[PATCH BlueZ] shared/bap: fix crash when setting initial metadata of a stream

[PATCH BlueZ] shared/bap: fix crash when setting initial metadata of a stream

[Pauli Virtanen]

bt_bap_stream_metadata() when stream is IDLE causes IDLE->IDLE
transition and crashes due to UAF. This occurs if SelectProperties
provides a Metadata.

Fix by not updating state if stream is IDLE.

Log:

ERROR: AddressSanitizer: heap-use-after-free
READ of size 8 at 0x7ca9d83ec448 thread T0
    #0 0x000000927dce in bt_bap_stream_metadata src/shared/bap.c:6525
    #1 0x00000056ae75 in setup_config profiles/audio/bap.c:1790
    #2 0x00000056b865 in bap_config_setup profiles/audio/bap.c:1831
0x7ca9d83ec448 is located 8 bytes inside of 160-byte region [0x7ca9d83ec440,0x7ca9d83ec4e0)
freed by thread T0 here:
    #0 0x7fc9da2e5beb in free.part.0 (/lib64/libasan.so.8+0xe5beb)
    #1 0x0000008e3481 in bap_stream_free src/shared/bap.c:1259
    #2 0x0000008e4586 in bt_bap_stream_unref src/shared/bap.c:1342
    #3 0x0000008e4b6e in bap_ucast_detach src/shared/bap.c:1366
    #4 0x0000008e6b63 in bap_stream_state_changed src/shared/bap.c:1496
    #5 0x0000008ec17d in bap_ucast_set_state src/shared/bap.c:1857
    #6 0x0000008e75e4 in stream_set_state src/shared/bap.c:1543
    #7 0x0000008f268c in stream_metadata src/shared/bap.c:2250
    #8 0x0000008f2801 in bap_ucast_metadata src/shared/bap.c:2274
    #9 0x000000927d3f in bt_bap_stream_metadata src/shared/bap.c:6523
---
 src/shared/bap.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/shared/bap.c b/src/shared/bap.c
index 9b7395223..5a7d0af00 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -2246,8 +2246,14 @@ static uint8_t stream_metadata(struct bt_bap_stream *stream, struct iovec *meta,
 	util_iov_free(stream->meta, 1);
 	stream->meta = util_iov_dup(meta, 1);
 
-	/* Force state change to the same state to update the metadata */
-	stream_set_state(stream, bt_bap_stream_get_state(stream));
+	switch (bt_bap_stream_get_state(stream)) {
+	case BT_BAP_STREAM_STATE_IDLE:
+		/* Initial metadata */
+		break;
+	default:
+		/* Force state change to the same state to update metadata */
+		stream_set_state(stream, bt_bap_stream_get_state(stream));
+	}
 
 	return 0;
 }
-- 
2.51.0

RE: [BlueZ] shared/bap: fix crash when setting initial metadata of a stream

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 1865 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1010398

---Test result---

Test Summary:
CheckPatch                    PENDING   0.22 seconds
GitLint                       PENDING   0.26 seconds
BuildEll                      PASS      20.06 seconds
BluezMake                     PASS      2759.64 seconds
MakeCheck                     PASS      20.63 seconds
MakeDistcheck                 PASS      185.84 seconds
CheckValgrind                 PASS      235.65 seconds
CheckSmatch                   WARNING   306.49 seconds
bluezmakeextell               PASS      127.99 seconds
IncrementalBuild              PENDING   0.34 seconds
ScanBuild                     PASS      910.83 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: CheckSmatch - WARNING
Desc: Run smatch tool with source
Output:
src/shared/bap.c:317:25: warning: array of flexible structuressrc/shared/bap.c: note: in included file:./src/shared/ascs.h:88:25: warning: array of flexible structuressrc/shared/bap.c:317:25: warning: array of flexible structuressrc/shared/bap.c: note: in included file:./src/shared/ascs.h:88:25: warning: array of flexible structuressrc/shared/bap.c:317:25: warning: array of flexible structuressrc/shared/bap.c: note: in included file:./src/shared/ascs.h:88:25: warning: array of flexible structures
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:



---
Regards,
Linux Bluetooth

Re: [PATCH BlueZ] shared/bap: fix crash when setting initial metadata of a stream

[patchwork-bot+bluetooth]

Hello:

This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Sun, 12 Oct 2025 02:29:39 +0300 you wrote:
> bt_bap_stream_metadata() when stream is IDLE causes IDLE->IDLE
> transition and crashes due to UAF. This occurs if SelectProperties
> provides a Metadata.
> 
> Fix by not updating state if stream is IDLE.
> 
> Log:
> 
> [...]

Here is the summary with links:
  - [BlueZ] shared/bap: fix crash when setting initial metadata of a stream
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=b3dd59987455

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html