File CVE-2018-19665-qemuu-Integer-overflow-in-Bluetooth-routines-allows-memory-corruption.patch of Package xen
The length parameter values are not negative, thus use an unsigned type 'size_t' for them. Many routines pass 'len' values to memcpy(3) calls. If it was negative, it could lead to memory corruption issues.
Reported-by: Arash TC <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
 bt-host.c | 6 ++---
 bt-vhci.c | 4 +--
 hw/bt/core.c | 2 +-
 hw/bt/hci-csr.c | 16 ++++++------
 hw/bt/hci.c | 38 ++++++++++++++--------------
 hw/bt/hid.c | 8 +++---
 hw/bt/l2cap.c | 56 ++++++++++++++++++++++--------------------
 hw/bt/sdp.c | 6 ++---
 hw/usb/dev-bluetooth.c | 6 ++---
 include/hw/bt.h | 8 +++---
 include/sysemu/bt.h | 10 ++++----
 11 files changed, 81 insertions(+), 79 deletions(-)
This change is similar to -> https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg02402.html
Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/bt-host.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/bt-host.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/bt-host.c
@@ -63,17 +63,17 @@ static void bt_host_send(struct HCIInfo
 }
 }
-static void bt_host_cmd(struct HCIInfo *hci, const uint8_t *data, int len)
+static void bt_host_cmd(struct HCIInfo *hci, const uint8_t *data, size_t len)
 {
 bt_host_send(hci, HCI_COMMAND_PKT, data, len);
 }
-static void bt_host_acl(struct HCIInfo *hci, const uint8_t *data, int len)
+static void bt_host_acl(struct HCIInfo *hci, const uint8_t *data, size_t len)
 {
 bt_host_send(hci, HCI_ACLDATA_PKT, data, len);
 }
-static void bt_host_sco(struct HCIInfo *hci, const uint8_t *data, int len)
+static void bt_host_sco(struct HCIInfo *hci, const uint8_t *data, size_t len)
 {
 bt_host_send(hci, HCI_SCODATA_PKT, data, len);
 }
Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/bt-vhci.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/bt-vhci.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/bt-vhci.c
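Review bot: The description's diffstat names include/hw/bt.h, include/sysemu/bt.h, hw/bt/l2cap.c, hw/bt/sdp.c and hw/usb/dev-bluetooth.c, yet no hunk for any of them follows in this backport (a vl.c hunk appears instead), so it is unclear whether the HCIInfo callback prototypes that bt_host_cmd/bt_host_acl/bt_host_sco are presumably assigned to were also changed to `size_t len`. If those prototypes still declare `int len`, the retyped functions no longer match the pointer type, and the `len` these wrappers forward to bt_host_send (whose definition starts above this hunk, parameter type not visible) would be narrowed back to int at the boundary, undoing the point of the change. Suggest either carrying the header and l2cap.c hunks in this patch or stating in the description why this qemu tree does not need them.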
@@ -124,13 +124,13 @@ static void vhci_host_send(void *opaque,
 }
 static void vhci_out_hci_packet_event(void *opaque,
- const uint8_t *data, int len)
+ const uint8_t *data, size_t len)
 {
 vhci_host_send(opaque, HCI_EVENT_PKT, data, len);
 }
 static void vhci_out_hci_packet_acl(void *opaque,
- const uint8_t *data, int len)
+ const uint8_t *data, size_t len)
 {
 vhci_host_send(opaque, HCI_ACLDATA_PKT, data, len);
 }
Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/bt/core.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/bt/core.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/bt/core.c
@@ -45,7 +45,7 @@ static void bt_dummy_lmp_disconnect_mast
 }
 static void bt_dummy_lmp_acl_resp(struct bt_link_s *link,
- const uint8_t *data, int start, int len)
+ const uint8_t *data, int start, size_t len)
 {
 fprintf(stderr, "%s: stray ACL response PDU, fixme\n", __FUNCTION__);
 exit(-1);
Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/bt/hci-csr.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/bt/hci-csr.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/bt/hci-csr.c
@@ -91,7 +91,7 @@ static inline void csrhci_fifo_wake(stru
 }
 #define csrhci_out_packetz(s, len) memset(csrhci_out_packet(s, len), 0, len)
-static uint8_t *csrhci_out_packet(struct csrhci_s *s, int len)
+static uint8_t *csrhci_out_packet(struct csrhci_s *s, size_t len)
 {
 int off = s->out_start + s->out_len;
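Review bot: In csrhci_out_packet the local `int off = s->out_start + s->out_len;` is kept while `len` becomes `size_t`, so the `off + len > FIFO_LEN` and `(s->out_size = off + len)` expressions in the following hunk now mix a signed int with an unsigned size_t. A negative `off` would wrap to a large unsigned value and trip the first bounds check, which is the safe direction, but the result stored into `s->out_size` is now a size_t and the field's declared type is not visible here. If `out_start` and `out_len` are unsigned, `size_t off = s->out_start + s->out_len;` keeps the arithmetic in one type; otherwise a comment at the declaration stating why `off` cannot be negative would help. The body of csrhci_out_packet continues past the end of this hunk.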
@@ -100,14 +100,14 @@ static uint8_t *csrhci_out_packet(struct
 if (off < FIFO_LEN) {
 if (off + len > FIFO_LEN && (s->out_size = off + len) > FIFO_LEN * 2) {
- fprintf(stderr, "%s: can't alloc %i bytes\n", __FUNCTION__, len);
+ fprintf(stderr, "%s: can't alloc %zu bytes\n", __FUNCTION__, len);
 exit(-1);
 }
 return s->outfifo + off;
 }
 if (s->out_len > s->out_size) {
- fprintf(stderr, "%s: can't alloc %i bytes\n", __FUNCTION__, len);
+ fprintf(stderr, "%s: can't alloc %zu bytes\n", __FUNCTION__, len);
 exit(-1);
 }
@@ -115,7 +115,7 @@ static uint8_t *csrhci_out_packet(struct
 }
 static inline uint8_t *csrhci_out_packet_csr(struct csrhci_s *s,
- int type, int len)
+ int type, size_t len)
 {
 uint8_t *ret = csrhci_out_packetz(s, len + 2);
@@ -126,7 +126,7 @@ static inline uint8_t *csrhci_out_packet
 }
 static inline uint8_t *csrhci_out_packet_event(struct csrhci_s *s,
- int evt, int len)
+ int evt, size_t len)
 {
 uint8_t *ret = csrhci_out_packetz(s, len + 1 + sizeof(struct hci_event_hdr));
@@ -139,7 +139,7 @@ static inline uint8_t *csrhci_out_packet
 }
 static void csrhci_in_packet_vendor(struct csrhci_s *s, int ocf,
- uint8_t *data, int len)
+ uint8_t *data, size_t len)
 {
 int offset;
 uint8_t *rpkt;
@@ -329,7 +329,7 @@ static size_t csrhci_write(struct CharDr
 }
 static void csrhci_out_hci_packet_event(void *opaque,
- const uint8_t *data, int len)
+ const uint8_t *data, size_t len)
 {
 struct csrhci_s *s = (struct csrhci_s *) opaque;
 uint8_t *pkt = csrhci_out_packet(s, (len + 2) & ~1); /* Align */
@@ -341,7 +341,7 @@ static void csrhci_out_hci_packet_event(
 }
 static void csrhci_out_hci_packet_acl(void *opaque,
- const uint8_t *data, int len)
+ const uint8_t *data, size_t len)
 {
 struct csrhci_s *s = (struct csrhci_s *) opaque;
 uint8_t *pkt = csrhci_out_packet(s, (len + 2) & ~1); /* Align */
Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/bt/hci.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/bt/hci.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/bt/hci.c
@@ -26,7 +26,7 @@ struct bt_hci_s {
 uint8_t *(*evt_packet)(void *opaque);
- void (*evt_submit)(void *opaque, int len);
+ void (*evt_submit)(void *opaque, size_t len);
 void *opaque;
 uint8_t evt_buf[256];
@@ -56,7 +56,7 @@ struct bt_hci_s {
 struct bt_hci_master_link_s {
 struct bt_link_s *link;
 void (*lmp_acl_data)(struct bt_link_s *link,
- const uint8_t *data, int start, int len);
+ const uint8_t *data, int start, size_t len);
 QEMUTimer *acl_mode_timer;
 } handle[HCI_HANDLES_MAX];
 uint32_t role_bmp;
@@ -430,13 +430,13 @@ static const uint8_t bt_event_reserved_m
 };
 static inline uint8_t *bt_hci_event_start(struct bt_hci_s *hci,
- int evt, int len)
+ int evt, size_t len)
 {
 uint8_t *packet, mask;
 int mask_byte;
 if (len > 255) {
- fprintf(stderr, "%s: HCI event params too long (%ib)\n",
+ fprintf(stderr, "%s: HCI event params too long (%zub)\n",
 __FUNCTION__, len);
 exit(-1);
 }
@@ -454,7 +454,7 @@ static inline uint8_t *bt_hci_event_star
 }
 static inline void bt_hci_event(struct bt_hci_s *hci, int evt,
- void *params, int len)
+ void *params, size_t len)
 {
 uint8_t *packet = bt_hci_event_start(hci, evt, len);
@@ -479,7 +479,7 @@ static inline void bt_hci_event_status(s
 }
 static inline void bt_hci_event_complete(struct bt_hci_s *hci,
- void *ret, int len)
+ void *ret, size_t len)
 {
 uint8_t *packet = bt_hci_event_start(hci, EVT_CMD_COMPLETE, len + EVT_CMD_COMPLETE_SIZE);
@@ -1457,7 +1457,7 @@ static inline void bt_hci_event_num_comp
 }
 static void bt_submit_hci(struct HCIInfo *info,
- const uint8_t *data, int length)
+ const uint8_t *data, size_t length)
 {
 struct bt_hci_s *hci = hci_from_info(info);
 uint16_t cmd;
@@ -1952,7 +1952,7 @@ static void bt_submit_hci(struct HCIInfo
 break;
 short_hci:
- fprintf(stderr, "%s: HCI packet too short (%iB)\n",
+ fprintf(stderr, "%s: HCI packet too short (%zuB)\n",
 __FUNCTION__, length);
 bt_hci_event_status(hci, HCI_INVALID_PARAMETERS);
 break;
@@ -1964,7 +1964,7 @@ static void bt_submit_hci(struct HCIInfo
 * know that a packet contained the last fragment of the SDU when the next
 * SDU starts. */
 static inline void bt_hci_lmp_acl_data(struct bt_hci_s *hci, uint16_t handle,
- const uint8_t *data, int start, int len)
+ const uint8_t *data, int start, size_t len)
 {
 struct hci_acl_hdr *pkt = (void *) hci->acl_buf;
@@ -1972,7 +1972,7 @@ static inline void bt_hci_lmp_acl_data(s
 /* TODO: avoid memcpy'ing */
 if (len + HCI_ACL_HDR_SIZE > sizeof(hci->acl_buf)) {
- fprintf(stderr, "%s: can't take ACL packets %i bytes long\n",
+ fprintf(stderr, "%s: can't take ACL packets %zu bytes long\n",
 __FUNCTION__, len);
 return;
 }
@@ -1986,7 +1986,7 @@ static inline void bt_hci_lmp_acl_data(s
 }
 static void bt_hci_lmp_acl_data_slave(struct bt_link_s *btlink,
- const uint8_t *data, int start, int len)
+ const uint8_t *data, int start, size_t len)
 {
 struct bt_hci_link_s *link = (struct bt_hci_link_s *) btlink;
@@ -1995,14 +1995,14 @@ static void bt_hci_lmp_acl_data_slave(st
 }
 static void bt_hci_lmp_acl_data_host(struct bt_link_s *link,
- const uint8_t *data, int start, int len)
+ const uint8_t *data, int start, size_t len)
 {
 bt_hci_lmp_acl_data(hci_from_device(link->host), link->handle,
 data, start, len);
 }
 static void bt_submit_acl(struct HCIInfo *info,
- const uint8_t *data, int length)
+ const uint8_t *data, size_t length)
 {
 struct bt_hci_s *hci = hci_from_info(info);
 uint16_t handle;
@@ -2010,7 +2010,7 @@ static void bt_submit_acl(struct HCIInfo
 struct bt_link_s *link;
 if (length < HCI_ACL_HDR_SIZE) {
- fprintf(stderr, "%s: ACL packet too short (%iB)\n",
+ fprintf(stderr, "%s: ACL packet too short (%zuB)\n",
 __FUNCTION__, length);
 return;
 }
@@ -2030,7 +2030,7 @@ static void bt_submit_acl(struct HCIInfo
 handle &= ~HCI_HANDLE_OFFSET;
 if (datalen > length) {
- fprintf(stderr, "%s: ACL packet too short (%iB < %iB)\n",
+ fprintf(stderr, "%s: ACL packet too short (%zuB < %iB)\n",
 __FUNCTION__, length, datalen);
 return;
 }
@@ -2072,7 +2072,7 @@ static void bt_submit_acl(struct HCIInfo
 }
 static void bt_submit_sco(struct HCIInfo *info,
- const uint8_t *data, int length)
+ const uint8_t *data, size_t length)
 {
 struct bt_hci_s *hci = hci_from_info(info);
 uint16_t handle;
@@ -2092,7 +2092,7 @@ static void bt_submit_sco(struct HCIInfo
 }
 if (datalen > length) {
- fprintf(stderr, "%s: SCO packet too short (%iB < %iB)\n",
+ fprintf(stderr, "%s: SCO packet too short (%zuB < %iB)\n",
 __FUNCTION__, length, datalen);
 return;
 }
@@ -2113,7 +2113,7 @@ static uint8_t *bt_hci_evt_packet(void *
 return s->evt_buf;
 }
-static void bt_hci_evt_submit(void *opaque, int len)
+static void bt_hci_evt_submit(void *opaque, size_t len)
 {
 /* TODO: notify upper layer */
 struct bt_hci_s *s = opaque;
Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/bt/hid.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/bt/hid.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/bt/hid.c
@@ -168,7 +168,7 @@ static void bt_hid_disconnect(struct bt_
 }
 static void bt_hid_send_data(struct bt_l2cap_conn_params_s *ch, int type,
- const uint8_t *data, int len)
+ const uint8_t *data, size_t len)
 {
 uint8_t *pkt, hdr = (BT_DATA << 4) | type;
 int plen;
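Review bot: In bt_submit_acl the guard `if (datalen > length)` at @@ -2030 now compares `datalen`, still printed with `%i` and therefore an int-like type, against the size_t `length`; the int is converted to size_t for the comparison, which is only correct if `datalen` can never be negative (presumably it is decoded from the 16-bit ACL header, which is outside the hunk), and -Wsign-compare will flag the mix. The same pattern is in the bt_submit_sco hunk at @@ -2092. Consider giving `datalen` an unsigned type and printing it with `%u`, or leaving a comment at the comparison that its source is a 16-bit field so the signed/unsigned comparison is known to be safe.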
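Review bot: bt_hid_send_data now takes `size_t len` but keeps `int plen;` on the last line of the @@ -168 hunk, and bt_hid_control_transaction in the next hunk (@@ -189) likewise keeps `int rlen`; if either local is derived from `len`, the length is narrowed back to a signed int inside the function and any later copy driven by it is again governed by a signed length, which is what this commit sets out to remove. The rest of both functions lies outside the hunks, so this is inferred from the declarations only; worth checking how `plen` and `rlen` are computed and making them `size_t` where they carry a byte count.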
@@ -189,7 +189,7 @@ static void bt_hid_send_data(struct bt_l
 }
 static void bt_hid_control_transaction(struct bt_hid_device_s *s,
- const uint8_t *data, int len)
+ const uint8_t *data, size_t len)
 {
 uint8_t type, parameter;
 int rlen, ret = -1;
@@ -361,7 +361,7 @@ static void bt_hid_control_transaction(s
 bt_hid_send_handshake(s, ret);
 }
-static void bt_hid_control_sdu(void *opaque, const uint8_t *data, int len)
+static void bt_hid_control_sdu(void *opaque, const uint8_t *data, size_t len)
 {
 struct bt_hid_device_s *hid = opaque;
@@ -387,7 +387,7 @@ static void bt_hid_datain(HIDState *hs)
 hid->datain.buffer, hid->datain.len);
 }
-static void bt_hid_interrupt_sdu(void *opaque, const uint8_t *data, int len)
+static void bt_hid_interrupt_sdu(void *opaque, const uint8_t *data, size_t len)
 {
 struct bt_hid_device_s *hid = opaque;
Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/vl.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/vl.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/vl.c
@@ -866,7 +866,7 @@ static struct bt_scatternet_s *qemu_find
 return &vlan->net;
 }
-static void null_hci_send(struct HCIInfo *hci, const uint8_t *data, int len)
+static void null_hci_send(struct HCIInfo *hci, const uint8_t *data, size_t len)
 {
 }