lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Sat, 30 Mar 2019 11:23:10 +0300
From:   Dan Carpenter <dan.carpenter@...cle.com>
To:     kbuild@...org, Tomas Bortoli <tomasbortoli@...il.com>
Cc:     johan.hedberg@...il.com, netdev@...r.kernel.org,
        marcel@...tmann.org, linux-kernel@...r.kernel.org,
        linux-bluetooth@...r.kernel.org, syzkaller@...glegroups.com,
        kbuild-all@...org, davem@...emloft.net
Subject: Re: [kbuild] [PATCH] net/bluetooth: Fix bound check in event handling

On Sat, Mar 30, 2019 at 10:17:57AM +0300, Dan Carpenter wrote:
> [ This is an old warning.  Sorry for missing it earlier.  I would have
>   caught it when the code was merged as well so there was no real risk
>   but it's just awkward.  ]
> 
> Hi Tomas,
> 
> url:    https://github.com/0day-ci/linux/commits/Tomas-Bortoli/net-bluetooth-Fix-bound-check-in-event-handling/20190301-213647
> base:   https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git master
> 
> smatch warnings:
> net/bluetooth/hci_event.c:3986 hci_inquiry_result_with_rssi_evt() warn: potential pointer math issue ('info' is a 120 bit pointer)
> 
> # https://github.com/0day-ci/linux/commit/00305742c021794f147b348d45eb10ea26e5a514
> git remote add linux-review https://github.com/0day-ci/linux
> git remote update linux-review
> git checkout 00305742c021794f147b348d45eb10ea26e5a514
> vim +3986 net/bluetooth/hci_event.c
> 
> 6039aa73 Gustavo Padovan 2012-05-23  3963  static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,
> 807deac2 Gustavo Padovan 2012-05-17  3964  					     struct sk_buff *skb)
> a9de9248 Marcel Holtmann 2007-10-20  3965  {
> a9de9248 Marcel Holtmann 2007-10-20  3966  	struct inquiry_data data;
> a9de9248 Marcel Holtmann 2007-10-20  3967  	int num_rsp = *((__u8 *) skb->data);
> a9de9248 Marcel Holtmann 2007-10-20  3968  
> a9de9248 Marcel Holtmann 2007-10-20  3969  	BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
> a9de9248 Marcel Holtmann 2007-10-20  3970  
> a9de9248 Marcel Holtmann 2007-10-20  3971  	if (!num_rsp)
> a9de9248 Marcel Holtmann 2007-10-20  3972  		return;
> a9de9248 Marcel Holtmann 2007-10-20  3973  
> d7a5a11d Marcel Holtmann 2015-03-13  3974  	if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
> 1519cc17 Andre Guedes    2012-03-21  3975  		return;
> 1519cc17 Andre Guedes    2012-03-21  3976  
> a9de9248 Marcel Holtmann 2007-10-20  3977  	hci_dev_lock(hdev);
> a9de9248 Marcel Holtmann 2007-10-20  3978  
> a9de9248 Marcel Holtmann 2007-10-20  3979  	if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
> 138d22ef Szymon Janc     2011-02-17  3980  		struct inquiry_info_with_rssi_and_pscan_mode *info;
> 138d22ef Szymon Janc     2011-02-17  3981  		info = (void *) (skb->data + 1);
> a9de9248 Marcel Holtmann 2007-10-20  3982  
> e17acd40 Johan Hedberg   2011-03-30  3983  		for (; num_rsp; num_rsp--, info++) {
> af58925c Marcel Holtmann 2014-07-01  3984  			u32 flags;
> af58925c Marcel Holtmann 2014-07-01  3985  
> 00305742 Tomas Bortoli   2019-02-28 @3986  			if ((void *)(info + sizeof(info)) >
>                                                                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> This should be (void *)info + sizeof(info).  The code you have will
                                ^^^^^^^^^^^^
				sizeof(*info)
Sorry...

regards,
dan carpenter

Powered by blists - more mailing lists