[v4,0/2] Fix gatt-db munmap_chunk invalid pointer

Message ID	20240111133955.65686-1-frederic.danis@collabora.com
Headers	show Received: from madrid.collaboradmins.com (madrid.collaboradmins.com [46.235.227.194]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BC2EA2837F for <linux-bluetooth@vger.kernel.org>; Thu, 11 Jan 2024 13:40:05 +0000 (UTC) sender: fdanis) by madrid.collaboradmins.com (Postfix) with ESMTPSA id F30CC3780894 for <linux-bluetooth@vger.kernel.org>; Thu, 11 Jan 2024 13:40:03 +0000 (UTC) From: =?utf-8?q?Fr=C3=A9d=C3=A9ric_Danis?= <frederic.danis@collabora.com> To: linux-bluetooth@vger.kernel.org Subject: [PATCH v4 0/2] Fix gatt-db munmap_chunk invalid pointer Date: Thu, 11 Jan 2024 14:39:53 +0100 Message-Id: <20240111133955.65686-1-frederic.danis@collabora.com> Precedence: bulk MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit
Series	Fix gatt-db munmap_chunk invalid pointer \| expand [v4,0/2] Fix gatt-db munmap_chunk invalid pointer [v4,1/2] shared/gatt-db: Fix munmap_chunk invalid pointer [v4,2/2] unit/test-gatt: Add unordered setup db test

Message ID

20240111133955.65686-1-frederic.danis@collabora.com

Headers

From: =?utf-8?q?Fr=C3=A9d=C3=A9ric_Danis?= <frederic.danis@collabora.com>
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH v4 0/2] Fix gatt-db munmap_chunk invalid pointer
Date: Thu, 11 Jan 2024 14:39:53 +0100
Message-Id: <20240111133955.65686-1-frederic.danis@collabora.com>
Precedence: bulk
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Series

Fix gatt-db munmap_chunk invalid pointer | expand

Message

Frédéric Danis Jan. 11, 2024, 1:39 p.m. UTC

PTS test GATT/CL/GAD/BV-03-C published a service starting at handle 0xfffd
and ending at 0xffff.
This resets the next_handle to 0 in gatt_db_insert_service() instead of
setting it to 0x10000. Other services are added later.
This could end-up by a crash in db_hash_update() if not enough space has
been allocated for hash.iov and some entries are overwritten.

Next_handle can be replaced by a last_handle variable which will not loop
over. This can be replaced by queue_peek_tail() and computing the value,
but keeping last_handle will avoid this sort of lookup.

Add a unit test to check regression.

v1 -> v2: Replace next_handle by last_handle
          Check empty db using gatt_db_isempty(db) instead of
            next_handle == 0
          Add robustness unit test to check that gatt_db_get_hash()
            doesn't crash
v2 -> v3: Fix line length checkpatch errors
v3 -> v4: Update commit comment to explain reason for keeping last_handle
          Split unit test to its own commit
          Rephrase db setup comment in unit test

Frédéric Danis (2):
  shared/gatt-db: Fix munmap_chunk invalid pointer
  unit/test-gatt: Add unordered setup db test

 src/shared/gatt-db.c | 19 ++++++------
 unit/test-gatt.c     | 73 +++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 82 insertions(+), 10 deletions(-)

Comments

patchwork-bot+bluetooth@kernel.org Jan. 12, 2024, 3:40 p.m. UTC | #1

Hello:

This series was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Thu, 11 Jan 2024 14:39:53 +0100 you wrote:
> PTS test GATT/CL/GAD/BV-03-C published a service starting at handle 0xfffd
> and ending at 0xffff.
> This resets the next_handle to 0 in gatt_db_insert_service() instead of
> setting it to 0x10000. Other services are added later.
> This could end-up by a crash in db_hash_update() if not enough space has
> been allocated for hash.iov and some entries are overwritten.
> 
> [...]

Here is the summary with links:
  - [v4,1/2] shared/gatt-db: Fix munmap_chunk invalid pointer
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=dacc69373263
  - [v4,2/2] unit/test-gatt: Add unordered setup db test
    (no matching commit)

You are awesome, thank you!