seems fixed #7

Closed
JsBergbau opened this issue Mar 27, 2020 · 0 comments

Comments


JsBergbau commented Mar 27, 2020

seems fixed

JsBergbau changed the title from "Massive range decrease with "bluez 5.50-1.2~deb10u1"" to "seems fixed" on Mar 30, 2020
BluezTestBot pushed a commit that referenced this issue Mar 31, 2020
bluetoothd[363094]: src/device.c:device_connect_le() Connection attempt to: 00:AA:01:00:00:23

Program received signal SIGSEGV, Segmentation fault.
write_complete_cb (attr=0x55555580aa30, err=-110, user_data=0x55555585f7c0) at src/shared/gatt-server.c:793
793             util_debug(server->debug_callback, server->debug_data,
(gdb) bt
 #0  write_complete_cb (attr=0x55555580aa30, err=-110, user_data=0x55555585f7c0) at src/shared/gatt-server.c:793
 #1  0x00005555556a5852 in pending_write_result (p=0x555555866030, err=<optimized out>) at src/shared/gatt-db.c:162
 #2  0x00005555556a5ac7 in write_timeout (user_data=0x555555866030) at src/shared/gatt-db.c:1879
 #3  0x00005555556a9b15 in timeout_callback (user_data=user_data@entry=0x555555864b20) at src/shared/timeout-glib.c:34
 #4  0x00007ffff7e1f081 in g_timeout_dispatch (source=source@entry=0x555555864f00, callback=0x5555556a9b00 <timeout_callback>, user_data=0x555555864b20) at ../glib/gmain.c:4705
 #5  0x00007ffff7e1e570 in g_main_dispatch (context=0x5555557d9630) at ../glib/gmain.c:3216
 #6  g_main_context_dispatch (context=context@entry=0x5555557d9630) at ../glib/gmain.c:3881
 #7  0x00007ffff7e1e900 in g_main_context_iterate (context=0x5555557d9630, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:3954
 #8  0x00007ffff7e1ebf3 in g_main_loop_run (loop=0x5555557d75d0) at ../glib/gmain.c:4148
 #9  0x00005555556a9dbd in mainloop_run () at src/shared/mainloop-glib.c:79
 #10 0x00005555556aa36a in mainloop_run_with_signal (func=<optimized out>, user_data=0x0) at src/shared/mainloop-notify.c:201
 #11 0x00005555555bb9e3 in main (argc=<optimized out>, argv=<optimized out>) at src/main.c:770
BluezTestBot pushed a commit that referenced this issue Feb 10, 2022
The following trace can be observed sometimes when pairing 2 emulator
instances:

 src/adapter.c:store_link_key() Unable to load key file from
 /var/lib/bluetooth/9C:DA:3E:F2:8E:46/9C:B6:D0:8A:A0:0C/info: (No
such file or directory)
 GLib: g_file_set_contents: assertion 'error == NULL ||
*error == NULL' failed
 ++++++++ backtrace ++++++++
 #1  btd_backtrace+0x28a (src/backtrace.c:59) [0x7f65bb5ab53a]
 #2  g_logv+0x21c (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6)
 [0x7f65ba3f955c]
 #3  g_log+0x93 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6)
 [0x7f65ba3f9743]
 #4  g_file_set_contents+0x68
(/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3dca68]
 #5  store_link_key+0x30a (src/adapter.c:8235) [0x7f65bb61839a]
 #6  new_link_key_callback+0x474 (src/adapter.c:8285) [0x7f65bb62c904]
 #7  queue_foreach+0x164 (src/shared/queue.c:203) [0x7f65bb722e34]
 #8  can_read_data+0x59f (src/shared/mgmt.c:343) [0x7f65bb72e09f]
 #9  watch_callback+0x112 (src/shared/io-glib.c:162) [0x7f65bb78acb2]
 #10 g_main_context_dispatch+0x14e
(/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3f204e]
BluezTestBot pushed a commit that referenced this issue Feb 10, 2022
This patch fixes the out-of-bounds array access caught by the ASAN.

monitor/sdp.c:497:19: runtime error: index 8 out of bounds for type
'cont_data [8]'
=================================================================
==4180==ERROR: AddressSanitizer: global-buffer-overflow on address
0x7fe2d271a542 at pc 0x7fe2d174a57d bp 0x7ffc6dcac1d0 sp 0x7ffc6dcab978
WRITE of size 9 at 0x7fe2d271a542 thread T0
    #0 0x7fe2d174a57c  (/lib/x86_64-linux-gnu/libasan.so.5+0x9b57c)
    #1 0x7fe2d23bae85 in search_attr_rsp monitor/sdp.c:692
    #2 0x7fe2d23be3f1 in sdp_packet monitor/sdp.c:771
    #3 0x7fe2d23b004c in l2cap_frame monitor/l2cap.c:3247
    #4 0x7fe2d23b3d9c in l2cap_packet monitor/l2cap.c:3312
    #5 0x7fe2d237d5c3 in packet_hci_acldata monitor/packet.c:11638
    #6 0x7fe2d2381876 in packet_monitor monitor/packet.c:3967
    #7 0x7fe2d230b285 in data_callback monitor/control.c:973
    #8 0x7fe2d2447029 in mainloop_run src/shared/mainloop.c:106
    #9 0x7fe2d2449306 in mainloop_run_with_signal src/shared/mainloop-notify.c:188
    #10 0x7fe2d230324a in main monitor/main.c:290
    #11 0x7fe2d0b440b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #12 0x7fe2d2303b7d in _start (/home/han1/work/dev/bluez/monitor/btmon+0x1dbb7d)

0x7fe2d271a542 is located 30 bytes to the left of global variable 'tid_list'
defined in 'monitor/sdp.c:43:24' (0x7fe2d271a560) of size 384
0x7fe2d271a542 is located 2 bytes to the right of global variable 'cont_list'
defined in 'monitor/sdp.c:424:25' (0x7fe2d271a400) of size 320
SUMMARY: AddressSanitizer: global-buffer-overflow
(/lib/x86_64-linux-gnu/libasan.so.5+0x9b57c)
...
==4180==ABORTING
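The sanitizer report above has two bounds violations folded into one: an index of 8 into an 8-element array, and a 9-byte write that lands past the end of a global table. As an added example (not the btmon code the commit patched), here is a fixed-size continuation table of the same shape, written so that both the slot index and the payload length are checked before anything is written. The names `cont_store`, `cont_clear`, `cont_in_use`, `MAX_CONT_SLOTS` and `MAX_CONT_LEN` are assumptions for this example, and the blobs are constructed sample data.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Example only (not the btmon code): a fixed table of continuation
 * blobs in the shape of the 8-slot 'cont_data' array from the trace.
 * MAX_CONT_SLOTS and MAX_CONT_LEN are assumptions. */
#define MAX_CONT_SLOTS 8
#define MAX_CONT_LEN   16

struct cont_entry {
	uint16_t tid;                 /* transaction id owning the blob */
	uint8_t  len;                 /* 0 marks a free slot */
	uint8_t  data[MAX_CONT_LEN];
};

static struct cont_entry cont_list[MAX_CONT_SLOTS];

/* Constructed sample inputs: a 9-byte blob and one that is too large. */
const uint8_t sample_blob[9] = { 1, 2, 3, 4, 5, 6, 7, 8, 9 };
const uint8_t oversized_blob[MAX_CONT_LEN + 1] = { 0 };

/* Slot holding tid, else the first free slot, else -1 (table full).
 * The index comes from a bounded search, never from packet fields. */
static int cont_slot(uint16_t tid)
{
	int free_idx = -1;

	for (int i = 0; i < MAX_CONT_SLOTS; i++) {
		if (cont_list[i].len && cont_list[i].tid == tid)
			return i;
		if (!cont_list[i].len && free_idx < 0)
			free_idx = i;
	}
	return free_idx;
}

/* Store a blob for tid. Returns the slot index, -EINVAL for a bad
 * length, -ENOSPC when every slot is taken; never writes out of bounds. */
int cont_store(uint16_t tid, const uint8_t *data, size_t len)
{
	int idx;

	if (len == 0 || len > MAX_CONT_LEN)
		return -EINVAL;
	idx = cont_slot(tid);
	if (idx < 0)
		return -ENOSPC;

	cont_list[idx].tid = tid;
	cont_list[idx].len = (uint8_t)len;
	memcpy(cont_list[idx].data, data, len);
	return idx;
}

/* Release the slot held by tid; 1 if a slot was cleared, else 0. */
int cont_clear(uint16_t tid)
{
	for (int i = 0; i < MAX_CONT_SLOTS; i++) {
		if (cont_list[i].len && cont_list[i].tid == tid) {
			memset(&cont_list[i], 0, sizeof(cont_list[i]));
			return 1;
		}
	}
	return 0;
}

/* Number of slots currently in use. */
int cont_in_use(void)
{
	int n = 0;

	for (int i = 0; i < MAX_CONT_SLOTS; i++)
		n += cont_list[i].len != 0;
	return n;
}

int main(void)
{
	/* Fill all slots, then show that a ninth transaction is refused. */
	for (uint16_t tid = 1; tid <= MAX_CONT_SLOTS; tid++)
		cont_store(tid, sample_blob, sizeof(sample_blob));
	printf("in use: %d, ninth store: %d\n", cont_in_use(),
	       cont_store(9, sample_blob, sizeof(sample_blob)));
	return 0;
}
```

The point of the structure is that the only index ever used to write into `cont_list` is produced by `cont_slot`, whose loop bound is the array size, and the only length ever passed to `memcpy` has been compared against the element size; a full table or an oversized payload becomes an error return, which is what a parser of attacker-supplied continuation state needs.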
BluezTestBot pushed a commit that referenced this issue Mar 29, 2022
This fixes the following error for invalid read access when registering
filter for incoming messages:

140632==ERROR: AddressSanitizer: stack-buffer-overflow on address...
 #0 0x7f60c185741d in MemcmpInterceptorCommon(...
    #1 0x7f60c1857af8 in __interceptor_memcmp (/lib64/libasan.so...
    #2 0x55a10101536e in find_by_filter mesh/mesh-io-unit.c:494
    #3 0x55a1010d8c46 in l_queue_remove_if ell/queue.c:517
    #4 0x55a101014ebd in recv_register mesh/mesh-io-unit.c:506
    #5 0x55a10102946f in mesh_net_attach mesh/net.c:2885
    #6 0x55a101086f64 in send_reply mesh/dbus.c:153
    #7 0x55a101124c3d in handle_method_return ell/dbus.c:216
    #8 0x55a10112c8ef in message_read_handler ell/dbus.c:276
    #9 0x55a1010dae20 in io_callback ell/io.c:120
    #10 0x55a1010dff7e in l_main_iterate ell/main.c:478
    #11 0x55a1010e06e3 in l_main_run ell/main.c:525
    #12 0x55a1010e06e3 in l_main_run ell/main.c:507
    #13 0x55a1010e0bfc in l_main_run_with_signal ell/main.c:647
    #14 0x55a10100316e in main mesh/main.c:292
    #15 0x7f60c0c6855f in __libc_start_call_main (/lib64/libc.so.6+...
    #16 0x7f60c0c6860b in __libc_start_main_alias_1 (/lib64/libc.so.6+...
    #17 0x55a101003ce4 in _start (/home/istotlan/bluez/mesh/bluetooth-m...
pv added a commit to pv/bluez that referenced this issue Feb 5, 2023
The following ASAN crash is observed when media endpoint is unregistered
(stopping sound server) while streaming from remote BAP client:

ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0000474d8
READ of size 8 at 0x60b0000474d8 thread T0
    #0 0x7a27c6 in stream_set_state src/shared/bap.c:1227
    bluez#1 0x7aff61 in remove_streams src/shared/bap.c:2483
    bluez#2 0x71d2d0 in queue_foreach src/shared/queue.c:207
    bluez#3 0x7b0152 in bt_bap_remove_pac src/shared/bap.c:2501
    bluez#4 0x463cda in media_endpoint_destroy profiles/audio/media.c:179
    ...
0x60b0000474d8 is located 8 bytes inside of 112-byte region
freed by thread T0 here:
    #0 0x7f93b12b9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388)
    bluez#1 0x7a0504 in bap_stream_free src/shared/bap.c:972
    bluez#2 0x7a0800 in bap_stream_detach src/shared/bap.c:989
    bluez#3 0x7a26d1 in bap_stream_state_changed src/shared/bap.c:1208
    bluez#4 0x7a2ab4 in stream_set_state src/shared/bap.c:1252
    bluez#5 0x7ab18a in stream_release src/shared/bap.c:1985
    bluez#6 0x7c6919 in bt_bap_stream_release src/shared/bap.c:4572
    bluez#7 0x7aff50 in remove_streams src/shared/bap.c:2482
    ...
previously allocated by thread T0 here:
    #0 0x7f93b12ba6af in __interceptor_malloc (/lib64/libasan.so.8+0xba6af)
    bluez#1 0x71e9ae in util_malloc src/shared/util.c:43
    bluez#2 0x79c2f5 in bap_stream_new src/shared/bap.c:766
    bluez#3 0x7a4863 in ep_config src/shared/bap.c:1446
    bluez#4 0x7a4f22 in ascs_config src/shared/bap.c:1481
    ...

When stream->client is false, bt_bap_stream_release already sets the
stream to idle and frees it.

Fix the crash by not setting the state to idle for the second time,
in this case.
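The bug described in this commit message is a general one: a callee frees an object as a side effect under one condition, and the caller then touches the object without checking that condition. As an added example, not the src/shared/bap.c code, the model below reproduces the shape of the trace (release moves a server-owned stream to idle and frees it; the caller then sets idle a second time) and the fix the message describes. The `freed` flag is a tombstone standing in for the sanitizer's view of released memory, so nothing is actually freed and a use after "free" is counted rather than crashing; all names here (`stream_release`, `remove_stream_buggy`, `remove_stream_fixed`, `removal_faults`) are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Example only, not the bap.c code. The 'freed' flag is a tombstone for
 * the sanitizer's bookkeeping: nothing is really freed here. */
enum stream_state { STREAM_IDLE, STREAM_CONFIG, STREAM_STREAMING };

struct stream {
	enum stream_state state;
	bool client;   /* true: the remote side is the client */
	bool freed;    /* tombstone set by stream_free() */
};

static int uaf_faults;   /* accesses to a stream after stream_free() */

static void stream_free(struct stream *s)
{
	s->freed = true;   /* real code: detach and free(s) */
}

/* Like stream_set_state -> bap_stream_state_changed: entering IDLE on a
 * stream with client == false detaches and frees it as a side effect. */
static void stream_set_state(struct stream *s, enum stream_state st)
{
	if (s->freed) {
		uaf_faults++;          /* ASAN would report heap-use-after-free */
		return;
	}
	s->state = st;
	if (st == STREAM_IDLE && !s->client)
		stream_free(s);
}

/* Like bt_bap_stream_release. Returns true when the callee itself moved
 * the stream to IDLE and freed it, so the caller must not touch it again.
 * The answer is computed before the state change, never read back after. */
static bool stream_release(struct stream *s)
{
	bool frees = !s->client;

	stream_set_state(s, STREAM_IDLE);
	return frees;
}

/* Caller pattern from the trace: release, then set IDLE a second time. */
static void remove_stream_buggy(struct stream *s)
{
	stream_release(s);
	stream_set_state(s, STREAM_IDLE);   /* use-after-free when !client */
}

/* Fixed caller: only set IDLE when release did not already do it. */
static void remove_stream_fixed(struct stream *s)
{
	if (!stream_release(s))
		stream_set_state(s, STREAM_IDLE);
}

/* Run one removal on a fresh stream; returns the number of use-after-free
 * accesses observed (0 is the desired outcome). */
int removal_faults(bool client, bool fixed)
{
	struct stream s = { .state = STREAM_STREAMING, .client = client };

	uaf_faults = 0;
	if (fixed)
		remove_stream_fixed(&s);
	else
		remove_stream_buggy(&s);
	return uaf_faults;
}

int main(void)
{
	printf("buggy, server-owned stream: %d fault(s)\n",
	       removal_faults(false, false));
	printf("fixed, server-owned stream: %d fault(s)\n",
	       removal_faults(false, true));
	return 0;
}
```

The design choice worth copying is that `stream_release` reports whether it consumed the object, and decides that from state it read before the call that may free it; a caller that needs to know cannot find out afterwards by inspecting the object.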
pv added a commit to pv/bluez that referenced this issue Feb 14, 2023
Several types of use-after-free crashes can be found by making BAP sound
server delay its SetConfiguration response (eg. debugger breakpoint),
and disconnecting the device while bluetoothd waits for SetConfiguration
response.

One of these occurs in media.c:pac_clear

==5070==ERROR: AddressSanitizer: heap-use-after-free on address XXXX
READ of size 3 at 0x606000031640 thread T0
...
    bluez#4 0x559891 in btd_debug src/log.c:117
    bluez#5 0x46abfd in pac_clear profiles/audio/media.c:1096
    bluez#6 0x79fcaf in bap_stream_clear_cfm src/shared/bap.c:914
    bluez#7 0x7a060d in bap_stream_detach src/shared/bap.c:987
    bluez#8 0x7a25ea in bap_stream_state_changed src/shared/bap.c:1210
    bluez#9 0x7a29cd in stream_set_state src/shared/bap.c:1254
    bluez#10 0x7be824 in stream_foreach_detach src/shared/bap.c:3820
    bluez#11 0x71d15d in queue_foreach src/shared/queue.c:207
    bluez#12 0x7beb98 in bt_bap_detach src/shared/bap.c:3836
    bluez#13 0x5228cb in bap_disconnect profiles/audio/bap.c:1342
    bluez#14 0x63247c in btd_service_disconnect src/service.c:305
...

which crashes trying to address the path string stored in bt_bap_stream
user data, which has been freed eg. via

freed by thread T0 here:
    #0 0x7f16708b9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388)
    bluez#1 0x7f167071b8cc in g_free (/lib64/libglib-2.0.so.0+0x5b8cc)
    bluez#2 0x7047b7 in remove_interface gdbus/object.c:660
    bluez#3 0x70aef6 in g_dbus_unregister_interface gdbus/object.c:1394
    bluez#4 0x47be30 in media_transport_destroy profiles/audio/transport.c:217
    bluez#5 0x464ab9 in endpoint_remove_transport profiles/audio/media.c:270
    bluez#6 0x464d26 in clear_configuration profiles/audio/media.c:292
    bluez#7 0x464e69 in clear_endpoint profiles/audio/media.c:300
    bluez#8 0x46516e in endpoint_reply profiles/audio/media.c:325
...

or

freed by thread T0 here:
    #0 0x7ff2b2ab9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388)
    bluez#1 0x51b1fe in ep_free profiles/audio/bap.c:513
    bluez#2 0x704cfa in remove_interface gdbus/object.c:660
    bluez#3 0x70b439 in g_dbus_unregister_interface gdbus/object.c:1394
    bluez#4 0x516d6d in ep_unregister profiles/audio/bap.c:102
    bluez#5 0x522bd1 in ep_remove profiles/audio/bap.c:1352
    bluez#6 0x71e06a in queue_remove_if src/shared/queue.c:279
    bluez#7 0x71e69e in queue_remove_all src/shared/queue.c:321
    bluez#8 0x522d00 in bap_disconnect profiles/audio/bap.c:1362
...

The cause is that the path string is owned either by media transports or
media endpoints, and their lifetime does not necessarily match that of
the BAP stream, so that the user data may already be freed when
pac_clear is entered.

Fix the crash in pac_clear by matching the transports by their stream
pointer, not using the potentially invalid user data, following the
unmerged v3 version of the problematic patch.

Fixes: 7b1b1a4 ("media: clear the right transport when clearing BAP endpoint")
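The root cause stated above is a lifetime mismatch: the stream's user data is a pointer into memory owned by a transport or endpoint that can be torn down first, and the lookup that dereferences it runs later. As an added example, not the profiles/audio code, the model below shows the two lookups side by side: the old one keyed on the path string reached through `user_data`, and the fixed one keyed on the stream pointer the caller already holds. Tear-down scribbles the path and marks the slot dead instead of calling free(), so `path_is_live` can count the dangling read the way a sanitizer would instead of crashing; `transport_create`, `transport_destroy`, `find_by_user_data`, `find_by_stream`, `clear_lookup` and the object path are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Example only, not the profiles/audio code. A transport owns its object
 * path; the stream's user_data merely points at it, so it dangles once the
 * transport is torn down first. Tear-down scribbles the path and marks the
 * slot dead instead of calling free(), so path_is_live() can count the
 * dangling read rather than letting it crash. */
struct stream {
	const void *user_data;   /* path string owned by some transport */
};

struct transport {
	char path[48];
	const struct stream *stream;
	bool live;
};

#define MAX_TRANSPORTS 4
static struct transport transports[MAX_TRANSPORTS];
static int uaf_faults;

static struct transport *transport_create(const char *path,
					  const struct stream *s)
{
	for (int i = 0; i < MAX_TRANSPORTS; i++) {
		if (transports[i].live)
			continue;
		snprintf(transports[i].path, sizeof(transports[i].path), "%s", path);
		transports[i].stream = s;
		transports[i].live = true;
		return &transports[i];
	}
	return NULL;
}

/* Like media_transport_destroy: the path goes away, stream->user_data
 * does not. */
static void transport_destroy(struct transport *t)
{
	memset(t->path, 0, sizeof(t->path));   /* real code: free(path) */
	t->live = false;
}

/* Stand-in for the sanitizer's bookkeeping: does p point at a live path? */
static bool path_is_live(const void *p)
{
	for (int i = 0; i < MAX_TRANSPORTS; i++)
		if (transports[i].live && transports[i].path == p)
			return true;
	return false;
}

/* Old lookup: match by the path string held in stream user data. Reading
 * that string after the transport is gone is the use-after-free. */
static struct transport *find_by_user_data(const struct stream *s)
{
	const char *path = s->user_data;

	if (!path_is_live(path)) {
		uaf_faults++;   /* real code would strcmp() freed memory here */
		return NULL;
	}
	for (int i = 0; i < MAX_TRANSPORTS; i++)
		if (transports[i].live && strcmp(transports[i].path, path) == 0)
			return &transports[i];
	return NULL;
}

/* Fixed lookup: match on the stream pointer the caller already holds;
 * user_data is never consulted. */
static struct transport *find_by_stream(const struct stream *s)
{
	for (int i = 0; i < MAX_TRANSPORTS; i++)
		if (transports[i].live && transports[i].stream == s)
			return &transports[i];
	return NULL;
}

/* One stream with one transport; when destroy_first, the transport is torn
 * down before the stream is cleared (the endpoint_reply ordering from the
 * trace). Returns 1 found, 0 not found, -1 use-after-free. */
int clear_lookup(bool destroy_first, bool fixed)
{
	struct stream s = { .user_data = NULL };
	struct transport *t, *found;
	int result;

	/* constructed path in the shape of a bluez transport object path */
	t = transport_create("/org/bluez/hci0/dev_EXAMPLE/fd0", &s);
	s.user_data = t->path;
	if (destroy_first)
		transport_destroy(t);

	uaf_faults = 0;
	found = fixed ? find_by_stream(&s) : find_by_user_data(&s);
	result = uaf_faults ? -1 : (found ? 1 : 0);

	if (t->live)
		transport_destroy(t);   /* leave the slot free for the next run */
	return result;
}

int main(void)
{
	printf("by user_data after destroy: %d\n", clear_lookup(true, false));
	printf("by stream after destroy:    %d\n", clear_lookup(true, true));
	return 0;
}
```

With the fixed lookup, clearing a stream whose transport is already gone simply finds nothing, which is the correct answer: there is nothing left to clear. Keying a lookup on an identity the caller is guaranteed to hold valid, rather than on data whose owner may have died, is the general remedy for this class of bug.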
pv added a commit to pv/bluez that referenced this issue Feb 14, 2023
When freeing streams, clear local PACs also in bt_bap_detach.
Otherwise, media.c may call stream callbacks thinking the stream is
still alive.

Fixes ASAN crash on disconnect before error return from SetConfiguration
DBus call:

ERROR: AddressSanitizer: heap-use-after-free on address 0x60b00002eb90
READ of size 8 at 0x60b00002eb90 thread T0
    #0 0x7a4892 in bap_stream_config_cfm_cb src/shared/bap.c:3201
    bluez#1 0x4688fb in pac_config_cb profiles/audio/media.c:1010
    bluez#2 0x462164 in media_endpoint_cancel profiles/audio/media.c:157
    bluez#3 0x462243 in media_endpoint_cancel_all profiles/audio/media.c:165
    bluez#4 0x46365b in clear_endpoint profiles/audio/media.c:297
    bluez#5 0x463a21 in endpoint_reply profiles/audio/media.c:325
...
freed by thread T0 here:
    #0 0x7eff644b9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388)
    bluez#1 0x78d8cc in bap_stream_free src/shared/bap.c:974
    bluez#2 0x78dbc8 in bap_stream_detach src/shared/bap.c:991
    bluez#3 0x78fa43 in bap_stream_state_changed src/shared/bap.c:1210
    bluez#4 0x78fe26 in stream_set_state src/shared/bap.c:1254
    bluez#5 0x7ab5ce in stream_foreach_detach src/shared/bap.c:3820
    bluez#6 0x70ce06 in queue_foreach src/shared/queue.c:207
    bluez#7 0x7ab942 in bt_bap_detach src/shared/bap.c:3836
    bluez#8 0x51da7a in bap_disconnect profiles/audio/bap.c:1342
    bluez#9 0x626e57 in btd_service_disconnect src/service.c:305
pv added a commit to pv/bluez that referenced this issue Feb 14, 2023
Each BAP media transport is associated with a BAP stream. Change their
lookup to use the stream pointer, not path strings stored in BAP stream
user data.

This also fixes use-after-free crashes in pac_clear.  They occur because
the lifetime of the path string is either that of media transport or
media endpoint, which may be shorter than the BAP stream.  In this case,
pac_clear is entered with invalid pointer in stream user data, which
crashes.

There are a few code paths for this:

ERROR: AddressSanitizer: heap-use-after-free on address XXXX
READ of size 3 at 0x606000031640 thread T0
...
    bluez#4 0x559891 in btd_debug src/log.c:117
    bluez#5 0x46abfd in pac_clear profiles/audio/media.c:1096
    bluez#6 0x79fcaf in bap_stream_clear_cfm src/shared/bap.c:914
    bluez#7 0x7a060d in bap_stream_detach src/shared/bap.c:987
    bluez#8 0x7a25ea in bap_stream_state_changed src/shared/bap.c:1210
    bluez#9 0x7a29cd in stream_set_state src/shared/bap.c:1254
    bluez#10 0x7be824 in stream_foreach_detach src/shared/bap.c:3820
    bluez#11 0x71d15d in queue_foreach src/shared/queue.c:207
    bluez#12 0x7beb98 in bt_bap_detach src/shared/bap.c:3836
    bluez#13 0x5228cb in bap_disconnect profiles/audio/bap.c:1342
    bluez#14 0x63247c in btd_service_disconnect src/service.c:305
freed by thread T0 here:
    #0 0x7f16708b9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388)
    bluez#1 0x7f167071b8cc in g_free (/lib64/libglib-2.0.so.0+0x5b8cc)
    bluez#2 0x7047b7 in remove_interface gdbus/object.c:660
    bluez#3 0x70aef6 in g_dbus_unregister_interface gdbus/object.c:1394
    bluez#4 0x47be30 in media_transport_destroy profiles/audio/transport.c:217
    bluez#5 0x464ab9 in endpoint_remove_transport profiles/audio/media.c:270
    bluez#6 0x464d26 in clear_configuration profiles/audio/media.c:292
    bluez#7 0x464e69 in clear_endpoint profiles/audio/media.c:300
    bluez#8 0x46516e in endpoint_reply profiles/audio/media.c:325
...

Fixes: 7b1b1a4 ("media: clear the right transport when clearing BAP endpoint")
pv added a commit to pv/bluez that referenced this issue Feb 14, 2023
Fixes ASAN crash on disconnect occurring before error return from
SetConfiguration DBus call:

ERROR: AddressSanitizer: heap-use-after-free on address 0x60b00002eb90
READ of size 8 at 0x60b00002eb90 thread T0
    #0 0x7a4892 in bap_stream_config_cfm_cb src/shared/bap.c:3201
    bluez#1 0x4688fb in pac_config_cb profiles/audio/media.c:1010
    bluez#2 0x462164 in media_endpoint_cancel profiles/audio/media.c:157
    bluez#3 0x462243 in media_endpoint_cancel_all profiles/audio/media.c:165
    bluez#4 0x46365b in clear_endpoint profiles/audio/media.c:297
    bluez#5 0x463a21 in endpoint_reply profiles/audio/media.c:325
...
freed by thread T0 here:
    #0 0x7eff644b9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388)
    bluez#1 0x78d8cc in bap_stream_free src/shared/bap.c:974
    bluez#2 0x78dbc8 in bap_stream_detach src/shared/bap.c:991
    bluez#3 0x78fa43 in bap_stream_state_changed src/shared/bap.c:1210
    bluez#4 0x78fe26 in stream_set_state src/shared/bap.c:1254
    bluez#5 0x7ab5ce in stream_foreach_detach src/shared/bap.c:3820
    bluez#6 0x70ce06 in queue_foreach src/shared/queue.c:207
    bluez#7 0x7ab942 in bt_bap_detach src/shared/bap.c:3836
    bluez#8 0x51da7a in bap_disconnect profiles/audio/bap.c:1342
    bluez#9 0x626e57 in btd_service_disconnect src/service.c:305
pv added a commit to pv/bluez that referenced this issue Feb 14, 2023
Each BAP media transport is associated with a BAP stream. Change their
lookup to use the stream pointer, not path strings stored in BAP stream
user data.

This also fixes use-after-free crashes in pac_clear.  They occur because
the lifetime of the path string is either that of media transport or
media endpoint, which may be shorter than the BAP stream.  In this case,
pac_clear is entered with invalid pointer in stream user data, which
crashes.

There are a few code paths for this, which can be reproduced by making
sound server delay its SetConfiguration response (e.g. gdb breakpoint),
and disconnecting before it replies:

ERROR: AddressSanitizer: heap-use-after-free on address XXXX
READ of size 3 at 0x606000031640 thread T0
...
    bluez#4 0x559891 in btd_debug src/log.c:117
    bluez#5 0x46abfd in pac_clear profiles/audio/media.c:1096
    bluez#6 0x79fcaf in bap_stream_clear_cfm src/shared/bap.c:914
    bluez#7 0x7a060d in bap_stream_detach src/shared/bap.c:987
    bluez#8 0x7a25ea in bap_stream_state_changed src/shared/bap.c:1210
    bluez#9 0x7a29cd in stream_set_state src/shared/bap.c:1254
    bluez#10 0x7be824 in stream_foreach_detach src/shared/bap.c:3820
    bluez#11 0x71d15d in queue_foreach src/shared/queue.c:207
    bluez#12 0x7beb98 in bt_bap_detach src/shared/bap.c:3836
    bluez#13 0x5228cb in bap_disconnect profiles/audio/bap.c:1342
    bluez#14 0x63247c in btd_service_disconnect src/service.c:305
freed by thread T0 here:
    #0 0x7f16708b9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388)
    bluez#1 0x7f167071b8cc in g_free (/lib64/libglib-2.0.so.0+0x5b8cc)
    bluez#2 0x7047b7 in remove_interface gdbus/object.c:660
    bluez#3 0x70aef6 in g_dbus_unregister_interface gdbus/object.c:1394
    bluez#4 0x47be30 in media_transport_destroy profiles/audio/transport.c:217
    bluez#5 0x464ab9 in endpoint_remove_transport profiles/audio/media.c:270
    bluez#6 0x464d26 in clear_configuration profiles/audio/media.c:292
    bluez#7 0x464e69 in clear_endpoint profiles/audio/media.c:300
    bluez#8 0x46516e in endpoint_reply profiles/audio/media.c:325
...

Fixes: 7b1b1a4 ("media: clear the right transport when clearing BAP endpoint")
pv added a commit to pv/bluez that referenced this issue Feb 14, 2023
Each BAP media transport is associated with a BAP stream. Change their
lookup to use the stream pointer, not path strings stored in BAP stream
user data.

This also fixes use-after-free crashes in pac_clear.  They occur because
the lifetime of the path string is either that of the media transport or
the media endpoint, which may be shorter than that of the BAP stream.  In
this case, pac_clear is entered with an invalid pointer in the stream
user data, which crashes.

There are a few code paths for this. One can be reproduced by making the
sound server delay its SetConfiguration response (e.g. gdb breakpoint)
to get a dbus timeout, then disconnecting:

ERROR: AddressSanitizer: heap-use-after-free on address XXXX
READ of size 3 at 0x606000031640 thread T0
...
    #4 0x559891 in btd_debug src/log.c:117
    #5 0x46abfd in pac_clear profiles/audio/media.c:1096
    #6 0x79fcaf in bap_stream_clear_cfm src/shared/bap.c:914
    #7 0x7a060d in bap_stream_detach src/shared/bap.c:987
    #8 0x7a25ea in bap_stream_state_changed src/shared/bap.c:1210
    #9 0x7a29cd in stream_set_state src/shared/bap.c:1254
    #10 0x7be824 in stream_foreach_detach src/shared/bap.c:3820
    #11 0x71d15d in queue_foreach src/shared/queue.c:207
    #12 0x7beb98 in bt_bap_detach src/shared/bap.c:3836
    #13 0x5228cb in bap_disconnect profiles/audio/bap.c:1342
    #14 0x63247c in btd_service_disconnect src/service.c:305
freed by thread T0 here:
    #0 0x7f16708b9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388)
    #1 0x7f167071b8cc in g_free (/lib64/libglib-2.0.so.0+0x5b8cc)
    #2 0x7047b7 in remove_interface gdbus/object.c:660
    #3 0x70aef6 in g_dbus_unregister_interface gdbus/object.c:1394
    #4 0x47be30 in media_transport_destroy profiles/audio/transport.c:217
    #5 0x464ab9 in endpoint_remove_transport profiles/audio/media.c:270
    #6 0x464d26 in clear_configuration profiles/audio/media.c:292
    #7 0x464e69 in clear_endpoint profiles/audio/media.c:300
    #8 0x46516e in endpoint_reply profiles/audio/media.c:325
...

Fixes: 7b1b1a4 ("media: clear the right transport when clearing BAP endpoint")
pv added a commit to pv/bluez that referenced this issue Feb 14, 2023
Don't call configuration callback if stream's transport was cleared in
the meantime.

Fixes ASAN crash on disconnect while waiting for SetConfiguration DBus
reply:

ERROR: AddressSanitizer: heap-use-after-free on address 0x60b00002eb90
READ of size 8 at 0x60b00002eb90 thread T0
    #0 0x7a4892 in bap_stream_config_cfm_cb src/shared/bap.c:3201
    #1 0x4688fb in pac_config_cb profiles/audio/media.c:1010
    #2 0x462164 in media_endpoint_cancel profiles/audio/media.c:157
    #3 0x462243 in media_endpoint_cancel_all profiles/audio/media.c:165
    #4 0x46365b in clear_endpoint profiles/audio/media.c:297
    #5 0x463a21 in endpoint_reply profiles/audio/media.c:325
...
freed by thread T0 here:
    #0 0x7eff644b9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388)
    #1 0x78d8cc in bap_stream_free src/shared/bap.c:974
    #2 0x78dbc8 in bap_stream_detach src/shared/bap.c:991
    #3 0x78fa43 in bap_stream_state_changed src/shared/bap.c:1210
    #4 0x78fe26 in stream_set_state src/shared/bap.c:1254
    #5 0x7ab5ce in stream_foreach_detach src/shared/bap.c:3820
    #6 0x70ce06 in queue_foreach src/shared/queue.c:207
    #7 0x7ab942 in bt_bap_detach src/shared/bap.c:3836
    #8 0x51da7a in bap_disconnect profiles/audio/bap.c:1342
    #9 0x626e57 in btd_service_disconnect src/service.c:305
pv added a commit to pv/bluez that referenced this issue Feb 15, 2023
pv added a commit to pv/bluez that referenced this issue Feb 15, 2023
pv added a commit to pv/bluez that referenced this issue Feb 15, 2023
To look up transports, use BAP stream pointers associated with them, not
the path strings stored in the stream user data. This makes it clearer
that transports presented to the sound server correspond to the actual
streams.

This fixes use-after-free crashes in pac_clear.  They occur because the
lifetime of the path string is either that of the media transport or the
media endpoint, which may be shorter than that of the BAP stream.  In
such a case, pac_clear is entered with an invalid pointer in the stream
user data, which crashes.  There are a few code paths for this. One is
making the sound server delay its SetConfiguration response (e.g. gdb
breakpoint) to get a dbus timeout, then disconnecting:

ERROR: AddressSanitizer: heap-use-after-free on address XXXX
READ of size 3 at 0x606000031640 thread T0
...
    #4 0x559891 in btd_debug src/log.c:117
    #5 0x46abfd in pac_clear profiles/audio/media.c:1096
    #6 0x79fcaf in bap_stream_clear_cfm src/shared/bap.c:914
    #7 0x7a060d in bap_stream_detach src/shared/bap.c:987
    #8 0x7a25ea in bap_stream_state_changed src/shared/bap.c:1210
    #9 0x7a29cd in stream_set_state src/shared/bap.c:1254
    #10 0x7be824 in stream_foreach_detach src/shared/bap.c:3820
    #11 0x71d15d in queue_foreach src/shared/queue.c:207
    #12 0x7beb98 in bt_bap_detach src/shared/bap.c:3836
    #13 0x5228cb in bap_disconnect profiles/audio/bap.c:1342
    #14 0x63247c in btd_service_disconnect src/service.c:305
freed by thread T0 here:
    #0 0x7f16708b9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388)
    #1 0x7f167071b8cc in g_free (/lib64/libglib-2.0.so.0+0x5b8cc)
    #2 0x7047b7 in remove_interface gdbus/object.c:660
    #3 0x70aef6 in g_dbus_unregister_interface gdbus/object.c:1394
    #4 0x47be30 in media_transport_destroy profiles/audio/transport.c:217
    #5 0x464ab9 in endpoint_remove_transport profiles/audio/media.c:270
    #6 0x464d26 in clear_configuration profiles/audio/media.c:292
    #7 0x464e69 in clear_endpoint profiles/audio/media.c:300
    #8 0x46516e in endpoint_reply profiles/audio/media.c:325
...

Fixes: 7b1b1a4 ("media: clear the right transport when clearing BAP endpoint")
pv added a commit to pv/bluez that referenced this issue Feb 15, 2023
pv added a commit to pv/bluez that referenced this issue Feb 15, 2023
pv added a commit to pv/bluez that referenced this issue Feb 15, 2023
pv added a commit to pv/bluez that referenced this issue Feb 19, 2023
To look up transports, use BAP stream pointers associated with them, not
the path strings stored in the stream user data. This makes it clearer
that transports presented to the sound server correspond to the actual
streams.  The Acquire/etc. of BAP transports are already tied to the
associated stream.

This fixes use-after-free crashes in pac_clear.  They occur because the
lifetime of the path string was either that of the media transport or the
media endpoint, which may be shorter than that of the BAP stream.  In
such a case, pac_clear is entered with an invalid pointer in the stream
user data, leading to a crash.  There are a few code paths for this, e.g.
making the sound server delay its SetConfiguration response (e.g. gdb
breakpoint) to get a dbus timeout, then disconnecting:

ERROR: AddressSanitizer: heap-use-after-free on address XXXX
READ of size 3 at 0x606000031640 thread T0
...
    #4 0x559891 in btd_debug src/log.c:117
    #5 0x46abfd in pac_clear profiles/audio/media.c:1096
    #6 0x79fcaf in bap_stream_clear_cfm src/shared/bap.c:914
    #7 0x7a060d in bap_stream_detach src/shared/bap.c:987
    #8 0x7a25ea in bap_stream_state_changed src/shared/bap.c:1210
    #9 0x7a29cd in stream_set_state src/shared/bap.c:1254
    #10 0x7be824 in stream_foreach_detach src/shared/bap.c:3820
    #11 0x71d15d in queue_foreach src/shared/queue.c:207
    #12 0x7beb98 in bt_bap_detach src/shared/bap.c:3836
    #13 0x5228cb in bap_disconnect profiles/audio/bap.c:1342
    #14 0x63247c in btd_service_disconnect src/service.c:305
freed by thread T0 here:
    #0 0x7f16708b9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388)
    #1 0x7f167071b8cc in g_free (/lib64/libglib-2.0.so.0+0x5b8cc)
    #2 0x7047b7 in remove_interface gdbus/object.c:660
    #3 0x70aef6 in g_dbus_unregister_interface gdbus/object.c:1394
    #4 0x47be30 in media_transport_destroy profiles/audio/transport.c:217
    #5 0x464ab9 in endpoint_remove_transport profiles/audio/media.c:270
    #6 0x464d26 in clear_configuration profiles/audio/media.c:292
    #7 0x464e69 in clear_endpoint profiles/audio/media.c:300
    #8 0x46516e in endpoint_reply profiles/audio/media.c:325
...

Fixes: 7b1b1a4 ("media: clear the right transport when clearing BAP endpoint")
pv added a commit to pv/bluez that referenced this issue Feb 19, 2023
Don't call configuration callback if stream's transport was cleared in
the meantime.  The clear callback is called just before the stream is
freed.

Fixes ASAN crash on disconnect while waiting for SetConfiguration DBus
reply:

ERROR: AddressSanitizer: heap-use-after-free on address 0x60b00002eb90
READ of size 8 at 0x60b00002eb90 thread T0
    #0 0x7a4892 in bap_stream_config_cfm_cb src/shared/bap.c:3201
    #1 0x4688fb in pac_config_cb profiles/audio/media.c:1010
    #2 0x462164 in media_endpoint_cancel profiles/audio/media.c:157
    #3 0x462243 in media_endpoint_cancel_all profiles/audio/media.c:165
    #4 0x46365b in clear_endpoint profiles/audio/media.c:297
    #5 0x463a21 in endpoint_reply profiles/audio/media.c:325
...
freed by thread T0 here:
    #0 0x7eff644b9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388)
    #1 0x78d8cc in bap_stream_free src/shared/bap.c:974
    #2 0x78dbc8 in bap_stream_detach src/shared/bap.c:991
    #3 0x78fa43 in bap_stream_state_changed src/shared/bap.c:1210
    #4 0x78fe26 in stream_set_state src/shared/bap.c:1254
    #5 0x7ab5ce in stream_foreach_detach src/shared/bap.c:3820
    #6 0x70ce06 in queue_foreach src/shared/queue.c:207
    #7 0x7ab942 in bt_bap_detach src/shared/bap.c:3836
    #8 0x51da7a in bap_disconnect profiles/audio/bap.c:1342
    #9 0x626e57 in btd_service_disconnect src/service.c:305
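The two Feb 19 commits above describe one ownership problem from two sides: the sound server's D-Bus transport can be torn down (unregister, SetConfiguration timeout, disconnect) while the BAP stream that borrowed its object path string is still alive, so the stream's user data dangles; and a late configuration reply must not run the callback once the transport is gone. The block below is an added example, a constructed C model and not bluez code: it keeps the transport's own data in the transport, looks transports up by the stream pointer (a key that is still live whenever the lookup runs), and lets pac_clear and pac_config_cb notice a missing transport instead of dereferencing freed memory. Struct names and the functions transport_create, find_transport_by_stream, pac_clear, pac_config_cb and mark_configured are hypothetical and only borrow their names from the commit text.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the lifetime problem; not bluez's media.c. */
enum stream_state { STREAM_IDLE, STREAM_CONFIGURED, STREAM_RELEASED };

struct bap_stream {
	int id;
	enum stream_state state;
};

struct media_transport {
	char *path;                   /* owned by the transport, freed with it */
	struct bap_stream *stream;    /* the stable key used for lookups */
	struct media_transport *next;
};

static struct media_transport *transports;   /* all live transports */

static char *copy_string(const char *s)
{
	size_t n = strlen(s) + 1;
	char *p = malloc(n);
	if (p)
		memcpy(p, s, n);
	return p;
}

struct media_transport *transport_create(struct bap_stream *stream, const char *path)
{
	struct media_transport *t = calloc(1, sizeof(*t));
	if (!t)
		return NULL;
	t->path = copy_string(path);   /* the old design stashed this pointer in the stream */
	t->stream = stream;
	t->next = transports;
	transports = t;
	return t;
}

/* Lookup by stream pointer: the stream is alive whenever this runs, so the
 * key itself can never be a freed object, unlike a borrowed path string. */
struct media_transport *find_transport_by_stream(const struct bap_stream *stream)
{
	struct media_transport *t;
	for (t = transports; t; t = t->next)
		if (t->stream == stream)
			return t;
	return NULL;
}

/* The sound-server side goes away first (unregister, D-Bus timeout, disconnect). */
void transport_destroy(struct media_transport *t)
{
	struct media_transport **pp;
	for (pp = &transports; *pp; pp = &(*pp)->next) {
		if (*pp == t) {
			*pp = t->next;
			break;
		}
	}
	free(t->path);
	free(t);
}

/* Stream detach path. With no transport left there is nothing to clear,
 * and nothing freed is touched. Returns whether a transport was cleared. */
bool pac_clear(struct bap_stream *stream)
{
	struct media_transport *t = find_transport_by_stream(stream);
	stream->state = STREAM_RELEASED;
	if (!t)
		return false;
	transport_destroy(t);
	return true;
}

/* Late SetConfiguration reply: run the configuration callback only if the
 * stream's transport still exists. Returns whether it was invoked. */
bool pac_config_cb(struct bap_stream *stream, void (*cfm)(struct bap_stream *))
{
	if (!find_transport_by_stream(stream))
		return false;
	cfm(stream);
	return true;
}

/* Example configuration callback for pac_config_cb. */
void mark_configured(struct bap_stream *stream)
{
	stream->state = STREAM_CONFIGURED;
}

int transport_count(void)
{
	int n = 0;
	struct media_transport *t;
	for (t = transports; t; t = t->next)
		n++;
	return n;
}
```

The point of the pointer key is not speed but ownership: the list entry is removed in transport_destroy, so a stream that outlives its transport gets a clean NULL from the lookup rather than whatever the allocator has since put where the path string used to be.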
pv added a commit to pv/bluez that referenced this issue Feb 23, 2023
Always free BAP stream in bt_bap_stream_release if it is not attached to
a client session, simplifying the cleanup.

Fixes the following ASAN crash, observed when the media endpoint is
unregistered (stopping the sound server) while streaming from a remote
BAP client:

ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0000474d8
READ of size 8 at 0x60b0000474d8 thread T0
    #0 0x7a27c6 in stream_set_state src/shared/bap.c:1227
    #1 0x7aff61 in remove_streams src/shared/bap.c:2483
    #2 0x71d2d0 in queue_foreach src/shared/queue.c:207
    #3 0x7b0152 in bt_bap_remove_pac src/shared/bap.c:2501
    #4 0x463cda in media_endpoint_destroy profiles/audio/media.c:179
    ...
0x60b0000474d8 is located 8 bytes inside of 112-byte region
freed by thread T0 here:
    #0 0x7f93b12b9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388)
    #1 0x7a0504 in bap_stream_free src/shared/bap.c:972
    #2 0x7a0800 in bap_stream_detach src/shared/bap.c:989
    #3 0x7a26d1 in bap_stream_state_changed src/shared/bap.c:1208
    #4 0x7a2ab4 in stream_set_state src/shared/bap.c:1252
    #5 0x7ab18a in stream_release src/shared/bap.c:1985
    #6 0x7c6919 in bt_bap_stream_release src/shared/bap.c:4572
    #7 0x7aff50 in remove_streams src/shared/bap.c:2482
    ...
previously allocated by thread T0 here:
    #0 0x7f93b12ba6af in __interceptor_malloc (/lib64/libasan.so.8+0xba6af)
    #1 0x71e9ae in util_malloc src/shared/util.c:43
    #2 0x79c2f5 in bap_stream_new src/shared/bap.c:766
    #3 0x7a4863 in ep_config src/shared/bap.c:1446
    #4 0x7a4f22 in ascs_config src/shared/bap.c:1481
    ...
pv added a commit to pv/bluez that referenced this issue Feb 23, 2023
pv added a commit to pv/bluez that referenced this issue Feb 24, 2023
pv added a commit to pv/bluez that referenced this issue Feb 24, 2023
pv added a commit to pv/bluez that referenced this issue Feb 24, 2023
pv added a commit to pv/bluez that referenced this issue Mar 6, 2023
BluezTestBot pushed a commit that referenced this issue Mar 31, 2023
The following crash can be observed if the remote peer sends an
unsupported event:

ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000148f11
 at pc 0x559644552088 bp 0x7ffe28b3c7b0 sp 0x7ffe28b3c7a0
 WRITE of size 1 at 0x60b000148f11 thread T0
     #0 0x559644552087 in avrcp_handle_event profiles/audio/avrcp.c:3907
     #1 0x559644536c22 in control_response profiles/audio/avctp.c:939
     #2 0x5596445379ab in session_cb profiles/audio/avctp.c:1108
     #3 0x7fbcb3e51c43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43)
     #4 0x7fbcb3ea66c7  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xaa6c7)
     #5 0x7fbcb3e512b2 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2)
     #6 0x559644754ab6 in mainloop_run src/shared/mainloop-glib.c:66
     #7 0x559644755606 in mainloop_run_with_signal src/shared/mainloop-notify.c:188
     #8 0x5596445bb963 in main src/main.c:1289
     #9 0x7fbcb3bafd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
     #10 0x7fbcb3bafe3f in __libc_start_main_impl ../csu/libc-start.c:392
     #11 0x5596444e8224 in _start (/usr/local/libexec/bluetooth/bluetoothd+0xf0224)
BluezTestBot pushed a commit that referenced this issue Sep 19, 2023
It seems like some implementation of vasprintf set the content of the
str to NULL rather then returning -1 causing the following errors:

=================================================================
==216204==ERROR: AddressSanitizer: attempting free on address which
was not malloc()-ed: 0x55e787722cf0 in thread T0
      #0 0x55e784f75872 in __interceptor_free.part.0 asan_malloc_linux.cpp.o
      #1 0x55e7850e55f9 in bt_log_vprintf
/usr/src/debug/bluez-git/bluez-git/src/shared/log.c:154:2
      #2 0x55e78502db18 in monitor_log
/usr/src/debug/bluez-git/bluez-git/src/log.c:40:2
      #3 0x55e78502dab4 in info
/usr/src/debug/bluez-git/bluez-git/src/log.c:52:2
      #4 0x55e78502e314 in __btd_log_init
/usr/src/debug/bluez-git/bluez-git/src/log.c:179:2
      #5 0x55e78502aa63 in main
/usr/src/debug/bluez-git/bluez-git/src/main.c:1388:2
      #6 0x7f1d5fe27ccf  (/usr/lib/libc.so.6+0x27ccf) (BuildId:
316d0d3666387f0e8fb98773f51aa1801027c5ab)
      #7 0x7f1d5fe27d89 in __libc_start_main
(/usr/lib/libc.so.6+0x27d89) (BuildId:
316d0d3666387f0e8fb98773f51aa1801027c5ab)
      #8 0x55e784e88084 in _start
(/usr/lib/bluetooth/bluetoothd+0x36084) (BuildId:
19348ea642303b701c033d773055becb623fe79a)
  Address 0x55e787722cf0 is a wild pointer inside of access range of
size 0x000000000001.
  SUMMARY: AddressSanitizer: bad-free asan_malloc_linux.cpp.o in
__interceptor_free.part.0
  ==216204==ABORTING
сен 18 13:10:02 archlinux systemd[1]: bluetooth.service: Main process
exited, code=exited, status=1/FAILURE
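An added example, not bluez code, of the defensive pattern this fix calls for: the pointer handed to free() is only trusted when both vasprintf's return value and the pointer itself say the call succeeded. `nulling_vasprintf` is a constructed stand-in for the misbehaving implementation described above; `format_with` and `log_printf_with` are hypothetical names.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int vasprintf(char **strp, const char *fmt, va_list ap); /* in case stdio.h hid it */

typedef int (*vasprintf_fn)(char **strp, const char *fmt, va_list ap);

/* Format with a vasprintf-style implementation; returns a heap string or
 * NULL. Pre-setting str and checking BOTH the return value and the pointer
 * covers every failure behaviour: returning -1, storing NULL, or leaving
 * *strp untouched (a wild pointer, which is what the bad-free above frees). */
static char *format_with(vasprintf_fn impl, const char *fmt, va_list ap)
{
    char *str = NULL;
    int ret = impl(&str, fmt, ap);
    return (ret < 0 || str == NULL) ? NULL : str;
}

/* Same shape as the logging path in the trace: format, emit, free. Returns
 * the message length, or -1 when the message was dropped, so free() is only
 * reached with a pointer the implementation handed back on success. */
int log_printf_with(vasprintf_fn impl, const char *fmt, ...)
{
    va_list ap;
    char *str;
    int len;
    va_start(ap, fmt);
    str = format_with(impl, fmt, ap);
    va_end(ap);
    if (!str)
        return -1;
    len = (int)strlen(str);
    fputs(str, stderr);
    free(str);
    return len;
}

/* Constructed stand-in for the misbehaving implementation the commit
 * message describes: stores NULL in *strp instead of returning -1. */
int nulling_vasprintf(char **strp, const char *fmt, va_list ap)
{
    (void)fmt; (void)ap; *strp = NULL;
    return 0;
}
```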
BluezTestBot pushed a commit that referenced this issue Sep 20, 2023
Primary/Secondary Counters are supposed to be 16 bytes values, if the
server has implemented them incorrectly it may lead to the following
crash:

=================================================================
==31860==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x607000001878 at pc 0x7f95a1575638 bp 0x7fff58c6bb80 sp 0x7fff58c6b328

 READ of size 48 at 0x607000001878 thread T0
     #0 0x7f95a1575637 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:860
     #1 0x7f95a1575ba6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:892
     #2 0x7f95a1575ba6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:887
     #3 0x564df69c77a0 in read_version obexd/client/pbap.c:288
     #4 0x564df69c77a0 in read_return_apparam obexd/client/pbap.c:352
     #5 0x564df69c77a0 in phonebook_size_callback obexd/client/pbap.c:374
     #6 0x564df69bea3c in session_terminate_transfer obexd/client/session.c:921
     #7 0x564df69d56b0 in get_xfer_progress_first obexd/client/transfer.c:729
     #8 0x564df698b9ee in handle_response gobex/gobex.c:1140
     #9 0x564df698cdea in incoming_data gobex/gobex.c:1385
     #10 0x7f95a12fdc43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43)
     #11 0x7f95a13526c7  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xaa6c7)
     #12 0x7f95a12fd2b2 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2)
     #13 0x564df6977d41 in main obexd/src/main.c:307
     #14 0x7f95a10a7d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
     #15 0x7f95a10a7e3f in __libc_start_main_impl ../csu/libc-start.c:392
     #16 0x564df6978704 in _start (/usr/local/libexec/bluetooth/obexd+0x8b704)
 0x607000001878 is located 0 bytes to the right of 72-byte region [0x607000001830,0x607000001878)

 allocated by thread T0 here:
     #0 0x7f95a1595a37 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
     #1 0x564df69c8b6a in pbap_probe obexd/client/pbap.c:1259
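An added example, not obexd's code, of validating the version counters before anything compares them: the OBEX application-parameter header is a sequence of 1-byte tag, 1-byte length, value triplets, and a counter is only accepted when its declared length is exactly 16 and fits inside the buffer. The tag numbers, struct and function names here are constructed for the example, not taken from the PBAP specification or from pbap.c.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define VERSION_COUNTER_LEN 16
#define TAG_PRIMARY_VERSION   0x0A /* constructed tag values, not from the PBAP spec */
#define TAG_SECONDARY_VERSION 0x0B

struct folder_versions {
    uint8_t primary[VERSION_COUNTER_LEN];
    uint8_t secondary[VERSION_COUNTER_LEN];
};

/* Walk the tag/length/value triplets of an OBEX application-parameter
 * header and copy a version counter out only when its declared length is
 * exactly 16 bytes and lies inside the buffer. Returns the number of
 * counters accepted, or -1 if the header is malformed, so a misbehaving
 * server can never make the later 16-byte memcmp read past the buffer. */
int parse_folder_versions(const uint8_t *buf, size_t len,
                          struct folder_versions *out)
{
    size_t off = 0;
    int accepted = 0;
    memset(out, 0, sizeof(*out));
    while (off < len) {
        if (len - off < 2)
            return -1;                    /* truncated tag/length header */
        uint8_t tag = buf[off], vlen = buf[off + 1];
        off += 2;
        if (vlen > len - off)
            return -1;                    /* value runs past the buffer */
        if (tag == TAG_PRIMARY_VERSION || tag == TAG_SECONDARY_VERSION) {
            if (vlen != VERSION_COUNTER_LEN)
                return -1;                /* wrong-sized counter: reject */
            memcpy(tag == TAG_PRIMARY_VERSION ? out->primary : out->secondary,
                   buf + off, VERSION_COUNTER_LEN);
            accepted++;
        }
        off += vlen;                      /* unknown tags are skipped */
    }
    return accepted;
}

/* Only for counters parse_folder_versions() accepted: both are then 16 bytes. */
bool version_changed(const uint8_t *cached, const uint8_t *received)
{
    return memcmp(cached, received, VERSION_COUNTER_LEN) != 0;
}
```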
BluezTestBot pushed a commit that referenced this issue Feb 2, 2024
This fixes the following crash when a broadcast stream setup is
pending and the device is removed:

bluetoothd[37]: src/device.c:device_free() 0x89a500
bluetoothd[37]: GLib: Invalid file descriptor.
bluetoothd[37]: ++++++++ backtrace ++++++++
bluetoothd[37]: #1  g_logv+0x270 (/usr/lib64/libglib-2.0.so.0.7600.6) [0x7feb557e3120]
bluetoothd[37]: #2  g_log+0x93 (/usr/lib64/libglib-2.0.so.0.7600.6) [0x7feb557e3403]
bluetoothd[37]: #3  g_io_channel_error_from_errno+0x4a (/usr/lib64/libglib-2.0.so.0.7600.6) [0x7feb557cd9da]
bluetoothd[37]: #4  g_io_unix_close+0x53 (/usr/lib64/libglib-2.0.so.0.7600.6) [0x7feb55839d53]
bluetoothd[37]: #5  g_io_channel_shutdown+0x10f (/usr/lib64/libglib-2.0.so.0.7600.6) [0x7feb557cdf7f]
bluetoothd[37]: #6  g_io_channel_unref+0x39 (/usr/lib64/libglib-2.0.so.0.7600.6) [0x7feb557ce1e9]
bluetoothd[37]: #7  g_source_unref_internal+0x24f (/usr/lib64/libglib-2.0.so.0.7600.6) [0x7feb557db79f]
bluetoothd[37]: #8  g_main_context_dispatch+0x288 (/usr/lib64/libglib-2.0.so.0.7600.6) [0x7feb557dd638]
bluetoothd[37]: #9  g_main_context_iterate.isra.0+0x318 (/usr/lib64/libglib-2.0.so.0.7600.6) [0x7feb5583b6b8]
bluetoothd[37]: #10 g_main_loop_run+0x7f (/usr/lib64/libglib-2.0.so.0.7600.6) [0x7feb557dcaff]
bluetoothd[37]: #11 mainloop_run+0x15 (src/shared/mainloop-glib.c:68) [0x662e65]
bluetoothd[37]: #12 mainloop_run_with_signal+0x128 (src/shared/mainloop-notify.c:190) [0x663368]
bluetoothd[37]: #13 main+0x154b (src/main.c:1454) [0x41521b]
bluetoothd[37]: #14 __libc_start_call_main+0x7a (/usr/lib64/libc.so.6) [0x7feb54e1fb8a]
bluetoothd[37]: #15 __libc_start_main@@GLIBC_2.34+0x8b (/usr/lib64/libc.so.6) [0x7feb54e1fc4b]
bluetoothd[37]: #16 _start+0x25 (src/main.c:1197) [0x416305]
bluetoothd[37]: +++++++++++++++++++++++++++
BluezTestBot pushed a commit that referenced this issue Mar 26, 2024
select_cb() callback is called when the sound server replies. However,
at that point the ep or session for which it was made may already be
gone if e.g. device disconnects or adapter is powered off.

Fix by implementing cancelling select() callbacks, and doing it before
freeing ep.

Fixes crash:

==889897==ERROR: AddressSanitizer: heap-use-after-free
READ of size 8 at 0x60400006b098 thread T0
    #0 0x55aeba in setup_new profiles/audio/bap.c:840
    #1 0x562158 in select_cb profiles/audio/bap.c:1361
    #2 0x47ad66 in pac_select_cb profiles/audio/media.c:920
    #3 0x47661b in endpoint_reply profiles/audio/media.c:375
    ...
freed by thread T0 here:
    #0 0x7fd20bcd7fb8 in __interceptor_free.part.0
    #1 0x55f913 in ep_free profiles/audio/bap.c:1156
    #2 0x7d696e in remove_interface gdbus/object.c:660
    #3 0x7de622 in g_dbus_unregister_interface gdbus/object.c:1394
    #4 0x554536 in ep_unregister profiles/audio/bap.c:193
    #5 0x574455 in ep_remove profiles/audio/bap.c:2963
    #6 0x7f5341 in queue_remove_if src/shared/queue.c:279
    #7 0x7f5aba in queue_remove_all src/shared/queue.c:321
    #8 0x57452b in bap_disconnect profiles/audio/bap.c:2972
    #9 0x6cd107 in btd_service_disconnect src/service.c:305
    ...
previously allocated by thread T0 here:
    #0 0x7fd20bcd92ef in malloc
    #1 0x7f6e98 in util_malloc src/shared/util.c:46
    #2 0x560d28 in ep_register profiles/audio/bap.c:1282
    #3 0x562bdf in pac_register profiles/audio/bap.c:1386
    #4 0x8cc834 in bap_foreach_pac src/shared/bap.c:4950
    #5 0x8cccfc in bt_bap_foreach_pac src/shared/bap.c:4964
    #6 0x56330b in bap_ready profiles/audio/bap.c:1457
    ...
BluezTestBot pushed a commit that referenced this issue Apr 16, 2024
Cancel stream's queued requests before freeing the stream.

As the callbacks may do some cleanup on error, be sure to call them
before removing the requests.

Fixes:
=======================================================================
ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000013430
READ of size 8 at 0x60d000013430 thread T0
    #0 0x89cb9f in stream_stop_complete src/shared/bap.c:1211
    #1 0x89c997 in bap_req_complete src/shared/bap.c:1192
    #2 0x8a105f in bap_process_queue src/shared/bap.c:1474
    #3 0x93c93f in timeout_callback src/shared/timeout-glib.c:25
...
freed by thread T0 here:
    #1 0x89b744 in bap_stream_free src/shared/bap.c:1105
    #2 0x89bac8 in bap_stream_detach src/shared/bap.c:1122
    #3 0x89dbfc in bap_stream_state_changed src/shared/bap.c:1261
    #4 0x8a2169 in bap_ucast_set_state src/shared/bap.c:1554
    #5 0x89e0d5 in stream_set_state src/shared/bap.c:1291
    #6 0x8a78b6 in bap_ucast_release src/shared/bap.c:1927
    #7 0x8d45bb in bt_bap_stream_release src/shared/bap.c:5516
    #8 0x8ba63f in remove_streams src/shared/bap.c:3538
    #9 0x7f23d0 in queue_foreach src/shared/queue.c:207
    #10 0x8bb875 in bt_bap_remove_pac src/shared/bap.c:3593
    #11 0x47416c in media_endpoint_destroy profiles/audio/media.c:185
=======================================================================
BluezTestBot pushed a commit that referenced this issue Apr 16, 2024
Currently, btd_set_add_device decrypts the sirk in-place, modifying the
key passed to it.

This causes store_sirk() later on to save the wrong (decrypted) key
value, resulting in an invalid duplicate device set.

It also allows devices->sirk list to contain the same set multiple times,
which crashes later on as sirks-set are assumed to be 1-to-1 in
btd_set_add/remove_device().

Fixes:
=======================================================================
ERROR: AddressSanitizer: heap-use-after-free on address 0x60600001c068
READ of size 8 at 0x60600001c068 thread T0
    #0 0x762721 in btd_set_remove_device src/set.c:347
    #1 0x7341e7 in remove_sirk_info src/device.c:7145
    #2 0x7f2cee in queue_foreach src/shared/queue.c:207
    #3 0x734499 in btd_device_unref src/device.c:7159
    #4 0x719f65 in device_remove src/device.c:4788
    #5 0x682382 in adapter_remove src/adapter.c:6959
    ...
0x60600001c068 is located 40 bytes inside of 56-byte region [0x60600001c040,0x60600001c078)
freed by thread T0 here:
    #1 0x7605a6 in set_free src/set.c:170
    #2 0x7d4eff in remove_interface gdbus/object.c:660
    #3 0x7dcbb3 in g_dbus_unregister_interface gdbus/object.c:1394
    #4 0x762990 in btd_set_remove_device src/set.c:362
    #5 0x7341e7 in remove_sirk_info src/device.c:7145
    #6 0x7f2cee in queue_foreach src/shared/queue.c:207
    #7 0x734499 in btd_device_unref src/device.c:7159
    #8 0x719f65 in device_remove src/device.c:4788
    #9 0x682382 in adapter_remove src/adapter.c:6959
    ...
previously allocated by thread T0 here:
    #1 0x7f5429 in util_malloc src/shared/util.c:46
    #2 0x7605f1 in set_new src/set.c:178
    #3 0x7625b9 in btd_set_add_device src/set.c:324
    #4 0x6f8fc8 in add_set src/device.c:1916
    #5 0x7f2cee in queue_foreach src/shared/queue.c:207
    #6 0x6f982c in device_set_ltk src/device.c:1940
    #7 0x667b97 in load_ltks src/adapter.c:4478
    ...
=======================================================================