
[Bluez] hog: null-check attrib channel at report_map_read_cb

Message ID 20200928113550.Bluez.1.I229012141d7dab6013840265bc871a2c0712bec9@changeid
State New
Series [Bluez] hog: null-check attrib channel at report_map_read_cb

Commit Message

Michael Sun Sept. 28, 2020, 6:35 p.m. UTC
According to user reported crash dumps, function 'report_map_read_cb'
can pass down a null channel pointer, which will cause a segfault later
at g_io_channel_unix_get_fd upon dereferencing. Add null check to
prevent crashes.

thread #1, stop reason = signal SIGSEGV
frame #0: 0x00007ac089e199f7 libglib-2.0.so.0`g_io_channel_unix_get_fd at giounix.c:655
frame #1: 0x00005cdb60776a52 bluetoothd`bt_io_get_type at btio.c:105
frame #2: 0x00005cdb60777224 bluetoothd`bt_io_get at btio.c:1548
frame #3: 0x00005cdb607706ca bluetoothd`report_map_read_cb at hog-lib.c:993
frame #4: 0x00005cdb60775a60 bluetoothd`read_blob_helper at gatt.c:804
frame #5: 0x00005cdb60775f13 bluetoothd`attrib_callback_result at gattrib.c:273
frame #6: 0x00005cdb607bf30b bluetoothd`can_read_data at att.c:820
frame #7: 0x00005cdb607ca58f bluetoothd`watch_callback at io-glib.c:170
frame #8: 0x00007ac089dda73b libglib-2.0.so.0`g_main_context_dispatch at gmain.c:3182
frame #9: 0x00007ac089ddaa5a libglib-2.0.so.0`g_main_context_iterate at gmain.c:3920
frame #10: 0x00007ac089ddac9f libglib-2.0.so.0`g_main_loop_run at gmain.c:4116
frame #11: 0x00005cdb607ca712 bluetoothd`mainloop_run at mainloop-glib.c:79
frame #12: 0x00005cdb607ca9fe bluetoothd`mainloop_run_with_signal at mainloop-notify.c:201
frame #13: 0x00005cdb607b04bb bluetoothd`main at main.c:969
frame #14: 0x00007ac0894c0ad4 libc.so.6`__libc_start_main at libc-start.c:308
frame #15: 0x00005cdb6074eb0a bluetoothd`_start + 42

Reviewed-by: Abhishek Pandit-Subedi <abhishekpandit@chromium.org>
Reviewed-by: Archie Pusaka <apusaka@chromium.org>
Signed-off-by: Michael Sun <michaelfsun@google.com>
---

 profiles/input/hog-lib.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

Comments

bluez.test.bot@gmail.com Sept. 28, 2020, 6:52 p.m. UTC | #1
This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=356703

---Test result---

##############################
Test: CheckPatch - FAIL
Output:
hog: null-check attrib channel at report_map_read_cb
WARNING:COMMIT_LOG_LONG_LINE: Possible unwrapped commit description (prefer a maximum 75 chars per line)
#12: 
frame #0: 0x00007ac089e199f7 libglib-2.0.so.0`g_io_channel_unix_get_fd at giounix.c:655

- total: 0 errors, 1 warnings, 21 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

Your patch has style problems, please review.

NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPLIT_STRING SSCANF_TO_KSTRTO

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.


##############################
Test: CheckGitLint - FAIL
Output:
hog: null-check attrib channel at report_map_read_cb
9: B1 Line exceeds max length (87>80): "frame #0: 0x00007ac089e199f7 libglib-2.0.so.0`g_io_channel_unix_get_fd at giounix.c:655"
17: B1 Line exceeds max length (85>80): "frame #8: 0x00007ac089dda73b libglib-2.0.so.0`g_main_context_dispatch at gmain.c:3182"
18: B1 Line exceeds max length (84>80): "frame #9: 0x00007ac089ddaa5a libglib-2.0.so.0`g_main_context_iterate at gmain.c:3920"
21: B1 Line exceeds max length (90>80): "frame #12: 0x00005cdb607ca9fe bluetoothd`mainloop_run_with_signal at mainloop-notify.c:201"


##############################
Test: CheckBuild - PASS

##############################
Test: MakeCheck - PASS



---
Regards,
Linux Bluetooth

Patch

diff --git a/profiles/input/hog-lib.c b/profiles/input/hog-lib.c
index e96c969b7755..58d6b556dc9c 100644
--- a/profiles/input/hog-lib.c
+++ b/profiles/input/hog-lib.c
@@ -945,6 +945,7 @@  static void report_map_read_cb(guint8 status, const guint8 *pdu, guint16 plen,
 	char itemstr[20]; /* 5x3 (data) + 4 (continuation) + 1 (null) */
 	int i, err;
 	GError *gerr = NULL;
+	GIOChannel *io = NULL;
 
 	destroy_gatt_req(req);
 
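Review bot: The `= NULL` initializer on the new `GIOChannel *io` declaration is redundant, since `io` is assigned unconditionally from `g_attrib_get_channel()` before its first use in the second hunk; a plain `GIOChannel *io;` would do and keeps the declaration block consistent with the neighbouring `int i, err;`.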
@@ -988,7 +989,13 @@  static void report_map_read_cb(guint8 status, const guint8 *pdu, guint16 plen,
 	memset(&ev, 0, sizeof(ev));
 	ev.type = UHID_CREATE;
 
-	bt_io_get(g_attrib_get_channel(hog->attrib), &gerr,
+	io = g_attrib_get_channel(hog->attrib);
+	if (!io) {
+		error("Get channel failed");
+		return;
+	}
+
+	bt_io_get(io, &gerr,
 			BT_IO_OPT_SOURCE, ev.u.create.phys,
 			BT_IO_OPT_DEST, ev.u.create.uniq,
 			BT_IO_OPT_INVALID);
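Review bot: The new `return` after `error("Get channel failed")` exits after `destroy_gatt_req(req)` has already run and before the `UHID_CREATE` event is sent, so a device hitting this path silently never gets its uhid node; the log message should say that uhid creation was skipped so the failure can be found from the log, and the commit message should state why `hog->attrib` can have no channel at this point (the trace only shows the dereference), since the check suppresses the crash without addressing its cause.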