
git tags #1

Closed
dlech opened this issue Dec 27, 2019 · 1 comment

Comments


dlech commented Dec 27, 2019

Thank you whoever is maintaining this. 😄 Could you also push git tags to GitHub? It is useful to see which releases commits are included in.


Vudentz commented Jan 29, 2020

Done.

Vudentz closed this as completed Jan 29, 2020
BluezTestBot pushed a commit that referenced this issue Mar 31, 2020
bluetoothd[363094]: src/device.c:device_connect_le() Connection attempt to: 00:AA:01:00:00:23

Program received signal SIGSEGV, Segmentation fault.
write_complete_cb (attr=0x55555580aa30, err=-110, user_data=0x55555585f7c0) at src/shared/gatt-server.c:793
793             util_debug(server->debug_callback, server->debug_data,
(gdb) bt
 #0  write_complete_cb (attr=0x55555580aa30, err=-110, user_data=0x55555585f7c0) at src/shared/gatt-server.c:793
 #1  0x00005555556a5852 in pending_write_result (p=0x555555866030, err=<optimized out>) at src/shared/gatt-db.c:162
 #2  0x00005555556a5ac7 in write_timeout (user_data=0x555555866030) at src/shared/gatt-db.c:1879
 #3  0x00005555556a9b15 in timeout_callback (user_data=user_data@entry=0x555555864b20) at src/shared/timeout-glib.c:34
 #4  0x00007ffff7e1f081 in g_timeout_dispatch (source=source@entry=0x555555864f00, callback=0x5555556a9b00 <timeout_callback>, user_data=0x555555864b20) at ../glib/gmain.c:4705
 #5  0x00007ffff7e1e570 in g_main_dispatch (context=0x5555557d9630) at ../glib/gmain.c:3216
 #6  g_main_context_dispatch (context=context@entry=0x5555557d9630) at ../glib/gmain.c:3881
 #7  0x00007ffff7e1e900 in g_main_context_iterate (context=0x5555557d9630, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:3954
 #8  0x00007ffff7e1ebf3 in g_main_loop_run (loop=0x5555557d75d0) at ../glib/gmain.c:4148
 #9  0x00005555556a9dbd in mainloop_run () at src/shared/mainloop-glib.c:79
 #10 0x00005555556aa36a in mainloop_run_with_signal (func=<optimized out>, user_data=0x0) at src/shared/mainloop-notify.c:201
 #11 0x00005555555bb9e3 in main (argc=<optimized out>, argv=<optimized out>) at src/main.c:770
BluezTestBot pushed a commit that referenced this issue Mar 15, 2021
Codec capabilities weren't properly decoded due to wrong offset

< HCI Command: Read Local Supported Codec Capabilities (0x04|0x000e) plen 7
        Codec: A-law log (0x01)
        Logical Transport Type: 0x01
          Codec supported over BR/EDR ACL
        Direction: Input (Host to Controller) (0x00)
> HCI Event: Command Complete (0x0e) plen 18
      Read Local Supported Codec Capabilities (0x04|0x000e) ncmd 1
        Status: Success (0x00)
        Number of codec capabilities: 3
         Capabilities #0:
        aa bb cc dd                                      ....
         Capabilities #1:
        11 22 33 44 55                                   ."3DU
         Capabilities #2:
        ff                                               .
ghost mentioned this issue Jul 2, 2021
BluezTestBot pushed a commit that referenced this issue Feb 10, 2022
The following trace can be observed sometimes when pairing 2 emulator
instances:

 src/adapter.c:store_link_key() Unable to load key file from
 /var/lib/bluetooth/9C:DA:3E:F2:8E:46/9C:B6:D0:8A:A0:0C/info: (No
such file or directory)
 GLib: g_file_set_contents: assertion 'error == NULL ||
*error == NULL' failed
 ++++++++ backtrace ++++++++
 #1  btd_backtrace+0x28a (src/backtrace.c:59) [0x7f65bb5ab53a]
 #2  g_logv+0x21c (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6)
 [0x7f65ba3f955c]
 #3  g_log+0x93 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6)
 [0x7f65ba3f9743]
 #4  g_file_set_contents+0x68
(/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3dca68]
 #5  store_link_key+0x30a (src/adapter.c:8235) [0x7f65bb61839a]
 #6  new_link_key_callback+0x474 (src/adapter.c:8285) [0x7f65bb62c904]
 #7  queue_foreach+0x164 (src/shared/queue.c:203) [0x7f65bb722e34]
 #8  can_read_data+0x59f (src/shared/mgmt.c:343) [0x7f65bb72e09f]
 #9  watch_callback+0x112 (src/shared/io-glib.c:162) [0x7f65bb78acb2]
 #10 g_main_context_dispatch+0x14e
(/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3f204e]
BluezTestBot pushed a commit that referenced this issue Feb 10, 2022
This patch fixes the out-of-bounds array access caught by ASAN.

monitor/sdp.c:497:19: runtime error: index 8 out of bounds for type
'cont_data [8]'
=================================================================
==4180==ERROR: AddressSanitizer: global-buffer-overflow on address
0x7fe2d271a542 at pc 0x7fe2d174a57d bp 0x7ffc6dcac1d0 sp 0x7ffc6dcab978
WRITE of size 9 at 0x7fe2d271a542 thread T0
    #0 0x7fe2d174a57c  (/lib/x86_64-linux-gnu/libasan.so.5+0x9b57c)
    #1 0x7fe2d23bae85 in search_attr_rsp monitor/sdp.c:692
    #2 0x7fe2d23be3f1 in sdp_packet monitor/sdp.c:771
    #3 0x7fe2d23b004c in l2cap_frame monitor/l2cap.c:3247
    #4 0x7fe2d23b3d9c in l2cap_packet monitor/l2cap.c:3312
    #5 0x7fe2d237d5c3 in packet_hci_acldata monitor/packet.c:11638
    #6 0x7fe2d2381876 in packet_monitor monitor/packet.c:3967
    #7 0x7fe2d230b285 in data_callback monitor/control.c:973
    #8 0x7fe2d2447029 in mainloop_run src/shared/mainloop.c:106
    #9 0x7fe2d2449306 in mainloop_run_with_signal src/shared/mainloop-notify.c:188
    #10 0x7fe2d230324a in main monitor/main.c:290
    #11 0x7fe2d0b440b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #12 0x7fe2d2303b7d in _start (/home/han1/work/dev/bluez/monitor/btmon+0x1dbb7d)

0x7fe2d271a542 is located 30 bytes to the left of global variable 'tid_list'
defined in 'monitor/sdp.c:43:24' (0x7fe2d271a560) of size 384
0x7fe2d271a542 is located 2 bytes to the right of global variable 'cont_list'
defined in 'monitor/sdp.c:424:25' (0x7fe2d271a400) of size 320
SUMMARY: AddressSanitizer: global-buffer-overflow
(/lib/x86_64-linux-gnu/libasan.so.5+0x9b57c)
...
==4180==ABORTING
BluezTestBot pushed a commit that referenced this issue Mar 29, 2022
This fixes the following error for invalid read access when registering
filter for incoming messages:

140632==ERROR: AddressSanitizer: stack-buffer-overflow on address...
 #0 0x7f60c185741d in MemcmpInterceptorCommon(...
    #1 0x7f60c1857af8 in __interceptor_memcmp (/lib64/libasan.so...
    #2 0x55a10101536e in find_by_filter mesh/mesh-io-unit.c:494
    #3 0x55a1010d8c46 in l_queue_remove_if ell/queue.c:517
    #4 0x55a101014ebd in recv_register mesh/mesh-io-unit.c:506
    #5 0x55a10102946f in mesh_net_attach mesh/net.c:2885
    #6 0x55a101086f64 in send_reply mesh/dbus.c:153
    #7 0x55a101124c3d in handle_method_return ell/dbus.c:216
    #8 0x55a10112c8ef in message_read_handler ell/dbus.c:276
    #9 0x55a1010dae20 in io_callback ell/io.c:120
    #10 0x55a1010dff7e in l_main_iterate ell/main.c:478
    #11 0x55a1010e06e3 in l_main_run ell/main.c:525
    #12 0x55a1010e06e3 in l_main_run ell/main.c:507
    #13 0x55a1010e0bfc in l_main_run_with_signal ell/main.c:647
    #14 0x55a10100316e in main mesh/main.c:292
    #15 0x7f60c0c6855f in __libc_start_call_main (/lib64/libc.so.6+...
    #16 0x7f60c0c6860b in __libc_start_main_alias_1 (/lib64/libc.so.6+...
    #17 0x55a101003ce4 in _start (/home/istotlan/bluez/mesh/bluetooth-m...
BluezTestBot pushed a commit that referenced this issue May 3, 2022
This decodes the LTV fields of Basic Audio Announcements:

< HCI Command: LE Set Periodic Advertising Data (0x08|0x003f) plen 41
        Handle: 0
        Operation: Complete ext advertising data (0x03)
        Data length: 0x26
        Service Data: Basic Audio Announcement (0x1851)
          Presetation Delay: 40000
          Number of Subgroups: 1
            Subgroup #0:
            Number of BIS(s): 1
            Codec: LC3 (0x06)
            Codec Specific Configuration #0: len 0x02 type 0x01
            Codec Specific Configuration: 03
            Codec Specific Configuration #1: len 0x02 type 0x02
            Codec Specific Configuration: 01
            Codec Specific Configuration #2: len 0x05 type 0x03
            Codec Specific Configuration: 01000000
            Codec Specific Configuration #3: len 0x03 type 0x04
            Codec Specific Configuration: 2800
            Metadata #0: len 0x03 type 0x02
            Metadata: 0200
              BIS #0:
              Index: 1
              Codec Specific Configuration:
MarijnS95 pushed a commit to MarijnS95/bluez that referenced this issue Jun 4, 2022
This adds decoding support for PAC Sink/Source attributes:

 < ACL Data TX: Handle 42 flags 0x00 dlen 9
      Channel: 64 len 5 sdu 3 [PSM 39 mode Enhanced Credit (0x81)]
      {chan 0}
      ATT: Read Request (0x0a) len 2
        Handle: 0x0017 Type: Sink PAC (0x2bc9)
> ACL Data RX: Handle 42 flags 0x02 dlen 31
      Channel: 65 len 27 sdu 25 [PSM 39 mode Enhanced Credit (0x81)]
      {chan 0}
        Value: 010600000000100301ff0002020302030305041e00f00000
          Number of PAC(s): 1
          PAC #0:
            Codec: LC3 (0x06)
            Codec Specific Configuration #0: len 0x03 type 0x01
            Codec Specific Configuration: ff00
            Codec Specific Configuration bluez#1: len 0x02 type 0x02
            Codec Specific Configuration: 03
            Codec Specific Configuration bluez#2: len 0x02 type 0x03
            Codec Specific Configuration: 03
            Codec Specific Configuration bluez#3: len 0x05 type 0x04
            Codec Specific Configuration: 1e00f000
MarijnS95 pushed a commit to MarijnS95/bluez that referenced this issue Jun 4, 2022
This adds decoding support for ASE Sink/Source attributes:

> ACL Data RX: Handle 42 flags 0x02 dlen 9
      Channel: 65 len 5 sdu 3 [PSM 39 mode Enhanced Credit (0x81)] {chan 0}
      ATT: Read Request (0x0a) len 2
        Handle: 0x002a Type: Sink ASE (0x2bc4)
< ACL Data TX: Handle 42 flags 0x00 dlen 9
      Channel: 64 len 5 sdu 3 [PSM 39 mode Enhanced Credit (0x81)] {chan 0}
      ATT: Read Response (0x0b) len 2
        Value: 0300
            ASE ID: 1
            State: Idle (0x00)
< ACL Data TX: Handle 42 flags 0x00 dlen 55
      Channel: 64 len 51 sdu 49 [PSM 39 mode Enhanced Credit (0x81)] {chan 0}
      ATT: Handle Multiple Value Notification (0x23) len 48
        Length: 0x0023
        Handle: 0x0024 Type: Sink ASE (0x2bc4)
          Data: 01010000000a00204e00409c00204e00409c0006000000000a02010302020103042800
            ASE ID: 1
            State: Codec Configured (0x01)
            Framing: Unframed PDUs supported (0x00)
            PHY: 0x00
            RTN: 0
            Max Transport Latency: 10
            Presentation Delay Min: 20000 us
            Presentation Delay Max: 40000 us
            Preferred Presentation Delay Min: 20000 us
            Preferred Presentation Delay Max: 40000 us
            Codec: LC3 (0x06)
            Codec Specific Configuration #0: len 0x02 type 0x01
            Codec Specific Configuration: 03
            Codec Specific Configuration bluez#1: len 0x02 type 0x02
            Codec Specific Configuration: 01
            Codec Specific Configuration bluez#2: len 0x03 type 0x04
            Codec Specific Configuration: 2800
< ACL Data TX: Handle 42 flags 0x00 dlen 37
      Channel: 64 len 33 sdu 31 [PSM 39 mode Enhanced Credit (0x81)] {chan 0}
      ATT: Handle Multiple Value Notification (0x23) len 30
        Length: 0x0011
        Handle: 0x0024 Type: Sink ASE (0x2bc4)
          Data: 0102000010270000022800020a00409c00
            ASE ID: 1
            State: QoS Configured (0x02)
            CIG ID: 0x00
            CIS ID: 0x00
            SDU Interval: 10000 usec
            Framing: Unframed (0x00)
            PHY: 0x02
            LE 2M PHY (0x02)
            Max SDU: 40
            RTN: 2
            Max Transport Latency: 10
            Presentation Delay: 40000 us
< ACL Data TX: Handle 42 flags 0x00 dlen 33
      Channel: 64 len 29 sdu 27 [PSM 39 mode Enhanced Credit (0x81)] {chan 0}
      ATT: Handle Multiple Value Notification (0x23) len 26
        Length: 0x000d
        Handle: 0x002a Type: Source ASE (0x2bc5)
          Data: 03030000060304030202000000
            ASE ID: 3
            State: Enabling (0x03)
            CIG ID: 0x00
            CIS ID: 0x00
            Metadata #0: len 0x03 type 0x04
            Metadata: 0302
            Metadata bluez#1: len 0x02 type 0x00
< ACL Data TX: Handle 42 flags 0x00 dlen 39
      Channel: 64 len 35 sdu 33 [PSM 39 mode Enhanced Credit (0x81)] {chan 0}
      ATT: Handle Multiple Value Notification (0x23) len 32
        Length: 0x000d
        Handle: 0x002a Type: Source ASE (0x2bc5)
          Data: 03040000060304030202000000
            ASE ID: 3
            State: Streaming (0x04)
            CIG ID: 0x00
            CIS ID: 0x00
            Metadata #0: len 0x03 type 0x04
            Metadata: 0302
            Metadata bluez#1: len 0x02 type 0x00
< ACL Data TX: Handle 42 flags 0x00 dlen 33
      Channel: 64 len 29 sdu 27 [PSM 39 mode Enhanced Credit (0x81)] {chan 0}
      ATT: Handle Multiple Value Notification (0x23) len 26
        Length: 0x000d
        Handle: 0x002a Type: Source ASE (0x2bc5)
          Data: 03050000060304030202000000
            ASE ID: 3
            State: Disabling (0x05)
            CIG ID: 0x00
            CIS ID: 0x00
            Metadata #0: len 0x03 type 0x04
            Metadata: 0302
            Metadata bluez#1: len 0x02 type 0x00
MarijnS95 pushed a commit to MarijnS95/bluez that referenced this issue Jun 4, 2022
This adds decoding support for ASE Control Point attribute:

> ACL Data RX: Handle 42 flags 0x02 dlen 30
      Channel: 64 len 26 sdu 24 [PSM 39 mode Enhanced Credit (0x81)] {chan 1}
      ATT: Write Command (0x52) len 23
        Handle: 0x0030 Type: ASE Control Point (0x2bc6)
          Data: 010103020206000000000a02010302020103042800
            Opcode: Codec Configuration (0x01)
            Number of ASE(s): 1
            ASE: #0
            ASE ID: 0x03
            Target Latency: Balance Latency/Reliability (0x02)
            PHY: 0x02
            LE 2M PHY (0x02)
            Codec: LC3 (0x06)
            Codec Specific Configuration #0: len 0x02 type 0x01
            Codec Specific Configuration: 03
            Codec Specific Configuration bluez#1: len 0x02 type 0x02
            Codec Specific Configuration: 01
            Codec Specific Configuration bluez#2: len 0x03 type 0x04
            Codec Specific Configuration: 2800
< ACL Data TX: Handle 42 flags 0x00 dlen 55
      Channel: 64 len 51 sdu 49 [PSM 39 mode Enhanced Credit (0x81)] {chan 0}
      ATT: Handle Multiple Value Notification (0x23) len 48
        Length: 0x0005
        Handle: 0x0030 Type: ASE Control Point (0x2bc6)
          Data: 0101030000
            Opcode: Codec Configuration (0x01)
            Number of ASE(s): 1
            ASE: #0
            ASE ID: 0x03
            ASE Response Code: Success (0x00)
            ASE Response Reason: None (0x00)
> ACL Data RX: Handle 42 flags 0x02 dlen 27
      Channel: 64 len 23 sdu 21 [PSM 39 mode Enhanced Credit (0x81)] {chan 1}
      ATT: Write Command (0x52) len 20
        Handle: 0x0030 Type: ASE Control Point (0x2bc6)
          Data: 020103000010270000022800020a00409c00
            Opcode: QoS Configuration (0x02)
            Number of ASE(s): 1
            ASE: #0
            ASE ID: 0x03
            CIG ID: 0x00
            CIS ID: 0x00
            SDU Interval: 10000 usec
            Framing: Unframed (0x00)
            PHY: 0x02
            LE 2M PHY (0x02)
            Max SDU: 40
            RTN: 2
            Max Transport Latency: 10
            Presentation Delay: 40000 us
< ACL Data TX: Handle 42 flags 0x00 dlen 37
      Channel: 64 len 33 sdu 31 [PSM 39 mode Enhanced Credit (0x81)] {chan 0}
      ATT: Handle Multiple Value Notification (0x23) len 30
        Length: 0x0005
        Handle: 0x0030 Type: ASE Control Point (0x2bc6)
          Data: 0201030000
            Opcode: QoS Configuration (0x02)
            Number of ASE(s): 1
            ASE: #0
            ASE ID: 0x03
            ASE Response Code: Success (0x00)
            ASE Response Reason: None (0x00)
> ACL Data RX: Handle 42 flags 0x02 dlen 17
      Channel: 64 len 13 sdu 11 [PSM 39 mode Enhanced Credit (0x81)] {chan 1}
      ATT: Write Command (0x52) len 10
        Handle: 0x0030 Type: ASE Control Point (0x2bc6)
          Data: 0301030403020200
            Opcode: Enable (0x03)
            Number of ASE(s): 1
            ASE: #0
            ASE ID: 0x03
            Metadata #0: len 0x03 type 0x02
            Metadata: 0200
< ACL Data TX: Handle 42 flags 0x00 dlen 33
      Channel: 64 len 29 sdu 27 [PSM 39 mode Enhanced Credit (0x81)] {chan 0}
      ATT: Handle Multiple Value Notification (0x23) len 26
        Length: 0x0005
        Handle: 0x0030 Type: ASE Control Point (0x2bc6)
          Data: 0301030000
            Opcode: Enable (0x03)
            Number of ASE(s): 1
            ASE: #0
            ASE ID: 0x03
            ASE Response Code: Success (0x00)
            ASE Response Reason: None (0x00)
> ACL Data RX: Handle 42 flags 0x02 dlen 12
      Channel: 64 len 8 sdu 6 [PSM 39 mode Enhanced Credit (0x81)] {chan 0}
      ATT: Write Command (0x52) len 5
        Handle: 0x0030 Type: ASE Control Point (0x2bc6)
          Data: 050101
            Opcode: Disable (0x05)
            Number of ASE(s): 1
BluezTestBot pushed a commit that referenced this issue Jun 17, 2022
This adds decoding support for PAC/ASE attributes:

> ACL Data RX: Handle 42 flags 0x02 dlen 31
      Channel: 65 len 27 sdu 25 [PSM 39 mode Enhanced Credit (0x81)] {chan 1}
      ATT: Read Response (0x0b) len 24
        Value: 010600000000100301ff0002020302030305041e00f00000
          Number of PAC(s): 1
          PAC #0:
            Codec: LC3 (0x06)
            Codec Specific Capabilities #0: len 0x03 type 0x01
              Sampling Frequencies: 0x00ff
                8 Khz (0x0001)
                11.25 Khz (0x0002)
                16 Khz (0x0004)
                22.05 Khz (0x0008)
                24 Khz (0x0010)
                32 Khz (0x0020)
                44.1 Khz (0x0040)
                48 Khz (0x0080)
            Codec Specific Capabilities #1: len 0x02 type 0x02
              Frame Duration: 0x0003
                7.5 ms (0x01)
                10 ms (0x02)
            Codec Specific Capabilities #2: len 0x02 type 0x03
              Audio Channel Count: 0x03
                1 channel (0x01)
                2 channels (0x02)
            Codec Specific Capabilities #3: len 0x05 type 0x04
              Frame Length: 30 (0x001e) - 240 (0x00f0)
> ACL Data RX: Handle 42 flags 0x02 dlen 30
      Channel: 64 len 26 sdu 24 [PSM 39 mode Enhanced Credit (0x81)] {chan 0}
      ATT: Write Command (0x52) len 23
        Handle: 0x0036 Type: ASE Control Point (0x2bc6)
          Data: 010101020206000000000a02010302020103042800
            Opcode: Codec Configuration (0x01)
            Number of ASE(s): 1
            ASE: #0
            ASE ID: 0x01
            Target Latency: Balance Latency/Reliability (0x02)
            PHY: 0x02
            LE 2M PHY (0x02)
            Codec: LC3 (0x06)
            Codec Specific Configuration #0: len 0x02 type 0x01
            Sampling Frequency: 16 Khz (0x03)
            Codec Specific Configuration #1: len 0x02 type 0x02
            Frame Duration: 10 ms (0x01)
            Codec Specific Configuration #2: len 0x03 type 0x04
            Frame Length: 40 (0x0028)
pv pushed a commit to pv/bluez that referenced this issue Jan 28, 2023
If the stream state is idle, ep->stream shall be set to NULL;
otherwise it may be reused, causing the following trace:

==32623==ERROR: AddressSanitizer: heap-use-after-free on address ...
 READ of size 8 at 0x60b000103550 thread T0
    #0 0x7bf7b7 in bap_stream_valid src/shared/bap.c:4065
    bluez#1 0x7bf981 in bt_bap_stream_config src/shared/bap.c:4082
    bluez#2 0x51a7c8 in bap_config profiles/audio/bap.c:584
    bluez#3 0x71b907 in queue_foreach src/shared/queue.c:207
    bluez#4 0x51b61f in select_cb profiles/audio/bap.c:626
    bluez#5 0x4691ed in pac_select_cb profiles/audio/media.c:884
    bluez#6 0x4657ea in endpoint_reply profiles/audio/media.c:369

Fixes: bluez#457 (comment)
pv pushed a commit to pv/bluez that referenced this issue Jan 28, 2023
When grouping requests with the same opcode the code was queueing them
without attempting to check that they would fit in the ATT MTU, causing the
following trace:

stack-buffer-overflow on address 0x7fffdba951f0 at pc 0x7fc15fc49d21 bp
0x7fffdba95020 sp 0x7fffdba947d0
WRITE of size 9 at 0x7fffdba951f0 thread T0
   #0 0x7fc15fc49d20 in __interceptor_memcpy
(/lib64/libasan.so.8+0x49d20)
   bluez#1 0x71f698 in util_iov_push_mem src/shared/util.c:266
   bluez#2 0x7b9312 in append_group src/shared/bap.c:3424
   bluez#3 0x71ba01 in queue_foreach src/shared/queue.c:207
   bluez#4 0x7b9b66 in bap_send src/shared/bap.c:3459
   bluez#5 0x7ba594 in bap_process_queue src/shared/bap.c:351

Fixes: bluez#457 (comment)
pv added a commit to pv/bluez that referenced this issue Feb 5, 2023
The following ASAN crash is observed when a media endpoint is unregistered
(stopping the sound server) while streaming from a remote BAP client:

ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0000474d8
READ of size 8 at 0x60b0000474d8 thread T0
    #0 0x7a27c6 in stream_set_state src/shared/bap.c:1227
    bluez#1 0x7aff61 in remove_streams src/shared/bap.c:2483
    bluez#2 0x71d2d0 in queue_foreach src/shared/queue.c:207
    bluez#3 0x7b0152 in bt_bap_remove_pac src/shared/bap.c:2501
    bluez#4 0x463cda in media_endpoint_destroy profiles/audio/media.c:179
    ...
0x60b0000474d8 is located 8 bytes inside of 112-byte region
freed by thread T0 here:
    #0 0x7f93b12b9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388)
    bluez#1 0x7a0504 in bap_stream_free src/shared/bap.c:972
    bluez#2 0x7a0800 in bap_stream_detach src/shared/bap.c:989
    bluez#3 0x7a26d1 in bap_stream_state_changed src/shared/bap.c:1208
    bluez#4 0x7a2ab4 in stream_set_state src/shared/bap.c:1252
    bluez#5 0x7ab18a in stream_release src/shared/bap.c:1985
    bluez#6 0x7c6919 in bt_bap_stream_release src/shared/bap.c:4572
    bluez#7 0x7aff50 in remove_streams src/shared/bap.c:2482
    ...
previously allocated by thread T0 here:
    #0 0x7f93b12ba6af in __interceptor_malloc (/lib64/libasan.so.8+0xba6af)
    bluez#1 0x71e9ae in util_malloc src/shared/util.c:43
    bluez#2 0x79c2f5 in bap_stream_new src/shared/bap.c:766
    bluez#3 0x7a4863 in ep_config src/shared/bap.c:1446
    bluez#4 0x7a4f22 in ascs_config src/shared/bap.c:1481
    ...

When stream->client is false, bt_bap_stream_release already sets the
stream to idle and frees it.

Fix the crash by not setting the state to idle for the second time,
in this case.
pv added a commit to pv/bluez that referenced this issue Feb 5, 2023
The following ASAN crash is observed when a media endpoint is unregistered
(stopping the sound server) while streaming from a remote BAP client:

ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0000474d8
READ of size 8 at 0x60b0000474d8 thread T0
    #0 0x7a27c6 in stream_set_state src/shared/bap.c:1227
    bluez#1 0x7aff61 in remove_streams src/shared/bap.c:2483
    bluez#2 0x71d2d0 in queue_foreach src/shared/queue.c:207
    bluez#3 0x7b0152 in bt_bap_remove_pac src/shared/bap.c:2501
    bluez#4 0x463cda in media_endpoint_destroy profiles/audio/media.c:179
    ...
0x60b0000474d8 is located 8 bytes inside of 112-byte region
freed by thread T0 here:
    #0 0x7f93b12b9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388)
    bluez#1 0x7a0504 in bap_stream_free src/shared/bap.c:972
    bluez#2 0x7a0800 in bap_stream_detach src/shared/bap.c:989
    bluez#3 0x7a26d1 in bap_stream_state_changed src/shared/bap.c:1208
    bluez#4 0x7a2ab4 in stream_set_state src/shared/bap.c:1252
    bluez#5 0x7ab18a in stream_release src/shared/bap.c:1985
    bluez#6 0x7c6919 in bt_bap_stream_release src/shared/bap.c:4572
    bluez#7 0x7aff50 in remove_streams src/shared/bap.c:2482
    ...
previously allocated by thread T0 here:
    #0 0x7f93b12ba6af in __interceptor_malloc (/lib64/libasan.so.8+0xba6af)
    bluez#1 0x71e9ae in util_malloc src/shared/util.c:43
    bluez#2 0x79c2f5 in bap_stream_new src/shared/bap.c:766
    bluez#3 0x7a4863 in ep_config src/shared/bap.c:1446
    bluez#4 0x7a4f22 in ascs_config src/shared/bap.c:1481
    ...

When stream->client is false, bt_bap_stream_release already sets the
stream to idle and frees it.

Fix the crash by not setting the state to idle for the second time,
in this case.
Donny9 added a commit to Donny9/bluez that referenced this issue Feb 6, 2023
When the type of the basic value is double, void *value can't be used as the buffer to get the value.
==3263760==ERROR: AddressSanitizer: stack-buffer-overflow on address 0xefe13c30 at pc 0x577c0356 bp 0xefe139b8 sp 0xefe139a8
WRITE of size 8 at 0xefe13c30 thread T0
    #0 0x577c0355 in _dbus_marshal_read_basic dbus/dbus/dbus-marshal-basic.c:581
    bluez#1 0x5783bedb in _dbus_type_reader_read_basic dbus/dbus/dbus-marshal-recursive.c:879
    bluez#2 0x5776ef72 in dbus_message_iter_get_basic dbus/dbus/dbus-message.c:2376
    bluez#3 0x57e06daa in iter_append_iter gdbus/client.c:222
    bluez#4 0x57e070b1 in prop_entry_update gdbus/client.c:265
    bluez#5 0x57e07454 in prop_entry_new gdbus/client.c:286
    bluez#6 0x57e0793a in add_property gdbus/client.c:322
pv added a commit to pv/bluez that referenced this issue Feb 14, 2023
Several types of use-after-free crashes can be found by making the BAP sound
server delay its SetConfiguration response (e.g. a debugger breakpoint)
and disconnecting the device while bluetoothd waits for the SetConfiguration
response.

One of these occurs in media.c:pac_clear

==5070==ERROR: AddressSanitizer: heap-use-after-free on address XXXX
READ of size 3 at 0x606000031640 thread T0
...
    bluez#4 0x559891 in btd_debug src/log.c:117
    bluez#5 0x46abfd in pac_clear profiles/audio/media.c:1096
    bluez#6 0x79fcaf in bap_stream_clear_cfm src/shared/bap.c:914
    bluez#7 0x7a060d in bap_stream_detach src/shared/bap.c:987
    bluez#8 0x7a25ea in bap_stream_state_changed src/shared/bap.c:1210
    bluez#9 0x7a29cd in stream_set_state src/shared/bap.c:1254
    bluez#10 0x7be824 in stream_foreach_detach src/shared/bap.c:3820
    bluez#11 0x71d15d in queue_foreach src/shared/queue.c:207
    bluez#12 0x7beb98 in bt_bap_detach src/shared/bap.c:3836
    bluez#13 0x5228cb in bap_disconnect profiles/audio/bap.c:1342
    bluez#14 0x63247c in btd_service_disconnect src/service.c:305
...

which crashes trying to address the path string stored in bt_bap_stream
user data, which has been freed e.g. via

freed by thread T0 here:
    #0 0x7f16708b9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388)
    bluez#1 0x7f167071b8cc in g_free (/lib64/libglib-2.0.so.0+0x5b8cc)
    bluez#2 0x7047b7 in remove_interface gdbus/object.c:660
    bluez#3 0x70aef6 in g_dbus_unregister_interface gdbus/object.c:1394
    bluez#4 0x47be30 in media_transport_destroy profiles/audio/transport.c:217
    bluez#5 0x464ab9 in endpoint_remove_transport profiles/audio/media.c:270
    bluez#6 0x464d26 in clear_configuration profiles/audio/media.c:292
    bluez#7 0x464e69 in clear_endpoint profiles/audio/media.c:300
    bluez#8 0x46516e in endpoint_reply profiles/audio/media.c:325
...

or

freed by thread T0 here:
    #0 0x7ff2b2ab9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388)
    bluez#1 0x51b1fe in ep_free profiles/audio/bap.c:513
    bluez#2 0x704cfa in remove_interface gdbus/object.c:660
    bluez#3 0x70b439 in g_dbus_unregister_interface gdbus/object.c:1394
    bluez#4 0x516d6d in ep_unregister profiles/audio/bap.c:102
    bluez#5 0x522bd1 in ep_remove profiles/audio/bap.c:1352
    bluez#6 0x71e06a in queue_remove_if src/shared/queue.c:279
    bluez#7 0x71e69e in queue_remove_all src/shared/queue.c:321
    bluez#8 0x522d00 in bap_disconnect profiles/audio/bap.c:1362
...

The cause is that the path string is owned either by media transports or
media endpoints, and their lifetime does not necessarily match that of
the BAP stream, so that the user data may already be freed when
pac_clear is entered.

Fix the crash in pac_clear by matching the transports by their stream
pointer, not using the potentially invalid user data, following the
unmerged v3 version of the problematic patch.

Fixes: 7b1b1a4 ("media: clear the right transport when clearing BAP endpoint")
pv pushed a commit to pv/bluez that referenced this issue Jul 15, 2023
If the stream state is idle, ep->stream shall be set to NULL;
otherwise it may be reused, causing the following trace:

==32623==ERROR: AddressSanitizer: heap-use-after-free on address ...
 READ of size 8 at 0x60b000103550 thread T0
    #0 0x7bf7b7 in bap_stream_valid src/shared/bap.c:4065
    bluez#1 0x7bf981 in bt_bap_stream_config src/shared/bap.c:4082
    bluez#2 0x51a7c8 in bap_config profiles/audio/bap.c:584
    bluez#3 0x71b907 in queue_foreach src/shared/queue.c:207
    bluez#4 0x51b61f in select_cb profiles/audio/bap.c:626
    bluez#5 0x4691ed in pac_select_cb profiles/audio/media.c:884
    bluez#6 0x4657ea in endpoint_reply profiles/audio/media.c:369

Fixes: bluez#457 (comment)
pv pushed a commit to pv/bluez that referenced this issue Jul 15, 2023
When grouping requests with the same opcode the code was queueing them
without attempting to check that they would fit in the ATT MTU, causing the
following trace:

stack-buffer-overflow on address 0x7fffdba951f0 at pc 0x7fc15fc49d21 bp
0x7fffdba95020 sp 0x7fffdba947d0
WRITE of size 9 at 0x7fffdba951f0 thread T0
   #0 0x7fc15fc49d20 in __interceptor_memcpy
(/lib64/libasan.so.8+0x49d20)
   bluez#1 0x71f698 in util_iov_push_mem src/shared/util.c:266
   bluez#2 0x7b9312 in append_group src/shared/bap.c:3424
   bluez#3 0x71ba01 in queue_foreach src/shared/queue.c:207
   bluez#4 0x7b9b66 in bap_send src/shared/bap.c:3459
   bluez#5 0x7ba594 in bap_process_queue src/shared/bap.c:351

Fixes: bluez#457 (comment)
BluezTestBot pushed a commit that referenced this issue Sep 19, 2023
It seems like some implementations of vasprintf set the content of
str to NULL rather than returning -1, causing the following errors:

=================================================================
==216204==ERROR: AddressSanitizer: attempting free on address which
was not malloc()-ed: 0x55e787722cf0 in thread T0
      #0 0x55e784f75872 in __interceptor_free.part.0 asan_malloc_linux.cpp.o
      #1 0x55e7850e55f9 in bt_log_vprintf
/usr/src/debug/bluez-git/bluez-git/src/shared/log.c:154:2
      #2 0x55e78502db18 in monitor_log
/usr/src/debug/bluez-git/bluez-git/src/log.c:40:2
      #3 0x55e78502dab4 in info
/usr/src/debug/bluez-git/bluez-git/src/log.c:52:2
      #4 0x55e78502e314 in __btd_log_init
/usr/src/debug/bluez-git/bluez-git/src/log.c:179:2
      #5 0x55e78502aa63 in main
/usr/src/debug/bluez-git/bluez-git/src/main.c:1388:2
      #6 0x7f1d5fe27ccf  (/usr/lib/libc.so.6+0x27ccf) (BuildId:
316d0d3666387f0e8fb98773f51aa1801027c5ab)
      #7 0x7f1d5fe27d89 in __libc_start_main
(/usr/lib/libc.so.6+0x27d89) (BuildId:
316d0d3666387f0e8fb98773f51aa1801027c5ab)
      #8 0x55e784e88084 in _start
(/usr/lib/bluetooth/bluetoothd+0x36084) (BuildId:
19348ea642303b701c033d773055becb623fe79a)
  Address 0x55e787722cf0 is a wild pointer inside of access range of
size 0x000000000001.
  SUMMARY: AddressSanitizer: bad-free asan_malloc_linux.cpp.o in
__interceptor_free.part.0
  ==216204==ABORTING
сен 18 13:10:02 archlinux systemd[1]: bluetooth.service: Main process
exited, code=exited, status=1/FAILURE
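The bad-free above comes from trusting a single failure convention of vasprintf(). The following is an added C example, not code from bluez's bt_log_vprintf(): a logging helper that treats the vasprintf() result as usable only when the return value is non-negative and the output pointer is non-NULL, so that neither a -1 return nor an implementation that NULLs the output pointer ends in free() of a wild pointer. The names log_format, vasprintf_result_usable and check_log_format are hypothetical.

```c
#define _GNU_SOURCE
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Explicit prototype so the example compiles even when _GNU_SOURCE was
 * not the first thing the compiler saw; identical to the glibc declaration. */
extern int vasprintf(char **strp, const char *fmt, va_list ap);

/* A vasprintf() result may be used (and later free()d) only when BOTH
 * conventions agree that it succeeded: non-negative length and a non-NULL
 * output pointer. Checking just one of them is what the trace above shows
 * going wrong. */
static int vasprintf_result_usable(int len, const char *str)
{
	return len >= 0 && str != NULL;
}

/* Hypothetical logging helper: returns a heap string the caller frees,
 * or NULL on failure. On failure nothing is freed, because the pointer
 * is not guaranteed to point at a malloc()ed block. */
static char *log_format(const char *fmt, ...)
{
	char *str = NULL;
	va_list ap;
	int len;

	va_start(ap, fmt);
	len = vasprintf(&str, fmt, ap);
	va_end(ap);

	if (!vasprintf_result_usable(len, str))
		return NULL;

	return str;
}

/* Self-check used by the stand-alone main() below: formats a constructed
 * message and verifies the result; returns 1 on success, 0 otherwise. */
static int check_log_format(void)
{
	char *s = log_format("%s=%d", "rc", 42);
	int ok = s != NULL && strcmp(s, "rc=42") == 0;

	free(s);	/* free(NULL) is a no-op, so this is safe either way */
	return ok;
}

int main(void)
{
	/* Constructed sample message; the address is a placeholder. */
	char *s = log_format("Connection attempt to: %s", "XX:XX:XX:XX:XX:XX");

	if (s == NULL) {
		fputs("log_format failed\n", stderr);
		return 1;
	}
	puts(s);
	free(s);

	return check_log_format() ? 0 : 1;
}
```

The helper makes the decision a named predicate so a reviewer can see the rule once, instead of auditing every call site for which of the two conditions it happened to test.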
BluezTestBot pushed a commit that referenced this issue Sep 20, 2023
Primary/Secondary Counters are supposed to be 16-byte values; if the
server has implemented them incorrectly it may lead to the following
crash:

=================================================================
==31860==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x607000001878 at pc 0x7f95a1575638 bp 0x7fff58c6bb80 sp 0x7fff58c6b328

 READ of size 48 at 0x607000001878 thread T0
     #0 0x7f95a1575637 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:860
     #1 0x7f95a1575ba6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:892
     #2 0x7f95a1575ba6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:887
     #3 0x564df69c77a0 in read_version obexd/client/pbap.c:288
     #4 0x564df69c77a0 in read_return_apparam obexd/client/pbap.c:352
     #5 0x564df69c77a0 in phonebook_size_callback obexd/client/pbap.c:374
     #6 0x564df69bea3c in session_terminate_transfer obexd/client/session.c:921
     #7 0x564df69d56b0 in get_xfer_progress_first obexd/client/transfer.c:729
     #8 0x564df698b9ee in handle_response gobex/gobex.c:1140
     #9 0x564df698cdea in incoming_data gobex/gobex.c:1385
     #10 0x7f95a12fdc43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43)
     #11 0x7f95a13526c7  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xaa6c7)
     #12 0x7f95a12fd2b2 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2)
     #13 0x564df6977d41 in main obexd/src/main.c:307
     #14 0x7f95a10a7d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
     #15 0x7f95a10a7e3f in __libc_start_main_impl ../csu/libc-start.c:392
     #16 0x564df6978704 in _start (/usr/local/libexec/bluetooth/obexd+0x8b704)
 0x607000001878 is located 0 bytes to the right of 72-byte region [0x607000001830,0x607000001878)

 allocated by thread T0 here:
     #0 0x7f95a1595a37 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
     #1 0x564df69c8b6a in pbap_probe obexd/client/pbap.c:1259
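Added example, not obexd's parser: an application-parameter TLV walker that rejects a version counter whose declared length is not 16 bytes before any fixed-size memcmp runs, which is the check the overflow above lacked. The tag values 0x0A/0x0B are as published in the PBAP specification and are assumed here rather than taken from the page; the sample buffers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* OBEX application-parameter tags for the two folder version counters.
 * Values as published in the PBAP specification (assumed here). */
#define PBAP_TAG_PRIMARY_VERSION   0x0A
#define PBAP_TAG_SECONDARY_VERSION 0x0B
#define PBAP_VERSION_LEN           16   /* both counters are 16-byte values */

struct pbap_versions {
    uint8_t primary[PBAP_VERSION_LEN];
    uint8_t secondary[PBAP_VERSION_LEN];
    int have_primary;
    int have_secondary;
};

/* Walks the tag/len/value triples in buf[0..len) and copies out the version
 * counters. Returns 0 on success; -1 if a header is truncated, a value is
 * declared longer than what remains, or a counter is not exactly 16 bytes.
 * A server sending a short counter is rejected here instead of being
 * compared with a fixed-size memcmp that reads past the value. */
static int pbap_read_versions(const uint8_t *buf, size_t len,
                              struct pbap_versions *out)
{
    size_t off = 0;

    memset(out, 0, sizeof(*out));
    while (off < len) {
        uint8_t tag, vlen;

        if (len - off < 2)        /* need a full tag + length header */
            return -1;
        tag = buf[off];
        vlen = buf[off + 1];
        off += 2;
        if (vlen > len - off)     /* value would run past the buffer */
            return -1;

        switch (tag) {
        case PBAP_TAG_PRIMARY_VERSION:
            if (vlen != PBAP_VERSION_LEN)
                return -1;
            memcpy(out->primary, buf + off, PBAP_VERSION_LEN);
            out->have_primary = 1;
            break;
        case PBAP_TAG_SECONDARY_VERSION:
            if (vlen != PBAP_VERSION_LEN)
                return -1;
            memcpy(out->secondary, buf + off, PBAP_VERSION_LEN);
            out->have_secondary = 1;
            break;
        default:                  /* unknown tag: skip by declared length */
            break;
        }
        off += vlen;
    }
    return 0;
}

/* Returns 1 if the received counter differs from the cached one, 0 if not.
 * Only valid for values that passed pbap_read_versions, which is what makes
 * the fixed 16-byte compare safe. */
static int pbap_version_changed(const uint8_t *cached, const uint8_t *got)
{
    return memcmp(cached, got, PBAP_VERSION_LEN) != 0;
}

/* Constructed sample responses. */
static const uint8_t good_params[] = {
    0x0A, 16, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
              0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10,
    0x0B, 16, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
              0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20,
    0x7F, 2,  0xAA, 0xBB,        /* some other parameter, skipped */
};
/* Misbehaving server: counter carries 4 bytes instead of 16. */
static const uint8_t short_counter[] = { 0x0A, 4, 0x01, 0x02, 0x03, 0x04 };
/* Truncated: declares 16 bytes but only 2 follow. */
static const uint8_t truncated[] = { 0x0A, 16, 0x01, 0x02 };
/* What a client might have cached from an earlier response. */
static const uint8_t cached_primary[PBAP_VERSION_LEN] = {
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
    0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10 };
```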
pv added a commit to pv/bluez that referenced this issue Nov 12, 2023
ASCS allows transitions from Codec/QoS Configured back to the same
state.

E.g. NRF5340_AUDIO devkit starts in the config(1) state, which is
allowed (only Config QoS, Release, Enable, Receiver Stop Ready
transition are client-only). In this case, as client, we do Config Codec
ourselves and end up with config(1)->config(1) transition.  We currently
ignore that event, so QoS won't be setup and transports won't be
created.

Handle the config(1)->config(1) transition by continuing to Config QoS
if it occurs.

Log:

src/gatt-client.c:btd_gatt_client_connected() Device connected.
src/shared/gatt-client.c:exchange_mtu_cb() MTU exchange complete, with MTU: 65
src/shared/bap.c:bap_ep_set_status() ASE status: ep 0x604000039a90 id 0x01 handle 0x000f state config len 42
src/shared/bap.c:ep_status_config() codec 0x06 framing 0x00 phy 0x02 rtn 2 latency 10 pd 4000 - 40000 ppd 4000 - 40000
src/shared/bap.c:ep_status_config() Codec Config #0: type 0x01 len 2
src/shared/bap.c:ep_status_config() Codec Config #1: type 0x02 len 2
src/shared/bap.c:ep_status_config() Codec Config #2: type 0x03 len 5
src/shared/bap.c:ep_status_config() Codec Config #3: type 0x04 len 3
src/shared/bap.c:ep_status_config() Codec Config #4: type 0x05 len 2
src/shared/bap.c:bap_stream_state_changed() stream 0x60c0000334c0 dir 0x01: idle -> config
src/shared/bap.c:bap_stream_update_io_links() stream 0x60c0000334c0
profiles/audio/bap.c:bap_state() stream 0x60c0000334c0: idle(0) -> config(1)
profiles/audio/bap.c:bap_ready() bap 0x60e000001d20
profiles/audio/bap.c:pac_found() lpac 0x608000017520 rpac 0x6080000183a0
profiles/audio/bap.c:ep_register() ep 0x60d000006910 lpac 0x608000017520 rpac 0x6080000183a0 path /org/bluez/hci0/dev_C9_C9_76_21_08_4F/pac_sink0
profiles/audio/media.c:media_endpoint_async_call() Calling SelectProperties: name = :1.604 path = /MediaEndpointLE/BAPSource/lc3
...
src/shared/bap.c:bap_stream_state_changed() stream 0x60c0000334c0 dir 0x01: config -> config
src/shared/bap.c:bap_stream_update_io_links() stream 0x60c0000334c0
profiles/audio/bap.c:bap_state() stream 0x60c0000334c0: config(1) -> config(1)
BluezTestBot pushed a commit that referenced this issue Nov 15, 2023
BluezTestBot pushed a commit that referenced this issue Nov 28, 2023
This uses bt_bap_debug_{config, metadata} to decode the TLV entries
found in Basic Audio Announcement:

< HCI Command: LE Set Peri.. (0x08|0x003f) plen 41
        Handle: 1
        Operation: Complete ext advertising data (0x03)
        Data length: 0x26
        Service Data: Basic Audio Announcement (0x1851)
          Presetation Delay: 10000
          Number of Subgroups: 1
            Subgroup #0:
            Number of BIS(s): 1
            Codec: LC3 (0x06)
            Codec Specific Configuration: #0: len 0x02 type 0x01
            Codec Specific Configuration: Sampling Frequency: 48 Khz (0x08)
            Codec Specific Configuration: #1: len 0x02 type 0x02
            Codec Specific Configuration: Frame Duration: 7.5 ms (0x00)
            Codec Specific Configuration: #2: len 0x03 type 0x04
            Codec Specific Configuration: Frame Length: 75 (0x004b)
            Metadata: #0: len 0x03 type 0x02
            Metadata: Context: 0x0002
            Metadata: Context	Conversational (0x0002)
              BIS #0:
              Index: 1
              Codec Specific Configuration: #0: len 0x05 type 0x03
              Codec Specific Configuration: Location: 0x00000001
              Codec Specific Configuration: Location: Front Left (0x00000001)
BluezTestBot pushed a commit that referenced this issue Dec 15, 2023
bt_bap_pac may actually map to multiple PAC records and each may have a
different channel count that needs to be matched separately, for
instance when trying with EarFun Air Pro:

< ACL Data TX: Handle 2048 flags 0x00 dlen 85
      ATT: Write Command (0x52) len 80
        Handle: 0x0098 Type: ASE Control Point (0x2bc6)
          Data: 010405020206000000000a020103020201030428000602020600000
	  0000a0201030202010304280001020206000000000a020103020201030428
	  0002020206000000000a02010302020103042800
            Opcode: Codec Configuration (0x01)
            Number of ASE(s): 4
            ASE: #0
            ASE ID: 0x05
            Target Latency: Balance Latency/Reliability (0x02)
            PHY: 0x02
            LE 2M PHY (0x02)
            Codec: LC3 (0x06)
            Codec Specific Configuration: #0: len 0x02 type 0x01
              Sampling Frequency: 16 Khz (0x03)
            Codec Specific Configuration: #1: len 0x02 type 0x02
              Frame Duration: 10 ms (0x01)
            Codec Specific Configuration: #2: len 0x03 type 0x04
              Frame Length: 40 (0x0028)
            ASE: #1
            ASE ID: 0x06
            Target Latency: Balance Latency/Reliability (0x02)
            PHY: 0x02
            LE 2M PHY (0x02)
            Codec: LC3 (0x06)
            Codec Specific Configuration: #0: len 0x02 type 0x01
              Sampling Frequency: 16 Khz (0x03)
            Codec Specific Configuration: #1: len 0x02 type 0x02
              Frame Duration: 10 ms (0x01)
            Codec Specific Configuration: #2: len 0x03 type 0x04
              Frame Length: 40 (0x0028)
            ASE: #2
            ASE ID: 0x01
            Target Latency: Balance Latency/Reliability (0x02)
            PHY: 0x02
            LE 2M PHY (0x02)
            Codec: LC3 (0x06)
            Codec Specific Configuration: #0: len 0x02 type 0x01
              Sampling Frequency: 16 Khz (0x03)
            Codec Specific Configuration: #1: len 0x02 type 0x02
              Frame Duration: 10 ms (0x01)
            Codec Specific Configuration: #2: len 0x03 type 0x04
              Frame Length: 40 (0x0028)
            ASE: #3
            ASE ID: 0x02
            Target Latency: Balance Latency/Reliability (0x02)
            PHY: 0x02
            LE 2M PHY (0x02)
            Codec: LC3 (0x06)
            Codec Specific Configuration: #0: len 0x02 type 0x01
              Sampling Frequency: 16 Khz (0x03)
            Codec Specific Configuration: #1: len 0x02 type 0x02
              Frame Duration: 10 ms (0x01)
            Codec Specific Configuration: #2: len 0x03 type 0x04
              Frame Length: 40 (0x0028)

Fixes: #612
BluezTestBot pushed a commit that referenced this issue Dec 15, 2023
This makes use of ChannelAllocation when present on the SelectProperties
dictionary, which is then passed on to bluetoothd and sent over as part
of Codec Configuration:

< ACL Data TX: Handle 2048 flags 0x00 dlen 109
      ATT: Write Command (0x52) len 104
        Handle: 0x0098 Type: ASE Control Point (0x2bc6)
          Data: 0104050202060000000010020103020201030428000503010000000
	  6020206000000001002010302020103042800050302000000010202060000
	  0000100201030202010304280005030100000002020206000000001002010
	  302020103042800050302000000
            Opcode: Codec Configuration (0x01)
            Number of ASE(s): 4
            ASE: #0
            ASE ID: 0x05
            Target Latency: Balance Latency/Reliability (0x02)
            PHY: 0x02
            LE 2M PHY (0x02)
            Codec: LC3 (0x06)
            Codec Specific Configuration: #0: len 0x02 type 0x01
              Sampling Frequency: 16 Khz (0x03)
            Codec Specific Configuration: #1: len 0x02 type 0x02
              Frame Duration: 10 ms (0x01)
            Codec Specific Configuration: #2: len 0x03 type 0x04
              Frame Length: 40 (0x0028)
            Codec Specific Configuration: #3: len 0x05 type 0x03
           Location: 0x00000001
              Front Left (0x00000001)
            ASE: #1
            ASE ID: 0x06
            Target Latency: Balance Latency/Reliability (0x02)
            PHY: 0x02
            LE 2M PHY (0x02)
            Codec: LC3 (0x06)
            Codec Specific Configuration: #0: len 0x02 type 0x01
              Sampling Frequency: 16 Khz (0x03)
            Codec Specific Configuration: #1: len 0x02 type 0x02
              Frame Duration: 10 ms (0x01)
            Codec Specific Configuration: #2: len 0x03 type 0x04
              Frame Length: 40 (0x0028)
            Codec Specific Configuration: #3: len 0x05 type 0x03
           Location: 0x00000002
              Front Right (0x00000002)
            ASE: #2
            ASE ID: 0x01
            Target Latency: Balance Latency/Reliability (0x02)
            PHY: 0x02
            LE 2M PHY (0x02)
            Codec: LC3 (0x06)
            Codec Specific Configuration: #0: len 0x02 type 0x01
              Sampling Frequency: 16 Khz (0x03)
            Codec Specific Configuration: #1: len 0x02 type 0x02
              Frame Duration: 10 ms (0x01)
            Codec Specific Configuration: #2: len 0x03 type 0x04
              Frame Length: 40 (0x0028)
            Codec Specific Configuration: #3: len 0x05 type 0x03
           Location: 0x00000001
              Front Left (0x00000001)
            ASE: #3
            ASE ID: 0x02
            Target Latency: Balance Latency/Reliability (0x02)
            PHY: 0x02
            LE 2M PHY (0x02)
            Codec: LC3 (0x06)
            Codec Specific Configuration: #0: len 0x02 type 0x01
              Sampling Frequency: 16 Khz (0x03)
            Codec Specific Configuration: #1: len 0x02 type 0x02
              Frame Duration: 10 ms (0x01)
            Codec Specific Configuration: #2: len 0x03 type 0x04
              Frame Length: 40 (0x0028)
            Codec Specific Configuration: #3: len 0x05 type 0x03
           Location: 0x00000002
              Front Right (0x00000002)
BluezTestBot pushed a commit that referenced this issue Jan 30, 2024
This enables local endpoints to be printed with endpoint.show:

[bluetooth]# endpoint.show /local/endpoint/pac_snk/lc3
Endpoint /local/endpoint/pac_snk/lc3
	UUID 00002bc9-0000-1000-8000-00805f9b34fb
	Codec 0x06 (6)
	Capabilities.#0: len 0x03 type 0x01
	Capabilities.Sampling Frequencies: 0x00ff
	Capabilities.Sampling Frequency: 8 Khz (0x0001)
	Capabilities.Sampling Frequency: 11.25 Khz (0x0002)
	Capabilities.Sampling Frequency: 16 Khz (0x0004)
	Capabilities.Sampling Frequency: 22.05 Khz (0x0008)
	Capabilities.Sampling Frequency: 24 Khz (0x0010)
	Capabilities.Sampling Frequency: 32 Khz (0x0020)
	Capabilities.Sampling Frequency: 44.1 Khz (0x0040)
	Capabilities.Sampling Frequency: 48 Khz (0x0080)
	Capabilities.#1: len 0x02 type 0x02
	Capabilities.Frame Duration: 0x03
	Capabilities.Frame Duration: 7.5 ms (0x01)
	Capabilities.Frame Duration: 10 ms (0x02)
	Capabilities.#2: len 0x02 type 0x03
	Capabilities.Audio Channel Count: 0x03
	Capabilities.Audio Channel Count: 1 channel (0x01)
	Capabilities.Audio Channel Count: 2 channel (0x02)
	Capabilities.#3: len 0x05 type 0x04
	Capabilities.Frame Length: 30 (0x001e) - 240 (0x00f0)
	Locations 0x00000003 (3)
	SupportedContext 0x00000fff (4095)
	Context 0x00000fff (4095)
BluezTestBot pushed a commit that referenced this issue Feb 2, 2024
This fixes the following crash when a broadcast stream setup is
pending and the device is removed:

bluetoothd[37]: src/device.c:device_free() 0x89a500
bluetoothd[37]: GLib: Invalid file descriptor.
bluetoothd[37]: ++++++++ backtrace ++++++++
bluetoothd[37]: #1  g_logv+0x270 (/usr/lib64/libglib-2.0.so.0.7600.6) [0x7feb557e3120]
bluetoothd[37]: #2  g_log+0x93 (/usr/lib64/libglib-2.0.so.0.7600.6) [0x7feb557e3403]
bluetoothd[37]: #3  g_io_channel_error_from_errno+0x4a (/usr/lib64/libglib-2.0.so.0.7600.6) [0x7feb557cd9da]
bluetoothd[37]: #4  g_io_unix_close+0x53 (/usr/lib64/libglib-2.0.so.0.7600.6) [0x7feb55839d53]
bluetoothd[37]: #5  g_io_channel_shutdown+0x10f (/usr/lib64/libglib-2.0.so.0.7600.6) [0x7feb557cdf7f]
bluetoothd[37]: #6  g_io_channel_unref+0x39 (/usr/lib64/libglib-2.0.so.0.7600.6) [0x7feb557ce1e9]
bluetoothd[37]: #7  g_source_unref_internal+0x24f (/usr/lib64/libglib-2.0.so.0.7600.6) [0x7feb557db79f]
bluetoothd[37]: #8  g_main_context_dispatch+0x288 (/usr/lib64/libglib-2.0.so.0.7600.6) [0x7feb557dd638]
bluetoothd[37]: #9  g_main_context_iterate.isra.0+0x318 (/usr/lib64/libglib-2.0.so.0.7600.6) [0x7feb5583b6b8]
bluetoothd[37]: #10 g_main_loop_run+0x7f (/usr/lib64/libglib-2.0.so.0.7600.6) [0x7feb557dcaff]
bluetoothd[37]: #11 mainloop_run+0x15 (src/shared/mainloop-glib.c:68) [0x662e65]
bluetoothd[37]: #12 mainloop_run_with_signal+0x128 (src/shared/mainloop-notify.c:190) [0x663368]
bluetoothd[37]: #13 main+0x154b (src/main.c:1454) [0x41521b]
bluetoothd[37]: #14 __libc_start_call_main+0x7a (/usr/lib64/libc.so.6) [0x7feb54e1fb8a]
bluetoothd[37]: #15 __libc_start_main@@GLIBC_2.34+0x8b (/usr/lib64/libc.so.6) [0x7feb54e1fc4b]
bluetoothd[37]: #16 _start+0x25 (src/main.c:1197) [0x416305]
bluetoothd[37]: +++++++++++++++++++++++++++
pv pushed a commit to pv/bluez that referenced this issue Mar 2, 2024
This fixes the following trace caused by not initializing data->io:

AddressSanitizer:DEADLYSIGNAL
=================================================================
ERROR: AddressSanitizer: SEGV on unknown address
(pc 0x7f199c3a01c9 bp 0x7ffc26624a10 sp 0x7ffc26624a00 T0)
The signal is caused by a READ memory access.
Hint: this fault was caused by a dereference of a high value address
(see register values below).  Disassemble the provided pc to learn .
    #0 0x7f199c3a01c9 in g_io_channel_unref (/lib64/libglib-2.0.so.0+0x4d1c9)
    #1 0x5565f82fcece in test_post_teardown tools/rfcomm-tester.c:205
    #2 0x5565f83939b3 in teardown_callback src/shared/tester.c:434
BluezTestBot pushed a commit that referenced this issue Mar 11, 2024
Fix the second bap_stream_set_io call to set the io on the linked
transport, as it's clearly meant to.

Fixes sending duplicate stream stop/start requests.

bluetoothd[588207]: < ACL Data TX: Handle 2048 flags 0x00 dlen 11   #492 [hci1]
      ATT: Write Command (0x52) len 6
        Handle: 0x0098 Type: ASE Control Point (0x2bc6)
          Data: 04020505
            Opcode: Receiver Start Ready (0x04)
            Number of ASE(s): 2
            ASE: #0
            ASE ID: 0x05
            ASE: #1
            ASE ID: 0x05
pv added a commit to pv/bluez that referenced this issue Mar 16, 2024
setup->err is set to values that either are on the stack of avdtp.c
routines, obtained from callbacks, or allocated on the heap. This is
inconsistent, and a use-after-free in some cases.

Fix by always allocating setup->err ourselves, copying any values
obtained from callbacks.  Add setup_error_set/init and do all setup->err
manipulation via them.

Fixes crash:

==994225==ERROR: AddressSanitizer: stack-use-after-return
READ of size 1 at 0x7f15ee5189c0 thread T0
    #0 0x445724 in avdtp_error_category profiles/audio/avdtp.c:657
    #1 0x41e59e in error_to_errno profiles/audio/a2dp.c:303
    #2 0x42bb23 in a2dp_reconfigure profiles/audio/a2dp.c:1336
    #3 0x7f15f1512798 in g_timeout_dispatch
    ...
Address 0x7f15ee5189c0 is located in stack of thread T0 at offset 64 in frame
    #0 0x466b76 in avdtp_parse_rej profiles/audio/avdtp.c:3056
  This frame has 2 object(s):
    [48, 49) 'acp_seid' (line 3058)
    [64, 72) 'err' (line 3057) <== Memory access at offset 64 is inside this variable
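An added illustration of the ownership rule the commit above describes, not the project's code: the setup_error_set/setup_error_init below are hypothetical reimplementations that always copy the error into heap memory owned by setup, so a record parsed on a callee's stack (the avdtp_parse_rej frame in the report) survives that frame returning. The reject payload is constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical error record, loosely modelled on an AVDTP reject (a
 * category plus a code). Names are illustrative, not the project's. */
struct xfer_error {
    uint8_t category;
    uint8_t code;
};

struct setup {
    struct xfer_error *err;   /* always heap-allocated and owned by setup */
};

static void setup_error_init(struct setup *setup)
{
    setup->err = NULL;
}

/* Stores a private copy of err (which may live on a caller's stack),
 * replacing any previous error. NULL clears it. Returns 0 or -ENOMEM. */
static int setup_error_set(struct setup *setup, const struct xfer_error *err)
{
    struct xfer_error *copy = NULL;

    if (err) {
        copy = malloc(sizeof(*copy));
        if (!copy)
            return -ENOMEM;
        *copy = *err;             /* copy the value, never keep the pointer */
    }
    free(setup->err);
    setup->err = copy;
    return 0;
}

static void setup_error_clear(struct setup *setup)
{
    setup_error_set(setup, NULL);
}

/* Parses a constructed two-byte reject into a stack-local error and hands
 * it to setup. err goes out of scope when this function returns, which is
 * exactly why it must be copied rather than aliased. */
static int parse_reject(struct setup *setup, const uint8_t *data, size_t len)
{
    struct xfer_error err;    /* lives in this frame only */

    if (len < 2)
        return -EINVAL;
    err.category = data[0];
    err.code = data[1];
    return setup_error_set(setup, &err);
}

/* Later consumers (a timer callback, a reconfigure path) read setup->err
 * long after parse_reject's frame is gone. Return -1 when no error is set. */
static int setup_error_code(const struct setup *setup)
{
    return setup->err ? setup->err->code : -1;
}

static int setup_error_category(const struct setup *setup)
{
    return setup->err ? setup->err->category : -1;
}

/* End-to-end demo: returns the code read back after the frame that produced
 * it has returned; 0x13 for the constructed payload. */
static int demo_reject_roundtrip(void)
{
    struct setup s;
    const uint8_t rej[] = { 0x01, 0x13 };   /* constructed: cat 1, code 0x13 */
    int code;

    setup_error_init(&s);
    if (parse_reject(&s, rej, sizeof(rej)) < 0)
        return -1;
    code = setup_error_code(&s);
    setup_error_clear(&s);
    return code;
}
```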
BluezTestBot pushed a commit that referenced this issue Mar 20, 2024
BluezTestBot pushed a commit that referenced this issue Mar 26, 2024
select_cb() callback is called when the sound server replies. However,
at that point the ep or session for which it was made may already be
gone if e.g. the device disconnects or the adapter is powered off.

Fix by implementing cancelling select() callbacks, and doing it before
freeing ep.

Fixes crash:

==889897==ERROR: AddressSanitizer: heap-use-after-free
READ of size 8 at 0x60400006b098 thread T0
    #0 0x55aeba in setup_new profiles/audio/bap.c:840
    #1 0x562158 in select_cb profiles/audio/bap.c:1361
    #2 0x47ad66 in pac_select_cb profiles/audio/media.c:920
    #3 0x47661b in endpoint_reply profiles/audio/media.c:375
    ...
freed by thread T0 here:
    #0 0x7fd20bcd7fb8 in __interceptor_free.part.0
    #1 0x55f913 in ep_free profiles/audio/bap.c:1156
    #2 0x7d696e in remove_interface gdbus/object.c:660
    #3 0x7de622 in g_dbus_unregister_interface gdbus/object.c:1394
    #4 0x554536 in ep_unregister profiles/audio/bap.c:193
    #5 0x574455 in ep_remove profiles/audio/bap.c:2963
    #6 0x7f5341 in queue_remove_if src/shared/queue.c:279
    #7 0x7f5aba in queue_remove_all src/shared/queue.c:321
    #8 0x57452b in bap_disconnect profiles/audio/bap.c:2972
    #9 0x6cd107 in btd_service_disconnect src/service.c:305
    ...
previously allocated by thread T0 here:
    #0 0x7fd20bcd92ef in malloc
    #1 0x7f6e98 in util_malloc src/shared/util.c:46
    #2 0x560d28 in ep_register profiles/audio/bap.c:1282
    #3 0x562bdf in pac_register profiles/audio/bap.c:1386
    #4 0x8cc834 in bap_foreach_pac src/shared/bap.c:4950
    #5 0x8cccfc in bt_bap_foreach_pac src/shared/bap.c:4964
    #6 0x56330b in bap_ready profiles/audio/bap.c:1457
    ...
BluezTestBot pushed a commit that referenced this issue Apr 2, 2024
This attempts to decode the PA data content:

Before:

> HCI Event: LE Meta Event (0x3e) plen 46
      LE Periodic Advertising Report (0x0f)
        Sync handle: 1
        TX power: 127 dbm (0x7f)
        RSSI: not available (0x7f)
        CTE Type: No Constant Tone Extension (0xff)
        Data status: Complete
        Data length: 0x26
        25 16 51 18 28 00 00 01 01 06 00 00 00 00 11 02  %.Q.(...........
        01 03 02 02 01 05 03 01 00 00 00 03 04 28 00 04  .............(..
        03 02 02 00 01 00

After:

> HCI Event: LE Meta Event (0x3e) plen 46
      LE Periodic Advertising Report (0x0f)
        Sync handle: 1
        TX power: 127 dbm (0x7f)
        RSSI: not available (0x7f)
        CTE Type: No Constant Tone Extension (0xff)
        Data status: Complete
        Data length: 0x26
        Service Data: Basic Audio Announcement (0x1851)
          Presetation Delay: 40
          Number of Subgroups: 1
            Subgroup #0:
            Number of BIS(s): 1
            Codec: LC3 (0x06)
            Codec Specific Configuration: #0: len 0x02 type 0x01
            Codec Specific Configuration: Sampling Frequency: 16 Khz (0x03)
            Codec Specific Configuration: #1: len 0x02 type 0x02
            Codec Specific Configuration: Frame Duration: 10 ms (0x01)
            Codec Specific Configuration: #2: len 0x05 type 0x03
            Codec Specific Configuration: Location: 0x00000001
            Codec Specific Configuration: Location: Front Left (0x00000001)
            Codec Specific Configuration: #3: len 0x03 type 0x04
            Codec Specific Configuration: Frame Length: 40 (0x0028)
            Metadata: #0: len 0x03 type 0x02
            Metadata: Context: 0x0002
            Metadata: Context	Conversational (0x0002)
              BIS #0:
              Index: 1
BluezTestBot pushed a commit that referenced this issue Apr 16, 2024
Cancel stream's queued requests before freeing the stream.

As the callbacks may do some cleanup on error, be sure to call them
before removing the requests.

Fixes:
=======================================================================
ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000013430
READ of size 8 at 0x60d000013430 thread T0
    #0 0x89cb9f in stream_stop_complete src/shared/bap.c:1211
    #1 0x89c997 in bap_req_complete src/shared/bap.c:1192
    #2 0x8a105f in bap_process_queue src/shared/bap.c:1474
    #3 0x93c93f in timeout_callback src/shared/timeout-glib.c:25
...
freed by thread T0 here:
    #1 0x89b744 in bap_stream_free src/shared/bap.c:1105
    #2 0x89bac8 in bap_stream_detach src/shared/bap.c:1122
    #3 0x89dbfc in bap_stream_state_changed src/shared/bap.c:1261
    #4 0x8a2169 in bap_ucast_set_state src/shared/bap.c:1554
    #5 0x89e0d5 in stream_set_state src/shared/bap.c:1291
    #6 0x8a78b6 in bap_ucast_release src/shared/bap.c:1927
    #7 0x8d45bb in bt_bap_stream_release src/shared/bap.c:5516
    #8 0x8ba63f in remove_streams src/shared/bap.c:3538
    #9 0x7f23d0 in queue_foreach src/shared/queue.c:207
    #10 0x8bb875 in bt_bap_remove_pac src/shared/bap.c:3593
    #11 0x47416c in media_endpoint_destroy profiles/audio/media.c:185
=======================================================================
BluezTestBot pushed a commit that referenced this issue Apr 16, 2024
Before freeing setup, cancel any ongoing stream operations, and indicate
failure for pending DBus replies.

Fixes:
=======================================================================
ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000004758
WRITE of size 4 at 0x60d000004758 thread T0
    #0 0x557159 in qos_cb profiles/audio/bap.c:753
    #1 0x89c38f in bap_req_complete src/shared/bap.c:1191
    #2 0x8cb7fc in bap_req_detach src/shared/bap.c:4789
    #3 0x8cb9bb in bt_bap_detach src/shared/bap.c:4801
    #4 0x571e25 in bap_disconnect profiles/audio/bap.c:3011
    ...
freed by thread T0 here:
    #1 0x558f2b in setup_free profiles/audio/bap.c:890
    #2 0x7f34e8 in queue_remove_all src/shared/queue.c:341
    #3 0x7f0105 in queue_destroy src/shared/queue.c:60
    #4 0x55cdc8 in ep_free profiles/audio/bap.c:1167
=======================================================================
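The teardown order shared by the three use-after-free fixes above (cancel queued requests and run their callbacks with an error while the owner is still alive, and only then free it), as an added example; the stream/req types and names are hypothetical, not the project's.

```c
#include <errno.h>
#include <stdlib.h>

#define STREAM_MAGIC 0x5354524DU   /* cleared just before the memory goes */

struct stream;
/* Completion callback: err is 0 on success, or a negative errno such as
 * -ECANCELED when the owner is torn down while the request is in flight. */
typedef void (*req_cb)(struct stream *s, int err, void *user_data);

struct req {
    struct req *next;
    req_cb cb;
    void *user_data;
};

/* Hypothetical stream object holding a FIFO of in-flight requests. */
struct stream {
    unsigned magic;
    struct req *pending;
};

static struct stream *stream_new(void)
{
    struct stream *s = calloc(1, sizeof(*s));

    if (s)
        s->magic = STREAM_MAGIC;
    return s;
}

static int stream_req_add(struct stream *s, req_cb cb, void *user_data)
{
    struct req **tail = &s->pending;
    struct req *r = malloc(sizeof(*r));

    if (!r)
        return -ENOMEM;
    r->next = NULL;
    r->cb = cb;
    r->user_data = user_data;
    while (*tail)
        tail = &(*tail)->next;
    *tail = r;
    return 0;
}

/* Completes every queued request with err: the callback runs first, so it
 * can still do its own cleanup, and the request is freed afterwards. The
 * list head is detached before the walk so a callback that queues a new
 * request cannot corrupt the iteration. Returns the number of callbacks run. */
static int stream_cancel_all(struct stream *s, int err)
{
    struct req *r = s->pending;
    int n = 0;

    s->pending = NULL;
    while (r) {
        struct req *next = r->next;

        if (r->cb)
            r->cb(s, err, r->user_data);
        free(r);
        r = next;
        n++;
    }
    return n;
}

/* Order matters: cancel (callbacks see a live object), then release.
 * Freeing first and letting a timer fire the callbacks later is the
 * heap-use-after-free pattern in the reports above. */
static void stream_free(struct stream *s)
{
    if (!s)
        return;
    stream_cancel_all(s, -ECANCELED);
    s->magic = 0;
    free(s);
}

/* Recording callback for the demo: counts calls, keeps the last error and
 * checks that the stream it was handed is still intact (this read is the
 * one that becomes a use-after-free if free() runs first). */
struct cb_record { int calls; int last_err; int saw_live_stream; };

static void record_cb(struct stream *s, int err, void *user_data)
{
    struct cb_record *rec = user_data;

    rec->calls++;
    rec->last_err = err;
    if (s->magic == STREAM_MAGIC)
        rec->saw_live_stream++;
}

/* Queues two requests, then tears the stream down. Returns how many
 * callbacks observed a live stream: 2 with the order above. */
static int demo_cancel_before_free(void)
{
    struct cb_record rec = { 0, 0, 0 };
    struct stream *s = stream_new();

    if (!s)
        return -1;
    if (stream_req_add(s, record_cb, &rec) < 0 ||
        stream_req_add(s, record_cb, &rec) < 0) {
        stream_free(s);
        return -1;
    }
    stream_free(s);
    if (rec.calls != 2 || rec.last_err != -ECANCELED)
        return -1;
    return rec.saw_live_stream;
}
```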
BluezTestBot pushed a commit that referenced this issue Apr 16, 2024
Currently, btd_set_add_device decrypts the sirk in-place, modifying the
key passed to it.

This causes store_sirk() later on to save the wrong (decrypted) key
value, resulting in an invalid duplicate device set.

It also allows the devices->sirk list to contain the same set multiple
times, which crashes later on as sirks-set are assumed to be 1-to-1 in
btd_set_add/remove_device().

Fixes:
=======================================================================
ERROR: AddressSanitizer: heap-use-after-free on address 0x60600001c068
READ of size 8 at 0x60600001c068 thread T0
    #0 0x762721 in btd_set_remove_device src/set.c:347
    #1 0x7341e7 in remove_sirk_info src/device.c:7145
    #2 0x7f2cee in queue_foreach src/shared/queue.c:207
    #3 0x734499 in btd_device_unref src/device.c:7159
    #4 0x719f65 in device_remove src/device.c:4788
    #5 0x682382 in adapter_remove src/adapter.c:6959
    ...
0x60600001c068 is located 40 bytes inside of 56-byte region [0x60600001c040,0x60600001c078)
freed by thread T0 here:
    #1 0x7605a6 in set_free src/set.c:170
    #2 0x7d4eff in remove_interface gdbus/object.c:660
    #3 0x7dcbb3 in g_dbus_unregister_interface gdbus/object.c:1394
    #4 0x762990 in btd_set_remove_device src/set.c:362
    #5 0x7341e7 in remove_sirk_info src/device.c:7145
    #6 0x7f2cee in queue_foreach src/shared/queue.c:207
    #7 0x734499 in btd_device_unref src/device.c:7159
    #8 0x719f65 in device_remove src/device.c:4788
    #9 0x682382 in adapter_remove src/adapter.c:6959
    ...
previously allocated by thread T0 here:
    #1 0x7f5429 in util_malloc src/shared/util.c:46
    #2 0x7605f1 in set_new src/set.c:178
    #3 0x7625b9 in btd_set_add_device src/set.c:324
    #4 0x6f8fc8 in add_set src/device.c:1916
    #5 0x7f2cee in queue_foreach src/shared/queue.c:207
    #6 0x6f982c in device_set_ltk src/device.c:1940
    #7 0x667b97 in load_ltks src/adapter.c:4478
    ...
=======================================================================