sfos: Automatically restart mpris-proxy service if it crashes #7
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
[sailfish] Automatically restart mpris-proxy service if it crashes. Fixes JB#58244
jusa
approved these changes
Aug 4, 2022
mlehtima
pushed a commit
that referenced
this pull request
Sep 7, 2022
The following trace can be observed sometimes when pairing 2 emulator instances: src/adapter.c:store_link_key() Unable to load key file from /var/lib/bluetooth/9C:DA:3E:F2:8E:46/9C:B6:D0:8A:A0:0C/info: (No such file or directory) GLib: g_file_set_contents: assertion 'error == NULL || *error == NULL' failed ++++++++ backtrace ++++++++ #1 btd_backtrace+0x28a (src/backtrace.c:59) [0x7f65bb5ab53a] #2 g_logv+0x21c (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3f955c] #3 g_log+0x93 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3f9743] #4 g_file_set_contents+0x68 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3dca68] #5 store_link_key+0x30a (src/adapter.c:8235) [0x7f65bb61839a] #6 new_link_key_callback+0x474 (src/adapter.c:8285) [0x7f65bb62c904] #7 queue_foreach+0x164 (src/shared/queue.c:203) [0x7f65bb722e34] #8 can_read_data+0x59f (src/shared/mgmt.c:343) [0x7f65bb72e09f] #9 watch_callback+0x112 (src/shared/io-glib.c:162) [0x7f65bb78acb2] #10 g_main_context_dispatch+0x14e (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3f204e]
mlehtima
pushed a commit
that referenced
this pull request
Sep 7, 2022
This patch fixes the out-of-bounds array access caught by the ASAN.
monitor/sdp.c:497:19: runtime error: index 8 out of bounds for type
'cont_data [8]'
=================================================================
==4180==ERROR: AddressSanitizer: global-buffer-overflow on address
0x7fe2d271a542 at pc 0x7fe2d174a57d bp 0x7ffc6dcac1d0 sp 0x7ffc6dcab978
WRITE of size 9 at 0x7fe2d271a542 thread T0
#0 0x7fe2d174a57c (/lib/x86_64-linux-gnu/libasan.so.5+0x9b57c)
#1 0x7fe2d23bae85 in search_attr_rsp monitor/sdp.c:692
#2 0x7fe2d23be3f1 in sdp_packet monitor/sdp.c:771
#3 0x7fe2d23b004c in l2cap_frame monitor/l2cap.c:3247
#4 0x7fe2d23b3d9c in l2cap_packet monitor/l2cap.c:3312
#5 0x7fe2d237d5c3 in packet_hci_acldata monitor/packet.c:11638
#6 0x7fe2d2381876 in packet_monitor monitor/packet.c:3967
#7 0x7fe2d230b285 in data_callback monitor/control.c:973
#8 0x7fe2d2447029 in mainloop_run src/shared/mainloop.c:106
#9 0x7fe2d2449306 in mainloop_run_with_signal src/shared/mainloop-notify.c:188
#10 0x7fe2d230324a in main monitor/main.c:290
#11 0x7fe2d0b440b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#12 0x7fe2d2303b7d in _start (/home/han1/work/dev/bluez/monitor/btmon+0x1dbb7d)
0x7fe2d271a542 is located 30 bytes to the left of global variable 'tid_list'
defined in 'monitor/sdp.c:43:24' (0x7fe2d271a560) of size 384
0x7fe2d271a542 is located 2 bytes to the right of global variable 'cont_list'
defined in 'monitor/sdp.c:424:25' (0x7fe2d271a400) of size 320
SUMMARY: AddressSanitizer: global-buffer-overflow
(/lib/x86_64-linux-gnu/libasan.so.5+0x9b57c)
...
==4180==ABORTING
mlehtima
pushed a commit
that referenced
this pull request
Sep 7, 2022
This fixes the following error for invalid read access when registering
filter for incoming messages:
140632==ERROR: AddressSanitizer: stack-buffer-overflow on address...
#0 0x7f60c185741d in MemcmpInterceptorCommon(...
#1 0x7f60c1857af8 in __interceptor_memcmp (/lib64/libasan.so...
#2 0x55a10101536e in find_by_filter mesh/mesh-io-unit.c:494
#3 0x55a1010d8c46 in l_queue_remove_if ell/queue.c:517
#4 0x55a101014ebd in recv_register mesh/mesh-io-unit.c:506
#5 0x55a10102946f in mesh_net_attach mesh/net.c:2885
#6 0x55a101086f64 in send_reply mesh/dbus.c:153
#7 0x55a101124c3d in handle_method_return ell/dbus.c:216
#8 0x55a10112c8ef in message_read_handler ell/dbus.c:276
#9 0x55a1010dae20 in io_callback ell/io.c:120
#10 0x55a1010dff7e in l_main_iterate ell/main.c:478
#11 0x55a1010e06e3 in l_main_run ell/main.c:525
#12 0x55a1010e06e3 in l_main_run ell/main.c:507
#13 0x55a1010e0bfc in l_main_run_with_signal ell/main.c:647
#14 0x55a10100316e in main mesh/main.c:292
#15 0x7f60c0c6855f in __libc_start_call_main (/lib64/libc.so.6+...
#16 0x7f60c0c6860b in __libc_start_main_alias_1 (/lib64/libc.so.6+...
#17 0x55a101003ce4 in _start (/home/istotlan/bluez/mesh/bluetooth-m...
mlehtima
pushed a commit
that referenced
this pull request
Jul 3, 2023
To look up transports, use BAP stream pointers associated with them, not
the path strings stored in the stream user data. This makes it clearer
that transports presented to the sound server correspond to the actual
streams. The Acquire/etc. of BAP transports are already tied to the
associated stream.
This fixes use-after-free crashes in pac_clear. They occur because the
lifetime of the path string was either that of media transport or media
endpoint, which may be shorter than that of the BAP stream. In such
case, pac_clear is entered with invalid pointer in stream user data,
leading to crash. There are a few code paths for this, e.g. making
sound server delay its SetConfiguration response (e.g. gdb breakpoint)
to get dbus timeout, then disconnecting:
ERROR: AddressSanitizer: heap-use-after-free on address XXXX
READ of size 3 at 0x606000031640 thread T0
...
#4 0x559891 in btd_debug src/log.c:117
#5 0x46abfd in pac_clear profiles/audio/media.c:1096
#6 0x79fcaf in bap_stream_clear_cfm src/shared/bap.c:914
#7 0x7a060d in bap_stream_detach src/shared/bap.c:987
#8 0x7a25ea in bap_stream_state_changed src/shared/bap.c:1210
#9 0x7a29cd in stream_set_state src/shared/bap.c:1254
#10 0x7be824 in stream_foreach_detach src/shared/bap.c:3820
#11 0x71d15d in queue_foreach src/shared/queue.c:207
#12 0x7beb98 in bt_bap_detach src/shared/bap.c:3836
#13 0x5228cb in bap_disconnect profiles/audio/bap.c:1342
#14 0x63247c in btd_service_disconnect src/service.c:305
freed by thread T0 here:
#0 0x7f16708b9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388)
#1 0x7f167071b8cc in g_free (/lib64/libglib-2.0.so.0+0x5b8cc)
#2 0x7047b7 in remove_interface gdbus/object.c:660
#3 0x70aef6 in g_dbus_unregister_interface gdbus/object.c:1394
#4 0x47be30 in media_transport_destroy profiles/audio/transport.c:217
#5 0x464ab9 in endpoint_remove_transport profiles/audio/media.c:270
#6 0x464d26 in clear_configuration profiles/audio/media.c:292
#7 0x464e69 in clear_endpoint profiles/audio/media.c:300
#8 0x46516e in endpoint_reply profiles/audio/media.c:325
...
Fixes: 7b1b1a4 ("media: clear the right transport when clearing BAP endpoint")
mlehtima
pushed a commit
that referenced
this pull request
Jul 3, 2023
Don't call configuration callback if stream's transport was cleared in
the meantime. The clear callback is called just before the stream is
freed.
Fixes ASAN crash on disconnect while waiting for SetConfiguration DBus
reply:
ERROR: AddressSanitizer: heap-use-after-free on address 0x60b00002eb90
READ of size 8 at 0x60b00002eb90 thread T0
#0 0x7a4892 in bap_stream_config_cfm_cb src/shared/bap.c:3201
#1 0x4688fb in pac_config_cb profiles/audio/media.c:1010
#2 0x462164 in media_endpoint_cancel profiles/audio/media.c:157
#3 0x462243 in media_endpoint_cancel_all profiles/audio/media.c:165
#4 0x46365b in clear_endpoint profiles/audio/media.c:297
#5 0x463a21 in endpoint_reply profiles/audio/media.c:325
...
freed by thread T0 here:
#0 0x7eff644b9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388)
#1 0x78d8cc in bap_stream_free src/shared/bap.c:974
#2 0x78dbc8 in bap_stream_detach src/shared/bap.c:991
#3 0x78fa43 in bap_stream_state_changed src/shared/bap.c:1210
#4 0x78fe26 in stream_set_state src/shared/bap.c:1254
#5 0x7ab5ce in stream_foreach_detach src/shared/bap.c:3820
#6 0x70ce06 in queue_foreach src/shared/queue.c:207
#7 0x7ab942 in bt_bap_detach src/shared/bap.c:3836
#8 0x51da7a in bap_disconnect profiles/audio/bap.c:1342
#9 0x626e57 in btd_service_disconnect src/service.c:305
mlehtima
pushed a commit
that referenced
this pull request
Jul 3, 2023
Always free BAP stream in bt_bap_stream_release if it is not attached to
a client session, simplifying the cleanup.
Fixes the following ASAN crash is observed when media endpoint is
unregistered (stopping sound server) while streaming from remote BAP
client:
ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0000474d8
READ of size 8 at 0x60b0000474d8 thread T0
#0 0x7a27c6 in stream_set_state src/shared/bap.c:1227
#1 0x7aff61 in remove_streams src/shared/bap.c:2483
#2 0x71d2d0 in queue_foreach src/shared/queue.c:207
#3 0x7b0152 in bt_bap_remove_pac src/shared/bap.c:2501
#4 0x463cda in media_endpoint_destroy profiles/audio/media.c:179
...
0x60b0000474d8 is located 8 bytes inside of 112-byte region
freed by thread T0 here:
#0 0x7f93b12b9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388)
#1 0x7a0504 in bap_stream_free src/shared/bap.c:972
#2 0x7a0800 in bap_stream_detach src/shared/bap.c:989
#3 0x7a26d1 in bap_stream_state_changed src/shared/bap.c:1208
#4 0x7a2ab4 in stream_set_state src/shared/bap.c:1252
#5 0x7ab18a in stream_release src/shared/bap.c:1985
#6 0x7c6919 in bt_bap_stream_release src/shared/bap.c:4572
#7 0x7aff50 in remove_streams src/shared/bap.c:2482
...
previously allocated by thread T0 here:
#0 0x7f93b12ba6af in __interceptor_malloc (/lib64/libasan.so.8+0xba6af)
#1 0x71e9ae in util_malloc src/shared/util.c:43
#2 0x79c2f5 in bap_stream_new src/shared/bap.c:766
#3 0x7a4863 in ep_config src/shared/bap.c:1446
#4 0x7a4f22 in ascs_config src/shared/bap.c:1481
...
mlehtima
pushed a commit
that referenced
this pull request
Jul 3, 2023
The following crash can be observed if the remote peer send and
unsupported event:
ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000148f11
at pc 0x559644552088 bp 0x7ffe28b3c7b0 sp 0x7ffe28b3c7a0
WRITE of size 1 at 0x60b000148f11 thread T0
#0 0x559644552087 in avrcp_handle_event profiles/audio/avrcp.c:3907
#1 0x559644536c22 in control_response profiles/audio/avctp.c:939
#2 0x5596445379ab in session_cb profiles/audio/avctp.c:1108
#3 0x7fbcb3e51c43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43)
#4 0x7fbcb3ea66c7 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xaa6c7)
#5 0x7fbcb3e512b2 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2)
#6 0x559644754ab6 in mainloop_run src/shared/mainloop-glib.c:66
#7 0x559644755606 in mainloop_run_with_signal src/shared/mainloop-notify.c:188
#8 0x5596445bb963 in main src/main.c:1289
#9 0x7fbcb3bafd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#10 0x7fbcb3bafe3f in __libc_start_main_impl ../csu/libc-start.c:392
#11 0x5596444e8224 in _start (/usr/local/libexec/bluetooth/bluetoothd+0xf0224)
mlehtima
pushed a commit
that referenced
this pull request
Dec 13, 2023
It seems like some implementation of vasprintf set the content of the
str to NULL rather then returning -1 causing the following errors:
=================================================================
==216204==ERROR: AddressSanitizer: attempting free on address which
was not malloc()-ed: 0x55e787722cf0 in thread T0
#0 0x55e784f75872 in __interceptor_free.part.0 asan_malloc_linux.cpp.o
#1 0x55e7850e55f9 in bt_log_vprintf
/usr/src/debug/bluez-git/bluez-git/src/shared/log.c:154:2
#2 0x55e78502db18 in monitor_log
/usr/src/debug/bluez-git/bluez-git/src/log.c:40:2
#3 0x55e78502dab4 in info
/usr/src/debug/bluez-git/bluez-git/src/log.c:52:2
#4 0x55e78502e314 in __btd_log_init
/usr/src/debug/bluez-git/bluez-git/src/log.c:179:2
#5 0x55e78502aa63 in main
/usr/src/debug/bluez-git/bluez-git/src/main.c:1388:2
#6 0x7f1d5fe27ccf (/usr/lib/libc.so.6+0x27ccf) (BuildId:
316d0d3666387f0e8fb98773f51aa1801027c5ab)
#7 0x7f1d5fe27d89 in __libc_start_main
(/usr/lib/libc.so.6+0x27d89) (BuildId:
316d0d3666387f0e8fb98773f51aa1801027c5ab)
#8 0x55e784e88084 in _start
(/usr/lib/bluetooth/bluetoothd+0x36084) (BuildId:
19348ea642303b701c033d773055becb623fe79a)
Address 0x55e787722cf0 is a wild pointer inside of access range of
size 0x000000000001.
SUMMARY: AddressSanitizer: bad-free asan_malloc_linux.cpp.o in
__interceptor_free.part.0
==216204==ABORTING
сен 18 13:10:02 archlinux systemd[1]: bluetooth.service: Main process
exited, code=exited, status=1/FAILURE
mlehtima
pushed a commit
that referenced
this pull request
Dec 13, 2023
Primary/Secundary Counters are supposed to be 16 bytes values, if the
server has implemented them incorrectly it may lead to the following
crash:
=================================================================
==31860==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x607000001878 at pc 0x7f95a1575638 bp 0x7fff58c6bb80 sp 0x7fff58c6b328
READ of size 48 at 0x607000001878 thread T0
#0 0x7f95a1575637 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:860
#1 0x7f95a1575ba6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:892
#2 0x7f95a1575ba6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:887
#3 0x564df69c77a0 in read_version obexd/client/pbap.c:288
#4 0x564df69c77a0 in read_return_apparam obexd/client/pbap.c:352
#5 0x564df69c77a0 in phonebook_size_callback obexd/client/pbap.c:374
#6 0x564df69bea3c in session_terminate_transfer obexd/client/session.c:921
#7 0x564df69d56b0 in get_xfer_progress_first obexd/client/transfer.c:729
#8 0x564df698b9ee in handle_response gobex/gobex.c:1140
#9 0x564df698cdea in incoming_data gobex/gobex.c:1385
#10 0x7f95a12fdc43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43)
#11 0x7f95a13526c7 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xaa6c7)
#12 0x7f95a12fd2b2 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2)
#13 0x564df6977d41 in main obexd/src/main.c:307
#14 0x7f95a10a7d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#15 0x7f95a10a7e3f in __libc_start_main_impl ../csu/libc-start.c:392
#16 0x564df6978704 in _start (/usr/local/libexec/bluetooth/obexd+0x8b704)
0x607000001878 is located 0 bytes to the right of 72-byte region [0x607000001830,0x607000001878)
allocated by thread T0 here:
#0 0x7f95a1595a37 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
#1 0x564df69c8b6a in pbap_probe obexd/client/pbap.c:1259
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
[sailfish] Automatically restart mpris-proxy service if it crashes. Fixes JB#58244