| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 4 Mar 2019 20:58:51 +0100
From: Tomas Bortoli <tomasbortoli@...il.com>
To: Dan Carpenter <dan.carpenter@...cle.com>, kbuild@...org
Cc: kbuild-all@...org, marcel@...tmann.org, johan.hedberg@...il.com,
davem@...emloft.net, linux-bluetooth@...r.kernel.org,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
syzkaller@...glegroups.com
Subject: Re: [PATCH] net/bluetooth: Fix bound check in event handling
Hi Dan,
On 3/4/19 4:04 PM, Dan Carpenter wrote:
> Hi Tomas,
>
> url: https://github.com/0day-ci/linux/commits/Tomas-Bortoli/net-bluetooth-Fix-bound-check-in-event-handling/20190301-213647
> base: https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git master
>
> smatch warnings:
> net/bluetooth/hci_event.c:3986 hci_inquiry_result_with_rssi_evt() warn: potential pointer math issue ('info' is a 120 bit pointer)
>
> # https://github.com/0day-ci/linux/commit/00305742c021794f147b348d45eb10ea26e5a514
> git remote add linux-review https://github.com/0day-ci/linux
> git remote update linux-review
> git checkout 00305742c021794f147b348d45eb10ea26e5a514
> vim +3986 net/bluetooth/hci_event.c
>
> a9de9248 Marcel Holtmann 2007-10-20 3979 if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
> 138d22ef Szymon Janc 2011-02-17 3980 struct inquiry_info_with_rssi_and_pscan_mode *info;
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> 138d22ef Szymon Janc 2011-02-17 3981 info = (void *) (skb->data + 1);
> a9de9248 Marcel Holtmann 2007-10-20 3982
> e17acd40 Johan Hedberg 2011-03-30 3983 for (; num_rsp; num_rsp--, info++) {
> af58925c Marcel Holtmann 2014-07-01 3984 u32 flags;
> af58925c Marcel Holtmann 2014-07-01 3985
> 00305742 Tomas Bortoli 2019-02-28 @3986 if ((void *)(info + sizeof(info)) >
> ^^^^^^^^^^^^^^^^^^^
> This is a pointer math bug. The options to fix it are:
>
> if ((void *)info + sizeof(info) >
Yes, also sizeof(info) should be sizeof(*info)..
>
> Or:
> if ((void *)(info + 1) >
>
>
> 00305742 Tomas Bortoli 2019-02-28 3987 (void *)(skb->data + skb->len))
> 00305742 Tomas Bortoli 2019-02-28 3988 break;
> 00305742 Tomas Bortoli 2019-02-28 3989
> a9de9248 Marcel Holtmann 2007-10-20 3990 bacpy(&data.bdaddr, &info->bdaddr);
> a9de9248 Marcel Holtmann 2007-10-20 3991 data.pscan_rep_mode = info->pscan_rep_mode;
> a9de9248 Marcel Holtmann 2007-10-20 3992 data.pscan_period_mode = info->pscan_period_mode;
> a9de9248 Marcel Holtmann 2007-10-20 3993 data.pscan_mode = info->pscan_mode;
> a9de9248 Marcel Holtmann 2007-10-20 3994 memcpy(data.dev_class, info->dev_class, 3);
> a9de9248 Marcel Holtmann 2007-10-20 3995 data.clock_offset = info->clock_offset;
> a9de9248 Marcel Holtmann 2007-10-20 3996 data.rssi = info->rssi;
> 41a96212 Marcel Holtmann 2008-07-14 3997 data.ssp_mode = 0x00;
> 3175405b Johan Hedberg 2012-01-04 3998
>
> regards,
> dan carpenter
>
> ---
> 0-DAY kernel test infrastructure Open Source Technology Center
> https://lists.01.org/pipermail/kbuild-all Intel Corporation
>
regards,
Tomas
Powered by blists - more mailing lists