Received: by 2002:a05:7412:b995:b0:f9:9502:5bb8 with SMTP id it21csp7733206rdb; Thu, 4 Jan 2024 06:11:15 -0800 (PST) X-Google-Smtp-Source: AGHT+IHeaJa7Lz/cLNs5O63UlgCJLgYu6iSVtM7wAfLA0KqcEudz+3CdBv3yIbWZFXCmseudk+MJ X-Received: by 2002:a05:6a20:96d1:b0:196:4697:7081 with SMTP id hq17-20020a056a2096d100b0019646977081mr521641pzc.105.1704377475587; Thu, 04 Jan 2024 06:11:15 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1704377475; cv=none; d=google.com; s=arc-20160816; b=IeBv9Vtjc4u54jsB8ETHMoP0521BK0WPG7YgIgK/XQRzwnWGej8V2QDB4EfAhGxXwL Yq6r9nZSr22AOy1JE7iZqvw7okpPb5UAv54F0y+9HbjU/9Dos3H2mmuNjvq6bo5gQYlB JgSl0MZlqjqRK+UE+zI/gr3UOsC7b7bCG0pVi4a9LnPIRTEQd/GFUJpNYjCJdONUwVbI KGQs0e67Ql8i8N/7Z8p36EfxdKt53xasbE+5Ym6X5zzG4Rqo8zpMMakTwRA9irbwFkvw ozRSiaqYZx7nZTecXJz69ntxUzjxnKZ+FSdKK22AqDlc8avqRWKHq904gRAvrA+if2uE XXeQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:date:message-id:dkim-signature; bh=1fMt8Bl612ciTJPIKVEvMiloZo1Mxd7qrFQhqItooGM=; fh=v4Z3N2Htbr8NtGqMLkQjkIE/EbeUcf6lhEWEAm07n3g=; b=iZzCiS5TA95uzxA40uK3opUDiHDuPHrx71KQrtFncNFFGotEs1WPTsfr9tFC5T69AA ELMSPFPfN2UV/Adm932b9ilcvb+gq9/4qLLOgWjNg3mHstlHESI4JEwPA5/ezRcZWBTC NFAcDJyC6MGJZzG4pqPe5LEcDUuqzBeOiCS/9yvJ+gxyPMNaERFLOVs8Tb9U6/3Bp4YN 8R7VqdkmVPOcPvDbWsKeqZn+vcuR4wo1qiufsLpDC15hbHBIv8Nd1gYmWdlLw2sJyluI 1XIvn/0Ss0NqjEhhCwt3D37CxzAQak6DZA1XVAZ14mi3yph8yFm/R1UaDK4b3kmnf8F5 32kA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@collabora.com header.s=mail header.b=FkKNTtkH; spf=pass (google.com: domain of linux-bluetooth+bounces-884-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-bluetooth+bounces-884-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=collabora.com Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [2604:1380:45e3:2400::1]) by mx.google.com with ESMTPS id y9-20020a17090322c900b001d4c30c8825si5284533plg.463.2024.01.04.06.11.15 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 04 Jan 2024 06:11:15 -0800 (PST) Received-SPF: pass (google.com: domain of linux-bluetooth+bounces-884-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1; Authentication-Results: mx.google.com; dkim=pass header.i=@collabora.com header.s=mail header.b=FkKNTtkH; spf=pass (google.com: domain of linux-bluetooth+bounces-884-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-bluetooth+bounces-884-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=collabora.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 42DD2285CFC for ; Thu, 4 Jan 2024 14:11:15 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id A713A224D1; Thu, 4 Jan 2024 14:11:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=collabora.com header.i=@collabora.com header.b="FkKNTtkH" X-Original-To: linux-bluetooth@vger.kernel.org Received: from madrid.collaboradmins.com (madrid.collaboradmins.com [46.235.227.194]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 77818224C0 for ; Thu, 4 Jan 2024 14:11:08 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=collabora.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=collabora.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=collabora.com; s=mail; t=1704377466; bh=xDJ4S9zr6hgLYmzym7hNAHKIxkgNSHlznCnPMMsQ458=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From; b=FkKNTtkHEVjwiv1u46jMMzt1RPEKydyYvX6wFpWLW887y95iYEpaZYmMmUGYsxAyM lVvZkQC1qXheQTHFEsNWgMmD+dK4QiLNUfqG0H0LLF91SSzhc3EfS34wBizzm+Luxq 9+Pwcfstdud7PWTvK15JreMtVjio/IYDDokiXYiOWD4g/MUvrlzZArkh3ddxfB2gn1 AQECkJkYiST5unXiStOIIIweDTL2m2yYiA0kanM36wuqhZdHE/7EYNXiKJh8AHXZnj v0d76+ossSbAC4e0PdBnfqm3iWe/vHvHYLtVMiGIm5zEUTFFvs2n8D+8hMGK8S2jGB steknk7LPI33w== Received: from [100.72.96.248] (cola.collaboradmins.com [195.201.22.229]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: fdanis) by madrid.collaboradmins.com (Postfix) with ESMTPSA id 508F73782006; Thu, 4 Jan 2024 14:11:06 +0000 (UTC) Message-ID: <3e6cf301-a869-4799-a869-af45cdb6635f@collabora.com> Date: Thu, 4 Jan 2024 15:11:05 +0100 Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH BlueZ] shared/gatt-db: Fix munmap_chunk invalid pointer Content-Language: en-US To: Luiz Augusto von Dentz Cc: linux-bluetooth@vger.kernel.org References: <20240103092816.22952-1-frederic.danis@collabora.com> From: =?UTF-8?Q?Fr=C3=A9d=C3=A9ric_Danis?= In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit Hi Luiz, On 03/01/2024 16:50, Luiz Augusto von Dentz wrote: > Hi Frédéric, > > On Wed, Jan 3, 2024 at 4:28 AM Frédéric Danis > wrote: >> PTS test GATT/CL/GAD/BV-03-C published a service starting at handle 0xfffd >> and ending at 0xffff. > Don't we have a test for it under unit/test-gatt.c? Perhaps it would > be a good idea to add one while doing this change. Yes My idea should be to add a new unordered database and run gatt_db_get_hash() on it. > >> This resets the next_handle to 0 in gatt_db_insert_service() instead of >> setting it to 0x10000. Other services are added later. >> This could end-up by a crash in db_hash_update() if not enough space has >> been allocated for hash.iov and some entries are overwritten. > I understand we don't want to loop around but handle 0x10000 is not > valid either. Afaiu the next_handle is used as: - the next available handle, with special value 0 to define an empty db - and the maximum size to allocate during db_hash_update() So, 0x10000 is not a valid handle but is a valid size. gatt_db_insert_service() is already protected to not use handle > 0xFFFF. > >> --- >> src/shared/gatt-db.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/src/shared/gatt-db.c b/src/shared/gatt-db.c >> index 676f963ec..d32c9a70f 100644 >> --- a/src/shared/gatt-db.c >> +++ b/src/shared/gatt-db.c >> @@ -58,7 +58,7 @@ struct gatt_db { >> struct bt_crypto *crypto; >> uint8_t hash[16]; >> unsigned int hash_id; >> - uint16_t next_handle; >> + uint32_t next_handle; > I wonder if we can just set the next_handle to 0 and then check it > when using it, that way it indicates that it had looped around and > handle 0 is invalid already so we shouldn't allocate anything on it. Not sure this can work as 0 can mean it's an empty db or a db requesting UINT16_MAX+1 elements. During this test case, it loops to 0, but as other services are added setting next_handle to another value, ending up to allocate less memory than expected (i.e. UINT16_MAX+1 elements). We may replace the next_handle by last_handle, use gatt_db_isempty() instead of the handle 0 to check for empty db, and allocate last_handle+1 in db_hash_update(). Does it seems better? Regards, Fred -- Frédéric Danis Senior Software Engineer Collabora Ltd. Platinum Building, St John's Innovation Park, Cambridge CB4 0DS, United Kingdom Registered in England & Wales, no. 5513718