From: Oliver Chang <ochang@google.com>
To: linux-bluetooth@vger.kernel.org
Cc: oss-fuzz-bugs@google.com, Oliver Chang <ochang@google.com>
Subject: [PATCH BlueZ v2 0/1] Fix heap-buffer-overflow in sdp_xml.c:compute_seq_size
Date: Wed, 13 Aug 2025 10:34:58 +0000 [thread overview]
Message-ID: <20250813103459.3690107-1-ochang@google.com> (raw)
This is a follow up to my first patch attempt. After scrutinizing this a
bit more, it turns out my previous patch wasn't actually addresing the
root cause.
The ASan stacktrace (found by OSS-Fuzz) for this issue is:
```
==399==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x502000000218 at pc 0x5cffda946877 bp 0x7ffe90702810 sp 0x7ffe90702808
READ of size 4 at 0x502000000218 thread T0
#0 0x5cffda946876 in compute_seq_size bluez/src/sdp-xml.c:62:21
#1 0x5cffda946876 in element_end bluez/src/sdp-xml.c:548:42
#2 0x5cffda984416 in emit_end_element glib/glib/gmarkup.c:1045:5
#3 0x5cffda983978 in g_markup_parse_context_parse glib/glib/gmarkup.c:1603:19
#4 0x5cffda944c55 in sdp_xml_parse_record bluez/src/sdp-xml.c:621:6
#5 0x5cffda949cf1 in LLVMFuzzerTestOneInput /src/fuzz_xml.c:30:9
#6 0x5cffda7f9730 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
#7 0x5cffda7e49a5 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
#8 0x5cffda7ea43f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
#9 0x5cffda8156e2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#10 0x7e0ccb446082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/libc-start.c:308:16
#11 0x5cffda7dcb8d in _start
```
This patch should address this issue properly. Please see the commit
message for more details.
Oliver Chang (1):
Fix heap-buffer-overflow in sdp_xml.c:compute_seq_size
src/sdp-xml.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--
2.51.0.rc0.205.g4a044479a3-goog
next reply other threads:[~2025-08-13 10:39 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-13 10:34 Oliver Chang [this message]
2025-08-13 10:34 ` [PATCH BlueZ v2 1/1] Fix heap-buffer-overflow in sdp_xml.c:compute_seq_size Oliver Chang
2025-08-13 10:49 ` Oliver Chang
2025-08-13 11:56 ` bluez.test.bot
2025-08-19 9:59 ` Oliver Chang
2025-08-19 14:30 ` [PATCH BlueZ v2 0/1] " patchwork-bot+bluetooth
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250813103459.3690107-1-ochang@google.com \
--to=ochang@google.com \
--cc=linux-bluetooth@vger.kernel.org \
--cc=oss-fuzz-bugs@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.