Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP1:Update
xen.11319
CVE-2018-19665-qemuu-Integer-overflow-in-Blueto...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2018-19665-qemuu-Integer-overflow-in-Bluetooth-routines-allows-memory-corruption.patch of Package xen.11319
The length parameter values are not negative, thus use an unsigned type 'size_t' for them. Many routines pass 'len' values to memcpy(3) calls. If it was negative, it could lead to memory corruption issues. Reported-by: Arash TC <address@hidden> Signed-off-by: Prasad J Pandit <address@hidden> --- bt-host.c | 6 ++--- bt-vhci.c | 4 +-- hw/bt/core.c | 2 +- hw/bt/hci-csr.c | 16 ++++++------ hw/bt/hci.c | 38 ++++++++++++++-------------- hw/bt/hid.c | 8 +++--- hw/bt/l2cap.c | 56 ++++++++++++++++++++++-------------------- hw/bt/sdp.c | 6 ++--- hw/usb/dev-bluetooth.c | 6 ++--- include/hw/bt.h | 8 +++--- include/sysemu/bt.h | 10 ++++---- 11 files changed, 81 insertions(+), 79 deletions(-) This change is similar to -> https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg02402.html Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/bt-host.c =================================================================== --- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/bt-host.c +++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/bt-host.c @@ -63,17 +63,17 @@ static void bt_host_send(struct HCIInfo } } -static void bt_host_cmd(struct HCIInfo *hci, const uint8_t *data, int len) +static void bt_host_cmd(struct HCIInfo *hci, const uint8_t *data, size_t len) { bt_host_send(hci, HCI_COMMAND_PKT, data, len); } -static void bt_host_acl(struct HCIInfo *hci, const uint8_t *data, int len) +static void bt_host_acl(struct HCIInfo *hci, const uint8_t *data, size_t len) { bt_host_send(hci, HCI_ACLDATA_PKT, data, len); } -static void bt_host_sco(struct HCIInfo *hci, const uint8_t *data, int len) +static void bt_host_sco(struct HCIInfo *hci, const uint8_t *data, size_t len) { bt_host_send(hci, HCI_SCODATA_PKT, data, len); } Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/bt-vhci.c =================================================================== --- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/bt-vhci.c +++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/bt-vhci.c @@ -124,13 +124,13 @@ static void vhci_host_send(void *opaque, } static void vhci_out_hci_packet_event(void *opaque, - const uint8_t *data, int len) + const uint8_t *data, size_t len) { vhci_host_send(opaque, HCI_EVENT_PKT, data, len); } static void vhci_out_hci_packet_acl(void *opaque, - const uint8_t *data, int len) + const uint8_t *data, size_t len) { vhci_host_send(opaque, HCI_ACLDATA_PKT, data, len); } Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/bt/core.c =================================================================== --- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/bt/core.c +++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/bt/core.c @@ -45,7 +45,7 @@ static void bt_dummy_lmp_disconnect_mast } static void bt_dummy_lmp_acl_resp(struct bt_link_s *link, - const uint8_t *data, int start, int len) + const uint8_t *data, int start, size_t len) { fprintf(stderr, "%s: stray ACL response PDU, fixme\n", __FUNCTION__); exit(-1); Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/bt/hci-csr.c =================================================================== --- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/bt/hci-csr.c +++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/bt/hci-csr.c @@ -91,7 +91,7 @@ static inline void csrhci_fifo_wake(stru } #define csrhci_out_packetz(s, len) memset(csrhci_out_packet(s, len), 0, len) -static uint8_t *csrhci_out_packet(struct csrhci_s *s, int len) +static uint8_t *csrhci_out_packet(struct csrhci_s *s, size_t len) { int off = s->out_start + s->out_len; @@ -100,14 +100,14 @@ static uint8_t *csrhci_out_packet(struct if (off < FIFO_LEN) { if (off + len > FIFO_LEN && (s->out_size = off + len) > FIFO_LEN * 2) { - fprintf(stderr, "%s: can't alloc %i bytes\n", __FUNCTION__, len); + fprintf(stderr, "%s: can't alloc %zu bytes\n", __FUNCTION__, len); exit(-1); } return s->outfifo + off; } if (s->out_len > s->out_size) { - fprintf(stderr, "%s: can't alloc %i bytes\n", __FUNCTION__, len); + fprintf(stderr, "%s: can't alloc %zu bytes\n", __FUNCTION__, len); exit(-1); } @@ -115,7 +115,7 @@ static uint8_t *csrhci_out_packet(struct } static inline uint8_t *csrhci_out_packet_csr(struct csrhci_s *s, - int type, int len) + int type, size_t len) { uint8_t *ret = csrhci_out_packetz(s, len + 2); @@ -126,7 +126,7 @@ static inline uint8_t *csrhci_out_packet } static inline uint8_t *csrhci_out_packet_event(struct csrhci_s *s, - int evt, int len) + int evt, size_t len) { uint8_t *ret = csrhci_out_packetz(s, len + 1 + sizeof(struct hci_event_hdr)); @@ -139,7 +139,7 @@ static inline uint8_t *csrhci_out_packet } static void csrhci_in_packet_vendor(struct csrhci_s *s, int ocf, - uint8_t *data, int len) + uint8_t *data, size_t len) { int offset; uint8_t *rpkt; @@ -329,7 +329,7 @@ static size_t csrhci_write(struct CharDr } static void csrhci_out_hci_packet_event(void *opaque, - const uint8_t *data, int len) + const uint8_t *data, size_t len) { struct csrhci_s *s = (struct csrhci_s *) opaque; uint8_t *pkt = csrhci_out_packet(s, (len + 2) & ~1); /* Align */ @@ -341,7 +341,7 @@ static void csrhci_out_hci_packet_event( } static void csrhci_out_hci_packet_acl(void *opaque, - const uint8_t *data, int len) + const uint8_t *data, size_t len) { struct csrhci_s *s = (struct csrhci_s *) opaque; uint8_t *pkt = csrhci_out_packet(s, (len + 2) & ~1); /* Align */ Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/bt/hci.c =================================================================== --- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/bt/hci.c +++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/bt/hci.c @@ -26,7 +26,7 @@ struct bt_hci_s { uint8_t *(*evt_packet)(void *opaque); - void (*evt_submit)(void *opaque, int len); + void (*evt_submit)(void *opaque, size_t len); void *opaque; uint8_t evt_buf[256]; @@ -56,7 +56,7 @@ struct bt_hci_s { struct bt_hci_master_link_s { struct bt_link_s *link; void (*lmp_acl_data)(struct bt_link_s *link, - const uint8_t *data, int start, int len); + const uint8_t *data, int start, size_t len); QEMUTimer *acl_mode_timer; } handle[HCI_HANDLES_MAX]; uint32_t role_bmp; @@ -430,13 +430,13 @@ static const uint8_t bt_event_reserved_m }; static inline uint8_t *bt_hci_event_start(struct bt_hci_s *hci, - int evt, int len) + int evt, size_t len) { uint8_t *packet, mask; int mask_byte; if (len > 255) { - fprintf(stderr, "%s: HCI event params too long (%ib)\n", + fprintf(stderr, "%s: HCI event params too long (%zub)\n", __FUNCTION__, len); exit(-1); } @@ -454,7 +454,7 @@ static inline uint8_t *bt_hci_event_star } static inline void bt_hci_event(struct bt_hci_s *hci, int evt, - void *params, int len) + void *params, size_t len) { uint8_t *packet = bt_hci_event_start(hci, evt, len); @@ -479,7 +479,7 @@ static inline void bt_hci_event_status(s } static inline void bt_hci_event_complete(struct bt_hci_s *hci, - void *ret, int len) + void *ret, size_t len) { uint8_t *packet = bt_hci_event_start(hci, EVT_CMD_COMPLETE, len + EVT_CMD_COMPLETE_SIZE); @@ -1457,7 +1457,7 @@ static inline void bt_hci_event_num_comp } static void bt_submit_hci(struct HCIInfo *info, - const uint8_t *data, int length) + const uint8_t *data, size_t length) { struct bt_hci_s *hci = hci_from_info(info); uint16_t cmd; @@ -1952,7 +1952,7 @@ static void bt_submit_hci(struct HCIInfo break; short_hci: - fprintf(stderr, "%s: HCI packet too short (%iB)\n", + fprintf(stderr, "%s: HCI packet too short (%zuB)\n", __FUNCTION__, length); bt_hci_event_status(hci, HCI_INVALID_PARAMETERS); break; @@ -1964,7 +1964,7 @@ static void bt_submit_hci(struct HCIInfo * know that a packet contained the last fragment of the SDU when the next * SDU starts. */ static inline void bt_hci_lmp_acl_data(struct bt_hci_s *hci, uint16_t handle, - const uint8_t *data, int start, int len) + const uint8_t *data, int start, size_t len) { struct hci_acl_hdr *pkt = (void *) hci->acl_buf; @@ -1972,7 +1972,7 @@ static inline void bt_hci_lmp_acl_data(s /* TODO: avoid memcpy'ing */ if (len + HCI_ACL_HDR_SIZE > sizeof(hci->acl_buf)) { - fprintf(stderr, "%s: can't take ACL packets %i bytes long\n", + fprintf(stderr, "%s: can't take ACL packets %zu bytes long\n", __FUNCTION__, len); return; } @@ -1986,7 +1986,7 @@ static inline void bt_hci_lmp_acl_data(s } static void bt_hci_lmp_acl_data_slave(struct bt_link_s *btlink, - const uint8_t *data, int start, int len) + const uint8_t *data, int start, size_t len) { struct bt_hci_link_s *link = (struct bt_hci_link_s *) btlink; @@ -1995,14 +1995,14 @@ static void bt_hci_lmp_acl_data_slave(st } static void bt_hci_lmp_acl_data_host(struct bt_link_s *link, - const uint8_t *data, int start, int len) + const uint8_t *data, int start, size_t len) { bt_hci_lmp_acl_data(hci_from_device(link->host), link->handle, data, start, len); } static void bt_submit_acl(struct HCIInfo *info, - const uint8_t *data, int length) + const uint8_t *data, size_t length) { struct bt_hci_s *hci = hci_from_info(info); uint16_t handle; @@ -2010,7 +2010,7 @@ static void bt_submit_acl(struct HCIInfo struct bt_link_s *link; if (length < HCI_ACL_HDR_SIZE) { - fprintf(stderr, "%s: ACL packet too short (%iB)\n", + fprintf(stderr, "%s: ACL packet too short (%zuB)\n", __FUNCTION__, length); return; } @@ -2030,7 +2030,7 @@ static void bt_submit_acl(struct HCIInfo handle &= ~HCI_HANDLE_OFFSET; if (datalen > length) { - fprintf(stderr, "%s: ACL packet too short (%iB < %iB)\n", + fprintf(stderr, "%s: ACL packet too short (%zuB < %iB)\n", __FUNCTION__, length, datalen); return; } @@ -2072,7 +2072,7 @@ static void bt_submit_acl(struct HCIInfo } static void bt_submit_sco(struct HCIInfo *info, - const uint8_t *data, int length) + const uint8_t *data, size_t length) { struct bt_hci_s *hci = hci_from_info(info); uint16_t handle; @@ -2092,7 +2092,7 @@ static void bt_submit_sco(struct HCIInfo } if (datalen > length) { - fprintf(stderr, "%s: SCO packet too short (%iB < %iB)\n", + fprintf(stderr, "%s: SCO packet too short (%zuB < %iB)\n", __FUNCTION__, length, datalen); return; } @@ -2113,7 +2113,7 @@ static uint8_t *bt_hci_evt_packet(void * return s->evt_buf; } -static void bt_hci_evt_submit(void *opaque, int len) +static void bt_hci_evt_submit(void *opaque, size_t len) { /* TODO: notify upper layer */ struct bt_hci_s *s = opaque; Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/bt/hid.c =================================================================== --- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/bt/hid.c +++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/bt/hid.c @@ -168,7 +168,7 @@ static void bt_hid_disconnect(struct bt_ } static void bt_hid_send_data(struct bt_l2cap_conn_params_s *ch, int type, - const uint8_t *data, int len) + const uint8_t *data, size_t len) { uint8_t *pkt, hdr = (BT_DATA << 4) | type; int plen; @@ -189,7 +189,7 @@ static void bt_hid_send_data(struct bt_l } static void bt_hid_control_transaction(struct bt_hid_device_s *s, - const uint8_t *data, int len) + const uint8_t *data, size_t len) { uint8_t type, parameter; int rlen, ret = -1; @@ -361,7 +361,7 @@ static void bt_hid_control_transaction(s bt_hid_send_handshake(s, ret); } -static void bt_hid_control_sdu(void *opaque, const uint8_t *data, int len) +static void bt_hid_control_sdu(void *opaque, const uint8_t *data, size_t len) { struct bt_hid_device_s *hid = opaque; @@ -387,7 +387,7 @@ static void bt_hid_datain(HIDState *hs) hid->datain.buffer, hid->datain.len); } -static void bt_hid_interrupt_sdu(void *opaque, const uint8_t *data, int len) +static void bt_hid_interrupt_sdu(void *opaque, const uint8_t *data, size_t len) { struct bt_hid_device_s *hid = opaque; Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/vl.c =================================================================== --- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/vl.c +++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/vl.c @@ -866,7 +866,7 @@ static struct bt_scatternet_s *qemu_find return &vlan->net; } -static void null_hci_send(struct HCIInfo *hci, const uint8_t *data, int len) +static void null_hci_send(struct HCIInfo *hci, const uint8_t *data, size_t len) { }
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
