[BlueZ,5/9] shared/mainloop: Fix integer overflow

Message ID 20240530150057.444585-6-hadess@hadess.net
State New
Series Fix a number of static analysis issues #3

Commit Message

Bastien Nocera May 30, 2024, 2:57 p.m. UTC
signalfd_siginfo uses a u32 for the signal number, but siginfo_t uses a
signed integer for it, so an (unlikely) big value for the signal number
could result in a negative value being passed to the callbacks. Catch
that and bail early.

Error: INTEGER_OVERFLOW (CWE-190): [#def44] [important]
bluez-5.76/src/shared/mainloop-notify.c:132:2: tainted_data_argument: The value "si" is considered tainted.
bluez-5.76/src/shared/mainloop-notify.c:137:3: tainted_data_argument: "si.ssi_signo" is considered tainted.
bluez-5.76/src/shared/mainloop-notify.c:137:3: underflow: The cast of "si.ssi_signo" to a signed type could result in a negative number.
135|
136|	if (data && data->func)
137|->		data->func(si.ssi_signo, data->user_data);
138|
139|	return true;
---
 src/shared/mainloop-notify.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Patch

diff --git a/src/shared/mainloop-notify.c b/src/shared/mainloop-notify.c
index 33be3cf8d78e..11989512e013 100644
--- a/src/shared/mainloop-notify.c
+++ b/src/shared/mainloop-notify.c
@@ -15,6 +15,7 @@ 
 #define _GNU_SOURCE
 #include <stdio.h>
 #include <errno.h>
+#include <limits.h>
 #include <unistd.h>
 #include <stdlib.h>
 #include <stddef.h>
@@ -130,7 +131,7 @@  static bool signal_read(struct io *io, void *user_data)
 	fd = io_get_fd(io);
 
 	result = read(fd, &si, sizeof(si));
-	if (result != sizeof(si))
+	if (result != sizeof(si) || si.ssi_signo > INT_MAX)
 		return false;
 
 	if (data && data->func)
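
Review bot: In signal_read(), the new `si.ssi_signo > INT_MAX` test is folded into the short-read check, so an out-of-range signal number takes the same `return false` path as a failed or truncated read(). If the caller treats a false return as a reason to drop the handler, a single unexpected value would stop signal delivery for good; consider a separate `if` for the range check so the two cases can be handled or logged differently. A one-line comment noting that ssi_signo is a u32 while the callback receives a signed value would explain the INT_MAX bound to later readers. The call `data->func(si.ssi_signo, data->user_data);` still relies on an implicit unsigned-to-signed conversion, so an explicit cast placed after the check would make the narrowing visible at the call site.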