Message ID | 20230919191401.311236-1-luiz.dentz@gmail.com (mailing list archive) |
---|---|
State | Accepted |
Commit | 5ab5352531a9cc7058cce569607f3a6831464443 |
Headers | show |
Series | [BlueZ] pbap: Fix not checking Primary/Secundary Counter length | expand |
Context | Check | Description |
---|---|---|
tedd_an/pre-ci_am | success | Success |
tedd_an/CheckPatch | warning | WARNING:COMMIT_LOG_LONG_LINE: Possible unwrapped commit description (prefer a maximum 75 chars per line) #91: #0 0x7f95a1575637 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:860 /github/workspace/src/src/13391785.patch total: 0 errors, 1 warnings, 17 lines checked NOTE: For some of the reported defects, checkpatch may be able to mechanically convert to the typical style using --fix or --fix-inplace. /github/workspace/src/src/13391785.patch has style problems, please review. NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO NOTE: If any of the errors are false positives, please report them to the maintainer, see CHECKPATCH in MAINTAINERS. |
tedd_an/GitLint | fail | WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search 14: B1 Line exceeds max length (231>80): " #0 0x7f95a1575637 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:860" 15: B1 Line exceeds max length (130>80): " #1 0x7f95a1575ba6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:892" 16: B1 Line exceeds max length (130>80): " #2 0x7f95a1575ba6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:887" 24: B1 Line exceeds max length (99>80): " #10 0x7f95a12fdc43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43)" 26: B1 Line exceeds max length (91>80): " #12 0x7f95a12fd2b2 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2)" 28: B1 Line exceeds max length (91>80): " #14 0x7f95a10a7d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58" 31: B1 Line exceeds max length (97>80): " 0x607000001878 is located 0 bytes to the right of 72-byte region [0x607000001830,0x607000001878)" 34: B1 Line exceeds max length (106>80): " #0 0x7f95a1595a37 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154" |
tedd_an/BuildEll | success | Build ELL PASS |
tedd_an/BluezMake | success | Bluez Make PASS |
tedd_an/MakeCheck | success | Bluez Make Check PASS |
tedd_an/MakeDistcheck | success | Make Distcheck PASS |
tedd_an/CheckValgrind | success | Check Valgrind PASS |
tedd_an/CheckSmatch | success | CheckSparse PASS |
tedd_an/bluezmakeextell | success | Make External ELL PASS |
tedd_an/IncrementalBuild | success | Incremental Build PASS |
tedd_an/ScanBuild | success | Scan Build PASS |
This is automated email and please do not reply to this email! Dear submitter, Thank you for submitting the patches to the linux bluetooth mailing list. This is a CI test results with your patch series: PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=785720 ---Test result--- Test Summary: CheckPatch FAIL 0.64 seconds GitLint FAIL 4.97 seconds BuildEll PASS 27.65 seconds BluezMake PASS 783.26 seconds MakeCheck PASS 11.51 seconds MakeDistcheck PASS 157.96 seconds CheckValgrind PASS 253.66 seconds CheckSmatch PASS 348.02 seconds bluezmakeextell PASS 105.39 seconds IncrementalBuild PASS 669.97 seconds ScanBuild PASS 1040.56 seconds Details ############################## Test: CheckPatch - FAIL Desc: Run checkpatch.pl script Output: [BlueZ] pbap: Fix not checking Primary/Secundary Counter length WARNING:COMMIT_LOG_LONG_LINE: Possible unwrapped commit description (prefer a maximum 75 chars per line) #91: #0 0x7f95a1575637 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:860 /github/workspace/src/src/13391785.patch total: 0 errors, 1 warnings, 17 lines checked NOTE: For some of the reported defects, checkpatch may be able to mechanically convert to the typical style using --fix or --fix-inplace. /github/workspace/src/src/13391785.patch has style problems, please review. NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO NOTE: If any of the errors are false positives, please report them to the maintainer, see CHECKPATCH in MAINTAINERS. ############################## Test: GitLint - FAIL Desc: Run gitlint Output: [BlueZ] pbap: Fix not checking Primary/Secundary Counter length WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search 14: B1 Line exceeds max length (231>80): " #0 0x7f95a1575637 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:860" 15: B1 Line exceeds max length (130>80): " #1 0x7f95a1575ba6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:892" 16: B1 Line exceeds max length (130>80): " #2 0x7f95a1575ba6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:887" 24: B1 Line exceeds max length (99>80): " #10 0x7f95a12fdc43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43)" 26: B1 Line exceeds max length (91>80): " #12 0x7f95a12fd2b2 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2)" 28: B1 Line exceeds max length (91>80): " #14 0x7f95a10a7d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58" 31: B1 Line exceeds max length (97>80): " 0x607000001878 is located 0 bytes to the right of 72-byte region [0x607000001830,0x607000001878)" 34: B1 Line exceeds max length (106>80): " #0 0x7f95a1595a37 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154" --- Regards, Linux Bluetooth
Hello: This patch was applied to bluetooth/bluez.git (master) by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>: On Tue, 19 Sep 2023 12:14:01 -0700 you wrote: > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > > Primary/Secundary Counters are supposed to be 16 bytes values, if the > server has implemented them incorrectly it may lead to the following > crash: > > ================================================================= > ==31860==ERROR: AddressSanitizer: heap-buffer-overflow on address > 0x607000001878 at pc 0x7f95a1575638 bp 0x7fff58c6bb80 sp 0x7fff58c6b328 > > [...] Here is the summary with links: - [BlueZ] pbap: Fix not checking Primary/Secundary Counter length https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=5ab5352531a9 You are awesome, thank you!
diff --git a/obexd/client/pbap.c b/obexd/client/pbap.c index 1ed8c68eccd0..2d2aa950898c 100644 --- a/obexd/client/pbap.c +++ b/obexd/client/pbap.c @@ -285,7 +285,7 @@ static void read_version(struct pbap_data *pbap, GObexApparam *apparam) data = value; } - if (memcmp(pbap->primary, data, len)) { + if (len == sizeof(pbap->primary) && memcmp(pbap->primary, data, len)) { memcpy(pbap->primary, data, len); g_dbus_emit_property_changed(conn, obc_session_get_path(pbap->session), @@ -299,7 +299,8 @@ static void read_version(struct pbap_data *pbap, GObexApparam *apparam) data = value; } - if (memcmp(pbap->secondary, data, len)) { + if (len == sizeof(pbap->secondary) && + memcmp(pbap->secondary, data, len)) { memcpy(pbap->secondary, data, len); g_dbus_emit_property_changed(conn, obc_session_get_path(pbap->session),
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Primary/Secundary Counters are supposed to be 16 bytes values, if the server has implemented them incorrectly it may lead to the following crash: ================================================================= ==31860==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000001878 at pc 0x7f95a1575638 bp 0x7fff58c6bb80 sp 0x7fff58c6b328 READ of size 48 at 0x607000001878 thread T0 #0 0x7f95a1575637 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:860 #1 0x7f95a1575ba6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:892 #2 0x7f95a1575ba6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:887 #3 0x564df69c77a0 in read_version obexd/client/pbap.c:288 #4 0x564df69c77a0 in read_return_apparam obexd/client/pbap.c:352 #5 0x564df69c77a0 in phonebook_size_callback obexd/client/pbap.c:374 #6 0x564df69bea3c in session_terminate_transfer obexd/client/session.c:921 #7 0x564df69d56b0 in get_xfer_progress_first obexd/client/transfer.c:729 #8 0x564df698b9ee in handle_response gobex/gobex.c:1140 #9 0x564df698cdea in incoming_data gobex/gobex.c:1385 #10 0x7f95a12fdc43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43) #11 0x7f95a13526c7 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xaa6c7) #12 0x7f95a12fd2b2 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2) #13 0x564df6977d41 in main obexd/src/main.c:307 #14 0x7f95a10a7d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 #15 0x7f95a10a7e3f in __libc_start_main_impl ../csu/libc-start.c:392 #16 0x564df6978704 in _start (/usr/local/libexec/bluetooth/obexd+0x8b704) 0x607000001878 is located 0 bytes to the right of 72-byte region [0x607000001830,0x607000001878) allocated by thread T0 here: #0 0x7f95a1595a37 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 #1 0x564df69c8b6a in pbap_probe obexd/client/pbap.c:1259 --- obexd/client/pbap.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)