From: "Frédéric Danis" <frederic.danis@collabora.com>
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH BlueZ] shared/gatt: Fix gatt-db buffer overflow for cloned db
Date: Tue, 16 Jun 2026 14:30:29 +0200
Message-ID: <20260616123029.301362-1-frederic.danis@collabora.com>
On notify_service_changed() timeout, db_hash_update() is called, but
for a cloned db the last handle has not been copied and only one slot is
allocated, ending in a buffer overflow:
==288975==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5020000ac220 at pc 0x55f8b7e551bf bp 0x7ffcd6e9ddf0 sp 0x7ffcd6e9dde0
WRITE of size 8 at 0x5020000ac220 thread T0
#0 0x55f8b7e551be in gen_hash_m src/shared/gatt-db.c:415
#1 0x55f8b7e5d817 in gatt_db_service_foreach src/shared/gatt-db.c:1744
#2 0x55f8b7e5d817 in gatt_db_service_foreach src/shared/gatt-db.c:1722
#3 0x55f8b7e60c6c in foreach_service_in_range src/shared/gatt-db.c:1633
#4 0x55f8b7e60c6c in foreach_in_range src/shared/gatt-db.c:1656
#5 0x55f8b7dde002 in queue_foreach src/shared/queue.c:207
#6 0x55f8b7e5c435 in gatt_db_foreach_service_in_range src/shared/gatt-db.c:1698
#7 0x55f8b7e5c87c in db_hash_update src/shared/gatt-db.c:442
#8 0x55f8b7f15283 in timeout_callback src/shared/timeout-glib.c:25
#9 0x7fc1845154f1 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5e4f1) (BuildId: 116e142b9b52c8a4dfd403e759e71ab8f95d8bb3)
#10 0x7fc18451445d (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5d45d) (BuildId: 116e142b9b52c8a4dfd403e759e71ab8f95d8bb3)
#11 0x7fc184573976 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xbc976) (BuildId: 116e142b9b52c8a4dfd403e759e71ab8f95d8bb3)
#12 0x7fc184514f46 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5df46) (BuildId: 116e142b9b52c8a4dfd403e759e71ab8f95d8bb3)
#13 0x55f8b7f157e8 in mainloop_run src/shared/mainloop-glib.c:65
#14 0x55f8b7f16116 in mainloop_run_with_signal src/shared/mainloop-notify.c:196
#15 0x55f8b7af46df in main src/main.c:1709
#16 0x7fc18382a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#17 0x7fc18382a28a in __libc_start_main_impl ../csu/libc-start.c:360
#18 0x55f8b7af68b4 in _start (/home/fdanis/src/bluez/src/bluetoothd+0x6588b4) (BuildId: 89dc89ac5800f58cc305bae57a965b1185601a3e)
0x5020000ac220 is located 0 bytes after 16-byte region [0x5020000ac210,0x5020000ac220)
allocated by thread T0 here:
#0 0x7fc1846fd9c7 in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x55f8b7ddf2b6 in util_malloc src/shared/util.c:46
---
src/shared/gatt-db.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/shared/gatt-db.c b/src/shared/gatt-db.c
index 87cc61cf3..751d4c3da 100644
--- a/src/shared/gatt-db.c
+++ b/src/shared/gatt-db.c
@@ -330,6 +330,7 @@ struct gatt_db *gatt_db_clone(struct gatt_db *db)
return NULL;
queue_foreach(db->services, service_clone, clone);
+ clone->last_handle = db->last_handle;
return clone;
}
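Review bot: the assignment `clone->last_handle = db->last_handle;` is placed after `queue_foreach(db->services, service_clone, clone);`, which is the right order if service_clone does not maintain last_handle on the clone, but it would be worth a one-line comment stating that service_clone leaves last_handle untouched, so a later change to service_clone that starts updating it does not silently make this copy stale or redundant. It also matches the allocation in db_hash_update, `new0(struct iovec, db->last_handle + 1)`, which is the size the trace overran. While here, please confirm no other scalar fields of struct gatt_db besides last_handle need copying for the clone to be a faithful duplicate, since the ASan report only exercises the hash path.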
@@ -433,7 +434,7 @@ static bool db_hash_update(void *user_data)
db->hash_id = 0;
- if (gatt_db_isempty(db))
+ if (gatt_db_isempty(db) || !db->last_handle)
return false;
hash.iov = new0(struct iovec, db->last_handle + 1);
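Review bot: the new `!db->last_handle` guard in `if (gatt_db_isempty(db) || !db->last_handle)` runs after `db->hash_id = 0;` and returns false, so a db that has services but a zero last_handle (the exact state the commit message describes for an un-fixed clone) now silently drops the hash update instead of overflowing; that is the safe outcome, but it hides the inconsistency rather than surfacing it. Consider a comment explaining when a non-empty db can legitimately have last_handle == 0, or a debug log on that branch, so the next regression in a clone or copy path is noticed rather than masked. With last_handle == 0 the allocation `new0(struct iovec, db->last_handle + 1)` would still only provide one slot, so the guard is the correct place to stop before gen_hash_m indexes by handle.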
--
2.43.0