From: Bastien Nocera <hadess@hadess.net>
To: Oliver Chang <ochang@google.com>
Cc: linux-bluetooth@vger.kernel.org, oss-fuzz-bugs@google.com
Subject: Re: [PATCH BlueZ 1/1] Fixed heap-buffer-overflow in `compute_seq_size`.
Date: Fri, 08 Aug 2025 16:08:40 +0200 [thread overview]
Message-ID: <af1e61baadba6d6d526f7b7310658342ad622012.camel@hadess.net> (raw)
In-Reply-To: <CAFqAZOJzuHn=hUO+xyZwQBh8u0mzABkDf3==imzxkQmj0czGhA@mail.gmail.com>
On Fri, 2025-08-08 at 21:45 +1000, Oliver Chang wrote:
> (Apologies for the noise, I'm new to this. One more attempt to resend
> this as text-only for those who have seen this email multiple times).
>
> Thank you for the feedback. The problem here is that there is a heap
> buffer overflow found by fuzzing with the following testcase:
>
> `<sequence><foo/><text/></sequence>`
>
> This causes the `compute_seq_size(ctx_data->stack_head->data);` to be
> called on `ctx_data->stack_head->data` that isn't a sequence type.
> This patch adds some type checks to guard against that.
>
> I don't believe a regression test using valgrind would catch this --
> we used AddressSanitizer to detect this.
I meant that there should be:
- a test for SDP XML
- valgrind run of that shows this specific memory being leaked (don't
need ASAN for that...)
- patch that fixes the leak with the section of the valgrind log
We don't need the memory leak itself to be regression tested, don't
think it's something that's easy to put in place right now.
> While fixing this, we also discovered a memory leak in the error
> handling path touched by the patch (` if
> (g_markup_parse_context_parse(ctx, data, size, NULL) == FALSE) `),
> which we included a fix for.
> Would it be better if we separated out the heap buffer overflow fix
> and the memory leak fix into 2 separate commits?
Separate commits would be useful.
next prev parent reply other threads:[~2025-08-08 14:08 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-08 1:34 [PATCH BlueZ 0/1] Fixed a buffer overflow found by OSS-Fuzz Oliver Chang
2025-08-08 1:34 ` [PATCH BlueZ 1/1] Fixed heap-buffer-overflow in `compute_seq_size` Oliver Chang
2025-08-08 4:30 ` Fixed a buffer overflow found by OSS-Fuzz bluez.test.bot
2025-08-08 9:34 ` [PATCH BlueZ 1/1] Fixed heap-buffer-overflow in `compute_seq_size` Bastien Nocera
[not found] ` <CAFqAZOL4iKjuxa=ubwFCGHyfgtuGBCW7F1US=1sYSoeWiMZpTg@mail.gmail.com>
2025-08-08 11:45 ` Oliver Chang
2025-08-08 14:08 ` Bastien Nocera [this message]
-- strict thread matches above, loose matches on Subject: below --
2025-08-10 6:46 [PATCH BlueZ 0/1] *** Fixed heap-buffer-overflow in `compute_seq_size` *** Oliver Chang
2025-08-10 6:46 ` [PATCH BlueZ 1/1] Fixed heap-buffer-overflow in `compute_seq_size` Oliver Chang
2025-08-10 7:22 ` Paul Menzel
2025-08-10 8:20 ` Oliver Chang
2025-08-10 20:20 ` Paul Menzel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=af1e61baadba6d6d526f7b7310658342ad622012.camel@hadess.net \
--to=hadess@hadess.net \
--cc=linux-bluetooth@vger.kernel.org \
--cc=ochang@google.com \
--cc=oss-fuzz-bugs@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox