From: Dan Carpenter <dan.carpenter@oracle.com>
To: kbuild@01.org, Tomas Bortoli <tomasbortoli@gmail.com>
Cc: kbuild-all@01.org, marcel@holtmann.org, johan.hedberg@gmail.com,
	davem@davemloft.net, linux-bluetooth@vger.kernel.org,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
	syzkaller@googlegroups.com,
	Tomas Bortoli <tomasbortoli@gmail.com>
Subject: Re: [PATCH] net/bluetooth: Fix bound check in event handling
Date: Mon, 4 Mar 2019 18:04:19 +0300	[thread overview]
Message-ID: <20190304150419.GC13452@kadam> (raw)
In-Reply-To: <20190228195939.30685-1-tomasbortoli@gmail.com>

Hi Tomas,

url:    https://github.com/0day-ci/linux/commits/Tomas-Bortoli/net-bluetooth-Fix-bound-check-in-event-handling/20190301-213647
base:   https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git master

smatch warnings:
net/bluetooth/hci_event.c:3986 hci_inquiry_result_with_rssi_evt() warn: potential pointer math issue ('info' is a 120 bit pointer)

# https://github.com/0day-ci/linux/commit/00305742c021794f147b348d45eb10ea26e5a514
git remote add linux-review https://github.com/0day-ci/linux
git remote update linux-review
git checkout 00305742c021794f147b348d45eb10ea26e5a514
vim +3986 net/bluetooth/hci_event.c

a9de9248 Marcel Holtmann 2007-10-20  3979  	if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
138d22ef Szymon Janc     2011-02-17  3980  		struct inquiry_info_with_rssi_and_pscan_mode *info;
                                                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

138d22ef Szymon Janc     2011-02-17  3981  		info = (void *) (skb->data + 1);
a9de9248 Marcel Holtmann 2007-10-20  3982  
e17acd40 Johan Hedberg   2011-03-30  3983  		for (; num_rsp; num_rsp--, info++) {
af58925c Marcel Holtmann 2014-07-01  3984  			u32 flags;
af58925c Marcel Holtmann 2014-07-01  3985  
00305742 Tomas Bortoli   2019-02-28 @3986  			if ((void *)(info + sizeof(info)) >
                                                                             ^^^^^^^^^^^^^^^^^^^
This is a pointer math bug.  The options to fix it are:

		if ((void *)info + sizeof(info) >

Or:
		if ((void *)(info + 1) >


00305742 Tomas Bortoli   2019-02-28  3987  			   (void *)(skb->data + skb->len))
00305742 Tomas Bortoli   2019-02-28  3988  				break;
00305742 Tomas Bortoli   2019-02-28  3989  
a9de9248 Marcel Holtmann 2007-10-20  3990  			bacpy(&data.bdaddr, &info->bdaddr);
a9de9248 Marcel Holtmann 2007-10-20  3991  			data.pscan_rep_mode	= info->pscan_rep_mode;
a9de9248 Marcel Holtmann 2007-10-20  3992  			data.pscan_period_mode	= info->pscan_period_mode;
a9de9248 Marcel Holtmann 2007-10-20  3993  			data.pscan_mode		= info->pscan_mode;
a9de9248 Marcel Holtmann 2007-10-20  3994  			memcpy(data.dev_class, info->dev_class, 3);
a9de9248 Marcel Holtmann 2007-10-20  3995  			data.clock_offset	= info->clock_offset;
a9de9248 Marcel Holtmann 2007-10-20  3996  			data.rssi		= info->rssi;
41a96212 Marcel Holtmann 2008-07-14  3997  			data.ssp_mode		= 0x00;
3175405b Johan Hedberg   2012-01-04  3998  

regards,
dan carpenter

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation
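An added example (not kernel code and not from this thread) that mirrors the loop above with a constructed 15-byte stand-in for `struct inquiry_info_with_rssi_and_pscan_mode`, showing why `info + sizeof(info)` steps by pointer-size records rather than one record, and using `sizeof(*info)` for the byte count in the correct form; the earlier `(skb->len - 1) / num_rsp` dispatch is omitted.

```c
/* Added example: a stand-in for the HCI inquiry-result parsing loop, not kernel code. */
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for struct inquiry_info_with_rssi_and_pscan_mode (15 bytes, packed). */
struct inq_info_pscan {
    uint8_t  bdaddr[6];
    uint8_t  pscan_rep_mode;
    uint8_t  pscan_period_mode;
    uint8_t  pscan_mode;
    uint8_t  dev_class[3];
    uint16_t clock_offset;
    int8_t   rssi;
} __attribute__((packed));

/* Bytes the bound check demands beyond 'info'. The expression
 * info + sizeof(info) advances by sizeof(info) *elements* (the pointer size,
 * 8 on 64-bit), i.e. sizeof(info) * sizeof(*info) bytes, not one record. */
size_t check_stride(int as_patched)
{
    const struct inq_info_pscan *info = NULL;
    return as_patched ? sizeof(info) * sizeof(*info) : sizeof(*info);
}

/* Walk an event payload laid out as [num_rsp][record]... and return how many
 * records the loop accepts before the bound check stops it. */
int parse_results(const uint8_t *data, size_t len, int as_patched)
{
    if (len < 1)
        return 0;
    const uint8_t *end = data + len;
    const struct inq_info_pscan *info = (const void *)(data + 1);
    ptrdiff_t need = (ptrdiff_t)check_stride(as_patched);
    int num_rsp = data[0], parsed = 0;

    for (; num_rsp; num_rsp--, info++) {
        /* Same test as '(void *)(info + step) > end', done on byte distances
         * so the demonstration never forms an out-of-bounds pointer itself. */
        if (end - (const uint8_t *)info < need)
            break;
        parsed++; /* the real loop copies the fields into 'data' here */
    }
    return parsed;
}
```

With three well-formed records the patched check rejects every one of them, since it demands room for eight records (on 64-bit) ahead of `info`; the one-record form accepts all three and stops only when the payload is actually truncated.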
