| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 30 Mar 2019 23:37:19 +0100
From: Tomas Bortoli <tomasbortoli@...il.com>
To: Dan Carpenter <dan.carpenter@...cle.com>, kbuild@...org
Cc: kbuild-all@...org, marcel@...tmann.org, johan.hedberg@...il.com,
davem@...emloft.net, linux-bluetooth@...r.kernel.org,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
syzkaller@...glegroups.com
Subject: Re: [PATCH] net/bluetooth: Fix bound check in event handling
Hi Dan,
On 3/30/19 8:17 AM, Dan Carpenter wrote:
> [ This is an old warning. Sorry for missing it earlier. I would have
> caught it when the code was merged as well so there was no real risk
> but it's just awkward. ]
>
> Hi Tomas,
>
> url: https://github.com/0day-ci/linux/commits/Tomas-Bortoli/net-bluetooth-Fix-bound-check-in-event-handling/20190301-213647
> base: https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git master
>
> smatch warnings:
> net/bluetooth/hci_event.c:3986 hci_inquiry_result_with_rssi_evt() warn: potential pointer math issue ('info' is a 120 bit pointer)
>
> # https://github.com/0day-ci/linux/commit/00305742c021794f147b348d45eb10ea26e5a514
> git remote add linux-review https://github.com/0day-ci/linux
> git remote update linux-review
> git checkout 00305742c021794f147b348d45eb10ea26e5a514
> vim +3986 net/bluetooth/hci_event.c
>
> 6039aa73 Gustavo Padovan 2012-05-23 3963 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,
> 807deac2 Gustavo Padovan 2012-05-17 3964 struct sk_buff *skb)
> a9de9248 Marcel Holtmann 2007-10-20 3965 {
> a9de9248 Marcel Holtmann 2007-10-20 3966 struct inquiry_data data;
> a9de9248 Marcel Holtmann 2007-10-20 3967 int num_rsp = *((__u8 *) skb->data);
> a9de9248 Marcel Holtmann 2007-10-20 3968
> a9de9248 Marcel Holtmann 2007-10-20 3969 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
> a9de9248 Marcel Holtmann 2007-10-20 3970
> a9de9248 Marcel Holtmann 2007-10-20 3971 if (!num_rsp)
> a9de9248 Marcel Holtmann 2007-10-20 3972 return;
> a9de9248 Marcel Holtmann 2007-10-20 3973
> d7a5a11d Marcel Holtmann 2015-03-13 3974 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
> 1519cc17 Andre Guedes 2012-03-21 3975 return;
> 1519cc17 Andre Guedes 2012-03-21 3976
> a9de9248 Marcel Holtmann 2007-10-20 3977 hci_dev_lock(hdev);
> a9de9248 Marcel Holtmann 2007-10-20 3978
> a9de9248 Marcel Holtmann 2007-10-20 3979 if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
> 138d22ef Szymon Janc 2011-02-17 3980 struct inquiry_info_with_rssi_and_pscan_mode *info;
> 138d22ef Szymon Janc 2011-02-17 3981 info = (void *) (skb->data + 1);
> a9de9248 Marcel Holtmann 2007-10-20 3982
> e17acd40 Johan Hedberg 2011-03-30 3983 for (; num_rsp; num_rsp--, info++) {
> af58925c Marcel Holtmann 2014-07-01 3984 u32 flags;
> af58925c Marcel Holtmann 2014-07-01 3985
> 00305742 Tomas Bortoli 2019-02-28 @3986 if ((void *)(info + sizeof(info)) >
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> This should be (void *)info + sizeof(info). The code you have will
> break for valid uses because the pointer math error. I notice that
> this isn't merged into linux-next, but it does seem required. I am
> writing a similar fix for a different function.
>
> Another way to write this would be:
>
> if ((u8 *)(info + 1) > &skb->data[skb->len]) {
Yeah it hasn't been accepted afaik. Why just + 1 ? Also,
&skb->data[skb->len] is right after the last byte so the > should rather
be a >=, I think.
your code looks better (as per pointer casting) but is logically
different from what I proposed with v2:
https://lkml.org/lkml/2019/3/4/892
I think the bound check should validate that there is enough data from
the info pointer to read an entire struct
inquiry_info_with_rssi_and_pscan_mode.
Best regards,
Tomas
Powered by blists - more mailing lists