* [PATCH BlueZ 0/1] Fix buffer overflow in sdp_xml_parse_uuid128
@ 2025-08-10 7:30 Oliver Chang
2025-08-10 7:30 ` [PATCH BlueZ 1/1] " Oliver Chang
2025-08-11 20:40 ` [PATCH BlueZ 0/1] " patchwork-bot+bluetooth
0 siblings, 2 replies; 4+ messages in thread
From: Oliver Chang @ 2025-08-10 7:30 UTC (permalink / raw)
To: linux-bluetooth; +Cc: oss-fuzz-bugs, Oliver Chang
This fixes a buffer overflow found by OSS-Fuzz. The ASan stacktrace for
this is:
```
=================================================================
==402==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7c960dd00030 at pc 0x59331ced5b8d bp 0x7fffedcc0c50 sp 0x7fffedcc0c48
WRITE of size 1 at 0x7c960dd00030 thread T0
#0 0x59331ced5b8c in sdp_xml_parse_uuid128 bluez/src/sdp-xml.c:128:17
#1 0x59331ced5b8c in sdp_xml_parse_uuid bluez/src/sdp-xml.c:146:9
#2 0x59331ced3529 in sdp_xml_parse_datatype bluez/src/sdp-xml.c:428:10
#3 0x59331ced3529 in element_start bluez/src/sdp-xml.c:498:32
#4 0x59331cf26628 in emit_start_element glib/glib/gmarkup.c:1010:5
#5 0x59331cf258d7 in g_markup_parse_context_parse glib/glib/gmarkup.c:1369:17
#6 0x59331ced1969 in sdp_xml_parse_record bluez/src/sdp-xml.c:621:6
#7 0x59331ced8cc9 in LLVMFuzzerTestOneInput /src/fuzz_xml.c:30:9
#8 0x59331ced1879 in ExecuteFilesOnyByOne /src/aflplusplus/utils/aflpp_driver/aflpp_driver.c:255:7
#9 0x59331ced1675 in LLVMFuzzerRunDriver /src/aflplusplus/utils/aflpp_driver/aflpp_driver.c:0
#10 0x59331ced122d in main /src/aflplusplus/utils/aflpp_driver/aflpp_driver.c:311:10
#11 0x7c961015c082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/libc-start.c:308:16
#12 0x59331cdf8a2d in _start
```
Oliver Chang (1):
Fix buffer overflow in sdp_xml_parse_uuid128
src/sdp-xml.c | 6 ++++++
1 file changed, 6 insertions(+)
--
2.50.1.703.g449372360f-goog
^ permalink raw reply [flat|nested] 4+ messages in thread* [PATCH BlueZ 1/1] Fix buffer overflow in sdp_xml_parse_uuid128
2025-08-10 7:30 [PATCH BlueZ 0/1] Fix buffer overflow in sdp_xml_parse_uuid128 Oliver Chang
@ 2025-08-10 7:30 ` Oliver Chang
2025-08-10 8:51 ` bluez.test.bot
2025-08-11 20:40 ` [PATCH BlueZ 0/1] " patchwork-bot+bluetooth
1 sibling, 1 reply; 4+ messages in thread
From: Oliver Chang @ 2025-08-10 7:30 UTC (permalink / raw)
To: linux-bluetooth; +Cc: oss-fuzz-bugs, Oliver Chang
This was found by OSS-Fuzz.
This can be reproduced by running this input:
`<uuid value="111111111111111111111111111111111111">`
against the harness in
https://github.com/google/oss-fuzz/blob/master/projects/bluez/fuzz_xml.c
which just calls `sdp_xml_parse_record`.
`sdp_xml_parse_uuid` checks that the length of the string is 36 (32
digits + 4 '-' characters) prior to calling `sdp_xml_parse_uuid128`.
There's no check preventing this data from being 36 digits (with no
"-"), which leads to a buffer overflow in sdp_xml_parse_uuid128.
https://issues.oss-fuzz.com/issues/42534847
https://oss-fuzz.com/testcase-detail/5070205940531200
---
src/sdp-xml.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/sdp-xml.c b/src/sdp-xml.c
index 5efa62ab8..2fa8f28a0 100644
--- a/src/sdp-xml.c
+++ b/src/sdp-xml.c
@@ -125,10 +125,16 @@ static sdp_data_t *sdp_xml_parse_uuid128(const char *data)
buf[0] = data[i];
buf[1] = data[i + 1];
+ if (j >= sizeof(val.data))
+ return NULL;
+
val.data[j++] = strtoul(buf, 0, 16);
i += 2;
}
+ if (j != sizeof(val.data))
+ return NULL;
+
return sdp_data_alloc(SDP_UUID128, &val);
}
--
2.50.1.703.g449372360f-goog
^ permalink raw reply related [flat|nested] 4+ messages in thread
* RE: Fix buffer overflow in sdp_xml_parse_uuid128
2025-08-10 7:30 ` [PATCH BlueZ 1/1] " Oliver Chang
@ 2025-08-10 8:51 ` bluez.test.bot
0 siblings, 0 replies; 4+ messages in thread
From: bluez.test.bot @ 2025-08-10 8:51 UTC (permalink / raw)
To: linux-bluetooth, ochang
[-- Attachment #1: Type: text/plain, Size: 1261 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=989676
---Test result---
Test Summary:
CheckPatch PENDING 0.32 seconds
GitLint PENDING 0.30 seconds
BuildEll PASS 20.05 seconds
BluezMake PASS 2604.83 seconds
MakeCheck PASS 19.93 seconds
MakeDistcheck PASS 183.97 seconds
CheckValgrind PASS 236.11 seconds
CheckSmatch PASS 304.70 seconds
bluezmakeextell PASS 128.03 seconds
IncrementalBuild PENDING 0.23 seconds
ScanBuild PASS 907.12 seconds
Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:
##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:
---
Regards,
Linux Bluetooth
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH BlueZ 0/1] Fix buffer overflow in sdp_xml_parse_uuid128
2025-08-10 7:30 [PATCH BlueZ 0/1] Fix buffer overflow in sdp_xml_parse_uuid128 Oliver Chang
2025-08-10 7:30 ` [PATCH BlueZ 1/1] " Oliver Chang
@ 2025-08-11 20:40 ` patchwork-bot+bluetooth
1 sibling, 0 replies; 4+ messages in thread
From: patchwork-bot+bluetooth @ 2025-08-11 20:40 UTC (permalink / raw)
To: Oliver Chang; +Cc: linux-bluetooth, oss-fuzz-bugs
Hello:
This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Sun, 10 Aug 2025 07:30:08 +0000 you wrote:
> This fixes a buffer overflow found by OSS-Fuzz. The ASan stacktrace for
> this is:
>
> ```
> =================================================================
> ==402==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7c960dd00030 at pc 0x59331ced5b8d bp 0x7fffedcc0c50 sp 0x7fffedcc0c48
> WRITE of size 1 at 0x7c960dd00030 thread T0
> #0 0x59331ced5b8c in sdp_xml_parse_uuid128 bluez/src/sdp-xml.c:128:17
> #1 0x59331ced5b8c in sdp_xml_parse_uuid bluez/src/sdp-xml.c:146:9
> #2 0x59331ced3529 in sdp_xml_parse_datatype bluez/src/sdp-xml.c:428:10
> #3 0x59331ced3529 in element_start bluez/src/sdp-xml.c:498:32
> #4 0x59331cf26628 in emit_start_element glib/glib/gmarkup.c:1010:5
> #5 0x59331cf258d7 in g_markup_parse_context_parse glib/glib/gmarkup.c:1369:17
> #6 0x59331ced1969 in sdp_xml_parse_record bluez/src/sdp-xml.c:621:6
> #7 0x59331ced8cc9 in LLVMFuzzerTestOneInput /src/fuzz_xml.c:30:9
> #8 0x59331ced1879 in ExecuteFilesOnyByOne /src/aflplusplus/utils/aflpp_driver/aflpp_driver.c:255:7
> #9 0x59331ced1675 in LLVMFuzzerRunDriver /src/aflplusplus/utils/aflpp_driver/aflpp_driver.c:0
> #10 0x59331ced122d in main /src/aflplusplus/utils/aflpp_driver/aflpp_driver.c:311:10
> #11 0x7c961015c082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/libc-start.c:308:16
> #12 0x59331cdf8a2d in _start
> ```
>
> [...]
Here is the summary with links:
- [BlueZ,1/1] Fix buffer overflow in sdp_xml_parse_uuid128
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=013b3431c58d
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2025-08-11 20:39 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-08-10 7:30 [PATCH BlueZ 0/1] Fix buffer overflow in sdp_xml_parse_uuid128 Oliver Chang
2025-08-10 7:30 ` [PATCH BlueZ 1/1] " Oliver Chang
2025-08-10 8:51 ` bluez.test.bot
2025-08-11 20:40 ` [PATCH BlueZ 0/1] " patchwork-bot+bluetooth
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox