Bluetooth: Fix a buffer overflow in mgmt_mesh_add()

Message ID	20221212130828.988528-1-harshit.m.mogalapalli@oracle.com
State	Accepted
Commit	becee9f3220c20289163cdc0bc8583bd30965f62
Headers	show Return-Path: <linux-bluetooth-owner@kernel.org> From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com> Cc: harshit.m.mogalapalli@oracle.com, harshit.m.mogalapalli@gmail.com, error27@gmail.com, darren.kenny@oracle.com, Marcel Holtmann <marcel@holtmann.org>, Johan Hedberg <johan.hedberg@gmail.com>, Luiz Augusto von Dentz <luiz.dentz@gmail.com>, "David S. Miller" <davem@davemloft.net>, Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>, Brian Gix <brian.gix@intel.com>, linux-bluetooth@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH] Bluetooth: Fix a buffer overflow in mgmt_mesh_add() Date: Mon, 12 Dec 2022 05:08:28 -0800 Message-Id: <20221212130828.988528-1-harshit.m.mogalapalli@oracle.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit To: unlisted-recipients:; (no To-header on input) Precedence: bulk
Series	Bluetooth: Fix a buffer overflow in mgmt_mesh_add() \| expand Bluetooth: Fix a buffer overflow in mgmt_mesh_add()

Message ID

20221212130828.988528-1-harshit.m.mogalapalli@oracle.com

State

Accepted

Commit

becee9f3220c20289163cdc0bc8583bd30965f62

Headers

From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Cc: harshit.m.mogalapalli@oracle.com, harshit.m.mogalapalli@gmail.com,
        error27@gmail.com, darren.kenny@oracle.com,
        Marcel Holtmann <marcel@holtmann.org>,
        Johan Hedberg <johan.hedberg@gmail.com>,
        Luiz Augusto von Dentz <luiz.dentz@gmail.com>,
        "David S. Miller" <davem@davemloft.net>,
        Eric Dumazet <edumazet@google.com>,
        Jakub Kicinski <kuba@kernel.org>,
        Paolo Abeni <pabeni@redhat.com>,
        Brian Gix <brian.gix@intel.com>,
        linux-bluetooth@vger.kernel.org, netdev@vger.kernel.org,
        linux-kernel@vger.kernel.org
Subject: [PATCH] Bluetooth: Fix a buffer overflow in mgmt_mesh_add()
Date: Mon, 12 Dec 2022 05:08:28 -0800
Message-Id: <20221212130828.988528-1-harshit.m.mogalapalli@oracle.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
To: unlisted-recipients:; (no To-header on input)
Precedence: bulk

Series

Bluetooth: Fix a buffer overflow in mgmt_mesh_add() | expand

Commit Message

Harshit Mogalapalli Dec. 12, 2022, 1:08 p.m. UTC

Smatch Warning:
net/bluetooth/mgmt_util.c:375 mgmt_mesh_add() error: __memcpy()
'mesh_tx->param' too small (48 vs 50)

Analysis:

'mesh_tx->param' is array of size 48. This is the destination.
u8 param[sizeof(struct mgmt_cp_mesh_send) + 29]; // 19 + 29 = 48.

But in the caller 'mesh_send' we reject only when len > 50.
len > (MGMT_MESH_SEND_SIZE + 31) // 19 + 31 = 50.

Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh")
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
---
This is based on static analysis, I am unsure if we should put
an upper bound to len(48) instead.

This limit on length changed between v4 and v5 patches of Commit:
("Bluetooth: Implement support for Mesh") in function mesh_send()

v4: https://lore.kernel.org/all/20220511155412.740249-2-brian.gix@intel.com/
v5: https://lore.kernel.org/all/20220720194511.320773-2-brian.gix@intel.com/
---
 net/bluetooth/mgmt_util.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

bluez.test.bot@gmail.com Dec. 12, 2022, 1:42 p.m. UTC | #1

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=703836

---Test result---

Test Summary:
CheckPatch                    PASS      0.56 seconds
GitLint                       PASS      0.27 seconds
SubjectPrefix                 PASS      0.09 seconds
BuildKernel                   PASS      31.00 seconds
CheckAllWarning               PASS      34.14 seconds
CheckSparse                   PASS      39.21 seconds
BuildKernel32                 PASS      29.85 seconds
TestRunnerSetup               PASS      424.74 seconds
TestRunner_l2cap-tester       PASS      15.64 seconds
TestRunner_iso-tester         PASS      16.09 seconds
TestRunner_bnep-tester        PASS      5.29 seconds
TestRunner_mgmt-tester        PASS      103.67 seconds
TestRunner_rfcomm-tester      PASS      9.11 seconds
TestRunner_sco-tester         PASS      8.58 seconds
TestRunner_ioctl-tester       PASS      9.71 seconds
TestRunner_mesh-tester        PASS      6.62 seconds
TestRunner_smp-tester         PASS      8.43 seconds
TestRunner_userchan-tester    PASS      5.54 seconds
IncrementalBuild              PASS      28.30 seconds



---
Regards,
Linux Bluetooth

Brian Gix Dec. 14, 2022, 1 a.m. UTC | #2

Signed-off: brian.gix@intel.com

On Mon, 2022-12-12 at 05:08 -0800, Harshit Mogalapalli wrote:
> Smatch Warning:
> net/bluetooth/mgmt_util.c:375 mgmt_mesh_add() error: __memcpy()
> 'mesh_tx->param' too small (48 vs 50)
> 
> Analysis:
> 
> 'mesh_tx->param' is array of size 48. This is the destination.
> u8 param[sizeof(struct mgmt_cp_mesh_send) + 29]; // 19 + 29 = 48.
> 
> But in the caller 'mesh_send' we reject only when len > 50.
> len > (MGMT_MESH_SEND_SIZE + 31) // 19 + 31 = 50.
> 
> Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh")
> Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
> ---
> This is based on static analysis, I am unsure if we should put
> an upper bound to len(48) instead.
> 
> This limit on length changed between v4 and v5 patches of Commit:
> ("Bluetooth: Implement support for Mesh") in function mesh_send()
> 
> v4:
> https://lore.kernel.org/all/20220511155412.740249-2-brian.gix@intel.com/
> v5:
> https://lore.kernel.org/all/20220720194511.320773-2-brian.gix@intel.com/
> ---
>  net/bluetooth/mgmt_util.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/bluetooth/mgmt_util.h b/net/bluetooth/mgmt_util.h
> index 6a8b7e84293d..bdf978605d5a 100644
> --- a/net/bluetooth/mgmt_util.h
> +++ b/net/bluetooth/mgmt_util.h
> @@ -27,7 +27,7 @@ struct mgmt_mesh_tx {
>         struct sock *sk;
>         u8 handle;
>         u8 instance;
> -       u8 param[sizeof(struct mgmt_cp_mesh_send) + 29];
> +       u8 param[sizeof(struct mgmt_cp_mesh_send) + 31];
>  };
>  
>  struct mgmt_pending_cmd {

patchwork-bot+bluetooth@kernel.org Dec. 15, 2022, 9:20 p.m. UTC | #3

Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Mon, 12 Dec 2022 05:08:28 -0800 you wrote:
> Smatch Warning:
> net/bluetooth/mgmt_util.c:375 mgmt_mesh_add() error: __memcpy()
> 'mesh_tx->param' too small (48 vs 50)
> 
> Analysis:
> 
> 'mesh_tx->param' is array of size 48. This is the destination.
> u8 param[sizeof(struct mgmt_cp_mesh_send) + 29]; // 19 + 29 = 48.
> 
> [...]

Here is the summary with links:
  - Bluetooth: Fix a buffer overflow in mgmt_mesh_add()
    https://git.kernel.org/bluetooth/bluetooth-next/c/becee9f3220c

You are awesome, thank you!

diff --git a/net/bluetooth/mgmt_util.h b/net/bluetooth/mgmt_util.h
index 6a8b7e84293d..bdf978605d5a 100644
--- a/net/bluetooth/mgmt_util.h
+++ b/net/bluetooth/mgmt_util.h
@@ -27,7 +27,7 @@  struct mgmt_mesh_tx {
 	struct sock *sk;
 	u8 handle;
 	u8 instance;
-	u8 param[sizeof(struct mgmt_cp_mesh_send) + 29];
+	u8 param[sizeof(struct mgmt_cp_mesh_send) + 31];
 };
 
 struct mgmt_pending_cmd {