Linux bluetooth development
From: patchwork-bot+bluetooth@kernel.org
To: Frédéric Danis <frederic.danis@collabora.com>
Cc: linux-bluetooth@vger.kernel.org
Subject: Re: [PATCH BlueZ] shared/gatt: Fix gatt-db buffer overflow for cloned db
Date: Wed, 17 Jun 2026 14:10:06 +0000
Message-ID: <178170540613.1639014.3496569475203817334.git-patchwork-notify@kernel.org>
In-Reply-To: <20260616123029.301362-1-frederic.danis@collabora.com>

Hello:

This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Tue, 16 Jun 2026 14:30:29 +0200 you wrote:
> On notify_service_changed() timeout, db_hash_update() is called but
> for cloned db the last-handle has not been copied and only one slot is
> allocated, ending in buffer overflow:
> 
> ==288975==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5020000ac220 at pc 0x55f8b7e551bf bp 0x7ffcd6e9ddf0 sp 0x7ffcd6e9dde0
> WRITE of size 8 at 0x5020000ac220 thread T0
>     #0 0x55f8b7e551be in gen_hash_m src/shared/gatt-db.c:415
>     #1 0x55f8b7e5d817 in gatt_db_service_foreach src/shared/gatt-db.c:1744
>     #2 0x55f8b7e5d817 in gatt_db_service_foreach src/shared/gatt-db.c:1722
>     #3 0x55f8b7e60c6c in foreach_service_in_range src/shared/gatt-db.c:1633
>     #4 0x55f8b7e60c6c in foreach_in_range src/shared/gatt-db.c:1656
>     #5 0x55f8b7dde002 in queue_foreach src/shared/queue.c:207
>     #6 0x55f8b7e5c435 in gatt_db_foreach_service_in_range src/shared/gatt-db.c:1698
>     #7 0x55f8b7e5c87c in db_hash_update src/shared/gatt-db.c:442
>     #8 0x55f8b7f15283 in timeout_callback src/shared/timeout-glib.c:25
>     #9 0x7fc1845154f1  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5e4f1) (BuildId: 116e142b9b52c8a4dfd403e759e71ab8f95d8bb3)
>     #10 0x7fc18451445d  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5d45d) (BuildId: 116e142b9b52c8a4dfd403e759e71ab8f95d8bb3)
>     #11 0x7fc184573976  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xbc976) (BuildId: 116e142b9b52c8a4dfd403e759e71ab8f95d8bb3)
>     #12 0x7fc184514f46 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5df46) (BuildId: 116e142b9b52c8a4dfd403e759e71ab8f95d8bb3)
>     #13 0x55f8b7f157e8 in mainloop_run src/shared/mainloop-glib.c:65
>     #14 0x55f8b7f16116 in mainloop_run_with_signal src/shared/mainloop-notify.c:196
>     #15 0x55f8b7af46df in main src/main.c:1709
>     #16 0x7fc18382a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
>     #17 0x7fc18382a28a in __libc_start_main_impl ../csu/libc-start.c:360
>     #18 0x55f8b7af68b4 in _start (/home/fdanis/src/bluez/src/bluetoothd+0x6588b4) (BuildId: 89dc89ac5800f58cc305bae57a965b1185601a3e)
> 
> [...]

Here is the summary with links:
  - [BlueZ] shared/gatt: Fix gatt-db buffer overflow for cloned db
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=aa8d0a2b6841

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
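As an added illustration that is not BlueZ's own code, here is a constructed C model of the failure the quoted commit message describes: a clone that omits last_handle makes the hash update size its slot table from the wrong bound, so the first write already lands outside the allocation. The names (struct db, clone_broken, clone_fixed, hash_update, demo) and the slot layout are assumptions of the model, not gatt-db internals.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed model of a gatt-db; last_handle bounds the handle space. */
struct db {
    uint16_t last_handle;   /* highest attribute handle in use */
    size_t count;           /* attributes present (model only) */
    uint16_t handles[8];    /* their handles (model only) */
};
/* Broken clone: copies the attributes but never copies last_handle,
 * so the clone reports a handle space of size 1 (the bug class above). */
void clone_broken(struct db *dst, const struct db *src)
{
    memset(dst, 0, sizeof(*dst));
    dst->count = src->count;
    memcpy(dst->handles, src->handles, src->count * sizeof(src->handles[0]));
}
/* Fixed clone: the bound travels with the data it bounds. */
void clone_fixed(struct db *dst, const struct db *src)
{
    clone_broken(dst, src);
    dst->last_handle = src->last_handle;
}
/* Stand-in for db_hash_update(): sizes the slot table from last_handle and
 * writes one slot per attribute; a handle outside the allocation is
 * rejected here instead of written past the end as ASan reported. */
bool hash_update(const struct db *db)
{
    size_t nslots = (size_t)db->last_handle + 1;
    uint64_t *slots = calloc(nslots, sizeof(*slots));
    bool ok = slots != NULL;
    for (size_t i = 0; ok && i < db->count; i++) {
        if (db->handles[i] >= nslots)
            ok = false;                /* would have been the overflow */
        else
            slots[db->handles[i]] = 1; /* hash contribution placeholder */
    }
    free(slots);
    return ok;
}
/* Constructed input: handles 1..3, cloned both ways. Returns true only if
 * the broken clone is rejected and the fixed clone hashes cleanly. */
bool demo(void)
{
    struct db src = { .last_handle = 3, .count = 3, .handles = {1, 2, 3} };
    struct db bad, good;
    clone_broken(&bad, &src);
    clone_fixed(&good, &src);
    return !hash_update(&bad) && hash_update(&good);
}
```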
Thread overview: 2+ messages
2026-06-16 12:30 [PATCH BlueZ] shared/gatt: Fix gatt-db buffer overflow for cloned db Frédéric Danis
2026-06-17 14:10 ` patchwork-bot+bluetooth [this message]