From: Oliver Chang <ochang@google.com>
To: linux-bluetooth@vger.kernel.org
Cc: hadess@hadess.net, Oliver Chang <ochang@google.com>
Subject: [PATCH BlueZ 0/1] *** Fixed heap-buffer-overflow in `compute_seq_size` ***
Date: Sun, 10 Aug 2025 06:46:56 +0000 [thread overview]
Message-ID: <20250810064656.1810093-2-ochang@google.com> (raw)
The change from the last patch I submitted is the removal of the memory leak fix.
This patch focuses on fixing the buffer overflow.
This fixes an ASan crash discovered by OSS-Fuzz:
```
==402==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x502000000218 at pc 0x564763e67877 bp 0x7ffc1a9f92b0 sp 0x7ffc1a9f92a8
READ of size 4 at 0x502000000218 thread T0
#0 0x564763e67876 in compute_seq_size bluez/src/sdp-xml.c:62:21
#1 0x564763e67876 in element_end bluez/src/sdp-xml.c:548:42
#2 0x564763ea5416 in emit_end_element glib/glib/gmarkup.c:1045:5
#3 0x564763ea4978 in g_markup_parse_context_parse glib/glib/gmarkup.c:1603:19
#4 0x564763e65c55 in sdp_xml_parse_record bluez/src/sdp-xml.c:621:6
#5 0x564763e6acf1 in LLVMFuzzerTestOneInput /src/fuzz_xml.c:30:9
#6 0x564763d1a730 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
#7 0x564763d059a5 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
#8 0x564763d0b43f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
#9 0x564763d366e2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#10 0x79ed69692082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/libc-start.c:308:16
#11 0x564763cfdb8d in _start
```
Oliver Chang (1):
Fixed heap-buffer-overflow in `compute_seq_size`.
src/sdp-xml.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
--
2.50.1.703.g449372360f-goog
next reply other threads:[~2025-08-10 6:47 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-10 6:46 Oliver Chang [this message]
2025-08-10 6:46 ` [PATCH BlueZ 1/1] Fixed heap-buffer-overflow in `compute_seq_size` Oliver Chang
2025-08-10 7:22 ` Paul Menzel
2025-08-10 8:20 ` Oliver Chang
2025-08-10 20:20 ` Paul Menzel
2025-08-10 8:09 ` *** Fixed heap-buffer-overflow in `compute_seq_size` *** bluez.test.bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250810064656.1810093-2-ochang@google.com \
--to=ochang@google.com \
--cc=hadess@hadess.net \
--cc=linux-bluetooth@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox