER_OVERFLOW (CWE-190): [#def1] [important] bluez-5.77/mesh/net.c:3164:4: cast_overflow: Truncation due to cast operation on "msg->len - seg_off" from 32 to 8 bits. bluez-5.77/mesh/net.c:3164:4: overflow_assign: "seg_len" is assigned from "msg->len - seg_off". bluez-5.77/mesh/net.c:3178:2: overflow_sink: "seg_len", which might have overflowed, is passed to "mesh_crypto_packet_build(false, msg->ttl, seq_num, msg->src, msg->remote, 0, msg->segmented, msg->key_aid, msg->szmic, false, msg->seqZero, segO, segN, msg->buf + seg_off, seg_len, packet + 1, &packet_len)". 3176| 3177| /* TODO: Are we RXing on an LPN's behalf? Then set RLY bit */ 3178|-> if (!mesh_crypto_packet_build(false, msg->ttl, seq_num, msg->src, 3179| msg->remote, 0, msg->segmented, 3180| msg->key_aid, msg->szmic, false, X --- mesh/net.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/mesh/net.c b/mesh/net.c index 05ca48326fc5..ef6a3133859a 100644 --- a/mesh/net.c +++ b/mesh/net.c @@ -3149,13 +3149,22 @@ static bool send_seg(struct mesh_net *net, uint8_t cnt, uint16_t interval, uint32_t seq_num; if (msg->segmented) { + if (msg->len < seg_off) { + l_error("Failed to build packet"); + return false; + } /* Send each segment on unique seq_num */ seq_num = mesh_net_next_seq_num(net); - if (msg->len - seg_off > SEG_OFF(1)) + if (msg->len - seg_off > SEG_OFF(1)) { seg_len = SEG_OFF(1); - else + } else { + if (msg->len - seg_off > UINT8_MAX) { + l_error("Failed to build packet"); + return false; + } seg_len = msg->len - seg_off; + } } else { /* Send on same seq_num used for Access Layer */ seq_num = msg->seqAuth; From patchwork Mon Aug 5 14:06:46 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 816836 Received: from relay7-d.mail.gandi.net (relay7-d.mail.gandi.net [217.70.183.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9A5361384B3 for ; Mon, 5 Aug 2024 14:08:45 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.200 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1722866927; cv=none; b=UlgF5mgmpHYGOoCBJwog3QUUGbglOCIsOEe36XGdPLt15rScgjyDZ+Tz4uh6wNLDo4ZHMhxSd/mRMSGOce0H1EjJFo/shAia2yFuK2XC0/4USD4HXSPd0Rp/nKuxsVTGW7fj41MkWTr6pGe3bjespaWakaBR+sYYIjtFZg2lIkQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1722866927; c=relaxed/simple; bh=FGFSVpnOlly3osBhem6Z4w168jLm3SJlQEX2KRzVZwM=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=KeORl5j/COK0yxZLbWfLpFKq0D8NoIIWdFCdMMT0dxtmPn4CN3z8ir6u7yAO3fdfNXBov2ZDtQ6YXZ2I8rAUjfNsvRtkZUpBiJIbEf+ViGFLdL+IIHjlFKP0eSXyLfZFKrURmh3PA7MNPuOhvoGxq6U3rtfrnRAUw07A4g6esRs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.200 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id CCB5D20010; Mon, 5 Aug 2024 14:08:43 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ 8/8] monitor: Check for possible integer underflow Date: Mon, 5 Aug 2024 16:06:46 +0200 Message-ID: <20240805140840.1606239-9-hadess@hadess.net> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240805140840.1606239-1-hadess@hadess.net> References: <20240805140840.1606239-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Error: INTEGER_OVERFLOW (CWE-190): [#def4] [important] bluez-5.77/monitor/control.c:1094:2: tainted_data_return: Called function "recv(data->fd, data->buf + data->offset, 1490UL - data->offset, MSG_DONTWAIT)", and a possible return value may be less than zero. bluez-5.77/monitor/control.c:1094:2: assign: Assigning: "len" = "recv(data->fd, data->buf + data->offset, 1490UL - data->offset, MSG_DONTWAIT)". bluez-5.77/monitor/control.c:1099:2: overflow: The expression "data->offset" is considered to have possibly overflowed. bluez-5.77/monitor/control.c:1115:3: overflow: The expression "data->offset -= pktlen + 6" is deemed overflowed because at least one of its arguments has overflowed. bluez-5.77/monitor/control.c:1118:4: overflow_sink: "data->offset", which might have underflowed, is passed to "memmove(data->buf, data->buf + 6 + pktlen, data->offset)". [Note: The source code implementation of the function has been overridden by a builtin model.] 1116| 1117| if (data->offset > 0) 1118|-> memmove(data->buf, data->buf + MGMT_HDR_SIZE + pktlen, 1119| data->offset); 1120| } --- monitor/control.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/monitor/control.c b/monitor/control.c index 009cf15209f0..62857b4b84de 100644 --- a/monitor/control.c +++ b/monitor/control.c @@ -18,6 +18,7 @@ #include #include #include +#include #include #include #include @@ -1091,9 +1092,14 @@ static void client_callback(int fd, uint32_t events, void *user_data) return; } + if (sizeof(data->buf) <= data->offset) + return; + len = recv(data->fd, data->buf + data->offset, sizeof(data->buf) - data->offset, MSG_DONTWAIT); - if (len < 0) + if (len < 0 || + len > UINT16_MAX || + UINT16_MAX - data->offset > len) return; data->offset += len;