
[BlueZ] shared/gatt-db: fix crash on bad attribute index

Message ID efe1351374fceccbe4f1392fddab0d75e128a510.1737886528.git.pav@iki.fi (mailing list archive)
State Accepted
Commit 9f11c1817c56c550537f1d967a0589a0b20029df
Series [BlueZ] shared/gatt-db: fix crash on bad attribute index

Checks

Context                     Check    Description
tedd_an/pre-ci_am           success  Success
tedd_an/BuildEll            success  Build ELL PASS
tedd_an/BluezMake           success  Bluez Make PASS
tedd_an/MakeCheck           success  Bluez Make Check PASS
tedd_an/MakeDistcheck       success  Make Distcheck PASS
tedd_an/CheckValgrind       success  Check Valgrind PASS
tedd_an/CheckSmatch         success  CheckSparse PASS
tedd_an/bluezmakeextell     success  Make External ELL PASS
tedd_an/ScanBuild           success  Scan Build PASS

Commit Message

Pauli Virtanen Jan. 26, 2025, 10:22 a.m. UTC
In gatt_db_attribute_get_value(), avoid NULL pointer deref if attribute
or db is in unexpected state and attrib at index-1 is missing.

Fixes btmon -r crash, on a packet capture obtained with btmon -w after
clearing BlueZ attributes & cache for the device:

==208213==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000000c
==208213==The signal is caused by a READ memory access.
==208213==Hint: address points to the zero page.
    #0 0x5af4a6 in bt_uuid_to_uuid128 lib/uuid.c:65
    #1 0x5afd54 in bt_uuid_cmp lib/uuid.c:118
    #2 0x5d0dd2 in gatt_db_attribute_get_value src/shared/gatt-db.c:1663
    #3 0x56aeab in print_value monitor/att.c:158
    #4 0x56b80f in print_attribute monitor/att.c:207
    #5 0x5982f7 in print_handle monitor/att.c:4417
    #6 0x59b1b8 in print_write monitor/att.c:4598
    #7 0x59b796 in att_write_req monitor/att.c:4627
    #8 0x59e91e in att_packet monitor/att.c:4918
    #9 0x4f4847 in l2cap_frame monitor/l2cap.c:2567
    #10 0x4f6022 in l2cap_packet monitor/l2cap.c:2708
    #11 0x4a48f6 in packet_hci_acldata monitor/packet.c:12606
    #12 0x43952a in packet_monitor monitor/packet.c:4247
    #13 0x4170c9 in control_reader monitor/control.c:1517
    #14 0x402f76 in main monitor/main.c:277
---
 src/shared/gatt-db.c | 2 ++
 1 file changed, 2 insertions(+)
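The failure the commit message describes, modelled as an added C example (this is not BlueZ's own code): a service holds an array of attribute pointers that can contain NULL gaps after the attribute cache is cleared, and the value lookup decides what to return by inspecting the neighbouring slot. Dereferencing that neighbour without a check is the zero-page read in the AddressSanitizer trace above. All names (`mini_*`, `demo_service`) and the sample attributes are constructed for this illustration; the `index == 0` and upper-bound checks go beyond the two-line patch and are an assumption about what a fully defensive version of the lookup needs.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in for bt_uuid_t: a 16-bit UUID is enough for the model. */
typedef struct { unsigned short u16; } mini_uuid;

/* GATT Characteristic Declaration UUID (0x2803). */
static const mini_uuid CHARACTERISTIC_UUID = { 0x2803 };

struct mini_attr {
	mini_uuid uuid;
	unsigned short handle;
	const char *value;	/* constructed payload, printed by main() */
};

struct mini_service {
	struct mini_attr **attributes;	/* may contain NULL gaps */
	size_t num_attrs;
};

/* Mirrors bt_uuid_cmp: returns 0 when equal. */
static int uuid_cmp(const mini_uuid *a, const mini_uuid *b)
{
	return a->u16 != b->u16;
}

/* Hardened lookup (assumed shape, not gatt_db_attribute_get_value itself):
 * given an attribute's index in its service, return the attribute carrying
 * the characteristic value, or NULL when the slot the decision depends on
 * is out of range or missing. */
struct mini_attr *mini_get_value(struct mini_service *service, size_t index)
{
	struct mini_attr *attrib;

	if (service == NULL || index >= service->num_attrs)
		return NULL;
	attrib = service->attributes[index];
	if (attrib == NULL)
		return NULL;

	/* Characteristic declaration: the value is the following attribute.
	 * Make sure that slot exists before returning it. */
	if (!uuid_cmp(&CHARACTERISTIC_UUID, &attrib->uuid)) {
		if (index + 1 >= service->num_attrs)
			return NULL;
		return service->attributes[index + 1];
	}

	/* Otherwise this attribute is the value only if the preceding slot
	 * is a characteristic declaration. index == 0 has no predecessor,
	 * and a NULL predecessor (an attribute dropped from the cache) must
	 * not be dereferenced: that is the crash the BlueZ patch guards. */
	if (index == 0 || service->attributes[index - 1] == NULL)
		return NULL;
	if (!uuid_cmp(&CHARACTERISTIC_UUID,
		      &service->attributes[index - 1]->uuid))
		return attrib;

	return NULL;
}

/* Constructed sample service: primary service at slot 0, a declaration at
 * slot 1, its value at slot 2, a NULL gap at slot 3 and an orphaned value
 * attribute at slot 4 whose predecessor is the gap. */
static struct mini_attr s_primary = { { 0x2800 }, 0x0010, "service" };
static struct mini_attr s_decl    = { { 0x2803 }, 0x0011, "declaration" };
static struct mini_attr s_value   = { { 0x2A19 }, 0x0012, "battery-level" };
static struct mini_attr s_orphan  = { { 0x2A19 }, 0x0014, "orphan" };
static struct mini_attr *s_slots[5] = {
	&s_primary, &s_decl, &s_value, NULL, &s_orphan
};
static struct mini_service s_service = { s_slots, 5 };

struct mini_service *demo_service(void)
{
	return &s_service;
}

int main(void)
{
	struct mini_service *svc = demo_service();
	size_t i;

	/* Index 4 is the case from the crash: its predecessor slot is NULL. */
	for (i = 0; i <= svc->num_attrs; i++) {
		struct mini_attr *v = mini_get_value(svc, i);

		printf("index %zu -> %s\n", i,
		       v ? v->value : "(NULL: no value or guard hit)");
	}
	return 0;
}
```

Calling the lookup on slot 4 returns NULL instead of reading through the gap; slot 1 (the declaration) and slot 2 (the value) both resolve to the value attribute, and indexes past the end are rejected before any array access.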

Comments

bluez.test.bot@gmail.com Jan. 26, 2025, 11:31 a.m. UTC | #1
This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
Here are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=928379

---Test result---

Test Summary:
CheckPatch                    PENDING   0.21 seconds
GitLint                       PENDING   0.18 seconds
BuildEll                      PASS      20.30 seconds
BluezMake                     PASS      1556.24 seconds
MakeCheck                     PASS      13.13 seconds
MakeDistcheck                 PASS      157.99 seconds
CheckValgrind                 PASS      212.64 seconds
CheckSmatch                   PASS      269.75 seconds
bluezmakeextell               PASS      98.00 seconds
IncrementalBuild              PENDING   0.25 seconds
ScanBuild                     PASS      850.99 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:



---
Regards,
Linux Bluetooth
patchwork-bot+bluetooth@kernel.org Jan. 27, 2025, 3:10 p.m. UTC | #2
Hello:

This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Sun, 26 Jan 2025 12:22:44 +0200 you wrote:
> In gatt_db_attribute_get_value(), avoid NULL pointer deref if attribute
> or db is in unexpected state and attrib at index-1 is missing.
> 
> Fixes btmon -r crash, on a packet capture obtained with btmon -w after
> clearing BlueZ attributes & cache for the device:
> 
> ==208213==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000000c
> ==208213==The signal is caused by a READ memory access.
> ==208213==Hint: address points to the zero page.
>     #0 0x5af4a6 in bt_uuid_to_uuid128 lib/uuid.c:65
>     #1 0x5afd54 in bt_uuid_cmp lib/uuid.c:118
>     #2 0x5d0dd2 in gatt_db_attribute_get_value src/shared/gatt-db.c:1663
>     #3 0x56aeab in print_value monitor/att.c:158
>     #4 0x56b80f in print_attribute monitor/att.c:207
>     #5 0x5982f7 in print_handle monitor/att.c:4417
>     #6 0x59b1b8 in print_write monitor/att.c:4598
>     #7 0x59b796 in att_write_req monitor/att.c:4627
>     #8 0x59e91e in att_packet monitor/att.c:4918
>     #9 0x4f4847 in l2cap_frame monitor/l2cap.c:2567
>     #10 0x4f6022 in l2cap_packet monitor/l2cap.c:2708
>     #11 0x4a48f6 in packet_hci_acldata monitor/packet.c:12606
>     #12 0x43952a in packet_monitor monitor/packet.c:4247
>     #13 0x4170c9 in control_reader monitor/control.c:1517
>     #14 0x402f76 in main monitor/main.c:277
> 
> [...]

Here is the summary with links:
  - [BlueZ] shared/gatt-db: fix crash on bad attribute index
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=9f11c1817c56

You are awesome, thank you!

Patch

diff --git a/src/shared/gatt-db.c b/src/shared/gatt-db.c
index 72254c7e4..fe272de34 100644
--- a/src/shared/gatt-db.c
+++ b/src/shared/gatt-db.c
@@ -1660,6 +1660,8 @@  gatt_db_attribute_get_value(struct gatt_db_attribute *attrib)
 
 	if (!bt_uuid_cmp(&characteristic_uuid, &attrib->uuid))
 		return service->attributes[index + 1];
+	else if (service->attributes[index - 1] == NULL)
+		return NULL;
 	else if (!bt_uuid_cmp(&characteristic_uuid,
 				&service->attributes[index - 1]->uuid))
 		return service->attributes[index];
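Review bot: the new `else if (service->attributes[index - 1] == NULL)` guard protects only the dereference on the line after it; nothing in this hunk shows that `index` is greater than zero before `index - 1` is evaluated, so if an attribute with `index == 0` can reach this branch the check reads the slot before the array. Please confirm the earlier part of the function guarantees `index > 0`, or extend the new condition to `index == 0 || service->attributes[index - 1] == NULL`. The unchanged `return service->attributes[index + 1];` branch above also returns whatever sits at `index + 1` with no range check against the service's attribute count (not visible in this hunk); since callers such as `print_value` in monitor/att.c walk the same state that produced the NULL at `index - 1`, a matching upper-bound check would close the same class of crash. A one-line comment on why a NULL slot can appear here (the commit message mentions a cleared attribute cache) would help future readers understand why returning NULL is the right outcome.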