[Bug 208409] New: segfault in bluetoothd on mouse pairing

[bugzilla-daemon@bugzilla.kernel.org]

https://bugzilla.kernel.org/show_bug.cgi?id=208409

            Bug ID: 208409
           Summary: segfault in bluetoothd on mouse pairing
           Product: Drivers
           Version: 2.5
    Kernel Version: 5.4.49
          Hardware: Intel
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: Bluetooth
          Assignee: linux-bluetooth@vger.kernel.org
          Reporter: david@aqwari.net
        Regression: No

Created attachment 290051
  --> https://bugzilla.kernel.org/attachment.cgi?id=290051&action=edit
output of bluetoothd -n -d

I have a "3D connexion cadmouse pro wireless" that reliably causes bluetoothd
to segfault whenever I try to pair it with my Dell XPS 13 (9350). Here is the
stack trace:

        #0  g_io_channel_unix_get_fd (channel=0x0) at ../glib/giounix.c:656
        #1  0x00005555555b68a3 in bt_io_get_type (io=<optimized out>,
gerr=0x7fffffffc2a0) at btio/btio.c:105
        #2  0x00005555555b88dc in bt_io_get (io=0x0, err=0x7fffffffc2a0,
opt1=BT_IO_OPT_SOURCE) at btio/btio.c:1513
        #3  0x00005555555a1e82 in report_map_read_cb (status=<optimized out>,
pdu=<optimized out>, plen=<optimized out>,
            user_data=<optimized out>) at profiles/input/hog-lib.c:992
        #4  0x00005555555b335c in read_blob_helper (status=0 '\000',
rpdu=<optimized out>, rlen=13,
            user_data=0x5555556d3eb0) at attrib/gatt.c:804
        #5  0x00005555555b44c6 in attrib_callback_result (opcode=<optimized
out>, pdu=0x5555556d5c01,
            length=<optimized out>, user_data=0x5555556c6880) at
attrib/gattrib.c:273
        #6  0x000055555560b950 in handle_rsp (att=0x5555556c4200,
opcode=<optimized out>, pdu=<optimized out>,
            pdu_len=<optimized out>) at src/shared/att.c:715
        #7  0x000055555560baed in can_read_data (io=<optimized out>,
user_data=0x5555556c4200) at src/shared/att.c:904
        #8  0x0000555555615429 in watch_callback (channel=<optimized out>,
cond=<optimized out>, user_data=<optimized out>)
            at src/shared/io-glib.c:170
        #9  0x00007ffff7ef9c1e in g_main_dispatch (context=0x555555689d30) at
../glib/gmain.c:3179
        #10 g_main_context_dispatch (context=context@entry=0x555555689d30) at
../glib/gmain.c:3844
        #11 0x00007ffff7ef9fd0 in g_main_context_iterate
(context=0x555555689d30, block=block@entry=1,
            dispatch=dispatch@entry=1, self=<optimized out>) at
../glib/gmain.c:3917
        #12 0x00007ffff7efa2a3 in g_main_loop_run (loop=0x55555568aee0) at
../glib/gmain.c:4111
        #13 0x00005555556159b1 in mainloop_run () at
src/shared/mainloop-glib.c:79
        #14 0x0000555555615db8 in mainloop_run_with_signal (func=<optimized
out>, user_data=0x0)
            at src/shared/mainloop-notify.c:201
        #15 0x00005555555ba6b5 in main (argc=<optimized out>, argv=<optimized
out>) at src/main.c:729

I stepped through a core dump with gdb. The mouse is sending a
BT_ATT_OP_READ_BLOB_RSP command. report_map_read_cb passes a NULL pointer to
g_attrib_get_channel here:
https://git.kernel.org/pub/scm/bluetooth/bluez.git/tree/profiles/input/hog-lib.c?h=5.53&id=1524499483a3678951c0e3059b158836398c4e9b#n992
which is not checked before being dereferenced.

btmon trace to follow...

-- 
You are receiving this mail because:
You are the assignee for the bug.