Message ID | 20220210060917.50156-1-hj.tedd.an@gmail.com (mailing list archive) |
---|---|
State | Accepted |
Commit | 053a1d4bdb6a30f87d284e90020c20ef1ac8f8de |
Headers | show |
Series | [BlueZ] monitor/sdp: Fixes out-of-bounds array access | expand |
This is automated email and please do not reply to this email! Dear submitter, Thank you for submitting the patches to the linux bluetooth mailing list. This is a CI test results with your patch series: PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=612901 ---Test result--- Test Summary: CheckPatch FAIL 1.41 seconds GitLint FAIL 1.05 seconds Prep - Setup ELL PASS 51.63 seconds Build - Prep PASS 0.86 seconds Build - Configure PASS 10.23 seconds Build - Make PASS 1681.24 seconds Make Check PASS 12.47 seconds Make Check w/Valgrind PASS 530.25 seconds Make Distcheck PASS 281.65 seconds Build w/ext ELL - Configure PASS 10.50 seconds Build w/ext ELL - Make PASS 1733.06 seconds Incremental Build with patchesPASS 0.00 seconds Details ############################## Test: CheckPatch - FAIL Desc: Run checkpatch.pl script with rule in .checkpatch.conf Output: [BlueZ] monitor/sdp: Fixes out-of-bounds array access WARNING:COMMIT_LOG_LONG_LINE: Possible unwrapped commit description (prefer a maximum 75 chars per line) #83: ==4180==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fe2d271a542 at pc 0x7fe2d174a57d bp 0x7ffc6dcac1d0 sp 0x7ffc6dcab978 /github/workspace/src/12741392.patch total: 0 errors, 1 warnings, 8 lines checked NOTE: For some of the reported defects, checkpatch may be able to mechanically convert to the typical style using --fix or --fix-inplace. /github/workspace/src/12741392.patch has style problems, please review. NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO NOTE: If any of the errors are false positives, please report them to the maintainer, see CHECKPATCH in MAINTAINERS. ############################## Test: GitLint - FAIL Desc: Run gitlint with rule in .gitlint Output: [BlueZ] monitor/sdp: Fixes out-of-bounds array access 7: B1 Line exceeds max length (83>80): "monitor/sdp.c:497:19: runtime error: index 8 out of bounds for type 'cont_data [8]'" 9: B1 Line exceeds max length (138>80): "==4180==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fe2d271a542 at pc 0x7fe2d174a57d bp 0x7ffc6dcac1d0 sp 0x7ffc6dcab978" 20: B1 Line exceeds max length (82>80): " #9 0x7fe2d2449306 in mainloop_run_with_signal src/shared/mainloop-notify.c:188" 22: B1 Line exceeds max length (85>80): " #11 0x7fe2d0b440b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)" 23: B1 Line exceeds max length (83>80): " #12 0x7fe2d2303b7d in _start (/home/han1/work/dev/bluez/monitor/btmon+0x1dbb7d)" 25: B1 Line exceeds max length (138>80): "0x7fe2d271a542 is located 30 bytes to the left of global variable 'tid_list' defined in 'monitor/sdp.c:43:24' (0x7fe2d271a560) of size 384" 26: B1 Line exceeds max length (140>80): "0x7fe2d271a542 is located 2 bytes to the right of global variable 'cont_list' defined in 'monitor/sdp.c:424:25' (0x7fe2d271a400) of size 320" 27: B1 Line exceeds max length (94>80): "SUMMARY: AddressSanitizer: global-buffer-overflow (/lib/x86_64-linux-gnu/libasan.so.5+0x9b57c)" --- Regards, Linux Bluetooth
diff --git a/monitor/sdp.c b/monitor/sdp.c index 10bc0a121..daf9a9da8 100644 --- a/monitor/sdp.c +++ b/monitor/sdp.c @@ -494,7 +494,7 @@ static void handle_continuation(struct tid_data *tid, bool nested, cont_list[n].data = NULL; cont_list[n].size = 0; } else - memcpy(cont_list[i].cont, data + bytes, data[bytes] + 1); + memcpy(cont_list[n].cont, data + bytes, data[bytes] + 1); } static uint16_t common_rsp(const struct l2cap_frame *frame,
From: Tedd Ho-Jeong An <tedd.an@intel.com> This patch fixes the out-of-bounds array access caught by the ASAN. monitor/sdp.c:497:19: runtime error: index 8 out of bounds for type 'cont_data [8]' ================================================================= ==4180==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fe2d271a542 at pc 0x7fe2d174a57d bp 0x7ffc6dcac1d0 sp 0x7ffc6dcab978 WRITE of size 9 at 0x7fe2d271a542 thread T0 #0 0x7fe2d174a57c (/lib/x86_64-linux-gnu/libasan.so.5+0x9b57c) #1 0x7fe2d23bae85 in search_attr_rsp monitor/sdp.c:692 #2 0x7fe2d23be3f1 in sdp_packet monitor/sdp.c:771 #3 0x7fe2d23b004c in l2cap_frame monitor/l2cap.c:3247 #4 0x7fe2d23b3d9c in l2cap_packet monitor/l2cap.c:3312 #5 0x7fe2d237d5c3 in packet_hci_acldata monitor/packet.c:11638 #6 0x7fe2d2381876 in packet_monitor monitor/packet.c:3967 #7 0x7fe2d230b285 in data_callback monitor/control.c:973 #8 0x7fe2d2447029 in mainloop_run src/shared/mainloop.c:106 #9 0x7fe2d2449306 in mainloop_run_with_signal src/shared/mainloop-notify.c:188 #10 0x7fe2d230324a in main monitor/main.c:290 #11 0x7fe2d0b440b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) #12 0x7fe2d2303b7d in _start (/home/han1/work/dev/bluez/monitor/btmon+0x1dbb7d) 0x7fe2d271a542 is located 30 bytes to the left of global variable 'tid_list' defined in 'monitor/sdp.c:43:24' (0x7fe2d271a560) of size 384 0x7fe2d271a542 is located 2 bytes to the right of global variable 'cont_list' defined in 'monitor/sdp.c:424:25' (0x7fe2d271a400) of size 320 SUMMARY: AddressSanitizer: global-buffer-overflow (/lib/x86_64-linux-gnu/libasan.so.5+0x9b57c) ... ==4180==ABORTING --- monitor/sdp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)