public inbox for linux-bluetooth@vger.kernel.org
* [PATCH BlueZ] adapter: Fix bt_uuid_hash() crash
@ 2026-01-20 16:36 Frédéric Danis
  2026-01-20 17:40 ` [BlueZ] " bluez.test.bot
  2026-01-22 16:20 ` [PATCH BlueZ] " patchwork-bot+bluetooth
  0 siblings, 2 replies; 3+ messages in thread
From: Frédéric Danis @ 2026-01-20 16:36 UTC (permalink / raw)
  To: linux-bluetooth

This is reproducible on Ubuntu 24.04, which enables libasan, by
calling the org.bluez.AdminPolicySet1.SetServiceAllowList() method with
an array of UUIDs like ['110c','110e']:

bluetoothd[9975]: [:1.1435:method_call] > org.bluez.AdminPolicySet1.SetServiceAllowList [#468]
bluetoothd[9975]: plugins/admin.c:set_service_allowlist() sender :1.1435
=================================================================
==9975==ERROR: AddressSanitizer: unknown-crash on address 0x763aef383ee4 at pc 0x648113f85064 bp 0x7fffe4db4970 sp 0x7fffe4db4960
WRITE of size 16 at 0x763aef383ee4 thread T0
    #0 0x648113f85063 in bt_uuid16_to_uuid128 lib/bluetooth/uuid.c:35
    #1 0x648113f85063 in bt_uuid_to_uuid128 lib/bluetooth/uuid.c:73
    #2 0x648113e90459 in bt_uuid_hash src/adapter.c:3891
    #3 0x763af2700a5b in g_hash_table_add (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x49a5b) (BuildId: 94bfd21331c311d3199726de93a2656d07c22b33)
    #4 0x648113fa7232 in queue_foreach src/shared/queue.c:207
    #5 0x648113eb69df in btd_adapter_set_allowed_uuids src/adapter.c:3924
    #6 0x648113cd6f11 in service_allowlist_set plugins/admin.c:165
    #7 0x648113cd8162 in set_service_allowlist plugins/admin.c:382
    #8 0x648113f97564 in process_message gdbus/object.c:293
    #9 0x763af2f6f553 in dbus_connection_dispatch (/lib/x86_64-linux-gnu/libdbus-1.so.3+0x18553) (BuildId: 47829078e4267099473c6cf5f5742f16ccb2644d)
    #10 0x648113f86d47 in message_dispatch gdbus/mainloop.c:59
    #11 0x763af271440d  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5d40d) (BuildId: 94bfd21331c311d3199726de93a2656d07c22b33)
    #12 0x763af2773766  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xbc766) (BuildId: 94bfd21331c311d3199726de93a2656d07c22b33)
    #13 0x763af2714ef6 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5def6) (BuildId: 94bfd21331c311d3199726de93a2656d07c22b33)
    #14 0x6481140bf9d8 in mainloop_run src/shared/mainloop-glib.c:65
    #15 0x6481140c0306 in mainloop_run_with_signal src/shared/mainloop-notify.c:196
    #16 0x648113c93d58 in main src/main.c:1550
    #17 0x763af1a2a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #18 0x763af1a2a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #19 0x648113c96854 in _start (/home/fdanis/src/bluez/src/bluetoothd+0x65d854) (BuildId: 4e2b98c227059c308efb311ffe5b023d60e142ac)

Address 0x763aef383ee4 is located in stack of thread T0 at offset 36 in frame
    #0 0x648113e903df in bt_uuid_hash src/adapter.c:3884

  This frame has 1 object(s):
    [32, 48) 'uuid_128' (line 3886) <== Memory access at offset 36 partially overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: unknown-crash lib/bluetooth/uuid.c:35 in bt_uuid16_to_uuid128
Shadow bytes around the buggy address:
  0x763aef383c00: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x763aef383c80: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x763aef383d00: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x763aef383d80: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x763aef383e00: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
=>0x763aef383e80: f5 f5 f5 f5 f5 f5 f5 f5 f1 f1 f1 f1[00]00 f3 f3
  0x763aef383f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x763aef383f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x763aef384000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x763aef384080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x763aef384100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
---
 src/adapter.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/adapter.c b/src/adapter.c
index a5de7cee1..b319594ae 100644
--- a/src/adapter.c
+++ b/src/adapter.c
@@ -3879,14 +3879,15 @@ static void add_uuid_to_uuid_set(void *data, void *user_data)
 static guint bt_uuid_hash(gconstpointer key)
 {
 	const bt_uuid_t *uuid = key;
-	uint64_t uuid_128[2];
+	bt_uuid_t my_uuid;
 
 	if (!uuid)
 		return 0;
 
-	bt_uuid_to_uuid128(uuid, (bt_uuid_t *)uuid_128);
+	bt_uuid_to_uuid128(uuid, &my_uuid);
 
-	return g_int64_hash(uuid_128) ^ g_int64_hash(uuid_128+1);
+	return g_int64_hash(&my_uuid.value.u128.data[0]) ^
+		g_int64_hash(&my_uuid.value.u128.data[8]);
 }
 
 static gboolean bt_uuid_equal(gconstpointer v1, gconstpointer v2)
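Review bot: the two new g_int64_hash() calls at the end of the hunk pass pointers into my_uuid.value.u128.data (index 0 and index 8), and those addresses need not be 8-byte aligned: the ASan report above places the 16-byte write at offset 36 of the [32, 48) uuid_128 object, i.e. the 128-bit value starts 4 bytes into bt_uuid_t, behind the type tag, so the gint64 loads inside g_int64_hash() are alignment-dependent (fine on x86, flagged by UBSan and faulting on strict-alignment targets). Copying each half into a local uint64_t first keeps the fix portable, e.g.
	memcpy(&lo, &my_uuid.value.u128.data[0], sizeof(lo));
	memcpy(&hi, &my_uuid.value.u128.data[8], sizeof(hi));
	return g_int64_hash(&lo) ^ g_int64_hash(&hi);
with lo and hi declared as uint64_t next to my_uuid. The removed uint64_t uuid_128[2] was only 16 bytes while bt_uuid_to_uuid128() fills a whole bt_uuid_t (type tag plus 16-byte value), which is exactly the partial overflow ASan reported; a sentence saying so in the commit message would help readers who get only the sanitizer dump.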
-- 
2.43.0
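The root cause of the report above is a buffer declared as uint64_t[2] (16 bytes) being cast to a tagged UUID struct and then filled as if it were one. The following is an added example, not the patch's or BlueZ's code: model_uuid_t is a hypothetical stand-in for bt_uuid_t (a type tag followed by a union holding the value), model_uuid16_to_uuid128 stands in for bt_uuid16_to_uuid128 using the standard Bluetooth base UUID, and fold64 stands in for g_int64_hash. It computes how far filling the whole struct would run past a 16-byte buffer (4 bytes on the usual ABIs, matching the write at offset 36 of the [32, 48) object in the report), and shows a hash that converts into a full struct and memcpy()s each 8-byte half into an aligned uint64_t, so it is both size-correct and free of unaligned int64 loads. The UUID values are the ones from the bug report.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model (not BlueZ's bt_uuid_t): a type tag followed by a union
 * holding the value.  The tag is what makes the struct larger than a bare
 * 16-byte buffer, so casting uint64_t[2] to it and filling it overflows. */
typedef struct { uint8_t data[16]; } model_u128_t;

typedef struct {
	enum { MODEL_UUID_UNSPEC = 0, MODEL_UUID16 = 16, MODEL_UUID128 = 128 } type;
	union { uint16_t u16; model_u128_t u128; } value;
} model_uuid_t;

/* Bluetooth base UUID 00000000-0000-1000-8000-00805F9B34FB, stored big-endian. */
static const uint8_t BT_BASE_UUID[16] = {
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00,
	0x80, 0x00, 0x00, 0x80, 0x5F, 0x9B, 0x34, 0xFB
};

/* Expand a 16-bit UUID to 128-bit form: the short value lands in bytes 2..3. */
void model_uuid16_to_uuid128(uint16_t u16, model_uuid_t *out)
{
	out->type = MODEL_UUID128;
	memcpy(out->value.u128.data, BT_BASE_UUID, sizeof(BT_BASE_UUID));
	out->value.u128.data[2] = (uint8_t)(u16 >> 8);
	out->value.u128.data[3] = (uint8_t)(u16 & 0xff);
}

static void model_to_uuid128(const model_uuid_t *in, model_uuid_t *out)
{
	if (in->type == MODEL_UUID16)
		model_uuid16_to_uuid128(in->value.u16, out);
	else
		*out = *in;
}

/* 64-bit fold standing in for g_int64_hash(): XOR the two 32-bit halves. */
static uint32_t fold64(uint64_t v)
{
	return (uint32_t)v ^ (uint32_t)(v >> 32);
}

/* Safe hash: convert into a full model_uuid_t (never into a smaller, casted
 * buffer) and memcpy() each 8-byte half into an aligned uint64_t before
 * hashing, so no int64 load goes through a possibly unaligned pointer. */
uint32_t model_uuid_hash(const model_uuid_t *uuid)
{
	model_uuid_t u128;
	uint64_t lo, hi;

	if (!uuid)
		return 0;

	model_to_uuid128(uuid, &u128);
	memcpy(&lo, &u128.value.u128.data[0], sizeof(lo));
	memcpy(&hi, &u128.value.u128.data[8], sizeof(hi));
	return fold64(lo) ^ fold64(hi);
}

/* Bytes that filling a whole model_uuid_t writes beyond a 16-byte buffer:
 * the tag pushes the value past the end, the partial overflow ASan reported. */
size_t model_overflow_of_16_byte_buffer(void)
{
	size_t needed = offsetof(model_uuid_t, value) + sizeof(model_u128_t);

	return needed > 16 ? needed - 16 : 0;
}

/* 1 if the 16-bit and expanded 128-bit forms of the same UUID hash alike. */
int model_hash_is_form_independent(uint16_t u16)
{
	model_uuid_t short_form = { .type = MODEL_UUID16 };
	model_uuid_t long_form;

	short_form.value.u16 = u16;
	model_uuid16_to_uuid128(u16, &long_form);
	return model_uuid_hash(&short_form) == model_uuid_hash(&long_form);
}

/* 1 if two distinct 16-bit UUIDs hash to different values. */
int model_hashes_differ(uint16_t a16, uint16_t b16)
{
	model_uuid_t a = { .type = MODEL_UUID16 }, b = { .type = MODEL_UUID16 };

	a.value.u16 = a16;
	b.value.u16 = b16;
	return model_uuid_hash(&a) != model_uuid_hash(&b);
}

int main(void)
{
	model_uuid_t a = { .type = MODEL_UUID16 };

	a.value.u16 = 0x110c;
	printf("overflow past a 16-byte buffer: %zu bytes\n",
	       model_overflow_of_16_byte_buffer());
	printf("hash(110c) = %08x\n", model_uuid_hash(&a));
	return 0;
}
```

The hash deliberately ignores the type tag, so a service UUID given as '110c' and the same one given in full 128-bit form land in the same hash bucket; the memcpy() form costs nothing on x86 and removes the alignment assumption entirely.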



* RE: [BlueZ] adapter: Fix bt_uuid_hash() crash
  2026-01-20 16:36 [PATCH BlueZ] adapter: Fix bt_uuid_hash() crash Frédéric Danis
@ 2026-01-20 17:40 ` bluez.test.bot
  2026-01-22 16:20 ` [PATCH BlueZ] " patchwork-bot+bluetooth
  1 sibling, 0 replies; 3+ messages in thread
From: bluez.test.bot @ 2026-01-20 17:40 UTC (permalink / raw)
  To: linux-bluetooth, frederic.danis


This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1044781

---Test result---

Test Summary:
CheckPatch                    PENDING   0.45 seconds
GitLint                       PENDING   0.36 seconds
BuildEll                      PASS      19.88 seconds
BluezMake                     PASS      635.83 seconds
MakeCheck                     PASS      18.57 seconds
MakeDistcheck                 PASS      240.61 seconds
CheckValgrind                 PASS      293.42 seconds
CheckSmatch                   PASS      349.61 seconds
bluezmakeextell               PASS      181.30 seconds
IncrementalBuild              PENDING   0.66 seconds
ScanBuild                     PASS      1014.90 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:



---
Regards,
Linux Bluetooth



* Re: [PATCH BlueZ] adapter: Fix bt_uuid_hash() crash
  2026-01-20 16:36 [PATCH BlueZ] adapter: Fix bt_uuid_hash() crash Frédéric Danis
  2026-01-20 17:40 ` [BlueZ] " bluez.test.bot
@ 2026-01-22 16:20 ` patchwork-bot+bluetooth
  1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+bluetooth @ 2026-01-22 16:20 UTC (permalink / raw)
  To: Frédéric Danis <frederic.danis@collabora.com>
  Cc: linux-bluetooth

Hello:

This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Tue, 20 Jan 2026 17:36:14 +0100 you wrote:
> This is reproducible on Ubuntu 24.04, which enables libasan, by
> calling the org.bluez.AdminPolicySet1.SetServiceAllowList() method with
> an array of UUIDs like ['110c','110e']:
> 
> bluetoothd[9975]: [:1.1435:method_call] > org.bluez.AdminPolicySet1.SetServiceAllowList [#468]
> bluetoothd[9975]: plugins/admin.c:set_service_allowlist() sender :1.1435
> =================================================================
> ==9975==ERROR: AddressSanitizer: unknown-crash on address 0x763aef383ee4 at pc 0x648113f85064 bp 0x7fffe4db4970 sp 0x7fffe4db4960
> WRITE of size 16 at 0x763aef383ee4 thread T0
>     #0 0x648113f85063 in bt_uuid16_to_uuid128 lib/bluetooth/uuid.c:35
>     #1 0x648113f85063 in bt_uuid_to_uuid128 lib/bluetooth/uuid.c:73
>     #2 0x648113e90459 in bt_uuid_hash src/adapter.c:3891
>     #3 0x763af2700a5b in g_hash_table_add (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x49a5b) (BuildId: 94bfd21331c311d3199726de93a2656d07c22b33)
>     #4 0x648113fa7232 in queue_foreach src/shared/queue.c:207
>     #5 0x648113eb69df in btd_adapter_set_allowed_uuids src/adapter.c:3924
>     #6 0x648113cd6f11 in service_allowlist_set plugins/admin.c:165
>     #7 0x648113cd8162 in set_service_allowlist plugins/admin.c:382
>     #8 0x648113f97564 in process_message gdbus/object.c:293
>     #9 0x763af2f6f553 in dbus_connection_dispatch (/lib/x86_64-linux-gnu/libdbus-1.so.3+0x18553) (BuildId: 47829078e4267099473c6cf5f5742f16ccb2644d)
>     #10 0x648113f86d47 in message_dispatch gdbus/mainloop.c:59
>     #11 0x763af271440d  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5d40d) (BuildId: 94bfd21331c311d3199726de93a2656d07c22b33)
>     #12 0x763af2773766  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xbc766) (BuildId: 94bfd21331c311d3199726de93a2656d07c22b33)
>     #13 0x763af2714ef6 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5def6) (BuildId: 94bfd21331c311d3199726de93a2656d07c22b33)
>     #14 0x6481140bf9d8 in mainloop_run src/shared/mainloop-glib.c:65
>     #15 0x6481140c0306 in mainloop_run_with_signal src/shared/mainloop-notify.c:196
>     #16 0x648113c93d58 in main src/main.c:1550
>     #17 0x763af1a2a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
>     #18 0x763af1a2a28a in __libc_start_main_impl ../csu/libc-start.c:360
>     #19 0x648113c96854 in _start (/home/fdanis/src/bluez/src/bluetoothd+0x65d854) (BuildId: 4e2b98c227059c308efb311ffe5b023d60e142ac)
> 
> [...]

Here is the summary with links:
  - [BlueZ] adapter: Fix bt_uuid_hash() crash
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=fdf82c79f8f3

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



