From: Tedd Ho-Jeong An <[email protected]>
This patch fixes the out-of-bounds array access caught by ASAN.
monitor/sdp.c:497:19: runtime error: index 8 out of bounds for type 'cont_data [8]'
=================================================================
==4180==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fe2d271a542 at pc 0x7fe2d174a57d bp 0x7ffc6dcac1d0 sp 0x7ffc6dcab978
WRITE of size 9 at 0x7fe2d271a542 thread T0
    #0 0x7fe2d174a57c (/lib/x86_64-linux-gnu/libasan.so.5+0x9b57c)
    #1 0x7fe2d23bae85 in search_attr_rsp monitor/sdp.c:692
    #2 0x7fe2d23be3f1 in sdp_packet monitor/sdp.c:771
    #3 0x7fe2d23b004c in l2cap_frame monitor/l2cap.c:3247
    #4 0x7fe2d23b3d9c in l2cap_packet monitor/l2cap.c:3312
    #5 0x7fe2d237d5c3 in packet_hci_acldata monitor/packet.c:11638
    #6 0x7fe2d2381876 in packet_monitor monitor/packet.c:3967
    #7 0x7fe2d230b285 in data_callback monitor/control.c:973
    #8 0x7fe2d2447029 in mainloop_run src/shared/mainloop.c:106
    #9 0x7fe2d2449306 in mainloop_run_with_signal src/shared/mainloop-notify.c:188
    #10 0x7fe2d230324a in main monitor/main.c:290
    #11 0x7fe2d0b440b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #12 0x7fe2d2303b7d in _start (/home/han1/work/dev/bluez/monitor/btmon+0x1dbb7d)
0x7fe2d271a542 is located 30 bytes to the left of global variable 'tid_list' defined in 'monitor/sdp.c:43:24' (0x7fe2d271a560) of size 384
0x7fe2d271a542 is located 2 bytes to the right of global variable 'cont_list' defined in 'monitor/sdp.c:424:25' (0x7fe2d271a400) of size 320
SUMMARY: AddressSanitizer: global-buffer-overflow (/lib/x86_64-linux-gnu/libasan.so.5+0x9b57c)
...
==4180==ABORTING
---
monitor/sdp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/monitor/sdp.c b/monitor/sdp.c
index 10bc0a121..daf9a9da8 100644
--- a/monitor/sdp.c
+++ b/monitor/sdp.c
@@ -494,7 +494,7 @@ static void handle_continuation(struct tid_data *tid, bool nested,
cont_list[n].data = NULL;
cont_list[n].size = 0;
} else
- memcpy(cont_list[i].cont, data + bytes, data[bytes] + 1);
+ memcpy(cont_list[n].cont, data + bytes, data[bytes] + 1);
}
static uint16_t common_rsp(const struct l2cap_frame *frame,
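Review bot: the copy length `data[bytes] + 1` in the retained `else` branch is taken straight from the packet and is not checked in this hunk against the size of `cont_list[n].cont`. Switching the index from `i` to `n` does address the slot ASAN flagged (index 8 of `cont_data [8]`, i.e. a loop counter that ran past the end of the table), but the ASAN report also shows `cont_list` is 320 bytes for 8 entries, so each `cont` buffer is under 40 bytes while a length byte can make the copy up to 256 bytes; an oversized continuation state would then overflow inside the slot rather than past the table. If `handle_continuation` or its caller already bounds `data[bytes]` before this point, a short comment saying so would help; otherwise add a guard such as `if (data[bytes] + 1 > sizeof(cont_list[n].cont)) return;` before the memcpy.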
--
2.25.1
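As an added illustration of the bug class behind this fix, not code from BlueZ: the model below reconstructs a continuation-state table of 8 slots (the `cont_data [8]` from the ASAN report) with a search loop whose counter ends at the array bound when no entry matched. `cont_find`, `cont_store`, the 17-byte `cont` buffer and the field names are assumptions for the example; the point is that the loop counter `i` is the wrong thing to index with after the search, and that a packet-supplied length byte needs its own bound check before the copy.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model (not BlueZ's code) of the continuation table that
 * the patch touches: 8 slots as in ASAN's 'cont_data [8]'; the 17-byte
 * cont buffer (16 bytes of state plus its length byte) is an assumption. */
#define MAX_CONT 8
#define CONT_MAX 17

struct cont_data {
	uint16_t tid;
	bool used;
	uint8_t cont[CONT_MAX];
};

static struct cont_data cont_list[MAX_CONT];

static void cont_reset(void)
{
	memset(cont_list, 0, sizeof(cont_list));
}

/* Pick the slot for tid: an existing entry wins, else the first free
 * slot. Returns the slot index, or -1 when the table is full.
 * *loop_i receives the loop counter as it stands after the search; it
 * equals MAX_CONT whenever no existing entry matched, so indexing the
 * table with it instead of the chosen slot is the out-of-bounds write
 * the ASAN report describes (index 8 of an 8-entry array). */
static int cont_find(uint16_t tid, int *loop_i)
{
	int i, n = -1;

	for (i = 0; i < MAX_CONT; i++) {
		if (cont_list[i].used && cont_list[i].tid == tid)
			break;
		if (!cont_list[i].used && n < 0)
			n = i;
	}
	if (loop_i)
		*loop_i = i;
	return i < MAX_CONT ? i : n;
}

/* Record the continuation state starting at data[0] (its length byte)
 * for tid. The copy length is derived from the packet, so it is checked
 * both against the bytes actually present and against the slot buffer.
 * Returns the slot index used, or -1 if the table is full, the packet is
 * shorter than its length byte claims, or the state does not fit. */
static int cont_store(uint16_t tid, const uint8_t *data, size_t len)
{
	size_t clen;
	int n;

	if (len < 1)
		return -1;
	clen = (size_t)data[0] + 1;
	if (clen > len || clen > CONT_MAX)
		return -1;

	n = cont_find(tid, NULL);
	if (n < 0)
		return -1;

	cont_list[n].tid = tid;
	cont_list[n].used = true;
	memcpy(cont_list[n].cont, data, clen);
	return n;
}

int main(void)
{
	/* Constructed input: a 2-byte continuation state with its length byte. */
	const uint8_t state[] = { 0x02, 0xAA, 0xBB };
	int loop_i, slot;

	cont_reset();
	slot = cont_find(0x0001, &loop_i);
	printf("unknown tid: chosen slot %d, loop counter %d (== MAX_CONT)\n",
	       slot, loop_i);
	printf("store: slot %d\n", cont_store(0x0001, state, sizeof(state)));
	return 0;
}
```

The two checks in `cont_store` are independent: `clen > len` rejects a packet truncated before the state it announces (an over-read), and `clen > CONT_MAX` rejects a state that would not fit the slot (an over-write), which is the second condition the index fix alone does not cover.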
This is an automated email; please do not reply to it.
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=612901
---Test result---
Test Summary:
CheckPatch                        FAIL      1.41 seconds
GitLint                           FAIL      1.05 seconds
Prep - Setup ELL                  PASS     51.63 seconds
Build - Prep                      PASS      0.86 seconds
Build - Configure                 PASS     10.23 seconds
Build - Make                      PASS   1681.24 seconds
Make Check                        PASS     12.47 seconds
Make Check w/Valgrind             PASS    530.25 seconds
Make Distcheck                    PASS    281.65 seconds
Build w/ext ELL - Configure       PASS     10.50 seconds
Build w/ext ELL - Make            PASS   1733.06 seconds
Incremental Build with patches    PASS      0.00 seconds
Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script with rule in .checkpatch.conf
Output:
[BlueZ] monitor/sdp: Fixes out-of-bounds array access
WARNING:COMMIT_LOG_LONG_LINE: Possible unwrapped commit description (prefer a maximum 75 chars per line)
#83:
==4180==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fe2d271a542 at pc 0x7fe2d174a57d bp 0x7ffc6dcac1d0 sp 0x7ffc6dcab978
/github/workspace/src/12741392.patch total: 0 errors, 1 warnings, 8 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
/github/workspace/src/12741392.patch has style problems, please review.
NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
##############################
Test: GitLint - FAIL
Desc: Run gitlint with rule in .gitlint
Output:
[BlueZ] monitor/sdp: Fixes out-of-bounds array access
7: B1 Line exceeds max length (83>80): "monitor/sdp.c:497:19: runtime error: index 8 out of bounds for type 'cont_data [8]'"
9: B1 Line exceeds max length (138>80): "==4180==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fe2d271a542 at pc 0x7fe2d174a57d bp 0x7ffc6dcac1d0 sp 0x7ffc6dcab978"
20: B1 Line exceeds max length (82>80): " #9 0x7fe2d2449306 in mainloop_run_with_signal src/shared/mainloop-notify.c:188"
22: B1 Line exceeds max length (85>80): " #11 0x7fe2d0b440b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)"
23: B1 Line exceeds max length (83>80): " #12 0x7fe2d2303b7d in _start (/home/han1/work/dev/bluez/monitor/btmon+0x1dbb7d)"
25: B1 Line exceeds max length (138>80): "0x7fe2d271a542 is located 30 bytes to the left of global variable 'tid_list' defined in 'monitor/sdp.c:43:24' (0x7fe2d271a560) of size 384"
26: B1 Line exceeds max length (140>80): "0x7fe2d271a542 is located 2 bytes to the right of global variable 'cont_list' defined in 'monitor/sdp.c:424:25' (0x7fe2d271a400) of size 320"
27: B1 Line exceeds max length (94>80): "SUMMARY: AddressSanitizer: global-buffer-overflow (/lib/x86_64-linux-gnu/libasan.so.5+0x9b57c)"
---
Regards,
Linux Bluetooth