From: Dan Carpenter <dan.carpenter@oracle.com>
To: kbuild@01.org, Tomas Bortoli <tomasbortoli@gmail.com>
Cc: kbuild-all@01.org, marcel@holtmann.org, johan.hedberg@gmail.com,
davem@davemloft.net, linux-bluetooth@vger.kernel.org,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
syzkaller@googlegroups.com,
Tomas Bortoli <tomasbortoli@gmail.com>
Subject: Re: [PATCH] net/bluetooth: Fix bound check in event handling
Date: Sat, 30 Mar 2019 10:17:57 +0300
Message-ID: <20190330071757.GU32613@kadam>
In-Reply-To: <20190228195939.30685-1-tomasbortoli@gmail.com>
[ This is an old warning. Sorry for missing it earlier. I would have
caught it when the code was merged as well so there was no real risk
but it's just awkward. ]
Hi Tomas,
url: https://github.com/0day-ci/linux/commits/Tomas-Bortoli/net-bluetooth-Fix-bound-check-in-event-handling/20190301-213647
base: https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git master
smatch warnings:
net/bluetooth/hci_event.c:3986 hci_inquiry_result_with_rssi_evt() warn: potential pointer math issue ('info' is a 120 bit pointer)
# https://github.com/0day-ci/linux/commit/00305742c021794f147b348d45eb10ea26e5a514
git remote add linux-review https://github.com/0day-ci/linux
git remote update linux-review
git checkout 00305742c021794f147b348d45eb10ea26e5a514
vim +3986 net/bluetooth/hci_event.c
6039aa73 Gustavo Padovan 2012-05-23 3963 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,
807deac2 Gustavo Padovan 2012-05-17 3964 					       struct sk_buff *skb)
a9de9248 Marcel Holtmann 2007-10-20 3965 {
a9de9248 Marcel Holtmann 2007-10-20 3966 	struct inquiry_data data;
a9de9248 Marcel Holtmann 2007-10-20 3967 	int num_rsp = *((__u8 *) skb->data);
a9de9248 Marcel Holtmann 2007-10-20 3968 
a9de9248 Marcel Holtmann 2007-10-20 3969 	BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
a9de9248 Marcel Holtmann 2007-10-20 3970 
a9de9248 Marcel Holtmann 2007-10-20 3971 	if (!num_rsp)
a9de9248 Marcel Holtmann 2007-10-20 3972 		return;
a9de9248 Marcel Holtmann 2007-10-20 3973 
d7a5a11d Marcel Holtmann 2015-03-13 3974 	if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
1519cc17 Andre Guedes 2012-03-21 3975 		return;
1519cc17 Andre Guedes 2012-03-21 3976 
a9de9248 Marcel Holtmann 2007-10-20 3977 	hci_dev_lock(hdev);
a9de9248 Marcel Holtmann 2007-10-20 3978 
a9de9248 Marcel Holtmann 2007-10-20 3979 	if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
138d22ef Szymon Janc 2011-02-17 3980 		struct inquiry_info_with_rssi_and_pscan_mode *info;
138d22ef Szymon Janc 2011-02-17 3981 		info = (void *) (skb->data + 1);
a9de9248 Marcel Holtmann 2007-10-20 3982 
e17acd40 Johan Hedberg 2011-03-30 3983 		for (; num_rsp; num_rsp--, info++) {
af58925c Marcel Holtmann 2014-07-01 3984 			u32 flags;
af58925c Marcel Holtmann 2014-07-01 3985 
00305742 Tomas Bortoli 2019-02-28 @3986 			if ((void *)(info + sizeof(info)) >
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This should be (void *)info + sizeof(info). The code you have will
break for valid uses because of the pointer math error. I notice that
this isn't merged into linux-next, but it does seem required. I am
writing a similar fix for a different function.

Another way to write this would be:

	if ((u8 *)(info + 1) > &skb->data[skb->len]) {
00305742 Tomas Bortoli 2019-02-28 3987 			    (void *)(skb->data + skb->len))
00305742 Tomas Bortoli 2019-02-28 3988 				break;
00305742 Tomas Bortoli 2019-02-28 3989 
a9de9248 Marcel Holtmann 2007-10-20 3990 			bacpy(&data.bdaddr, &info->bdaddr);
a9de9248 Marcel Holtmann 2007-10-20 3991 			data.pscan_rep_mode = info->pscan_rep_mode;
a9de9248 Marcel Holtmann 2007-10-20 3992 			data.pscan_period_mode = info->pscan_period_mode;
a9de9248 Marcel Holtmann 2007-10-20 3993 			data.pscan_mode = info->pscan_mode;
a9de9248 Marcel Holtmann 2007-10-20 3994 			memcpy(data.dev_class, info->dev_class, 3);
a9de9248 Marcel Holtmann 2007-10-20 3995 			data.clock_offset = info->clock_offset;
a9de9248 Marcel Holtmann 2007-10-20 3996 			data.rssi = info->rssi;
41a96212 Marcel Holtmann 2008-07-14 3997 			data.ssp_mode = 0x00;
3175405b Johan Hedberg 2012-01-04 3998 
af58925c Marcel Holtmann 2014-07-01 3999 			flags = hci_inquiry_cache_update(hdev, &data, false);
af58925c Marcel Holtmann 2014-07-01 4000 
48264f06 Johan Hedberg 2011-11-09 4001 			mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
e17acd40 Johan Hedberg 2011-03-30 4002 					  info->dev_class, info->rssi,
af58925c Marcel Holtmann 2014-07-01 4003 					  flags, NULL, 0, NULL, 0);
a9de9248 Marcel Holtmann 2007-10-20 4004 		}
a9de9248 Marcel Holtmann 2007-10-20 4005 	} else {
---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation
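The pointer-math mistake the smatch warning points at, worked through on a constructed buffer. This is an added example, not code from Dan's mail or from the kernel tree: `struct rec` is a stand-in modelled on the 15-byte packed `inquiry_info_with_rssi_and_pscan_mode` record (the field list is an assumption here), `parse_records` and `run_case` are hypothetical names, and the payload bytes are filler. The two `check_kind` variants evaluate, as byte offsets, what `(u8 *)(info + 1) > &skb->data[skb->len]` and `(void *)(info + sizeof(info)) > skb->data + skb->len` actually compare, so the buggy form can be measured without ever forming an out-of-bounds pointer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed mirror of the 15-byte packed record parsed in the
 * pscan_mode branch of hci_inquiry_result_with_rssi_evt(). The field
 * list is modelled on the kernel header but is an assumption here. */
struct rec {
	uint8_t bdaddr[6];
	uint8_t pscan_rep_mode;
	uint8_t pscan_period_mode;
	uint8_t pscan_mode;
	uint8_t dev_class[3];
	uint8_t clock_offset[2];
	int8_t  rssi;
} __attribute__((packed));

enum check_kind {
	CHECK_CORRECT,	/* (u8 *)(info + 1) > &skb->data[skb->len]            */
	CHECK_BUGGY	/* (void *)(info + sizeof(info)) > skb->data + skb->len */
};

/*
 * Walk an event payload laid out like skb->data: byte 0 is num_rsp,
 * then num_rsp records. Returns how many records the chosen bound
 * check lets through. Offsets are kept as size_t so the buggy
 * variant's arithmetic is evaluated without an out-of-bounds pointer.
 */
size_t parse_records(const uint8_t *data, size_t len, enum check_kind kind)
{
	size_t num_rsp, off = 1, count = 0;

	if (len < 1)
		return 0;
	num_rsp = data[0];

	for (; num_rsp; num_rsp--, off += sizeof(struct rec)) {
		size_t end;

		if (kind == CHECK_CORRECT) {
			/* end of the record we are about to read */
			end = off + sizeof(struct rec);
		} else {
			/* info + sizeof(info) scales a pointer-sized count
			 * (8 on 64-bit) by the element size: 8 * 15 = 120
			 * bytes, eight records past the one being read */
			end = off + sizeof(struct rec *) * sizeof(struct rec);
		}

		if (end > len)
			break;

		/* only now is it safe to read the record */
		struct rec r;
		memcpy(&r, data + off, sizeof r);
		(void)r;
		count++;
	}
	return count;
}

/* Build a constructed event (num_rsp header + payload_len filler
 * bytes) and parse it with the chosen check. Returns records accepted;
 * truncated and over-claimed inputs are deliberate test cases. */
size_t run_case(uint8_t num_rsp, size_t payload_len, enum check_kind kind)
{
	uint8_t buf[256];

	if (payload_len + 1 > sizeof buf)
		return 0;
	buf[0] = num_rsp;
	memset(buf + 1, 0xA5, payload_len);	/* constructed record bytes */
	return parse_records(buf, 1 + payload_len, kind);
}

int main(void)
{
	/* a valid event with eight complete records */
	printf("valid, 8 records:     correct=%zu buggy=%zu\n",
	       run_case(8, 8 * sizeof(struct rec), CHECK_CORRECT),
	       run_case(8, 8 * sizeof(struct rec), CHECK_BUGGY));
	/* num_rsp claims 3 records but only 2 are present */
	printf("truncated, 3 claimed: correct=%zu\n",
	       run_case(3, 2 * sizeof(struct rec), CHECK_CORRECT));
	return 0;
}
```

With the correct form every complete record of a valid event is accepted and a truncated event stops at the last complete record; the buggy form rejects records that are fully inside the buffer, which is the "will break for valid uses" point above.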