[PATCH BlueZ] transport: fix crash when freeing transport

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH BlueZ] transport: fix crash when freeing transport
@ 2024-06-17 17:11 Pauli Virtanen
  2024-06-17 19:00 ` [BlueZ] " bluez.test.bot
  2024-06-17 19:10 ` [PATCH BlueZ] " patchwork-bot+bluetooth
  0 siblings, 2 replies; 3+ messages in thread
From: Pauli Virtanen @ 2024-06-17 17:11 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: Pauli Virtanen

Fix UAF by freeing transport->remote_endpoint in media_transport_free,
which also frees the struct (not in destroy after the struct is freed).

ERROR: AddressSanitizer: heap-use-after-free
READ of size 8 at 0x508000022ab8 thread T0
    #0 0x493624 in media_transport_destroy profiles/audio/transport.c:223
...
freed by thread T0 here:
    #1 0x7fb057d10294 in g_free (/lib64/libglib-2.0.so.0+0x5d294)
    #2 0x49dd2d in media_transport_free profiles/audio/transport.c:1276
    #3 0x7e0e99 in remove_interface gdbus/object.c:682
    #4 0x7e8f40 in g_dbus_unregister_interface gdbus/object.c:1430
    #5 0x4935a2 in media_transport_destroy profiles/audio/transport.c:220
---
 profiles/audio/transport.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/profiles/audio/transport.c b/profiles/audio/transport.c
index 0ce94bae3..922911cf3 100644
--- a/profiles/audio/transport.c
+++ b/profiles/audio/transport.c
@@ -220,9 +220,6 @@ void media_transport_destroy(struct media_transport *transport)
 	g_dbus_unregister_interface(btd_get_dbus_connection(), path,
 						MEDIA_TRANSPORT_INTERFACE);
 
-	if (transport->remote_endpoint)
-		g_free(transport->remote_endpoint);
-
 	g_free(path);
 }
 
@@ -1271,6 +1268,7 @@ static void media_transport_free(void *data)
 	if (transport->ops && transport->ops->destroy)
 		transport->ops->destroy(transport->data);
 
+	g_free(transport->remote_endpoint);
 	g_free(transport->configuration);
 	g_free(transport->path);
 	g_free(transport);
-- 
2.45.2


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* RE: [BlueZ] transport: fix crash when freeing transport
  2024-06-17 17:11 [PATCH BlueZ] transport: fix crash when freeing transport Pauli Virtanen
@ 2024-06-17 19:00 ` bluez.test.bot
  2024-06-17 19:10 ` [PATCH BlueZ] " patchwork-bot+bluetooth
  1 sibling, 0 replies; 3+ messages in thread
From: bluez.test.bot @ 2024-06-17 19:00 UTC (permalink / raw)
  To: linux-bluetooth, pav

[-- Attachment #1: Type: text/plain, Size: 949 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=862692

---Test result---

Test Summary:
CheckPatch                    PASS      0.47 seconds
GitLint                       PASS      0.36 seconds
BuildEll                      PASS      24.69 seconds
BluezMake                     PASS      1674.95 seconds
MakeCheck                     PASS      13.44 seconds
MakeDistcheck                 PASS      177.77 seconds
CheckValgrind                 PASS      250.71 seconds
CheckSmatch                   PASS      353.47 seconds
bluezmakeextell               PASS      119.23 seconds
IncrementalBuild              PASS      1393.84 seconds
ScanBuild                     PASS      1013.24 seconds



---
Regards,
Linux Bluetooth


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH BlueZ] transport: fix crash when freeing transport
  2024-06-17 17:11 [PATCH BlueZ] transport: fix crash when freeing transport Pauli Virtanen
  2024-06-17 19:00 ` [BlueZ] " bluez.test.bot
@ 2024-06-17 19:10 ` patchwork-bot+bluetooth
  1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+bluetooth @ 2024-06-17 19:10 UTC (permalink / raw)
  To: Pauli Virtanen; +Cc: linux-bluetooth

Hello:

This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Mon, 17 Jun 2024 20:11:53 +0300 you wrote:
> Fix UAF by freeing transport->remote_endpoint in media_transport_free,
> which also frees the struct (not in destroy after the struct is freed).
> 
> ERROR: AddressSanitizer: heap-use-after-free
> READ of size 8 at 0x508000022ab8 thread T0
>     #0 0x493624 in media_transport_destroy profiles/audio/transport.c:223
> ...
> freed by thread T0 here:
>     #1 0x7fb057d10294 in g_free (/lib64/libglib-2.0.so.0+0x5d294)
>     #2 0x49dd2d in media_transport_free profiles/audio/transport.c:1276
>     #3 0x7e0e99 in remove_interface gdbus/object.c:682
>     #4 0x7e8f40 in g_dbus_unregister_interface gdbus/object.c:1430
>     #5 0x4935a2 in media_transport_destroy profiles/audio/transport.c:220
> 
> [...]

Here is the summary with links:
  - [BlueZ] transport: fix crash when freeing transport
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=87ad4c66b934

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2024-06-17 19:10 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-06-17 17:11 [PATCH BlueZ] transport: fix crash when freeing transport Pauli Virtanen
2024-06-17 19:00 ` [BlueZ] " bluez.test.bot
2024-06-17 19:10 ` [PATCH BlueZ] " patchwork-bot+bluetooth

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.