| Message ID | 20231009203137.3125516-1-arnd@kernel.org |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:a888:0:b0:403:3b70:6f57 with SMTP id x8csp2106574vqo;
Mon, 9 Oct 2023 13:32:13 -0700 (PDT)
X-Google-Smtp-Source:
AGHT+IEuD1/VCr/SmXlISBBWsG2T15nv1ZUlS/HM0r6+EggNTYzGSU8dBlri0Gbl56XZM+ovT5iB
X-Received: by 2002:a17:90a:9d82:b0:269:621e:a673 with SMTP id
k2-20020a17090a9d8200b00269621ea673mr13573215pjp.1.1696883533313;
Mon, 09 Oct 2023 13:32:13 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1696883533; cv=none;
d=google.com; s=arc-20160816;
b=NukfpIK/n3jVj140Jz4cHudXKoGkOJTo82iTiHEW6pSXEW2IDK/DoZdKL5WdjNJeWy
6qrVP7bE6C4KzHfpxypTwCXVYpDwop8DYGGBv4JLAAP5pB0LkQ7F3+Dn11OsIN9+CV4Q
3opgZzFroiNuxiZoJrhla7Ldsw+hepZFv3rZxM6HnlMh2k/uAX1Uc4AbeX58QLUSD2sa
NVTMADO/hWveRhNjlOFiBbQXVl2qyY/I9p2qKVA7VaE0hChAL13NFYXSzhXe6tBX0Z5e
NZa9IrW1Euc22D1X6F08S5xmZj6VN3NU/Fms7OFIrV4iqkNgbh6ue/d1GjZper4BqvVS
PwAw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from:dkim-signature;
bh=1rNU17Xll8mjG+B6sW8XQIvyiOlu47QD/vPME6Ib/5E=;
fh=EKUKKXBdrv3ehYXvgjU7fkP9sUJceWga4qkx9kg+yEc=;
b=L6qucUTaYFhrTsj5o0ZuoAyRt7G3O+iN75T6nQsRiSfUQ7a9THaoXh/GCOg6RyPmzz
4wrv+TJsZ8CuDTBgejAe3qYNpHwPp1Ml8BibWEwdkIpMq1mJ1zXyvCEp9XvqGgV8nJF7
+ZXqoDeCwSzP8oezsUt0Yrqiy5qU4clW8HSS2QIZvHTJTDzpL2iCRzsKfN3oKd1EBO7z
nc5B9FBHsXIZSN/NhLtu7wmRras31T7jBnFgsd57NKjbgEouZYrr7DHlFFroJulkZkmp
ZvhNFuf03jQKi6QxF85Bs/HfG90Hsho5Pyyo6yWVqoE8ZSBzB049d81AslpNagQfg1OG
15SQ==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@kernel.org header.s=k20201202 header.b=box2g981;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 23.128.96.33 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: from lipwig.vger.email (lipwig.vger.email. [23.128.96.33])
by mx.google.com with ESMTPS id
a22-20020a17090abe1600b00275cffed966si11903460pjs.57.2023.10.09.13.32.12
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Mon, 09 Oct 2023 13:32:13 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 23.128.96.33 as permitted sender) client-ip=23.128.96.33;
Authentication-Results: mx.google.com;
dkim=pass header.i=@kernel.org header.s=k20201202 header.b=box2g981;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 23.128.96.33 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
by lipwig.vger.email (Postfix) with ESMTP id 5CBE880330D5;
Mon, 9 Oct 2023 13:32:11 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at lipwig.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S1377819AbjJIUbp (ORCPT <rfc822;ezelljr.billy@gmail.com>
+ 18 others); Mon, 9 Oct 2023 16:31:45 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40564 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S1346656AbjJIUbp (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Mon, 9 Oct 2023 16:31:45 -0400
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 10D95BA;
Mon, 9 Oct 2023 13:31:44 -0700 (PDT)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 9BE88C433C8;
Mon, 9 Oct 2023 20:31:40 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
s=k20201202; t=1696883503;
bh=xaK2DMT9p8cdvjJ5eMYdV4mFYDZb/2yZjgUx3PDg2U4=;
h=From:To:Cc:Subject:Date:From;
b=box2g981w42aOfic7W3fkG/XekqUpb4n8/3IUFQZ/90A46ASXNrLJonm/21Fh7jon
YmP6417D/od5m4stjAkk7Ebq/hHf8rcbGDfHRttqYwR8Yo2s1aHAD5JIKZZCh4Aa2y
3345UqrKQW00s0+Qx8nKvt3SxY9K09IJhyOPCM/djK5wfN/YRsBI2g2ue0A0smfvON
cCkEZ1whXbkZwxExrFkMqcs2wUcy9XXHp4hSXpMYpZIMjDRNwTYS0luoL7zAUu2ztC
jaKOrxpIcyp/8MdawfbgkiD/mWFKKVXHqjvLfkDqzF+wbaz5i3sYOVcn9Fb/xWQg36
XJ384d3P4TIBg==
From: Arnd Bergmann <arnd@kernel.org>
To: Marcel Holtmann <marcel@holtmann.org>,
Johan Hedberg <johan.hedberg@gmail.com>,
Luiz Augusto von Dentz <luiz.dentz@gmail.com>,
"Lee, Chun-Yi" <jlee@suse.com>
Cc: Arnd Bergmann <arnd@arndb.de>, Kees Cook <keescook@chromium.org>,
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>,
stable@vger.kernel.org, Iulia Tanasescu <iulia.tanasescu@nxp.com>,
Pauli Virtanen <pav@iki.fi>, Jakub Kicinski <kuba@kernel.org>,
Claudia Draghicescu <claudia.rosu@nxp.com>,
linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] [v2] Bluetooth: avoid memcmp() out of bounds warning
Date: Mon, 9 Oct 2023 22:31:31 +0200
Message-Id: <20231009203137.3125516-1-arnd@kernel.org>
X-Mailer: git-send-email 2.39.2
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=2.4 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI,
RCVD_IN_SBL_CSS,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no
version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test,
not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]);
Mon, 09 Oct 2023 13:32:11 -0700 (PDT)
X-Spam-Level: **
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1779311347803332906
X-GMAIL-MSGID: 1779311347803332906
|
| Series |
[v2] Bluetooth: avoid memcmp() out of bounds warning
|
|
Commit Message
Arnd Bergmann
Oct. 9, 2023, 8:31 p.m. UTC
From: Arnd Bergmann <arnd@arndb.de> bacmp() is a wrapper around memcpy(), which contain compile-time checks for buffer overflow. Since the hci_conn_request_evt() also calls bt_dev_dbg() with an implicit NULL pointer check, the compiler is now aware of a case where 'hdev' is NULL and treats this as meaning that zero bytes are available: In file included from net/bluetooth/hci_event.c:32: In function 'bacmp', inlined from 'hci_conn_request_evt' at net/bluetooth/hci_event.c:3276:7: include/net/bluetooth/bluetooth.h:364:16: error: 'memcmp' specified bound 6 exceeds source size 0 [-Werror=stringop-overread] 364 | return memcmp(ba1, ba2, sizeof(bdaddr_t)); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Add another NULL pointer check before the bacmp() to ensure the compiler understands the code flow enough to not warn about it. Since the patch that introduced the warning is marked for stable backports, this one should also go that way to avoid introducing build regressions. Fixes: d70e44fef8621 ("Bluetooth: Reject connection with the device which has same BD_ADDR") Cc: Kees Cook <keescook@chromium.org> Cc: "Lee, Chun-Yi" <jlee@suse.com> Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Cc: Marcel Holtmann <marcel@holtmann.org> Cc: stable@vger.kernel.org Signed-off-by: Arnd Bergmann <arnd@arndb.de> --- v2: rewrite completely --- net/bluetooth/hci_event.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
Comments
On Mon, Oct 09, 2023 at 10:31:31PM +0200, Arnd Bergmann wrote: > From: Arnd Bergmann <arnd@arndb.de> > > bacmp() is a wrapper around memcpy(), which contain compile-time > checks for buffer overflow. Since the hci_conn_request_evt() also calls > bt_dev_dbg() with an implicit NULL pointer check, the compiler is now > aware of a case where 'hdev' is NULL and treats this as meaning that > zero bytes are available: > > In file included from net/bluetooth/hci_event.c:32: > In function 'bacmp', > inlined from 'hci_conn_request_evt' at net/bluetooth/hci_event.c:3276:7: > include/net/bluetooth/bluetooth.h:364:16: error: 'memcmp' specified bound 6 exceeds source size 0 [-Werror=stringop-overread] > 364 | return memcmp(ba1, ba2, sizeof(bdaddr_t)); > | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > Add another NULL pointer check before the bacmp() to ensure the compiler > understands the code flow enough to not warn about it. Since the patch > that introduced the warning is marked for stable backports, this one > should also go that way to avoid introducing build regressions. > > Fixes: d70e44fef8621 ("Bluetooth: Reject connection with the device which has same BD_ADDR") > Cc: Kees Cook <keescook@chromium.org> > Cc: "Lee, Chun-Yi" <jlee@suse.com> > Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > Cc: Marcel Holtmann <marcel@holtmann.org> > Cc: stable@vger.kernel.org > Signed-off-by: Arnd Bergmann <arnd@arndb.de> A weird side-effect of the NULL check, but not unreasonable. :) Reviewed-by: Kees Cook <keescook@chromium.org>
Hello: This patch was applied to bluetooth/bluetooth-next.git (master) by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>: On Mon, 9 Oct 2023 22:31:31 +0200 you wrote: > From: Arnd Bergmann <arnd@arndb.de> > > bacmp() is a wrapper around memcpy(), which contain compile-time > checks for buffer overflow. Since the hci_conn_request_evt() also calls > bt_dev_dbg() with an implicit NULL pointer check, the compiler is now > aware of a case where 'hdev' is NULL and treats this as meaning that > zero bytes are available: > > [...] Here is the summary with links: - [v2] Bluetooth: avoid memcmp() out of bounds warning https://git.kernel.org/bluetooth/bluetooth-next/c/b8ba8e65e84b You are awesome, thank you!
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c index 6f4409b4c3648..9b34c9f8ee02c 100644 --- a/net/bluetooth/hci_event.c +++ b/net/bluetooth/hci_event.c @@ -3273,7 +3273,7 @@ static void hci_conn_request_evt(struct hci_dev *hdev, void *data, /* Reject incoming connection from device with same BD ADDR against * CVE-2020-26555 */ - if (!bacmp(&hdev->bdaddr, &ev->bdaddr)) { + if (hdev && !bacmp(&hdev->bdaddr, &ev->bdaddr)) { bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n", &ev->bdaddr); hci_reject_conn(hdev, &ev->bdaddr);