[BlueZ,v1,0/1] shared/gatt-db: Fix incorrect attribute type

Message ID	20250221163139.1705-1-sarveshwar.bajaj@nxp.com (mailing list archive)
Headers	show Received: from EUR03-VI1-obe.outbound.protection.outlook.com (mail-vi1eur03on2086.outbound.protection.outlook.com [40.107.103.86]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 235561E7C09 for <linux-bluetooth@vger.kernel.org>; Fri, 21 Feb 2025 16:32:13 +0000 (UTC) From: Sarveshwar Bajaj <sarveshwar.bajaj@nxp.com> To: linux-bluetooth@vger.kernel.org Cc: luiz.von.dentz@intel.com, vinit.mehta@nxp.com, mahesh.talewad@nxp.com, devyani.godbole@nxp.com, iulia.tanasescu@nxp.com, mihai-octavian.urzica@nxp.com Subject: [PATCH BlueZ v1 0/1] shared/gatt-db: Fix incorrect attribute type Date: Fri, 21 Feb 2025 22:01:38 +0530 Message-ID: <20250221163139.1705-1-sarveshwar.bajaj@nxp.com> Content-Transfer-Encoding: 8bit Content-Type: text/plain Precedence: bulk MIME-Version: 1.0
Series	shared/gatt-db: Fix incorrect attribute type \| expand [BlueZ,v1,0/1] shared/gatt-db: Fix incorrect attribute type [BlueZ,v1,1/1] shared/gatt-db: Fix incorrect attribute type

Message ID

20250221163139.1705-1-sarveshwar.bajaj@nxp.com (mailing list archive)

Headers

From: Sarveshwar Bajaj <sarveshwar.bajaj@nxp.com>
To: linux-bluetooth@vger.kernel.org
Cc: luiz.von.dentz@intel.com,
	vinit.mehta@nxp.com,
	mahesh.talewad@nxp.com,
	devyani.godbole@nxp.com,
	iulia.tanasescu@nxp.com,
	mihai-octavian.urzica@nxp.com
Subject: [PATCH BlueZ v1 0/1] shared/gatt-db: Fix incorrect attribute type 
Date: Fri, 21 Feb 2025 22:01:38 +0530
Message-ID: <20250221163139.1705-1-sarveshwar.bajaj@nxp.com>
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
Precedence: bulk
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: 
 OHMH6fIIlNIqzNvzv52F9sFcU7ZTqKWcp/Gd0ZQBesKa0XL5DLHuGey0PlrQt7CFhetH+M88pSHPAWbQhR2ZyGYOtcUUGk3pBdQGEiESDtxcsaR+DtrZceUeq5r2q8Q1IMH4QtElCmXHMTjmux5sfyxKVkjnVeftAUXnZTeIkMErGy/7EKlA0UBvOJw7XzkhJ+Omjv4TNU5eAUlXVxf4sJUmoccg01zWuXw6CPP7OEuhgFz06Ru/1q1N4/58sAdS39AuXiZhJyOwxSB2aqg6GO+1gBw9fucLYUohoji5ao32GDOj0ycLOR7bLgMwjz/cBFmQWjyExIofKHzvN98I/Se7FdTjUrXCeHFul0InFtGJ9SzjxLlkOqBEou9jHyGllYqlb+VO7kE2CRCewYv8m2kNeP9GgGT0Wdlo9Cad7/NvX86EA1UvdXOI7wuoCNfGDSnyHQuiSr2R3/NLZ12nC85hHjKeJNndK6b41UtrvjmZT+U6pyPx5QZG8IAmLHnu9qm5sPUF9vI7xGPzYJQyEwKgvML7W73g8Ir0Sf4wpogPkZPVXMHEM5oTWHllEJ5rbLifsR8tHkKBNrRGwAbd5wqIqFbucBWdgErZLEEGI2+K/Egf6b8/YivwWjGgqVrIETmXGv4SIOEGVc4jyYtzy0f+LaMga5bew3FkxhhSZsvtmG+cxACN2eAMqNU5clVAX3cJzk3JhJe1kEu4jF4yoUCcsl43ih6AAsbLHqfDmAL2RvQL6fGgTideTvb+1X6gpnNQvjyp/Z3TfArcgcYfKGaqYi9OHOuNN6pAz0FmniYRecylEn6SVAMpnVK7EUPRrRknWgavoTuyyLATx+0TOztwXuOBNq1BJlfxS8MvSq9lHn+73ipIsBByaaW9bZroDHdrKQqkHJKitY73qvxizfygNLMvBULD11X0Ak4diprS28JFgNOlWE2juWVpHpW6PB2IsLYpv6mn/XVX+dc/+k5cIzaO2XOS0vpsY2by0QD539zCO+69t68nLTrOy/Z2TOs3xbR09fdJCCpg7RSl5V7FCZPFUq16idUtI+x/zZCWrFBszh4IHkCg9Ppy+mrBj+xFj2xBV6dp11f/3fSxChAJDn8xG/DummI+O1fsU50L+a01rhMNSfOQ0EvbubEy5zbWu2BKFkMaJHaqlWHybo87FYDjGkVg/PAj8KqLjHg/HivbPgblDNxPPdGNja8QoGFjvlM75EYEkood2EvSPmkslaQNxCeSjC2jHRkUf/SKoe0nOO1AaTTEIJMnrtne3rLZVyLo4y7831CRln15LkSpubbslga2Ja8XFpgkgmQFqhQLWnnQE9Q4P+pwVnsP79wKXQLRdetm58zgxSj+D5+mwV6BzqOsBatoTTTJ09hn9w+Uy89B2OfIAXEbA2xZLaj77+fItqC/MjqIuHJar7Kz6nsMShmkx0DY1EguSJkeWSbC+XcJMHkB5TbHqZiaMX7aRdSaDuCPeNVle2MiawBa06K+Bbrq/aAo98GdG4buoDxazkqcgIpvM4nfPAYZ3UUkaXeqfBoUtRbyjD9UpSW6Pi7aPiUjFseyfPDtNytvfH19hzpMtn+tO3f6Shnk+u0ybhrGL0SpSWE7M3/ZLA==
X-OriginatorOrg: nxp.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 b85fd712-bfdd-403f-6fd4-08dd52954984
X-MS-Exchange-CrossTenant-AuthSource: AS1PR04MB9630.eurprd04.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 21 Feb 2025 16:32:09.6093
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 686ea1d3-bc2b-4c6f-a92c-d99c5c301635
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 
 KCv77MwoJ4XjfMoqpAzfHXptSNXPfB0YSoqUiqvpshUml3luDkE0Vu1OYCvtlPnlh4+3qAjtQ3Hf0JdsGLWPSjYd/XPJy83Y46BCKhiMiaA=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS8PR04MB8152

Series

shared/gatt-db: Fix incorrect attribute type | expand

Message

Sarveshwar Bajaj Feb. 21, 2025, 4:31 p.m. UTC

As part of BLE GATT Fuzzing testcase,if application sends an invalid
ATT_FIND_BY_TYPE_VALUE_REQ with attribute type as CCC (UUID 0x2902).
However, this request is not valid for descriptors like CCC, as it is 
specifically intended for discovering primary services with a given UUID.
When processed in find_by_type(),attempts to access attribute->value 
without checking if attribute or attribute->value is NULL,leading to a 
segmentation fault.

Added NULL pointer checks before accessing attribute values in multiple
functions to prevent potential crashes due to invalid memory access

Bluetoothd crash dump:
0 0x73fec87ae81e  (/lib/x86_64-linux-gnu/libc.so.6+0x1ae81e)
1 0x73fec94942e9 in MemcmpInterceptorCommon(void*, int (*)
(void const*, void const*, unsigned long), void const*, 
void const*, unsigned long) 
../../../../src/libsanitizer/sanitizer_common/
sanitizer_common_interceptors.inc:881
2 0x73fec9494bc6 in __interceptor_memcmp ../../../../src/
libsanitizer/sanitizer_common
/sanitizer_common_interceptors.inc:892
3 0x73fec9494bc6 in __interceptor_memcmp ../../../../src/
libsanitizer/sanitizer_common
/sanitizer_common_interceptors.inc:887
4 0x5d5c290f2456 in find_by_type src/shared/gatt-db.c:1389
5 0x5d5c290ff855 in foreach_in_range src/shared/gatt-db.c:1549
6 0x5d5c29099752 in queue_foreach src/shared/queue.c:207
7 0x5d5c290fb085 in gatt_db_foreach_in_range src/shared/gatt-db.c:1593
8 0x5d5c290fb4ca in gatt_db_find_by_type_value src/shared/gatt-db.c:1434
9 0x5d5c290e1996 in find_by_type_val_cb src/shared/gatt-server.c:745
10 0x5d5c290c3083 in handle_notify src/shared/att.c:1015
11 0x5d5c290c3083 in can_read_data src/shared/att.c:1100
12 0x5d5c291867c1 in watch_callback src/shared/io-glib.c:157
13 0x73fec931bc43 in g_main_context_dispatch 
(/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43)
14 0x73fec93712b7  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xab2b7)
15 0x73fec931b2b2 in g_main_loop_run (/lib/x86_64-linux-gnu/
libglib-2.0.so.0+0x552b2)
16 0x5d5c29188518 in mainloop_run src/shared/mainloop-glib.c:66
17 0x5d5c29188e26 in mainloop_run_with_signal src/shared
/mainloop-notify.c:189
18 0x5d5c28d8c6ae in main src/main.c:1544
19 0x73fec8629d8f in __libc_start_call_main ../sysdeps/nptl/
libc_start_call_main.h:58
20 0x73fec8629e3f in __libc_start_main_impl ../csu/libc-start.c:392
21 0x5d5c28d8f4c4 in _start (/root/LE_Audio_Work/Bluez/bluez/
src/bluetoothd+0x6204c4)

Sarveshwar Bajaj (1):
  shared/gatt-db: Fix incorrect attribute type handling

 src/shared/gatt-db.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)