public inbox for linux-bluetooth@vger.kernel.org
 help / color / mirror / Atom feed
* [PATCH BlueZ] adapter: Fix bt_uuid_hash() crash
@ 2026-01-20 16:36 Frédéric Danis
  2026-01-20 17:40 ` [BlueZ] " bluez.test.bot
  2026-01-22 16:20 ` [PATCH BlueZ] " patchwork-bot+bluetooth
  0 siblings, 2 replies; 3+ messages in thread
From: Frédéric Danis @ 2026-01-20 16:36 UTC (permalink / raw)
  To: linux-bluetooth

This is reproducible on Ubuntu 24.04, which enables libasan, by
calling org.bluez.AdminPolicySet1.SetServiceAllowList() method with
an array of UUIDs like ['110c','110e']:

bluetoothd[9975]: [:1.1435:method_call] > org.bluez.AdminPolicySet1.SetServiceAllowList [#468]
bluetoothd[9975]: plugins/admin.c:set_service_allowlist() sender :1.1435
=================================================================
==9975==ERROR: AddressSanitizer: unknown-crash on address 0x763aef383ee4 at pc 0x648113f85064 bp 0x7fffe4db4970 sp 0x7fffe4db4960
WRITE of size 16 at 0x763aef383ee4 thread T0
    #0 0x648113f85063 in bt_uuid16_to_uuid128 lib/bluetooth/uuid.c:35
    #1 0x648113f85063 in bt_uuid_to_uuid128 lib/bluetooth/uuid.c:73
    #2 0x648113e90459 in bt_uuid_hash src/adapter.c:3891
    #3 0x763af2700a5b in g_hash_table_add (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x49a5b) (BuildId: 94bfd21331c311d3199726de93a2656d07c22b33)
    #4 0x648113fa7232 in queue_foreach src/shared/queue.c:207
    #5 0x648113eb69df in btd_adapter_set_allowed_uuids src/adapter.c:3924
    #6 0x648113cd6f11 in service_allowlist_set plugins/admin.c:165
    #7 0x648113cd8162 in set_service_allowlist plugins/admin.c:382
    #8 0x648113f97564 in process_message gdbus/object.c:293
    #9 0x763af2f6f553 in dbus_connection_dispatch (/lib/x86_64-linux-gnu/libdbus-1.so.3+0x18553) (BuildId: 47829078e4267099473c6cf5f5742f16ccb2644d)
    #10 0x648113f86d47 in message_dispatch gdbus/mainloop.c:59
    #11 0x763af271440d  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5d40d) (BuildId: 94bfd21331c311d3199726de93a2656d07c22b33)
    #12 0x763af2773766  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xbc766) (BuildId: 94bfd21331c311d3199726de93a2656d07c22b33)
    #13 0x763af2714ef6 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5def6) (BuildId: 94bfd21331c311d3199726de93a2656d07c22b33)
    #14 0x6481140bf9d8 in mainloop_run src/shared/mainloop-glib.c:65
    #15 0x6481140c0306 in mainloop_run_with_signal src/shared/mainloop-notify.c:196
    #16 0x648113c93d58 in main src/main.c:1550
    #17 0x763af1a2a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #18 0x763af1a2a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #19 0x648113c96854 in _start (/home/fdanis/src/bluez/src/bluetoothd+0x65d854) (BuildId: 4e2b98c227059c308efb311ffe5b023d60e142ac)

Address 0x763aef383ee4 is located in stack of thread T0 at offset 36 in frame
    #0 0x648113e903df in bt_uuid_hash src/adapter.c:3884

  This frame has 1 object(s):
    [32, 48) 'uuid_128' (line 3886) <== Memory access at offset 36 partially overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: unknown-crash lib/bluetooth/uuid.c:35 in bt_uuid16_to_uuid128
Shadow bytes around the buggy address:
  0x763aef383c00: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x763aef383c80: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x763aef383d00: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x763aef383d80: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x763aef383e00: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
=>0x763aef383e80: f5 f5 f5 f5 f5 f5 f5 f5 f1 f1 f1 f1[00]00 f3 f3
  0x763aef383f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x763aef383f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x763aef384000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x763aef384080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x763aef384100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
---
 src/adapter.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/adapter.c b/src/adapter.c
index a5de7cee1..b319594ae 100644
--- a/src/adapter.c
+++ b/src/adapter.c
@@ -3879,14 +3879,15 @@ static void add_uuid_to_uuid_set(void *data, void *user_data)
 static guint bt_uuid_hash(gconstpointer key)
 {
 	const bt_uuid_t *uuid = key;
-	uint64_t uuid_128[2];
+	bt_uuid_t my_uuid;
 
 	if (!uuid)
 		return 0;
 
-	bt_uuid_to_uuid128(uuid, (bt_uuid_t *)uuid_128);
+	bt_uuid_to_uuid128(uuid, &my_uuid);
 
-	return g_int64_hash(uuid_128) ^ g_int64_hash(uuid_128+1);
+	return g_int64_hash(&my_uuid.value.u128.data[0]) ^
+		g_int64_hash(&my_uuid.value.u128.data[8]);
 }
 
 static gboolean bt_uuid_equal(gconstpointer v1, gconstpointer v2)
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-01-22 16:20 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-01-20 16:36 [PATCH BlueZ] adapter: Fix bt_uuid_hash() crash Frédéric Danis
2026-01-20 17:40 ` [BlueZ] " bluez.test.bot
2026-01-22 16:20 ` [PATCH BlueZ] " patchwork-bot+bluetooth

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox