* [PATCH BlueZ 0/1] shared/shell: Fix crash on bluetoothctl command completion
From: Bastien Nocera @ 2026-03-19 13:25 UTC
To: linux-bluetooth; +Cc: Wouter

Based on report by Wouter <wouter@xesxen.nl>

Test case at:
https://github.com/hadess/bluez/blob/wip/hadess/add-meson-ell-wrap/unit/integration-test.py#L258

Bastien Nocera (1):
  shared/shell: Fix crash on bluetoothctl command completion

 src/shared/shell.c | 5 +++++
 1 file changed, 5 insertions(+)

-- 
2.53.0
* [PATCH BlueZ 1/1] shared/shell: Fix crash on bluetoothctl command completion
From: Bastien Nocera @ 2026-03-19 13:25 UTC
To: linux-bluetooth; +Cc: Wouter

Don't try to complete empty commands, leading to invalid reads and crashes.

==1430873== Invalid read of size 1
==1430873==    at 0x484BC77: strcmp (vg_replace_strmem.c:941)
==1430873==    by 0x435063: menu_completion (shell.c:1126)
==1430873==    by 0x4352F0: shell_completion (shell.c:1177)
==1430873==    by 0x4A2542B: gen_completion_matches (complete.c:1282)
==1430873==    by 0x4A2E9CD: rl_complete_internal (complete.c:2104)
==1430873==    by 0x4A257C2: _rl_dispatch_subseq (readline.c:944)
==1430873==    by 0x4A26ADF: readline_internal_char (readline.c:693)
==1430873==    by 0x4A46CE4: rl_callback_read_char (callback.c:275)
==1430873==    by 0x435E54: bt_shell_input_line (shell.c:309)
==1430873==    by 0x436A34: watch_callback (io-glib.c:173)
==1430873==    by 0x490A322: g_main_dispatch (gmain.c:3565)
==1430873==    by 0x490A322: g_main_context_dispatch_unlocked.lto_priv.0 (gmain.c:4425)
==1430873==    by 0x4913277: g_main_context_iterate_unlocked.isra.0 (gmain.c:4490)
==1430873==  Address 0x0 is not stack'd, malloc'd or (recently) free'd

==1516885==    at 0x484A126: rindex (vg_replace_strmem.c:216)
==1516885==    by 0x4353AA: submenu_completion (shell.c:1153)
==1516885==    by 0x4353AA: shell_completion (shell.c:1187)
==1516885==    by 0x4A2542B: gen_completion_matches (complete.c:1282)
==1516885==    by 0x4A2E9CD: rl_complete_internal (complete.c:2104)
==1516885==    by 0x4A257C2: _rl_dispatch_subseq (readline.c:944)
==1516885==    by 0x4A26ADF: readline_internal_char (readline.c:693)
==1516885==    by 0x4A46CE4: rl_callback_read_char (callback.c:275)
==1516885==    by 0x435E94: bt_shell_input_line (shell.c:309)
==1516885==    by 0x436A74: watch_callback (io-glib.c:173)
==1516885==    by 0x490A322: g_main_dispatch (gmain.c:3565)
==1516885==    by 0x490A322: g_main_context_dispatch_unlocked.lto_priv.0 (gmain.c:4425)
==1516885==    by 0x4913277: g_main_context_iterate_unlocked.isra.0 (gmain.c:4490)
==1516885==    by 0x491351E: g_main_loop_run
(gmain.c:4695) ==1516885== Address 0x0 is not stack'd, malloc'd or (recently) free'd Reported-by: Wouter <wouter@xesxen.nl> --- src/shared/shell.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/shared/shell.c b/src/shared/shell.c index b061f8001414..805f4b77016b 100644 --- a/src/shared/shell.c +++ b/src/shared/shell.c @@ -1122,6 +1122,9 @@ static char **menu_completion(const struct bt_shell_menu_entry *entry, { char **matches = NULL; + if (argc == 0) + return NULL; + for (; entry->cmd; entry++) { if (strcmp(entry->cmd, input_cmd)) continue; @@ -1146,6 +1149,8 @@ static char **submenu_completion(const char *text, int argc, char *input_cmd) if (data.main != data.menu) return NULL; + if (!input_cmd) + return NULL; cmd = strrchr(input_cmd, '.'); if (!cmd) -- 2.53.0 ^ permalink raw reply related [flat|nested] 4+ messages in thread
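Review bot: in the menu_completion hunk the new guard tests argc == 0, but the value the loop actually dereferences is input_cmd, in the strcmp(entry->cmd, input_cmd) at shell.c:1126 that Valgrind reports reading address 0x0. Nothing visible in the hunk establishes that argc == 0 is the only way input_cmd can be NULL, and the second hunk of the same patch guards submenu_completion on the pointer itself with if (!input_cmd). Guarding on the pointer here as well, if (!input_cmd) return NULL; (or on both conditions), would make the check self-evidently sufficient for the crash shown and consistent between the two functions.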
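Review bot: in the submenu_completion hunk the new if (!input_cmd) return NULL; is placed directly under if (data.main != data.menu) return NULL; with no separating blank line, unlike the first hunk, which is set off by blank lines; either add the blank line or fold the two early returns into one condition, if (data.main != data.menu || !input_cmd) return NULL;. The placement itself is right, since the check sits immediately before the strrchr(input_cmd, '.') that Valgrind shows faulting as rindex at shell.c:1153. The commit message would also benefit from the reproduction steps that the follow-up mail says were left out, since the changelog currently states only the symptom.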
* Re: [PATCH BlueZ 1/1] shared/shell: Fix crash on bluetoothctl command completion
From: Bastien Nocera @ 2026-03-19 13:30 UTC
To: linux-bluetooth; +Cc: Wouter

On Thu, 2026-03-19 at 14:25 +0100, Bastien Nocera wrote:
> Don't try to complete empty commands, leading to invalid reads and
> crashes.

I forgot to add Wouter's explanation on how to reproduce the bug. Let me know if I should send a v2 (probably next week).

Cheers

> 
> ==1430873== Invalid read of size 1
> ==1430873==    at 0x484BC77: strcmp (vg_replace_strmem.c:941)
> ==1430873==    by 0x435063: menu_completion (shell.c:1126)
> ==1430873==    by 0x4352F0: shell_completion (shell.c:1177)
> ==1430873==    by 0x4A2542B: gen_completion_matches (complete.c:1282)
> ==1430873==    by 0x4A2E9CD: rl_complete_internal (complete.c:2104)
> ==1430873==    by 0x4A257C2: _rl_dispatch_subseq (readline.c:944)
> ==1430873==    by 0x4A26ADF: readline_internal_char (readline.c:693)
> ==1430873==    by 0x4A46CE4: rl_callback_read_char (callback.c:275)
> ==1430873==    by 0x435E54: bt_shell_input_line (shell.c:309)
> ==1430873==    by 0x436A34: watch_callback (io-glib.c:173)
> ==1430873==    by 0x490A322: g_main_dispatch (gmain.c:3565)
> ==1430873==    by 0x490A322: g_main_context_dispatch_unlocked.lto_priv.0 (gmain.c:4425)
> ==1430873==    by 0x4913277: g_main_context_iterate_unlocked.isra.0 (gmain.c:4490)
> ==1430873==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
> 
> ==1516885==    at 0x484A126: rindex (vg_replace_strmem.c:216)
> ==1516885==    by 0x4353AA: submenu_completion (shell.c:1153)
> ==1516885==    by 0x4353AA: shell_completion (shell.c:1187)
> ==1516885==    by 0x4A2542B: gen_completion_matches (complete.c:1282)
> ==1516885==    by 0x4A2E9CD: rl_complete_internal (complete.c:2104)
> ==1516885==    by 0x4A257C2: _rl_dispatch_subseq (readline.c:944)
> ==1516885==    by 0x4A26ADF: readline_internal_char (readline.c:693)
> ==1516885==    by 0x4A46CE4: rl_callback_read_char (callback.c:275)
> ==1516885==    by 0x435E94: bt_shell_input_line (shell.c:309)
> ==1516885==    by 0x436A74: watch_callback (io-glib.c:173)
> ==1516885==    by
0x490A322: g_main_dispatch (gmain.c:3565) > ==1516885== by 0x490A322: > g_main_context_dispatch_unlocked.lto_priv.0 (gmain.c:4425) > ==1516885== by 0x4913277: g_main_context_iterate_unlocked.isra.0 > (gmain.c:4490) > ==1516885== by 0x491351E: g_main_loop_run (gmain.c:4695) > ==1516885== Address 0x0 is not stack'd, malloc'd or (recently) > free'd > > Reported-by: Wouter <wouter@xesxen.nl> > > --- > src/shared/shell.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/src/shared/shell.c b/src/shared/shell.c > index b061f8001414..805f4b77016b 100644 > --- a/src/shared/shell.c > +++ b/src/shared/shell.c > @@ -1122,6 +1122,9 @@ static char **menu_completion(const struct > bt_shell_menu_entry *entry, > { > char **matches = NULL; > > + if (argc == 0) > + return NULL; > + > for (; entry->cmd; entry++) { > if (strcmp(entry->cmd, input_cmd)) > continue; > @@ -1146,6 +1149,8 @@ static char **submenu_completion(const char > *text, int argc, char *input_cmd) > > if (data.main != data.menu) > return NULL; > + if (!input_cmd) > + return NULL; > > cmd = strrchr(input_cmd, '.'); > if (!cmd) ^ permalink raw reply [flat|nested] 4+ messages in thread
* RE: shared/shell: Fix crash on bluetoothctl command completion
From: bluez.test.bot @ 2026-03-19 15:02 UTC
To: linux-bluetooth, hadess

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1069297

---Test result---

Test Summary:
CheckPatch                    PENDING   0.41 seconds
GitLint                       PENDING   0.41 seconds
BuildEll                      PASS      21.01 seconds
BluezMake                     PASS      651.40 seconds
MakeCheck                     PASS      19.20 seconds
MakeDistcheck                 PASS      249.49 seconds
CheckValgrind                 PASS      297.12 seconds
CheckSmatch                   WARNING   359.34 seconds
bluezmakeextell               PASS      185.96 seconds
IncrementalBuild              PENDING   0.42 seconds
ScanBuild                     PASS      1010.58 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: CheckSmatch - WARNING
Desc: Run smatch tool with source
Output:
src/shared/shell.c: note: in included file (through /usr/include/readline/readline.h):
src/shared/shell.c: note: in included file (through /usr/include/readline/readline.h):
src/shared/shell.c: note: in included file (through /usr/include/readline/readline.h):

##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:
https://github.com/bluez/bluez/pull/1974/checks

---
Regards,
Linux Bluetooth