From patchwork Fri Apr 1 12:16:42 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ildar Kamaletdinov X-Patchwork-Id: 556070 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id F1201C433F5 for ; Fri, 1 Apr 2022 12:16:55 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345800AbiDAMSn (ORCPT ); Fri, 1 Apr 2022 08:18:43 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33922 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235252AbiDAMSm (ORCPT ); Fri, 1 Apr 2022 08:18:42 -0400 Received: from mxout04.lancloud.ru (mxout04.lancloud.ru [45.84.86.114]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9F7FF276FBE for ; Fri, 1 Apr 2022 05:16:52 -0700 (PDT) Received: from LanCloud DKIM-Filter: OpenDKIM Filter v2.11.0 mxout04.lancloud.ru DC58920D308E Received: from LanCloud Received: from LanCloud Received: from LanCloud From: Ildar Kamaletdinov To: CC: Ildar Kamaletdinov Subject: [PATCH BlueZ 1/6] monitor: Fix out-of-bound read in print_le_states Date: Fri, 1 Apr 2022 15:16:42 +0300 Message-ID: <20220401121647.3985682-2-i.kamaletdinov@omp.ru> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220401121647.3985682-1-i.kamaletdinov@omp.ru> References: <20220401121647.3985682-1-i.kamaletdinov@omp.ru> MIME-Version: 1.0 X-Originating-IP: [192.168.11.198] X-ClientProxiedBy: LFEXT02.lancloud.ru (fd00:f066::142) To LFEX1910.lancloud.ru (fd00:f066::80) Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org Accessing le_states_desc_table array with value 15 can cause out-of-bound read because current size of array is 14. Currently this cannot lead to any problems becase we do no have such state in le_states_comb_table but this could be changed in future and raise described problem. Found by Linux Verification Center (linuxtesting.org) with the SVACE static analysis tool. --- monitor/packet.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/monitor/packet.c b/monitor/packet.c index b7431b57d..1f04063d3 100644 --- a/monitor/packet.c +++ b/monitor/packet.c @@ -2816,7 +2816,8 @@ static const struct { static void print_le_states(const uint8_t *states_array) { uint64_t mask, states = 0; - int i, n; + int i = 0; + size_t n = 0; for (i = 0; i < 8; i++) states |= ((uint64_t) states_array[i]) << (i * 8); @@ -2828,12 +2829,12 @@ static void print_le_states(const uint8_t *states_array) for (i = 0; le_states_comb_table[i].states; i++) { uint64_t val = (((uint64_t) 1) << le_states_comb_table[i].bit); const char *str[3] = { NULL, }; - int num = 0; + size_t num = 0; if (!(states & val)) continue; - for (n = 0; n < 16; n++) { + for (n = 0; n < ARRAY_SIZE(le_states_desc_table); n++) { if (le_states_comb_table[i].states & (1 << n)) str[num++] = le_states_desc_table[n].str; } From patchwork Fri Apr 1 12:16:43 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ildar Kamaletdinov X-Patchwork-Id: 555628 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3AF88C4332F for ; Fri, 1 Apr 2022 12:16:56 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345802AbiDAMSo (ORCPT ); Fri, 1 Apr 2022 08:18:44 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33912 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S241747AbiDAMSn (ORCPT ); Fri, 1 Apr 2022 08:18:43 -0400 Received: from mxout04.lancloud.ru (mxout04.lancloud.ru [45.84.86.114]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9FB29277967 for ; Fri, 1 Apr 2022 05:16:52 -0700 (PDT) Received: from LanCloud DKIM-Filter: OpenDKIM Filter v2.11.0 mxout04.lancloud.ru 1B75120D309E Received: from LanCloud Received: from LanCloud Received: from LanCloud From: Ildar Kamaletdinov To: CC: Ildar Kamaletdinov Subject: [PATCH BlueZ 2/6] tools: Fix buffer overflow in hciattach_tialt.c Date: Fri, 1 Apr 2022 15:16:43 +0300 Message-ID: <20220401121647.3985682-3-i.kamaletdinov@omp.ru> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220401121647.3985682-1-i.kamaletdinov@omp.ru> References: <20220401121647.3985682-1-i.kamaletdinov@omp.ru> MIME-Version: 1.0 X-Originating-IP: [192.168.11.198] X-ClientProxiedBy: LFEXT02.lancloud.ru (fd00:f066::142) To LFEX1910.lancloud.ru (fd00:f066::80) Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org Array 'c_brf_chip' of size 8 could be accessed by index > 7. We should limit array access like in previous check at line 221. Found by Linux Verification Center (linuxtesting.org) with the SVACE static analysis tool. --- tools/hciattach_tialt.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/hciattach_tialt.c b/tools/hciattach_tialt.c index 520b383a1..4f7fd42a3 100644 --- a/tools/hciattach_tialt.c +++ b/tools/hciattach_tialt.c @@ -221,7 +221,8 @@ int texasalt_init(int fd, int speed, struct termios *ti) ((brf_chip > 7) ? "unknown" : c_brf_chip[brf_chip]), brf_chip); - sprintf(fw, "/etc/firmware/%s.bin", c_brf_chip[brf_chip]); + sprintf(fw, "/etc/firmware/%s.bin", + (brf_chip > 7) ? "unknown" : c_brf_chip[brf_chip]); texas_load_firmware(fd, fw); texas_change_speed(fd, speed); From patchwork Fri Apr 1 12:16:44 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ildar Kamaletdinov X-Patchwork-Id: 555629 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id D0309C433EF for ; Fri, 1 Apr 2022 12:16:55 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344506AbiDAMSn (ORCPT ); Fri, 1 Apr 2022 08:18:43 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33920 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231462AbiDAMSm (ORCPT ); Fri, 1 Apr 2022 08:18:42 -0400 Received: from mxout04.lancloud.ru (mxout04.lancloud.ru [45.84.86.114]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BACC027796C for ; Fri, 1 Apr 2022 05:16:52 -0700 (PDT) Received: from LanCloud DKIM-Filter: OpenDKIM Filter v2.11.0 mxout04.lancloud.ru 51EE420D30A9 Received: from LanCloud Received: from LanCloud Received: from LanCloud From: Ildar Kamaletdinov To: CC: Ildar Kamaletdinov Subject: [PATCH BlueZ 3/6] tools: Fix signed integer overflow in btsnoop.c Date: Fri, 1 Apr 2022 15:16:44 +0300 Message-ID: <20220401121647.3985682-4-i.kamaletdinov@omp.ru> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220401121647.3985682-1-i.kamaletdinov@omp.ru> References: <20220401121647.3985682-1-i.kamaletdinov@omp.ru> MIME-Version: 1.0 X-Originating-IP: [192.168.11.198] X-ClientProxiedBy: LFEXT02.lancloud.ru (fd00:f066::142) To LFEX1910.lancloud.ru (fd00:f066::80) Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org If malformed packet is proceed with zero 'size' field we will face with wrong behaviour of write() call. Value 'toread - 1' gives wrong sign for value 'written' (-1) in write() call. To prevent this we should check that 'toread' is not equal to zero. Found by Linux Verification Center (linuxtesting.org) with the SVACE static analysis tool. --- tools/btsnoop.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/btsnoop.c b/tools/btsnoop.c index 738027dfc..a0d6cf356 100644 --- a/tools/btsnoop.c +++ b/tools/btsnoop.c @@ -193,7 +193,7 @@ next_packet: flags = be32toh(input_pkt[select_input].flags); len = read(input_fd[select_input], buf, toread); - if (len < 0 || len != (ssize_t) toread) { + if (toread == 0 || len < 0 || len != (ssize_t) toread) { close(input_fd[select_input]); input_fd[select_input] = -1; goto next_packet; From patchwork Fri Apr 1 12:16:45 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ildar Kamaletdinov X-Patchwork-Id: 556068 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id A4C03C43217 for ; Fri, 1 Apr 2022 12:16:58 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345807AbiDAMSq (ORCPT ); Fri, 1 Apr 2022 08:18:46 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33926 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231462AbiDAMSn (ORCPT ); Fri, 1 Apr 2022 08:18:43 -0400 Received: from mxout04.lancloud.ru (mxout04.lancloud.ru [45.84.86.114]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 146C527796E for ; Fri, 1 Apr 2022 05:16:53 -0700 (PDT) Received: from LanCloud DKIM-Filter: OpenDKIM Filter v2.11.0 mxout04.lancloud.ru 7D18520D30AC Received: from LanCloud Received: from LanCloud Received: from LanCloud From: Ildar Kamaletdinov To: CC: Ildar Kamaletdinov Subject: [PATCH BlueZ 4/6] tools: Limit width of fields in sscanf Date: Fri, 1 Apr 2022 15:16:45 +0300 Message-ID: <20220401121647.3985682-5-i.kamaletdinov@omp.ru> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220401121647.3985682-1-i.kamaletdinov@omp.ru> References: <20220401121647.3985682-1-i.kamaletdinov@omp.ru> MIME-Version: 1.0 X-Originating-IP: [192.168.11.198] X-ClientProxiedBy: LFEXT02.lancloud.ru (fd00:f066::142) To LFEX1910.lancloud.ru (fd00:f066::80) Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org In tools/btmgmt.c and tools/hex2hcd.c few sscanf does not limit width of fields. This could lead to static overflow and stack corruption. Found by Linux Verification Center (linuxtesting.org) with the SVACE static analysis tool. --- tools/btmgmt.c | 2 +- tools/hex2hcd.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/btmgmt.c b/tools/btmgmt.c index 42ef9acef..8f63f12ba 100644 --- a/tools/btmgmt.c +++ b/tools/btmgmt.c @@ -5164,7 +5164,7 @@ static bool str2pattern(struct mgmt_adv_pattern *pattern, const char *str) char pattern_str[62] = { 0 }; char tmp; - if (sscanf(str, "%2hhx%n:%2hhx%n:%s", &pattern->ad_type, &type_len, + if (sscanf(str, "%2hhx%n:%2hhx%n:%61s", &pattern->ad_type, &type_len, &pattern->offset, &offset_end_pos, pattern_str) != 3) return false; diff --git a/tools/hex2hcd.c b/tools/hex2hcd.c index 674d62744..e6dca5a81 100644 --- a/tools/hex2hcd.c +++ b/tools/hex2hcd.c @@ -248,7 +248,7 @@ static void ver_parse_file(const char *pathname) memset(ver, 0, sizeof(*ver)); - if (sscanf(pathname, "%[A-Z0-9]_%3c.%3c.%3c.%4c.%4c.hex", + if (sscanf(pathname, "%19[A-Z0-9]_%3c.%3c.%3c.%4c.%4c.hex", ver->name, ver->major, ver->minor, ver->build, dummy1, dummy2) != 6) { printf("\t/* failed to parse %s */\n", pathname); From patchwork Fri Apr 1 12:16:46 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ildar Kamaletdinov X-Patchwork-Id: 555627 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3CFB3C433EF for ; Fri, 1 Apr 2022 12:16:58 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345805AbiDAMSp (ORCPT ); Fri, 1 Apr 2022 08:18:45 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33928 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344205AbiDAMSn (ORCPT ); Fri, 1 Apr 2022 08:18:43 -0400 Received: from mxout02.lancloud.ru (mxout02.lancloud.ru [45.84.86.82]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DEF7F27796F for ; Fri, 1 Apr 2022 05:16:53 -0700 (PDT) Received: from LanCloud DKIM-Filter: OpenDKIM Filter v2.11.0 mxout02.lancloud.ru C8D512307CD8 Received: from LanCloud Received: from LanCloud Received: from LanCloud From: Ildar Kamaletdinov To: CC: Ildar Kamaletdinov Subject: [PATCH BlueZ 5/6] device: Limit width of fields in sscanf Date: Fri, 1 Apr 2022 15:16:46 +0300 Message-ID: <20220401121647.3985682-6-i.kamaletdinov@omp.ru> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220401121647.3985682-1-i.kamaletdinov@omp.ru> References: <20220401121647.3985682-1-i.kamaletdinov@omp.ru> MIME-Version: 1.0 X-Originating-IP: [192.168.11.198] X-ClientProxiedBy: LFEXT02.lancloud.ru (fd00:f066::142) To LFEX1910.lancloud.ru (fd00:f066::80) Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org In src/device.c few sscanf does not limit width of uuid field. This could lead to static overflow and stack corruption. Found by Linux Verification Center (linuxtesting.org) with the SVACE static analysis tool. --- src/device.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/src/device.c b/src/device.c index 381faf91c..8dc12d026 100644 --- a/src/device.c +++ b/src/device.c @@ -3790,8 +3790,8 @@ static int load_desc(char *handle, char *value, return -EIO; /* Check if there is any value stored, otherwise it is just the UUID */ - if (sscanf(value, "%04hx:%s", &val, uuid_str) != 2) { - if (sscanf(value, "%s", uuid_str) != 1) + if (sscanf(value, "%04hx:%36s", &val, uuid_str) != 2) { + if (sscanf(value, "%36s", uuid_str) != 1) return -EIO; val = 0; } @@ -3840,9 +3840,9 @@ static int load_chrc(char *handle, char *value, return -EIO; /* Check if there is any value stored */ - if (sscanf(value, GATT_CHARAC_UUID_STR ":%04hx:%02hx:%32s:%s", + if (sscanf(value, GATT_CHARAC_UUID_STR ":%04hx:%02hx:%32s:%36s", &value_handle, &properties, val_str, uuid_str) != 4) { - if (sscanf(value, GATT_CHARAC_UUID_STR ":%04hx:%02hx:%s", + if (sscanf(value, GATT_CHARAC_UUID_STR ":%04hx:%02hx:%36s", &value_handle, &properties, uuid_str) != 3) return -EIO; val_len = 0; @@ -3884,8 +3884,8 @@ static int load_incl(struct gatt_db *db, char *handle, char *value, if (sscanf(handle, "%04hx", &start) != 1) return -EIO; - if (sscanf(value, GATT_INCLUDE_UUID_STR ":%04hx:%04hx:%s", &start, &end, - uuid_str) != 3) + if (sscanf(value, GATT_INCLUDE_UUID_STR ":%04hx:%04hx:%36s", &start, + &end, uuid_str) != 3) return -EIO; /* Log debug message. */ @@ -3918,7 +3918,7 @@ static int load_service(struct gatt_db *db, char *handle, char *value) if (sscanf(handle, "%04hx", &start) != 1) return -EIO; - if (sscanf(value, "%[^:]:%04hx:%s", type, &end, uuid_str) != 3) + if (sscanf(value, "%[^:]:%04hx:%36s", type, &end, uuid_str) != 3) return -EIO; if (g_str_equal(type, GATT_PRIM_SVC_UUID_STR)) From patchwork Fri Apr 1 12:16:47 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ildar Kamaletdinov X-Patchwork-Id: 556067 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 18A41C433F5 for ; Fri, 1 Apr 2022 12:16:59 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345808AbiDAMSq (ORCPT ); Fri, 1 Apr 2022 08:18:46 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33946 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345804AbiDAMSp (ORCPT ); Fri, 1 Apr 2022 08:18:45 -0400 Received: from mxout04.lancloud.ru (mxout04.lancloud.ru [45.84.86.114]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A716448324 for ; Fri, 1 Apr 2022 05:16:55 -0700 (PDT) Received: from LanCloud DKIM-Filter: OpenDKIM Filter v2.11.0 mxout04.lancloud.ru 0294820D30AF Received: from LanCloud Received: from LanCloud Received: from LanCloud From: Ildar Kamaletdinov To: CC: Ildar Kamaletdinov Subject: [PATCH BlueZ 6/6] gatt: Fix double free and freed memory dereference Date: Fri, 1 Apr 2022 15:16:47 +0300 Message-ID: <20220401121647.3985682-7-i.kamaletdinov@omp.ru> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220401121647.3985682-1-i.kamaletdinov@omp.ru> References: <20220401121647.3985682-1-i.kamaletdinov@omp.ru> MIME-Version: 1.0 X-Originating-IP: [192.168.11.198] X-ClientProxiedBy: LFEXT02.lancloud.ru (fd00:f066::142) To LFEX1910.lancloud.ru (fd00:f066::80) Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org If device is no longer exists or not paired when notifications send it is possible to get double free and dereference of already freed memory. To avoid this we need to recheck the state of device after sending notification. Found by Linux Verification Center (linuxtesting.org) with the SVACE static analysis tool. --- src/gatt-database.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/gatt-database.c b/src/gatt-database.c index d6c94058c..d32f616a9 100644 --- a/src/gatt-database.c +++ b/src/gatt-database.c @@ -3877,6 +3877,10 @@ void btd_gatt_database_server_connected(struct btd_gatt_database *database, send_notification_to_device(state, state->pending); + state = find_device_state(database, &bdaddr, bdaddr_type); + if (!state || !state->pending) + return; + free(state->pending->value); free(state->pending); state->pending = NULL;