Message ID | 20241101151939.Bluez.v3.1.Ia122d85386d6c2fc69f5b3d7ea7a7169f73756e4@changeid
---|---
State | Superseded
Series | [Bluez,v3] textfile: Fix possible bad memory access in find_key
This is an automated email; please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=905285

---Test result---

Test Summary:
CheckPatch          PASS      0.38 seconds
GitLint             PASS      0.28 seconds
BuildEll            PASS      24.94 seconds
BluezMake           PASS      1647.13 seconds
MakeCheck           PASS      13.70 seconds
MakeDistcheck       PASS      180.49 seconds
CheckValgrind       PASS      255.74 seconds
CheckSmatch         PASS      359.28 seconds
bluezmakeextell     PASS      121.22 seconds
IncrementalBuild    PASS      1464.70 seconds
ScanBuild           PASS      1018.25 seconds

---

Regards,
Linux Bluetooth
Hello:

This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Fri, 1 Nov 2024 15:19:39 +0800 you wrote:
> From: Yun-Hao Chung <howardchung@google.com>
>
> If the searched key is a prefix of the first key in the textfile,
> the code will assume it's not the first line, which is wrong.
>
> The issue can be reproduced by a fuzzer. More context can be found in
> https://issues.oss-fuzz.com/issues/42515619
>
> [...]

Here is the summary with links:
  - [Bluez,v3] textfile: Fix possible bad memory access in find_key
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=5573661fc2a3

You are awesome, thank you!
diff --git a/src/textfile.c b/src/textfile.c index 313098f38..8188d2ebe 100644 --- a/src/textfile.c +++ b/src/textfile.c @@ -127,10 +127,10 @@ static inline char *find_key(char *map, size_t size, const char *key, size_t len while (ptrlen > len + 1) { int cmp = (icase) ? strncasecmp(ptr, key, len) : strncmp(ptr, key, len); if (cmp == 0) { - if (ptr == map && *(ptr + len) == ' ') - return ptr; - - if ((*(ptr - 1) == '\r' || *(ptr - 1) == '\n') && + if (ptr == map) { + if (*(ptr + len) == ' ') + return ptr; + } else if ((*(ptr - 1) == '\r' || *(ptr - 1) == '\n') && *(ptr + len) == ' ') return ptr; }
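Review bot: the patched branch evaluates `*(ptr + len) == ' '` in both arms of the new `if (ptr == map) { ... } else if (...)`; hoisting that shared test makes the intent (a match counts only when it starts the buffer or directly follows a line break, and is followed by a space) read in one line, e.g. `if (*(ptr + len) == ' ' && (ptr == map || *(ptr - 1) == '\r' || *(ptr - 1) == '\n')) return ptr;`, and a one-line comment stating that `ptr - 1` must never be dereferenced when `ptr == map` would keep a future refactor from reintroducing the original ordering. The hunk as written is correct: with the else-if, the `*(ptr - 1)` read is unreachable at the start of the map, which closes the one-byte read before the buffer that the removed lines performed whenever the key matched as a prefix of the first line's key but was not followed by a space.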
From: Yun-Hao Chung <howardchung@google.com>

If the searched key is a prefix of the first key in the textfile,
the code will assume it's not the first line, which is wrong.

The issue can be reproduced by a fuzzer. More context can be found in
https://issues.oss-fuzz.com/issues/42515619

To reproduce the issue, please kindly follow the instructions in
https://google.github.io/oss-fuzz/advanced-topics/reproducing/

Stack trace:
#0 0x55e1c450e7ce in find_key /src/bluez/src/textfile.c:133:9
#1 0x55e1c450e7ce in write_key /src/bluez/src/textfile.c:244:8
#2 0x55e1c450dc33 in LLVMFuzzerTestOneInput /src/fuzz_textfile.c:61:3
(...trace in fuzzer)
---
This is reproduced by https://issues.oss-fuzz.com/issues/42515619

Changes in v3:
- Add fuzzer url to the commit message

Changes in v2:
- Add stack trace in commit message

 src/textfile.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
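The edge case the commit message describes, as an added example that is not BlueZ's own code: find_key_model() below is a model of the search loop shown in the hunk, with the pre-patch and patched match checks selectable by a flag, and with every byte read routed through an instrumented accessor so that a read before the start of the map is recorded rather than silently performed. The map contents, the key strings, the function names (find_key_model, lookup_offset, lookup_oob, rd) and the choice to return '\n' for the out-of-range slot are assumptions made for the demonstration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Instrumented view of the mapped text: every byte read goes through rd(),
 * which records any access outside [map, map + size) instead of letting it
 * touch the neighbouring memory as the real pointer arithmetic would. */
struct map_ctx {
	const char *map;
	size_t size;
	bool oob_read;   /* set once any byte outside the map has been read */
};

static char rd(struct map_ctx *c, ptrdiff_t idx)
{
	if (idx < 0 || (size_t)idx >= c->size) {
		c->oob_read = true;
		/* Assumption for the demo: the byte before the map happens to be '\n'. */
		return '\n';
	}
	return c->map[idx];
}

/* Model of find_key(): scan for an occurrence of key that starts a line and is
 * followed by a space. fixed=false uses the pre-patch check, fixed=true the
 * patched else-if chain from the hunk. */
static const char *find_key_model(struct map_ctx *c, const char *key,
				  size_t len, int icase, bool fixed)
{
	ptrdiff_t off = 0;          /* ptr - map */
	size_t ptrlen = c->size;    /* bytes left from ptr to the end of the map */

	while (ptrlen > len + 1) {
		const char *ptr = c->map + off;
		int cmp = icase ? strncasecmp(ptr, key, len) : strncmp(ptr, key, len);

		if (cmp == 0) {
			if (fixed) {
				/* Patched logic: the first line never looks at ptr - 1. */
				if (off == 0) {
					if (rd(c, off + len) == ' ')
						return ptr;
				} else if ((rd(c, off - 1) == '\r' || rd(c, off - 1) == '\n') &&
					   rd(c, off + len) == ' ') {
					return ptr;
				}
			} else {
				/* Pre-patch logic: when the key is only a prefix of the first
				 * line's key, the first test fails and the second reads ptr - 1,
				 * i.e. the byte before the map. */
				if (off == 0 && rd(c, off + len) == ' ')
					return ptr;
				if ((rd(c, off - 1) == '\r' || rd(c, off - 1) == '\n') &&
				    rd(c, off + len) == ' ')
					return ptr;
			}
		}

		/* Advance to the next occurrence of the key's first byte. */
		{
			const char *next;
			if (icase) {
				const char *p1 = memchr(ptr + 1, tolower((unsigned char)*key), ptrlen - 1);
				const char *p2 = memchr(ptr + 1, toupper((unsigned char)*key), ptrlen - 1);
				if (!p1)
					next = p2;
				else if (!p2)
					next = p1;
				else
					next = (p1 < p2) ? p1 : p2;
			} else {
				next = memchr(ptr + 1, *key, ptrlen - 1);
			}
			if (!next)
				return NULL;
			off = next - c->map;
			ptrlen = c->size - (size_t)off;
		}
	}
	return NULL;
}

/* Offset of the match within map, or -1 when the key is absent. */
static ptrdiff_t lookup_offset(const char *map, const char *key, bool fixed)
{
	struct map_ctx c = { map, strlen(map), false };
	const char *hit = find_key_model(&c, key, strlen(key), 0, fixed);
	return hit ? hit - c.map : -1;
}

/* Whether the lookup read any byte outside the map. */
static bool lookup_oob(const char *map, const char *key, bool fixed)
{
	struct map_ctx c = { map, strlen(map), false };
	find_key_model(&c, key, strlen(key), 0, fixed);
	return c.oob_read;
}

int main(void)
{
	/* Constructed sample: the first key "abc" has the searched key "ab" as a prefix. */
	const char *map = "abc 1\nab 2\n";
	printf("pre-patch: offset %td, read before map: %s\n",
	       lookup_offset(map, "ab", false), lookup_oob(map, "ab", false) ? "yes" : "no");
	printf("patched:   offset %td, read before map: %s\n",
	       lookup_offset(map, "ab", true), lookup_oob(map, "ab", true) ? "yes" : "no");
	return 0;
}
```

Both variants return the same match (the second line, offset 6), which is why the bug is invisible to functional tests and only surfaces under a fuzzer with a sanitizer: the difference is solely that the pre-patch check touches the byte before the map when the first line's key merely starts with the searched key.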