This fixes the following error for invalid read access when registering
filter for incoming messages:
140632==ERROR: AddressSanitizer: stack-buffer-overflow on address...
#0 0x7f60c185741d in MemcmpInterceptorCommon(...
#1 0x7f60c1857af8 in __interceptor_memcmp (/lib64/libasan.so...
#2 0x55a10101536e in find_by_filter mesh/mesh-io-unit.c:494
#3 0x55a1010d8c46 in l_queue_remove_if ell/queue.c:517
#4 0x55a101014ebd in recv_register mesh/mesh-io-unit.c:506
#5 0x55a10102946f in mesh_net_attach mesh/net.c:2885
#6 0x55a101086f64 in send_reply mesh/dbus.c:153
#7 0x55a101124c3d in handle_method_return ell/dbus.c:216
#8 0x55a10112c8ef in message_read_handler ell/dbus.c:276
#9 0x55a1010dae20 in io_callback ell/io.c:120
#10 0x55a1010dff7e in l_main_iterate ell/main.c:478
#11 0x55a1010e06e3 in l_main_run ell/main.c:525
#12 0x55a1010e06e3 in l_main_run ell/main.c:507
#13 0x55a1010e0bfc in l_main_run_with_signal ell/main.c:647
#14 0x55a10100316e in main mesh/main.c:292
#15 0x7f60c0c6855f in __libc_start_call_main (/lib64/libc.so.6+...
#16 0x7f60c0c6860b in __libc_start_main_alias_1 (/lib64/libc.so.6+...
#17 0x55a101003ce4 in _start (/home/istotlan/bluez/mesh/bluetooth-m...
---
mesh/mesh-io-generic.c | 28 +++++++++++++++++++---------
mesh/mesh-io-unit.c | 18 +++++++++++-------
2 files changed, 30 insertions(+), 16 deletions(-)
diff --git a/mesh/mesh-io-generic.c b/mesh/mesh-io-generic.c
index 6c0b8f0fd..50a2a6a86 100644
--- a/mesh/mesh-io-generic.c
+++ b/mesh/mesh-io-generic.c
@@ -810,10 +810,13 @@ static bool tx_cancel(struct mesh_io *io, const uint8_t *data, uint8_t len)
static bool find_by_filter(const void *a, const void *b)
{
- const struct pvt_rx_reg *rx_reg = a;
- const uint8_t *filter = b;
+ const struct pvt_rx_reg *rx_reg_old = a;
+ const struct pvt_rx_reg *rx_reg = b;
+
+ if (rx_reg_old->len != rx_reg->len)
+ return false;
- return !memcmp(rx_reg->filter, filter, rx_reg->len);
+ return !memcmp(rx_reg_old->filter, rx_reg->filter, rx_reg->len);
}
static bool recv_register(struct mesh_io *io, const uint8_t *filter,
@@ -821,16 +824,13 @@ static bool recv_register(struct mesh_io *io, const uint8_t *filter,
{
struct bt_hci_cmd_le_set_scan_enable cmd;
struct mesh_io_private *pvt = io->pvt;
- struct pvt_rx_reg *rx_reg;
+ struct pvt_rx_reg *rx_reg, *rx_reg_old;
bool already_scanning;
bool active = false;
if (!cb || !filter || !len)
return false;
- rx_reg = l_queue_remove_if(pvt->rx_regs, find_by_filter, filter);
-
- l_free(rx_reg);
rx_reg = l_malloc(sizeof(*rx_reg) + len);
memcpy(rx_reg->filter, filter, len);
@@ -838,6 +838,10 @@ static bool recv_register(struct mesh_io *io, const uint8_t *filter,
rx_reg->cb = cb;
rx_reg->user_data = user_data;
+ rx_reg_old = l_queue_remove_if(pvt->rx_regs, find_by_filter, rx_reg);
+
+ l_free(rx_reg_old);
+
already_scanning = !l_queue_isempty(pvt->rx_regs);
l_queue_push_head(pvt->rx_regs, rx_reg);
@@ -863,14 +867,20 @@ static bool recv_deregister(struct mesh_io *io, const uint8_t *filter,
{
struct bt_hci_cmd_le_set_scan_enable cmd = {0, 0};
struct mesh_io_private *pvt = io->pvt;
- struct pvt_rx_reg *rx_reg;
+ struct pvt_rx_reg *rx_reg, *rx_reg_tmp;
bool active = false;
- rx_reg = l_queue_remove_if(pvt->rx_regs, find_by_filter, filter);
+ rx_reg_tmp = l_malloc(sizeof(*rx_reg_tmp) + len);
+ memcpy(&rx_reg_tmp->filter, filter, len);
+ rx_reg_tmp->len = len;
+
+ rx_reg = l_queue_remove_if(pvt->rx_regs, find_by_filter, rx_reg_tmp);
if (rx_reg)
l_free(rx_reg);
+ l_free(rx_reg_tmp);
+
/* Look for any AD types requiring Active Scanning */
if (l_queue_find(pvt->rx_regs, find_active, NULL))
active = true;
diff --git a/mesh/mesh-io-unit.c b/mesh/mesh-io-unit.c
index f4b615ac8..bf3f808e4 100644
--- a/mesh/mesh-io-unit.c
+++ b/mesh/mesh-io-unit.c
@@ -488,24 +488,24 @@ static bool tx_cancel(struct mesh_io *io, const uint8_t *data, uint8_t len)
static bool find_by_filter(const void *a, const void *b)
{
- const struct pvt_rx_reg *rx_reg = a;
- const uint8_t *filter = b;
+ const struct pvt_rx_reg *rx_reg_old = a;
+ const struct pvt_rx_reg *rx_reg = b;
- return !memcmp(rx_reg->filter, filter, rx_reg->len);
+ if (rx_reg_old->len != rx_reg->len)
+ return false;
+
+ return !memcmp(rx_reg_old->filter, rx_reg->filter, rx_reg->len);
}
static bool recv_register(struct mesh_io *io, const uint8_t *filter,
uint8_t len, mesh_io_recv_func_t cb, void *user_data)
{
struct mesh_io_private *pvt = io->pvt;
- struct pvt_rx_reg *rx_reg;
+ struct pvt_rx_reg *rx_reg, *rx_reg_old;
if (!cb || !filter || !len)
return false;
- rx_reg = l_queue_remove_if(pvt->rx_regs, find_by_filter, filter);
-
- l_free(rx_reg);
rx_reg = l_malloc(sizeof(*rx_reg) + len);
memcpy(rx_reg->filter, filter, len);
@@ -513,6 +513,10 @@ static bool recv_register(struct mesh_io *io, const uint8_t *filter,
rx_reg->cb = cb;
rx_reg->user_data = user_data;
+ rx_reg_old = l_queue_remove_if(pvt->rx_regs, find_by_filter, rx_reg);
+
+ l_free(rx_reg_old);
+
l_queue_push_head(pvt->rx_regs, rx_reg);
return true;
--
2.35.1
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=626461
---Test result---
Test Summary:
CheckPatch PASS 0.74 seconds
GitLint PASS 0.45 seconds
Prep - Setup ELL PASS 51.63 seconds
Build - Prep PASS 0.68 seconds
Build - Configure PASS 10.01 seconds
Build - Make PASS 1755.44 seconds
Make Check PASS 12.14 seconds
Make Check w/Valgrind PASS 531.49 seconds
Make Distcheck PASS 279.33 seconds
Build w/ext ELL - Configure PASS 10.12 seconds
Build w/ext ELL - Make PASS 1723.72 seconds
Incremental Build with patchesPASS 0.00 seconds
---
Regards,
Linux Bluetooth
Hello:
This patch was applied to bluetooth/bluez.git (master)
by Brian Gix <[email protected]>:
On Fri, 25 Mar 2022 16:46:25 -0700 you wrote:
> This fixes the following error for invalid read access when registering
> filter for incoming messages:
>
> 140632==ERROR: AddressSanitizer: stack-buffer-overflow on address...
> #0 0x7f60c185741d in MemcmpInterceptorCommon(...
> #1 0x7f60c1857af8 in __interceptor_memcmp (/lib64/libasan.so...
> #2 0x55a10101536e in find_by_filter mesh/mesh-io-unit.c:494
> #3 0x55a1010d8c46 in l_queue_remove_if ell/queue.c:517
> #4 0x55a101014ebd in recv_register mesh/mesh-io-unit.c:506
> #5 0x55a10102946f in mesh_net_attach mesh/net.c:2885
> #6 0x55a101086f64 in send_reply mesh/dbus.c:153
> #7 0x55a101124c3d in handle_method_return ell/dbus.c:216
> #8 0x55a10112c8ef in message_read_handler ell/dbus.c:276
> #9 0x55a1010dae20 in io_callback ell/io.c:120
> #10 0x55a1010dff7e in l_main_iterate ell/main.c:478
> #11 0x55a1010e06e3 in l_main_run ell/main.c:525
> #12 0x55a1010e06e3 in l_main_run ell/main.c:507
> #13 0x55a1010e0bfc in l_main_run_with_signal ell/main.c:647
> #14 0x55a10100316e in main mesh/main.c:292
> #15 0x7f60c0c6855f in __libc_start_call_main (/lib64/libc.so.6+...
> #16 0x7f60c0c6860b in __libc_start_main_alias_1 (/lib64/libc.so.6+...
> #17 0x55a101003ce4 in _start (/home/istotlan/bluez/mesh/bluetooth-m...
>
> [...]
Here is the summary with links:
- [BlueZ,v2] mesh: Fix address overrun error in rx filter
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=2a2b027176d5
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html