File CVE-2018-19665-qemut-Integer-overflow-in-Bluetooth-routines-allows-memory-corruption.patch of Package xen.openSUSE_Leap_42.3_Update
The length parameter values are never negative, so use the unsigned
type 'size_t' for them. Many routines pass 'len' values to memcpy(3)
calls; if one of them were negative, it could lead to memory corruption.
Reported-by: Arash TC <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
bt-host.c | 6 ++---
bt-vhci.c | 4 +--
hw/bt/core.c | 2 +-
hw/bt/hci-csr.c | 16 ++++++------
hw/bt/hci.c | 38 ++++++++++++++--------------
hw/bt/hid.c | 8 +++---
hw/bt/l2cap.c | 56 ++++++++++++++++++++++--------------------
hw/bt/sdp.c | 6 ++---
hw/usb/dev-bluetooth.c | 6 ++---
include/hw/bt.h | 8 +++---
include/sysemu/bt.h | 10 ++++----
11 files changed, 81 insertions(+), 79 deletions(-)
This change is similar to
-> https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg02402.html
Index: xen-4.9.3-testing/tools/qemu-xen-traditional-dir-remote/bt-host.c
===================================================================
--- xen-4.9.3-testing.orig/tools/qemu-xen-traditional-dir-remote/bt-host.c
+++ xen-4.9.3-testing/tools/qemu-xen-traditional-dir-remote/bt-host.c
@@ -69,17 +69,17 @@ static void bt_host_send(struct HCIInfo
}
}
-static void bt_host_cmd(struct HCIInfo *hci, const uint8_t *data, int len)
+static void bt_host_cmd(struct HCIInfo *hci, const uint8_t *data, size_t len)
{
bt_host_send(hci, HCI_COMMAND_PKT, data, len);
}
-static void bt_host_acl(struct HCIInfo *hci, const uint8_t *data, int len)
+static void bt_host_acl(struct HCIInfo *hci, const uint8_t *data, size_t len)
{
bt_host_send(hci, HCI_ACLDATA_PKT, data, len);
}
-static void bt_host_sco(struct HCIInfo *hci, const uint8_t *data, int len)
+static void bt_host_sco(struct HCIInfo *hci, const uint8_t *data, size_t len)
{
bt_host_send(hci, HCI_SCODATA_PKT, data, len);
}
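Review bot: The three wrappers now take `size_t len` but hand it straight to bt_host_send, whose parameter list is cut off by the hunk header and, going by the diffstat (bt-host.c: 3 insertions, 3 deletions), is not touched by this patch. If bt_host_send still declares `int len`, each call here narrows the unsigned value back to a signed one, so the type change stops at this boundary and a length above INT_MAX would still arrive as a negative count at the point that actually writes the packet. Either change bt_host_send's `len` to `size_t` in the same patch or add a comment on the wrappers stating why the narrowing is acceptable. The same question applies to vhci_host_send in the bt-vhci.c hunk, which the diffstat likewise leaves unchanged.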
Index: xen-4.9.3-testing/tools/qemu-xen-traditional-dir-remote/bt-vhci.c
===================================================================
--- xen-4.9.3-testing.orig/tools/qemu-xen-traditional-dir-remote/bt-vhci.c
+++ xen-4.9.3-testing/tools/qemu-xen-traditional-dir-remote/bt-vhci.c
@@ -126,13 +126,13 @@ static void vhci_host_send(void *opaque,
}
static void vhci_out_hci_packet_event(void *opaque,
- const uint8_t *data, int len)
+ const uint8_t *data, size_t len)
{
vhci_host_send(opaque, HCI_EVENT_PKT, data, len);
}
static void vhci_out_hci_packet_acl(void *opaque,
- const uint8_t *data, int len)
+ const uint8_t *data, size_t len)
{
vhci_host_send(opaque, HCI_ACLDATA_PKT, data, len);
}
Index: xen-4.9.3-testing/tools/qemu-xen-traditional-dir-remote/hw/bt.c
===================================================================
--- xen-4.9.3-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/bt.c
+++ xen-4.9.3-testing/tools/qemu-xen-traditional-dir-remote/hw/bt.c
@@ -46,7 +46,7 @@ static void bt_dummy_lmp_disconnect_mast
}
static void bt_dummy_lmp_acl_resp(struct bt_link_s *link,
- const uint8_t *data, int start, int len)
+ const uint8_t *data, int start, size_t len)
{
fprintf(stderr, "%s: stray ACL response PDU, fixme\n", __FUNCTION__);
exit(-1);
Index: xen-4.9.3-testing/tools/qemu-xen-traditional-dir-remote/hw/bt-hci-csr.c
===================================================================
--- xen-4.9.3-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/bt-hci-csr.c
+++ xen-4.9.3-testing/tools/qemu-xen-traditional-dir-remote/hw/bt-hci-csr.c
@@ -93,7 +93,7 @@ static inline void csrhci_fifo_wake(stru
}
#define csrhci_out_packetz(s, len) memset(csrhci_out_packet(s, len), 0, len)
-static uint8_t *csrhci_out_packet(struct csrhci_s *s, int len)
+static uint8_t *csrhci_out_packet(struct csrhci_s *s, size_t len)
{
int off = s->out_start + s->out_len;
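Review bot: `off` on the last line of this hunk stays `int` while `len` becomes `size_t`, so in the following hunk `off + len > FIFO_LEN` and `s->out_size = off + len` are evaluated in `size_t`. A negative `off` (only possible if out_start/out_len can underflow, which is not visible here) would wrap to a huge value and trip the check rather than index the FIFO, which is fail-safe, but the result is then stored into `s->out_size`, whose declared type is not shown and which would silently narrow the sum if it is `int`. I would change the declaration to `size_t off = s->out_start + s->out_len;` and confirm `out_size` has a matching unsigned width, so the comparison and the stored size agree. csrhci_out_packet's body continues past the next hunk.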
@@ -102,14 +102,14 @@ static uint8_t *csrhci_out_packet(struct
if (off < FIFO_LEN) {
if (off + len > FIFO_LEN && (s->out_size = off + len) > FIFO_LEN * 2) {
- fprintf(stderr, "%s: can't alloc %i bytes\n", __FUNCTION__, len);
+ fprintf(stderr, "%s: can't alloc %zu bytes\n", __FUNCTION__, len);
exit(-1);
}
return s->outfifo + off;
}
if (s->out_len > s->out_size) {
- fprintf(stderr, "%s: can't alloc %i bytes\n", __FUNCTION__, len);
+ fprintf(stderr, "%s: can't alloc %zu bytes\n", __FUNCTION__, len);
exit(-1);
}
@@ -117,7 +117,7 @@ static uint8_t *csrhci_out_packet(struct
}
static inline uint8_t *csrhci_out_packet_csr(struct csrhci_s *s,
- int type, int len)
+ int type, size_t len)
{
uint8_t *ret = csrhci_out_packetz(s, len + 2);
@@ -128,7 +128,7 @@ static inline uint8_t *csrhci_out_packet
}
static inline uint8_t *csrhci_out_packet_event(struct csrhci_s *s,
- int evt, int len)
+ int evt, size_t len)
{
uint8_t *ret = csrhci_out_packetz(s,
len + 1 + sizeof(struct hci_event_hdr));
@@ -141,7 +141,7 @@ static inline uint8_t *csrhci_out_packet
}
static void csrhci_in_packet_vendor(struct csrhci_s *s, int ocf,
- uint8_t *data, int len)
+ uint8_t *data, size_t len)
{
int offset;
uint8_t *rpkt;
@@ -331,7 +331,7 @@ static int csrhci_write(struct CharDrive
}
static void csrhci_out_hci_packet_event(void *opaque,
- const uint8_t *data, int len)
+ const uint8_t *data, size_t len)
{
struct csrhci_s *s = (struct csrhci_s *) opaque;
uint8_t *pkt = csrhci_out_packet(s, (len + 2) & ~1); /* Align */
@@ -343,7 +343,7 @@ static void csrhci_out_hci_packet_event(
}
static void csrhci_out_hci_packet_acl(void *opaque,
- const uint8_t *data, int len)
+ const uint8_t *data, size_t len)
{
struct csrhci_s *s = (struct csrhci_s *) opaque;
uint8_t *pkt = csrhci_out_packet(s, (len + 2) & ~1); /* Align */
Index: xen-4.9.3-testing/tools/qemu-xen-traditional-dir-remote/hw/bt-hci.c
===================================================================
--- xen-4.9.3-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/bt-hci.c
+++ xen-4.9.3-testing/tools/qemu-xen-traditional-dir-remote/hw/bt-hci.c
@@ -28,7 +28,7 @@
struct bt_hci_s {
uint8_t *(*evt_packet)(void *opaque);
- void (*evt_submit)(void *opaque, int len);
+ void (*evt_submit)(void *opaque, size_t len);
void *opaque;
uint8_t evt_buf[256];
@@ -58,7 +58,7 @@ struct bt_hci_s {
struct bt_hci_master_link_s {
struct bt_link_s *link;
void (*lmp_acl_data)(struct bt_link_s *link,
- const uint8_t *data, int start, int len);
+ const uint8_t *data, int start, size_t len);
QEMUTimer *acl_mode_timer;
} handle[HCI_HANDLES_MAX];
uint32_t role_bmp;
@@ -432,13 +432,13 @@ static const uint8_t bt_event_reserved_m
};
static inline uint8_t *bt_hci_event_start(struct bt_hci_s *hci,
- int evt, int len)
+ int evt, size_t len)
{
uint8_t *packet, mask;
int mask_byte;
if (len > 255) {
- fprintf(stderr, "%s: HCI event params too long (%ib)\n",
+ fprintf(stderr, "%s: HCI event params too long (%zub)\n",
__FUNCTION__, len);
exit(-1);
}
@@ -456,7 +456,7 @@ static inline uint8_t *bt_hci_event_star
}
static inline void bt_hci_event(struct bt_hci_s *hci, int evt,
- void *params, int len)
+ void *params, size_t len)
{
uint8_t *packet = bt_hci_event_start(hci, evt, len);
@@ -481,7 +481,7 @@ static inline void bt_hci_event_status(s
}
static inline void bt_hci_event_complete(struct bt_hci_s *hci,
- void *ret, int len)
+ void *ret, size_t len)
{
uint8_t *packet = bt_hci_event_start(hci, EVT_CMD_COMPLETE,
len + EVT_CMD_COMPLETE_SIZE);
@@ -1460,7 +1460,7 @@ static inline void bt_hci_event_num_comp
}
static void bt_submit_hci(struct HCIInfo *info,
- const uint8_t *data, int length)
+ const uint8_t *data, size_t length)
{
struct bt_hci_s *hci = hci_from_info(info);
uint16_t cmd;
@@ -1955,7 +1955,7 @@ static void bt_submit_hci(struct HCIInfo
break;
short_hci:
- fprintf(stderr, "%s: HCI packet too short (%iB)\n",
+ fprintf(stderr, "%s: HCI packet too short (%zuB)\n",
__FUNCTION__, length);
bt_hci_event_status(hci, HCI_INVALID_PARAMETERS);
break;
@@ -1967,7 +1967,7 @@ static void bt_submit_hci(struct HCIInfo
* know that a packet contained the last fragment of the SDU when the next
* SDU starts. */
static inline void bt_hci_lmp_acl_data(struct bt_hci_s *hci, uint16_t handle,
- const uint8_t *data, int start, int len)
+ const uint8_t *data, int start, size_t len)
{
struct hci_acl_hdr *pkt = (void *) hci->acl_buf;
@@ -1975,7 +1975,7 @@ static inline void bt_hci_lmp_acl_data(s
/* TODO: avoid memcpy'ing */
if (len + HCI_ACL_HDR_SIZE > sizeof(hci->acl_buf)) {
- fprintf(stderr, "%s: can't take ACL packets %i bytes long\n",
+ fprintf(stderr, "%s: can't take ACL packets %zu bytes long\n",
__FUNCTION__, len);
return;
}
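Review bot: `start` on the signature line keeps its `int` type while `len` becomes `size_t`, and the bound check in this hunk constrains only `len + HCI_ACL_HDR_SIZE` against `sizeof(hci->acl_buf)`; whatever the rest of the body (outside the hunk) does with `start` to address `data` is therefore still reached with a signed offset that this patch does not validate. If `start` is always computed internally by the reassembly logic that is fine, but the parameter deserves a comment recording that invariant, e.g. `/* start: byte offset of this fragment within the SDU; caller guarantees 0 <= start <= len */`, or, if a peer can influence it, the same `size_t` treatment as `len`. The signed `start` also remains in the `lmp_acl_data` callback type and in bt_hci_lmp_acl_data_slave/_host in the later hunks.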
@@ -1989,7 +1989,7 @@ static inline void bt_hci_lmp_acl_data(s
}
static void bt_hci_lmp_acl_data_slave(struct bt_link_s *btlink,
- const uint8_t *data, int start, int len)
+ const uint8_t *data, int start, size_t len)
{
struct bt_hci_link_s *link = (struct bt_hci_link_s *) btlink;
@@ -1998,14 +1998,14 @@ static void bt_hci_lmp_acl_data_slave(st
}
static void bt_hci_lmp_acl_data_host(struct bt_link_s *link,
- const uint8_t *data, int start, int len)
+ const uint8_t *data, int start, size_t len)
{
bt_hci_lmp_acl_data(hci_from_device(link->host),
link->handle, data, start, len);
}
static void bt_submit_acl(struct HCIInfo *info,
- const uint8_t *data, int length)
+ const uint8_t *data, size_t length)
{
struct bt_hci_s *hci = hci_from_info(info);
uint16_t handle;
@@ -2013,7 +2013,7 @@ static void bt_submit_acl(struct HCIInfo
struct bt_link_s *link;
if (length < HCI_ACL_HDR_SIZE) {
- fprintf(stderr, "%s: ACL packet too short (%iB)\n",
+ fprintf(stderr, "%s: ACL packet too short (%zuB)\n",
__FUNCTION__, length);
return;
}
@@ -2033,7 +2033,7 @@ static void bt_submit_acl(struct HCIInfo
handle &= ~HCI_HANDLE_OFFSET;
if (datalen > length) {
- fprintf(stderr, "%s: ACL packet too short (%iB < %iB)\n",
+ fprintf(stderr, "%s: ACL packet too short (%zuB < %iB)\n",
__FUNCTION__, length, datalen);
return;
}
@@ -2075,7 +2075,7 @@ static void bt_submit_acl(struct HCIInfo
}
static void bt_submit_sco(struct HCIInfo *info,
- const uint8_t *data, int length)
+ const uint8_t *data, size_t length)
{
struct bt_hci_s *hci = hci_from_info(info);
struct bt_link_s *link;
@@ -2098,7 +2098,7 @@ static void bt_submit_sco(struct HCIInfo
handle &= ~HCI_HANDLE_OFFSET;
if (datalen > length) {
- fprintf(stderr, "%s: SCO packet too short (%iB < %iB)\n",
+ fprintf(stderr, "%s: SCO packet too short (%zuB < %iB)\n",
__FUNCTION__, length, datalen);
return;
}
@@ -2120,7 +2120,7 @@ static uint8_t *bt_hci_evt_packet(void *
return s->evt_buf;
}
-static void bt_hci_evt_submit(void *opaque, int len)
+static void bt_hci_evt_submit(void *opaque, size_t len)
{
/* TODO: notify upper layer */
struct bt_hci_s *s = opaque;
Index: xen-4.9.3-testing/tools/qemu-xen-traditional-dir-remote/hw/bt-hid.c
===================================================================
--- xen-4.9.3-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/bt-hid.c
+++ xen-4.9.3-testing/tools/qemu-xen-traditional-dir-remote/hw/bt-hid.c
@@ -180,7 +180,7 @@ static void bt_hid_disconnect(struct bt_
}
static void bt_hid_send_data(struct bt_l2cap_conn_params_s *ch, int type,
- const uint8_t *data, int len)
+ const uint8_t *data, size_t len)
{
uint8_t *pkt, hdr = (BT_DATA << 4) | type;
int plen;
@@ -201,7 +201,7 @@ static void bt_hid_send_data(struct bt_l
}
static void bt_hid_control_transaction(struct bt_hid_device_s *s,
- const uint8_t *data, int len)
+ const uint8_t *data, size_t len)
{
uint8_t type, parameter;
int rlen, ret = -1;
@@ -378,7 +378,7 @@ static void bt_hid_control_transaction(s
bt_hid_send_handshake(s, ret);
}
-static void bt_hid_control_sdu(void *opaque, const uint8_t *data, int len)
+static void bt_hid_control_sdu(void *opaque, const uint8_t *data, size_t len)
{
struct bt_hid_device_s *hid = opaque;
@@ -403,7 +403,7 @@ static void bt_hid_datain(void *opaque)
hid->datain.buffer, hid->datain.len);
}
-static void bt_hid_interrupt_sdu(void *opaque, const uint8_t *data, int len)
+static void bt_hid_interrupt_sdu(void *opaque, const uint8_t *data, size_t len)
{
struct bt_hid_device_s *hid = opaque;
Index: xen-4.9.3-testing/tools/qemu-xen-traditional-dir-remote/vl.c
===================================================================
--- xen-4.9.3-testing.orig/tools/qemu-xen-traditional-dir-remote/vl.c
+++ xen-4.9.3-testing/tools/qemu-xen-traditional-dir-remote/vl.c
@@ -2026,7 +2026,7 @@ static struct bt_scatternet_s *qemu_find
return &vlan->net;
}
-static void null_hci_send(struct HCIInfo *hci, const uint8_t *data, int len)
+static void null_hci_send(struct HCIInfo *hci, const uint8_t *data, size_t len)
{
}