* [PATCH] Bluetooth: Fix a buffer overflow in mgmt_mesh_add()
@ 2022-12-12 13:08 Harshit Mogalapalli
From: Harshit Mogalapalli @ 2022-12-12 13:08 UTC (permalink / raw)
Cc: harshit.m.mogalapalli, harshit.m.mogalapalli, error27,
darren.kenny, Marcel Holtmann, Johan Hedberg,
Luiz Augusto von Dentz, David S. Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, Brian Gix, linux-bluetooth, netdev,
linux-kernel
Smatch Warning:
net/bluetooth/mgmt_util.c:375 mgmt_mesh_add() error: __memcpy()
'mesh_tx->param' too small (48 vs 50)

Analysis:

'mesh_tx->param' is array of size 48. This is the destination.
u8 param[sizeof(struct mgmt_cp_mesh_send) + 29]; // 19 + 29 = 48.

But in the caller 'mesh_send' we reject only when len > 50.
len > (MGMT_MESH_SEND_SIZE + 31) // 19 + 31 = 50.
Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh")
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
---
This is based on static analysis, I am unsure if we should put
an upper bound to len(48) instead.

This limit on length changed between v4 and v5 patches of Commit:
("Bluetooth: Implement support for Mesh") in function mesh_send()

v4: https://lore.kernel.org/all/20220511155412.740249-2-brian.gix@intel.com/
v5: https://lore.kernel.org/all/20220720194511.320773-2-brian.gix@intel.com/
---
net/bluetooth/mgmt_util.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bluetooth/mgmt_util.h b/net/bluetooth/mgmt_util.h
index 6a8b7e84293d..bdf978605d5a 100644
--- a/net/bluetooth/mgmt_util.h
+++ b/net/bluetooth/mgmt_util.h
@@ -27,7 +27,7 @@ struct mgmt_mesh_tx {
struct sock *sk;
u8 handle;
u8 instance;
- u8 param[sizeof(struct mgmt_cp_mesh_send) + 29];
+ u8 param[sizeof(struct mgmt_cp_mesh_send) + 31];
};
struct mgmt_pending_cmd {
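Review bot: the `+ 31` in this hunk closes the two-byte overrun by matching the `len > (MGMT_MESH_SEND_SIZE + 31)` check in mesh_send(), but the two bounds remain independent literals in two files (the array padding in mgmt_util.h, the check in mesh_send()), which is exactly how 29 and 31 drifted apart between v4 and v5. Suggest expressing the padding once, for example a single `#define` used both in `u8 param[...]` and in the mesh_send() comparison, or a `BUILD_BUG_ON` that ties `sizeof(((struct mgmt_mesh_tx *)0)->param)` to the mesh_send() bound so the next mismatch fails at build time. Since the copy at mgmt_util.c:375 is the instruction that actually overruns, capping it against `sizeof(mesh_tx->param)` would keep mgmt_mesh_add() safe even if a future caller loosens its check. The cover note asks whether the len bound should be lowered to 48 instead; the commit message should record that 50 is the intended maximum so readers know the buffer, not the check, was wrong.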
--
2.38.1
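As an added example, not code from this patch or from the kernel tree: a reduced C model of the two bounds the analysis above compares, written to show the pattern that stops them drifting apart. Only the size of struct mgmt_cp_mesh_send (19) is taken from the page; its layout is a constructed stand-in, and MGMT_MESH_SEND_MAX_EXTRA, MGMT_MESH_TX_PARAM_LEN, mesh_send_check_len(), mesh_tx_add(), mesh_tx_add_probe() and mesh_tx_param_len() are hypothetical names. The length check and the destination array are derived from one constant, their relationship is asserted at compile time, and the copy is capped against the destination size at run time.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint8_t u8;

/* Constructed stand-in: the page states sizeof(struct mgmt_cp_mesh_send)
 * is 19; the real field layout is not reproduced here. */
struct mgmt_cp_mesh_send {
    u8 body[19];
};
#define MGMT_MESH_SEND_SIZE sizeof(struct mgmt_cp_mesh_send)

/* Single source of truth for the bytes allowed past the fixed header.
 * Both the length check and the tx buffer derive from it (hypothetical
 * names), so they cannot diverge the way 29 and 31 did. */
#define MGMT_MESH_SEND_MAX_EXTRA 31
#define MGMT_MESH_TX_PARAM_LEN (MGMT_MESH_SEND_SIZE + MGMT_MESH_SEND_MAX_EXTRA)

struct mgmt_mesh_tx {
    u8 handle;
    u8 instance;
    u8 param[MGMT_MESH_TX_PARAM_LEN];
};

/* Compile-time guard: the copy destination must hold the largest length
 * the sender-side check accepts. A future edit to either side that breaks
 * this relationship fails the build instead of overflowing at run time. */
_Static_assert(sizeof(((struct mgmt_mesh_tx *)0)->param) ==
               MGMT_MESH_SEND_SIZE + MGMT_MESH_SEND_MAX_EXTRA,
               "mgmt_mesh_tx.param cannot hold the maximum accepted len");

/* Models the check in the sending path: reject anything over the bound. */
int mesh_send_check_len(size_t len)
{
    if (len > MGMT_MESH_SEND_SIZE + MGMT_MESH_SEND_MAX_EXTRA)
        return -EINVAL;
    return 0;
}

/* Models the copy into the tx slot. The cap against sizeof(tx->param) is
 * defense in depth: the copy stays in bounds even if a caller ever skips
 * mesh_send_check_len(). Returns bytes copied, or -EINVAL. */
int mesh_tx_add(struct mgmt_mesh_tx *tx, const void *data, size_t len)
{
    if (len > sizeof(tx->param))
        return -EINVAL;
    memcpy(tx->param, data, len);
    return (int)len;
}

/* Size of the destination array, exposed for checks and tests. */
size_t mesh_tx_param_len(void)
{
    return sizeof(((struct mgmt_mesh_tx *)0)->param);
}

/* Drives mesh_tx_add() with a constructed 0xAB-filled source of the
 * requested length so callers can probe the boundary without setting
 * up a struct themselves. */
int mesh_tx_add_probe(size_t len)
{
    struct mgmt_mesh_tx tx;
    u8 src[64]; /* constructed source, larger than any accepted len */

    memset(&tx, 0, sizeof(tx));
    memset(src, 0xAB, sizeof(src));
    if (len > sizeof(src))
        return -EINVAL;
    return mesh_tx_add(&tx, src, len);
}

int main(void)
{
    size_t lens[] = { 48, 50, 51 };
    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
        printf("len=%zu check=%d copy=%d (param holds %zu)\n", lens[i],
               mesh_send_check_len(lens[i]), mesh_tx_add_probe(lens[i]),
               mesh_tx_param_len());
    }
    return 0;
}
```

With the constants above, len 50 passes both the sender check and the copy, len 51 is rejected by both, and changing either padding literal without the other no longer compiles.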
* RE: Bluetooth: Fix a buffer overflow in mgmt_mesh_add()
From: bluez.test.bot @ 2022-12-12 13:42 UTC (permalink / raw)
To: linux-bluetooth, harshit.m.mogalapalli
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=703836
---Test result---
Test Summary:
CheckPatch PASS 0.56 seconds
GitLint PASS 0.27 seconds
SubjectPrefix PASS 0.09 seconds
BuildKernel PASS 31.00 seconds
CheckAllWarning PASS 34.14 seconds
CheckSparse PASS 39.21 seconds
BuildKernel32 PASS 29.85 seconds
TestRunnerSetup PASS 424.74 seconds
TestRunner_l2cap-tester PASS 15.64 seconds
TestRunner_iso-tester PASS 16.09 seconds
TestRunner_bnep-tester PASS 5.29 seconds
TestRunner_mgmt-tester PASS 103.67 seconds
TestRunner_rfcomm-tester PASS 9.11 seconds
TestRunner_sco-tester PASS 8.58 seconds
TestRunner_ioctl-tester PASS 9.71 seconds
TestRunner_mesh-tester PASS 6.62 seconds
TestRunner_smp-tester PASS 8.43 seconds
TestRunner_userchan-tester PASS 5.54 seconds
IncrementalBuild PASS 28.30 seconds
---
Regards,
Linux Bluetooth
* Re: [PATCH] Bluetooth: Fix a buffer overflow in mgmt_mesh_add()
From: Gix, Brian @ 2022-12-14 1:00 UTC (permalink / raw)
To: harshit.m.mogalapalli@oracle.com
Cc: darren.kenny@oracle.com, davem@davemloft.net,
luiz.dentz@gmail.com, marcel@holtmann.org,
harshit.m.mogalapalli@gmail.com, linux-kernel@vger.kernel.org,
johan.hedberg@gmail.com, kuba@kernel.org, pabeni@redhat.com,
error27@gmail.com, edumazet@google.com,
linux-bluetooth@vger.kernel.org, netdev@vger.kernel.org
Signed-off: brian.gix@intel.com
On Mon, 2022-12-12 at 05:08 -0800, Harshit Mogalapalli wrote:
> Smatch Warning:
> net/bluetooth/mgmt_util.c:375 mgmt_mesh_add() error: __memcpy()
> 'mesh_tx->param' too small (48 vs 50)
>
> Analysis:
>
> 'mesh_tx->param' is array of size 48. This is the destination.
> u8 param[sizeof(struct mgmt_cp_mesh_send) + 29]; // 19 + 29 = 48.
>
> But in the caller 'mesh_send' we reject only when len > 50.
> len > (MGMT_MESH_SEND_SIZE + 31) // 19 + 31 = 50.
>
> Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh")
> Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
> ---
> This is based on static analysis, I am unsure if we should put
> an upper bound to len(48) instead.
>
> This limit on length changed between v4 and v5 patches of Commit:
> ("Bluetooth: Implement support for Mesh") in function mesh_send()
>
> v4:
> https://lore.kernel.org/all/20220511155412.740249-2-brian.gix@intel.com/
> v5:
> https://lore.kernel.org/all/20220720194511.320773-2-brian.gix@intel.com/
> ---
> net/bluetooth/mgmt_util.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/bluetooth/mgmt_util.h b/net/bluetooth/mgmt_util.h
> index 6a8b7e84293d..bdf978605d5a 100644
> --- a/net/bluetooth/mgmt_util.h
> +++ b/net/bluetooth/mgmt_util.h
> @@ -27,7 +27,7 @@ struct mgmt_mesh_tx {
> struct sock *sk;
> u8 handle;
> u8 instance;
> - u8 param[sizeof(struct mgmt_cp_mesh_send) + 29];
> + u8 param[sizeof(struct mgmt_cp_mesh_send) + 31];
> };
>
> struct mgmt_pending_cmd {
* Re: [PATCH] Bluetooth: Fix a buffer overflow in mgmt_mesh_add()
From: patchwork-bot+bluetooth @ 2022-12-15 21:20 UTC (permalink / raw)
To: Harshit Mogalapalli
Cc: harshit.m.mogalapalli, error27, darren.kenny, marcel,
johan.hedberg, luiz.dentz, davem, edumazet, kuba, pabeni,
brian.gix, linux-bluetooth, netdev, linux-kernel
Hello:
This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Mon, 12 Dec 2022 05:08:28 -0800 you wrote:
> Smatch Warning:
> net/bluetooth/mgmt_util.c:375 mgmt_mesh_add() error: __memcpy()
> 'mesh_tx->param' too small (48 vs 50)
>
> Analysis:
>
> 'mesh_tx->param' is array of size 48. This is the destination.
> u8 param[sizeof(struct mgmt_cp_mesh_send) + 29]; // 19 + 29 = 48.
>
> [...]
Here is the summary with links:
- Bluetooth: Fix a buffer overflow in mgmt_mesh_add()
https://git.kernel.org/bluetooth/bluetooth-next/c/becee9f3220c
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html