File CVE-2018-19665-qemuu-Integer-overflow-in-Bluetooth-routines-allows-memory-corruption.patch of Package xen.11298
The length parameter values are never negative, so use the unsigned
type 'size_t' for them. Many routines pass 'len' values to memcpy(3)
calls; if such a value were negative, it could lead to memory corruption.
Reported-by: Arash TC <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
bt-host.c | 6 ++---
bt-vhci.c | 4 +--
hw/bt/core.c | 2 +-
hw/bt/hci-csr.c | 16 ++++++------
hw/bt/hci.c | 38 ++++++++++++++--------------
hw/bt/hid.c | 8 +++---
hw/bt/l2cap.c | 56 ++++++++++++++++++++++--------------------
hw/bt/sdp.c | 6 ++---
hw/usb/dev-bluetooth.c | 6 ++---
include/hw/bt.h | 8 +++---
include/sysemu/bt.h | 10 ++++----
11 files changed, 81 insertions(+), 79 deletions(-)
This change is similar to
-> https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg02402.html
Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/bt-host.c
===================================================================
--- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/bt-host.c
+++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/bt-host.c
@@ -63,17 +63,17 @@ static void bt_host_send(struct HCIInfo
}
}
-static void bt_host_cmd(struct HCIInfo *hci, const uint8_t *data, int len)
+static void bt_host_cmd(struct HCIInfo *hci, const uint8_t *data, size_t len)
{
bt_host_send(hci, HCI_COMMAND_PKT, data, len);
}
-static void bt_host_acl(struct HCIInfo *hci, const uint8_t *data, int len)
+static void bt_host_acl(struct HCIInfo *hci, const uint8_t *data, size_t len)
{
bt_host_send(hci, HCI_ACLDATA_PKT, data, len);
}
-static void bt_host_sco(struct HCIInfo *hci, const uint8_t *data, int len)
+static void bt_host_sco(struct HCIInfo *hci, const uint8_t *data, size_t len)
{
bt_host_send(hci, HCI_SCODATA_PKT, data, len);
}
Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/bt-vhci.c
===================================================================
--- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/bt-vhci.c
+++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/bt-vhci.c
@@ -124,13 +124,13 @@ static void vhci_host_send(void *opaque,
}
static void vhci_out_hci_packet_event(void *opaque,
- const uint8_t *data, int len)
+ const uint8_t *data, size_t len)
{
vhci_host_send(opaque, HCI_EVENT_PKT, data, len);
}
static void vhci_out_hci_packet_acl(void *opaque,
- const uint8_t *data, int len)
+ const uint8_t *data, size_t len)
{
vhci_host_send(opaque, HCI_ACLDATA_PKT, data, len);
}
Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/bt/core.c
===================================================================
--- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/hw/bt/core.c
+++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/bt/core.c
@@ -45,7 +45,7 @@ static void bt_dummy_lmp_disconnect_mast
}
static void bt_dummy_lmp_acl_resp(struct bt_link_s *link,
- const uint8_t *data, int start, int len)
+ const uint8_t *data, int start, size_t len)
{
fprintf(stderr, "%s: stray ACL response PDU, fixme\n", __FUNCTION__);
exit(-1);
Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/bt/hci-csr.c
===================================================================
--- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/hw/bt/hci-csr.c
+++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/bt/hci-csr.c
@@ -91,7 +91,7 @@ static inline void csrhci_fifo_wake(stru
}
#define csrhci_out_packetz(s, len) memset(csrhci_out_packet(s, len), 0, len)
-static uint8_t *csrhci_out_packet(struct csrhci_s *s, int len)
+static uint8_t *csrhci_out_packet(struct csrhci_s *s, size_t len)
{
int off = s->out_start + s->out_len;
@@ -100,14 +100,14 @@ static uint8_t *csrhci_out_packet(struct
if (off < FIFO_LEN) {
if (off + len > FIFO_LEN && (s->out_size = off + len) > FIFO_LEN * 2) {
- fprintf(stderr, "%s: can't alloc %i bytes\n", __FUNCTION__, len);
+ fprintf(stderr, "%s: can't alloc %zu bytes\n", __FUNCTION__, len);
exit(-1);
}
return s->outfifo + off;
}
if (s->out_len > s->out_size) {
- fprintf(stderr, "%s: can't alloc %i bytes\n", __FUNCTION__, len);
+ fprintf(stderr, "%s: can't alloc %zu bytes\n", __FUNCTION__, len);
exit(-1);
}
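Review bot: `off` (declared `int` at the top of csrhci_out_packet in the preceding hunk) stays signed while `len` becomes `size_t`, so `off + len > FIFO_LEN` and the value stored into `s->out_size` are now computed in unsigned arithmetic; the types of `s->out_start`, `s->out_len`, `s->out_size` and `FIFO_LEN` are not visible here, so it is worth confirming none of them can go negative, and declaring `size_t off = s->out_start + s->out_len;` would keep this sweep consistent. The rewritten fprintf lines also keep `__FUNCTION__`, whereas `__func__` is the C99 spelling. csrhci_out_packet starts and ends outside this hunk.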
@@ -115,7 +115,7 @@ static uint8_t *csrhci_out_packet(struct
}
static inline uint8_t *csrhci_out_packet_csr(struct csrhci_s *s,
- int type, int len)
+ int type, size_t len)
{
uint8_t *ret = csrhci_out_packetz(s, len + 2);
@@ -126,7 +126,7 @@ static inline uint8_t *csrhci_out_packet
}
static inline uint8_t *csrhci_out_packet_event(struct csrhci_s *s,
- int evt, int len)
+ int evt, size_t len)
{
uint8_t *ret = csrhci_out_packetz(s,
len + 1 + sizeof(struct hci_event_hdr));
@@ -139,7 +139,7 @@ static inline uint8_t *csrhci_out_packet
}
static void csrhci_in_packet_vendor(struct csrhci_s *s, int ocf,
- uint8_t *data, int len)
+ uint8_t *data, size_t len)
{
int offset;
uint8_t *rpkt;
@@ -329,7 +329,7 @@ static size_t csrhci_write(struct CharDr
}
static void csrhci_out_hci_packet_event(void *opaque,
- const uint8_t *data, int len)
+ const uint8_t *data, size_t len)
{
struct csrhci_s *s = (struct csrhci_s *) opaque;
uint8_t *pkt = csrhci_out_packet(s, (len + 2) & ~1); /* Align */
@@ -341,7 +341,7 @@ static void csrhci_out_hci_packet_event(
}
static void csrhci_out_hci_packet_acl(void *opaque,
- const uint8_t *data, int len)
+ const uint8_t *data, size_t len)
{
struct csrhci_s *s = (struct csrhci_s *) opaque;
uint8_t *pkt = csrhci_out_packet(s, (len + 2) & ~1); /* Align */
Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/bt/hci.c
===================================================================
--- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/hw/bt/hci.c
+++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/bt/hci.c
@@ -26,7 +26,7 @@
struct bt_hci_s {
uint8_t *(*evt_packet)(void *opaque);
- void (*evt_submit)(void *opaque, int len);
+ void (*evt_submit)(void *opaque, size_t len);
void *opaque;
uint8_t evt_buf[256];
@@ -56,7 +56,7 @@ struct bt_hci_s {
struct bt_hci_master_link_s {
struct bt_link_s *link;
void (*lmp_acl_data)(struct bt_link_s *link,
- const uint8_t *data, int start, int len);
+ const uint8_t *data, int start, size_t len);
QEMUTimer *acl_mode_timer;
} handle[HCI_HANDLES_MAX];
uint32_t role_bmp;
@@ -430,7 +430,7 @@ static const uint8_t bt_event_reserved_m
};
-static void null_hci_send(struct HCIInfo *hci, const uint8_t *data, int len)
+static void null_hci_send(struct HCIInfo *hci, const uint8_t *data, size_t len)
{
}
@@ -448,13 +448,13 @@ struct HCIInfo null_hci = {
static inline uint8_t *bt_hci_event_start(struct bt_hci_s *hci,
- int evt, int len)
+ int evt, size_t len)
{
uint8_t *packet, mask;
int mask_byte;
if (len > 255) {
- fprintf(stderr, "%s: HCI event params too long (%ib)\n",
+ fprintf(stderr, "%s: HCI event params too long (%zub)\n",
__FUNCTION__, len);
exit(-1);
}
@@ -472,7 +472,7 @@ static inline uint8_t *bt_hci_event_star
}
static inline void bt_hci_event(struct bt_hci_s *hci, int evt,
- void *params, int len)
+ void *params, size_t len)
{
uint8_t *packet = bt_hci_event_start(hci, evt, len);
@@ -497,7 +497,7 @@ static inline void bt_hci_event_status(s
}
static inline void bt_hci_event_complete(struct bt_hci_s *hci,
- void *ret, int len)
+ void *ret, size_t len)
{
uint8_t *packet = bt_hci_event_start(hci, EVT_CMD_COMPLETE,
len + EVT_CMD_COMPLETE_SIZE);
@@ -1475,7 +1475,7 @@ static inline void bt_hci_event_num_comp
}
static void bt_submit_hci(struct HCIInfo *info,
- const uint8_t *data, int length)
+ const uint8_t *data, size_t length)
{
struct bt_hci_s *hci = hci_from_info(info);
uint16_t cmd;
@@ -1970,7 +1970,7 @@ static void bt_submit_hci(struct HCIInfo
break;
short_hci:
- fprintf(stderr, "%s: HCI packet too short (%iB)\n",
+ fprintf(stderr, "%s: HCI packet too short (%zuB)\n",
__FUNCTION__, length);
bt_hci_event_status(hci, HCI_INVALID_PARAMETERS);
break;
@@ -1982,7 +1982,7 @@ static void bt_submit_hci(struct HCIInfo
* know that a packet contained the last fragment of the SDU when the next
* SDU starts. */
static inline void bt_hci_lmp_acl_data(struct bt_hci_s *hci, uint16_t handle,
- const uint8_t *data, int start, int len)
+ const uint8_t *data, int start, size_t len)
{
struct hci_acl_hdr *pkt = (void *) hci->acl_buf;
@@ -1990,7 +1990,7 @@ static inline void bt_hci_lmp_acl_data(s
/* TODO: avoid memcpy'ing */
if (len + HCI_ACL_HDR_SIZE > sizeof(hci->acl_buf)) {
- fprintf(stderr, "%s: can't take ACL packets %i bytes long\n",
+ fprintf(stderr, "%s: can't take ACL packets %zu bytes long\n",
__FUNCTION__, len);
return;
}
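Review bot: The `size_t len` change makes `len + HCI_ACL_HDR_SIZE > sizeof(hci->acl_buf)` a fully unsigned comparison, which is the guard this commit depends on, but `start` is left as `int` in the same signature. If the body (outside the hunk) reads from `data + start`, a negative `start` remains unchecked; either widen it to `size_t start` in this sweep or document the invariant on the parameter, e.g. `/* start: byte offset into data; callers must pass a non-negative value */`, after confirming it against the callers. bt_hci_lmp_acl_data continues past the hunk.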
@@ -2004,7 +2004,7 @@ static inline void bt_hci_lmp_acl_data(s
}
static void bt_hci_lmp_acl_data_slave(struct bt_link_s *btlink,
- const uint8_t *data, int start, int len)
+ const uint8_t *data, int start, size_t len)
{
struct bt_hci_link_s *link = (struct bt_hci_link_s *) btlink;
@@ -2013,14 +2013,14 @@ static void bt_hci_lmp_acl_data_slave(st
}
static void bt_hci_lmp_acl_data_host(struct bt_link_s *link,
- const uint8_t *data, int start, int len)
+ const uint8_t *data, int start, size_t len)
{
bt_hci_lmp_acl_data(hci_from_device(link->host),
link->handle, data, start, len);
}
static void bt_submit_acl(struct HCIInfo *info,
- const uint8_t *data, int length)
+ const uint8_t *data, size_t length)
{
struct bt_hci_s *hci = hci_from_info(info);
uint16_t handle;
@@ -2028,7 +2028,7 @@ static void bt_submit_acl(struct HCIInfo
struct bt_link_s *link;
if (length < HCI_ACL_HDR_SIZE) {
- fprintf(stderr, "%s: ACL packet too short (%iB)\n",
+ fprintf(stderr, "%s: ACL packet too short (%zuB)\n",
__FUNCTION__, length);
return;
}
@@ -2048,7 +2048,7 @@ static void bt_submit_acl(struct HCIInfo
handle &= ~HCI_HANDLE_OFFSET;
if (datalen > length) {
- fprintf(stderr, "%s: ACL packet too short (%iB < %iB)\n",
+ fprintf(stderr, "%s: ACL packet too short (%zuB < %iB)\n",
__FUNCTION__, length, datalen);
return;
}
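Review bot: `datalen > length` now compares a signed value with a `size_t` (the `%iB` in the message suggests `datalen` is still an `int`); `datalen` is promoted to unsigned, so a negative value would take the "too short" branch, which fails safe, but `-Wsign-compare` will flag the line. Since `datalen` is a packet length as well, giving it an unsigned type where it is declared (outside this hunk) would remove the mixed comparison; the SCO check in the following hunk has the same shape. bt_submit_acl continues past the hunk.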
@@ -2090,7 +2090,7 @@ static void bt_submit_acl(struct HCIInfo
}
static void bt_submit_sco(struct HCIInfo *info,
- const uint8_t *data, int length)
+ const uint8_t *data, size_t length)
{
struct bt_hci_s *hci = hci_from_info(info);
uint16_t handle;
@@ -2110,7 +2110,7 @@ static void bt_submit_sco(struct HCIInfo
}
if (datalen > length) {
- fprintf(stderr, "%s: SCO packet too short (%iB < %iB)\n",
+ fprintf(stderr, "%s: SCO packet too short (%zuB < %iB)\n",
__FUNCTION__, length, datalen);
return;
}
@@ -2131,7 +2131,7 @@ static uint8_t *bt_hci_evt_packet(void *
return s->evt_buf;
}
-static void bt_hci_evt_submit(void *opaque, int len)
+static void bt_hci_evt_submit(void *opaque, size_t len)
{
/* TODO: notify upper layer */
struct bt_hci_s *s = opaque;
Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/bt/hid.c
===================================================================
--- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/hw/bt/hid.c
+++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/bt/hid.c
@@ -168,7 +168,7 @@ static void bt_hid_disconnect(struct bt_
}
static void bt_hid_send_data(struct bt_l2cap_conn_params_s *ch, int type,
- const uint8_t *data, int len)
+ const uint8_t *data, size_t len)
{
uint8_t *pkt, hdr = (BT_DATA << 4) | type;
int plen;
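Review bot: `len` becomes `size_t` but `plen`, declared on the line below it, stays `int`; if `plen` is derived from `len` further down (outside the hunk), the narrowing conversion reintroduces a signed length right where the packet is sized, and `-Wconversion` would report it. Declaring `size_t plen;` keeps the whole path unsigned; the same pattern appears with `int rlen` in bt_hid_control_transaction in the next hunk. bt_hid_send_data continues past the hunk.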
@@ -189,7 +189,7 @@ static void bt_hid_send_data(struct bt_l
}
static void bt_hid_control_transaction(struct bt_hid_device_s *s,
- const uint8_t *data, int len)
+ const uint8_t *data, size_t len)
{
uint8_t type, parameter;
int rlen, ret = -1;
@@ -361,7 +361,7 @@ static void bt_hid_control_transaction(s
bt_hid_send_handshake(s, ret);
}
-static void bt_hid_control_sdu(void *opaque, const uint8_t *data, int len)
+static void bt_hid_control_sdu(void *opaque, const uint8_t *data, size_t len)
{
struct bt_hid_device_s *hid = opaque;
@@ -387,7 +387,7 @@ static void bt_hid_datain(HIDState *hs)
hid->datain.buffer, hid->datain.len);
}
-static void bt_hid_interrupt_sdu(void *opaque, const uint8_t *data, int len)
+static void bt_hid_interrupt_sdu(void *opaque, const uint8_t *data, size_t len)
{
struct bt_hid_device_s *hid = opaque;