* [bluez/bluez] c84809: profiles/audio/bap.c: Fix heap-use-after-free in s...
@ 2025-12-23 13:59 Sarveshwar Bajaj
0 siblings, 0 replies; only message in thread
From: Sarveshwar Bajaj @ 2025-12-23 13:59 UTC (permalink / raw)
To: linux-bluetooth
Branch: refs/heads/1036073
Home: https://github.com/bluez/bluez
Commit: c84809f5efa39bd041680d16ee7d1134d0abd183
https://github.com/bluez/bluez/commit/c84809f5efa39bd041680d16ee7d1134d0abd183
Author: Sarveshwar Bajaj <sarveshwar.bajaj@nxp.com>
Date: 2025-12-23 (Tue, 23 Dec 2025)
Changed paths:
M profiles/audio/bap.c
Log Message:
-----------
profiles/audio/bap.c: Fix heap-use-after-free in setup_free()
Fix crash when removing or disconnecting a device with active broadcast
streams. AddressSanitizer reports a heap-use-after-free in
bt_bap_stream_get_state() called from release_stream() during
setup_free().
Detach frees BIS streams during teardown, but setup_free() still
unlocks and releases setup->stream afterwards, leaving a stale pointer
and triggering UAF. This can happen with multiple BIS streams since
each setup holds its own invalid reference.
Fix by skipping unlock/release in setup_free() and clearing
setup->stream to prevent further access.
Log:
ERROR: AddressSanitizer: heap-use-after-free on address
0x7c43a43e3458 at pc 0x572415a8603d bp 0x7ffcdef9b870 sp 0x7ffcdef9b860
READ of size 8 at 0x7c43a43e3458 thread T0
#0 0x572415a8603c in bt_bap_stream_get_state src/shared/bap.c:6386
#1 0x5724158f9d0a in release_stream profiles/audio/bap.c:951
#2 0x5724158fa10e in setup_free profiles/audio/bap.c:1121
#3 0x572415a293c1 in queue_remove_all src/shared/queue.c:341
#4 0x572415a29440 in queue_destroy src/shared/queue.c:60
#5 0x5724158f9464 in bap_data_free profiles/audio/bap.c:192
#6 0x5724158f9464 in bap_data_remove profiles/audio/bap.c:211
#7 0x5724159040e4 in bap_bcast_remove profiles/audio/bap.c:3821
#8 0x5724159a7eb9 in service_remove src/service.c:239
#9 0x5724159cfa49 in device_remove src/device.c:5489
#10 0x572415999889 in btd_adapter_remove_device src/adapter.c:1458
#11 0x5724159b99c7 in device_disappeared src/device.c:3854
#12 0x572415abcea5 in timeout_callback src/shared/timeout-glib.c:25
#13 0x7f63a58f9329 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x68329)
#14 0x7f63a58f7de1 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x66de1)
#15 0x7f63a59691f7 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xd81f7)
#16 0x7f63a58f9156 in g_main_loop_run
(/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x68156)
#17 0x572415abd18d in mainloop_run src/shared/mainloop-glib.c:65
#18 0x572415abd9c4 in mainloop_run_with_signal
src/shared/mainloop-notify.c:196
#19 0x5724159ea378 in main src/main.c:1550
#20 0x7f63a562a577 in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
#21 0x7f63a562a63a in __libc_start_main_impl ../csu/libc-start.c:360
#22 0x57241587d464 in _start
(/home/workspace/bluez/src/bluetoothd+0x106464)
0x7c43a43e3458 is located 120 bytes inside of 160-byte region
[0x7c43a43e33e0,0x7c43a43e3480)
freed by thread T0 here:
#0 0x7f63a5b212ab in free
../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:51
#1 0x572415a710f4 in bap_stream_free src/shared/bap.c:1254
#2 0x572415a710f4 in bt_bap_stream_unref src/shared/bap.c:1337
To unsubscribe from these emails, change your notification settings at https://github.com/bluez/bluez/settings/notifications
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2025-12-23 13:59 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-12-23 13:59 [bluez/bluez] c84809: profiles/audio/bap.c: Fix heap-use-after-free in s Sarveshwar Bajaj
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).