Fix SIGBUS crash when copying data (159ff1a4) · Commits · e / os / android_packages_modules_Bluetooth

system/btif/include/btif_common.h

+17 −1

Original line number	Diff line number	Diff line
		@@ -43,6 +43,22 @@
		#define BTIF_SIG_CB_BIT (0x8000)
		#define BTIF_SIG_CB_START(id) (((id) << 8) \| BTIF_SIG_CB_BIT)

		/*
		* A memcpy(3) wrapper when copying memory that might not be aligned.
		*
		* On certain architectures, if the memcpy(3) arguments appear to be
		* pointing to aligned memory (e.g., struct pointers), the compiler might
		* generate optimized memcpy(3) code. However, if the original memory was not
		* aligned (e.g., because of incorrect "char *" to struct pointer casting),
		* the result code might trigger SIGBUS crash.
		*
		* As a short-term solution, we use the help of the maybe_non_aligned_memcpy()
		* macro to identify and fix such cases. In the future, we should fix the
		* problematic "char *" to struct pointer casting, and this macro itself should
		* be removed.
		*/
		#define maybe_non_aligned_memcpy(_a, _b, _c) memcpy((void *)(_a), (_b), (_c))

		/* BTIF sub-systems */
		#define BTIF_CORE 0
		#define BTIF_DM 1
		@@ -174,7 +190,7 @@ typedef struct

		/* parameters passed to callback */
		UINT16 event; /* message event id */
		char p_param[0]; /* parameter area needs to be last */
		char __attribute__ ((aligned)) p_param[]; /* parameter area needs to be last */
		} tBTIF_CONTEXT_SWITCH_CBACK;

+1 −1

Original line number	Diff line number	Diff line
		@@ -892,7 +892,7 @@ void btif_av_event_deep_copy(UINT16 event, char p_dest, char p_src)
		tBTA_AV av_dest = (tBTA_AV )p_dest;

		// First copy the structure
		memcpy(p_dest, p_src, sizeof(tBTA_AV));
		maybe_non_aligned_memcpy(av_dest, av_src, sizeof(*av_src));

		switch (event)
		{

+3 −3

Original line number	Diff line number	Diff line
		@@ -241,7 +241,7 @@ static void btif_dm_data_copy(uint16_t event, char dst, char src)
		return;

		assert(dst_dm_sec);
		memcpy(dst_dm_sec, src_dm_sec, sizeof(tBTA_DM_SEC));
		maybe_non_aligned_memcpy(dst_dm_sec, src_dm_sec, sizeof(*src_dm_sec));

		if (event == BTA_DM_BLE_KEY_EVT)
		{
		@@ -777,7 +777,7 @@ static void search_devices_copy_cb(UINT16 event, char p_dest, char p_src)
		return;

		BTIF_TRACE_DEBUG("%s: event=%s", __FUNCTION__, dump_dm_search_event(event));
		memcpy(p_dest_data, p_src_data, sizeof(tBTA_DM_SEARCH));
		maybe_non_aligned_memcpy(p_dest_data, p_src_data, sizeof(*p_src_data));
		switch (event)
		{
		case BTA_DM_INQ_RES_EVT:
		@@ -810,7 +810,7 @@ static void search_services_copy_cb(UINT16 event, char p_dest, char p_src)

		if (!p_src)
		return;
		memcpy(p_dest_data, p_src_data, sizeof(tBTA_DM_SEARCH));
		maybe_non_aligned_memcpy(p_dest_data, p_src_data, sizeof(*p_src_data));
		switch (event)
		{
		case BTA_DM_DISC_RES_EVT:

+2 −2

Original line number	Diff line number	Diff line
		@@ -313,7 +313,7 @@ static void btapp_gattc_req_data(UINT16 event, char p_dest, char p_src)
		return;

		// Copy basic structure first
		memcpy(p_dest_data, p_src_data, sizeof(tBTA_GATTC));
		maybe_non_aligned_memcpy(p_dest_data, p_src_data, sizeof(*p_src_data));

		// Allocate buffer for request data if necessary
		switch (event)
		@@ -1831,7 +1831,7 @@ static void btif_gattc_deep_copy(UINT16 event, char p_dest, char p_src)
		{
		const btif_adv_data_t src = (btif_adv_data_t) p_src;
		btif_adv_data_t dst = (btif_adv_data_t) p_dest;
		memcpy(dst, src, sizeof(*src));
		maybe_non_aligned_memcpy(dst, src, sizeof(*src));

		if (src->p_manufacturer_data)
		{

+1 −1

Original line number	Diff line number	Diff line
		@@ -124,7 +124,7 @@ static void btapp_gatts_copy_req_data(UINT16 event, char p_dest, char p_src)
		return;

		// Copy basic structure first
		memcpy(p_dest_data, p_src_data, sizeof(tBTA_GATTS));
		maybe_non_aligned_memcpy(p_dest_data, p_src_data, sizeof(*p_src_data));

		// Allocate buffer for request data if necessary
		switch (event)