zephyr/drivers
Sungwoo Kim 88de2711ca Bluetooth: userchan: fix buffer overflow in hci_packet_complete()
hci_packet_complete(buf, buf_size) should check whether buf_size is
enough.
For instance, hci_packet_complete can receive buf with buf_size 1,
leading to the buffer overflow in cmd->param_len, which is buf[3].
This can happen when rx_thread() receives two frames in 512 bytes
and the first frame size is 511. Then, rx_thread() will call
hci_packet_complete() with 1.

==5==ERROR: AddressSanitizer: global-buffer-overflow on address
0x000000ad81c2 at pc 0x0000005279b3 bp 0x7fffe74f5b70 sp 0x7fffe74f5b68

READ of size 2 at 0x000000ad81c2 thread T6
    #0 0x5279b2  (/root/zephyr.exe+0x5279b2)
    #1 0x4d697d  (/root/zephyr.exe+0x4d697d)
    #2 0x7ffff60e5daa  (/lib/x86_64-linux-gnu/libc.so.6+0x89daa)
(BuildId: 2e01923fea4ad9f7fa50fe24e0f3385a45a6cd1c)

0x000000ad81c2 is located 2 bytes to the right of global variable
'rx_thread.frame' defined in 'zephyr/drivers/bluetooth/hci/userchan.c'
(0xad7fc0) of size 512
SUMMARY: AddressSanitizer: global-buffer-overflow
(/root/zephyr.exe+0x5279b2)
Thread T6 created by T2 here:
    #0 0x48c17c  (/root/zephyr.exe+0x48c17c)
    #1 0x530192  (/root/zephyr.exe+0x530192)
    #2 0x4dcc22  (/root/zephyr.exe+0x4dcc22)

Thread T2 created by T1 here:
    #0 0x48c17c  (/root/zephyr.exe+0x48c17c)
    #1 0x530192  (/root/zephyr.exe+0x530192)
    #2 0x4dcc22  (/root/zephyr.exe+0x4dcc22)

Thread T1 created by T0 here:
    #0 0x48c17c  (/root/zephyr.exe+0x48c17c)
    #1 0x52f36c  (/root/zephyr.exe+0x52f36c)
    #2 0x5371dc  (/root/zephyr.exe+0x5371dc)
    #3 0x5312a6  (/root/zephyr.exe+0x5312a6)
    #4 0x52ed7b  (/root/zephyr.exe+0x52ed7b)
    #5 0x52eddd  (/root/zephyr.exe+0x52eddd)
    #6 0x7ffff6083c89  (/lib/x86_64-linux-gnu/libc.so.6+0x27c89)
(BuildId: 2e01923fea4ad9f7fa50fe24e0f3385a45a6cd1c)

==5==ABORTING

Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
2024-10-25 13:54:36 +02:00
adc drivers: adc: nrfx_saadc: Use CONFIG_NRF_PLATFORM_HALTIUM 2024-10-24 16:55:44 +01:00
audio drivers: audio: dmic: Add support for multiple nrf PDM instances 2024-10-18 08:19:01 -04:00
auxdisplay
bbram
bluetooth Bluetooth: userchan: fix buffer overflow in hci_packet_complete() 2024-10-25 13:54:36 +02:00
cache drivers: cache: Enable LINEADDR workaround on nRF54H20 EngB 2024-10-24 16:55:44 +01:00
can drivers: can: initial support for Renesas RA CANFD 2024-10-25 08:55:17 +02:00
charger
clock_control drivers: video: mipi_csi2rx: Set clocks according to pixel rate 2024-10-25 08:54:57 +02:00
comparator
console
coredump
counter drivers: counter: esp32: Clang run 2024-10-25 00:04:25 +01:00
crypto drivers: crypto: Add initial SiM3U1xx support 2024-10-24 17:52:05 +02:00
dac
dai drivers: dai: sai: support pm runtime operations 2024-10-17 10:48:38 -04:00
disk
display drivers: display: dummy: Enable config if `dummy-dc` device available 2024-10-24 14:07:11 +02:00
dma drivers: dma: si32: Prevent configuration of in-use DMA channel 2024-10-24 14:07:03 +02:00
dp dp: swdp_bitbang: fix unused variable build error 2024-10-11 17:04:38 -05:00
edac
eeprom
entropy
espi drivers: espi: npcx: support espi taf rpmc request 2024-10-17 09:44:39 +02:00
ethernet drivers: ethernet: eth_stm32_hal: Correct indentation 2024-10-24 22:04:21 +01:00
firmware boards: nxp: Removing CONFIG_PINCTRL from the boards defconfig 2024-10-15 19:09:45 -04:00
flash drivers: flash: flash_mcux_flexspi_nor: add IS25LP support 2024-10-23 09:06:19 +09:00
fpga sys: util: define bits per byte, nibble, and nibbles per byte 2024-10-15 19:05:06 +01:00
fuel_gauge
gnss
gpio drivers: i2c: add bus recovery 2024-10-22 20:40:29 +02:00
haptics
hwinfo
hwspinlock
i2c i2c: Fix default RTIO handler transactions 2024-10-22 18:29:34 -04:00
i2s drivers: i2s_mcux_sai: Clang format 2024-10-22 14:13:59 +02:00
i3c drivers: i3c: shell: fix argc count for setmrl 2024-10-21 18:52:15 -05:00
ieee802154 drivers: ieee802154_nrf5: support IEEE802154_SELECTIVE_TXCHANNEL 2024-10-22 14:04:33 +02:00
input drivers: input: gt911: always set INT pin during probe 2024-10-22 19:04:59 -04:00
interrupt_controller drivers: gicv3: add distributor safe configuration 2024-10-24 14:08:07 +02:00
ipm drivers: ipm: xlnx: fix AMD copyright 2024-10-14 13:03:48 +02:00
kscan
led
led_strip
lora drivers: lora: rylrxxx: Add stdio.h to resolve function prototypes 2024-10-15 04:09:56 -04:00
mbox drivers: mbox: rework andes mbox plic to leverage intc_plic driver 2024-10-23 16:53:13 +02:00
mdio drivers: mdio: add NXP i.MX NETC MDIO driver 2024-10-16 10:00:32 +02:00
memc drivers: memc: add memc_mcux_flexspi_aps6404l driver 2024-10-22 18:29:42 -04:00
mfd drivers: gpio: implement parallel mode in TLE9104 2024-10-17 15:38:45 -04:00
mipi_dbi boards: nxp: Removing CONFIG_PINCTRL from the boards defconfig 2024-10-15 19:09:45 -04:00
mipi_dsi drivers: dma: dma_mcux_smartdma: update interface to support custom FW 2024-10-15 04:10:50 -04:00
misc drivers: devmux: use int instead of ssize_t for select_get() 2024-10-21 18:48:18 -05:00
mm ace: mm: tlb: Check tlb translation enabled before flushing cache 2024-10-15 04:09:49 -04:00
modem modem_cellular: Add support for the Telit ME310G1 LTE modem 2024-10-17 09:46:09 +02:00
mspi drivers: mspi: fix incorrect DT macro used in controller emulator 2024-10-22 22:46:47 -04:00
net
pcie
peci ITE: it8xxx2: Remove CONFIG_PINCTRL from soc defconfig file 2024-10-15 13:52:55 +02:00
pinctrl drivers: pinctrl: mec5: Microchip MEC5 HAL based pinctrl driver 2024-10-24 14:07:31 +02:00
pm_cpu_ops
power_domain
ps2
ptp_clock boards: nxp: Removing CONFIG_PINCTRL from the boards defconfig 2024-10-15 19:09:45 -04:00
pwm drivers: pwm: nrf_sw: always default to yes 2024-10-24 03:47:23 +01:00
regulator regulator: cp9314: Drops B0 silicon support 2024-10-24 14:08:36 +02:00
reset
retained_mem drivers: retained_mem: nrf: align dependencies to nrf54h20 2024-10-18 08:17:53 -04:00
rtc
sdhc
sensor drivers: sensor: p3t1755: Driver for NXP digital temperature sensor 2024-10-25 08:53:56 +02:00
serial drivers: serial: ra_sci: add missing `break` in `callback_adapter` 2024-10-25 13:50:55 +02:00
sip_svc
smbus
spi drivers: spi: remove unused variables 2024-10-23 11:19:56 +02:00
stepper tests: drivers: stepper: stepper_api: test cb user_data 2024-10-22 22:46:26 -04:00
syscon
tee
timer drivers: timer: silabs: Add sleeptimer timer driver 2024-10-24 17:51:01 +02:00
usb drivers: usb: Use VREG only if present for NXP Kinetis usb 2024-10-25 05:11:44 +01:00
usb_c
video drivers: video: csi: Add NXP copyright 2024-10-25 08:54:57 +02:00
virtualization
w1 drivers: w1: Add MAX32xxx 1-Wire driver 2024-10-18 14:16:14 +02:00
watchdog drivers: watchdog: wdt_counter: Fix overflow warning 2024-10-24 17:51:08 +02:00
wifi modules: hostap: add 11k cmd support 2024-10-25 13:53:49 +02:00
xen
CMakeLists.txt
Kconfig