Update device.c #10
Closed
Update device.c #10
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
This change appears to be a partial backport of https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=25a471a83e02e1effb15d5a488b3f0085eaeb675. I have anyway planned to update to the very latest version of bluez5 before next Sailfish OS release and I believe there will be a new bluez5 release with this change before that so this would get included in next Sailfish OS release that way. |
|
Bluez add it a month ago, so you can use the newest version of bluez. |
|
This kind of changes should have some reasoning on why they are needed and ideally a reference to upstream commit. Just plain "Update device.c" is very vague. But provided that we'll get the bluez update, and this feeling a bit random change, I'd be tempted to just close this PR. |
|
As nephros mentioned on the forum, in case a version bump doesn't fly a config change could probably achieve the same? EDIT: reference: https://forum.sailfishos.org/t/cve-2023-45866-cve-2020-0556/17564 Append: to /etc/bluez5/bluetooth/input.conf |
|
New version of bluez5 just got released which includes this fix so I will update our version to that. It's easier for me to do that than asking someone else because the method for updating is a bit special. |
mlehtima
pushed a commit
that referenced
this pull request
Dec 13, 2023
Primary/Secundary Counters are supposed to be 16 bytes values, if the
server has implemented them incorrectly it may lead to the following
crash:
=================================================================
==31860==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x607000001878 at pc 0x7f95a1575638 bp 0x7fff58c6bb80 sp 0x7fff58c6b328
READ of size 48 at 0x607000001878 thread T0
#0 0x7f95a1575637 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:860
#1 0x7f95a1575ba6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:892
#2 0x7f95a1575ba6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:887
#3 0x564df69c77a0 in read_version obexd/client/pbap.c:288
#4 0x564df69c77a0 in read_return_apparam obexd/client/pbap.c:352
#5 0x564df69c77a0 in phonebook_size_callback obexd/client/pbap.c:374
#6 0x564df69bea3c in session_terminate_transfer obexd/client/session.c:921
#7 0x564df69d56b0 in get_xfer_progress_first obexd/client/transfer.c:729
#8 0x564df698b9ee in handle_response gobex/gobex.c:1140
#9 0x564df698cdea in incoming_data gobex/gobex.c:1385
#10 0x7f95a12fdc43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43)
#11 0x7f95a13526c7 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xaa6c7)
#12 0x7f95a12fd2b2 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2)
#13 0x564df6977d41 in main obexd/src/main.c:307
#14 0x7f95a10a7d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#15 0x7f95a10a7e3f in __libc_start_main_impl ../csu/libc-start.c:392
#16 0x564df6978704 in _start (/usr/local/libexec/bluetooth/obexd+0x8b704)
0x607000001878 is located 0 bytes to the right of 72-byte region [0x607000001830,0x607000001878)
allocated by thread T0 here:
#0 0x7f95a1595a37 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
#1 0x564df69c8b6a in pbap_probe obexd/client/pbap.c:1259
|
Superseded by #11 |
xiaoyao888888
pushed a commit
to xiaoyao888888/bluez5
that referenced
this pull request
Jan 13, 2024
To look up transports, use BAP stream pointers associated with them, not
the path strings stored in the stream user data. This makes it clearer
that transports presented to the sound server correspond to the actual
streams. The Acquire/etc. of BAP transports are already tied to the
associated stream.
This fixes use-after-free crashes in pac_clear. They occur because the
lifetime of the path string was either that of media transport or media
endpoint, which may be shorter than that of the BAP stream. In such
case, pac_clear is entered with invalid pointer in stream user data,
leading to crash. There are a few code paths for this, e.g. making
sound server delay its SetConfiguration response (e.g. gdb breakpoint)
to get dbus timeout, then disconnecting:
ERROR: AddressSanitizer: heap-use-after-free on address XXXX
READ of size 3 at 0x606000031640 thread T0
...
sailfishos#4 0x559891 in btd_debug src/log.c:117
sailfishos#5 0x46abfd in pac_clear profiles/audio/media.c:1096
sailfishos#6 0x79fcaf in bap_stream_clear_cfm src/shared/bap.c:914
sailfishos#7 0x7a060d in bap_stream_detach src/shared/bap.c:987
sailfishos#8 0x7a25ea in bap_stream_state_changed src/shared/bap.c:1210
sailfishos#9 0x7a29cd in stream_set_state src/shared/bap.c:1254
sailfishos#10 0x7be824 in stream_foreach_detach src/shared/bap.c:3820
sailfishos#11 0x71d15d in queue_foreach src/shared/queue.c:207
#12 0x7beb98 in bt_bap_detach src/shared/bap.c:3836
#13 0x5228cb in bap_disconnect profiles/audio/bap.c:1342
#14 0x63247c in btd_service_disconnect src/service.c:305
freed by thread T0 here:
#0 0x7f16708b9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388)
sailfishos#1 0x7f167071b8cc in g_free (/lib64/libglib-2.0.so.0+0x5b8cc)
sailfishos#2 0x7047b7 in remove_interface gdbus/object.c:660
sailfishos#3 0x70aef6 in g_dbus_unregister_interface gdbus/object.c:1394
sailfishos#4 0x47be30 in media_transport_destroy profiles/audio/transport.c:217
sailfishos#5 0x464ab9 in endpoint_remove_transport profiles/audio/media.c:270
sailfishos#6 0x464d26 in clear_configuration profiles/audio/media.c:292
sailfishos#7 0x464e69 in clear_endpoint profiles/audio/media.c:300
sailfishos#8 0x46516e in endpoint_reply profiles/audio/media.c:325
...
Fixes: 7b1b1a4 ("media: clear the right transport when clearing BAP endpoint")
xiaoyao888888
pushed a commit
to xiaoyao888888/bluez5
that referenced
this pull request
Jan 13, 2024
The following crash can be observed if the remote peer send and
unsupported event:
ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000148f11
at pc 0x559644552088 bp 0x7ffe28b3c7b0 sp 0x7ffe28b3c7a0
WRITE of size 1 at 0x60b000148f11 thread T0
#0 0x559644552087 in avrcp_handle_event profiles/audio/avrcp.c:3907
sailfishos#1 0x559644536c22 in control_response profiles/audio/avctp.c:939
sailfishos#2 0x5596445379ab in session_cb profiles/audio/avctp.c:1108
sailfishos#3 0x7fbcb3e51c43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43)
sailfishos#4 0x7fbcb3ea66c7 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xaa6c7)
sailfishos#5 0x7fbcb3e512b2 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2)
sailfishos#6 0x559644754ab6 in mainloop_run src/shared/mainloop-glib.c:66
sailfishos#7 0x559644755606 in mainloop_run_with_signal src/shared/mainloop-notify.c:188
sailfishos#8 0x5596445bb963 in main src/main.c:1289
sailfishos#9 0x7fbcb3bafd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
sailfishos#10 0x7fbcb3bafe3f in __libc_start_main_impl ../csu/libc-start.c:392
sailfishos#11 0x5596444e8224 in _start (/usr/local/libexec/bluetooth/bluetoothd+0xf0224)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.