2023-07-04 06:09:34

by Vlad Pruteanu

Subject: [PATCH BlueZ 0/1] plugins/admin: Fix heap-use-after-free when using 2 controllers

This commit fixes the heap-use-after-free error when connecting 2
controllers. When a controller is connected,
admin_policy_adapter_probe is called. If policy_data was already
allocated, it gets freed; if not, it only gets allocated. Eventually
add_interface is called. Here policy_data is put in the "data" variable
(specific for each controller) and the process_changes task is called
with idle priority. This function ultimately accesses policy_data from
the "data" variable.

When BlueZ crashes the flow is:
1) first controller is attached
2) admin_policy_adapter_probe is called and policy_data is allocated
3) second controller is attached
4) admin_policy_adapter_probe is called and policy_data is freed, then
allocated again
5) process_changes runs and the policy_data for the first controller is
read, but it was already freed, thus the crash

Vlad Pruteanu (1):
plugins/admin.c: Fix heap-use-after-free error when connecting 2
controllers

plugins/admin.c | 1 -
1 file changed, 1 deletion(-)

--
2.34.1



2023-07-04 06:09:59

by Vlad Pruteanu

Subject: [PATCH BlueZ 1/1] plugins/admin: Fix heap-use-after-free when using 2 controllers

This commit fixes the heap-use-after-free error when connecting 2
controllers. When a controller is connected,
admin_policy_adapter_probe is called. If policy_data was already
allocated, it gets freed; if not, it only gets allocated. Eventually
add_interface is called. Here policy_data is put in the "data" variable
(specific for each controller) and the process_changes task is called
with idle priority. This function ultimately accesses policy_data from
the "data" variable.

When BlueZ crashes the flow is:
1) first controller is attached
2) admin_policy_adapter_probe is called and policy_data is allocated
3) second controller is attached
4) admin_policy_adapter_probe is called and policy_data is freed, then
allocated again
5) process_changes runs and the policy_data for the first controller is
read, but it was already freed, thus the crash

---
plugins/admin.c | 1 -
1 file changed, 1 deletion(-)

diff --git a/plugins/admin.c b/plugins/admin.c
index 68e9237d3..16b74cfbf 100644
--- a/plugins/admin.c
+++ b/plugins/admin.c
@@ -502,7 +502,6 @@ static int admin_policy_adapter_probe(struct btd_adapter *adapter)
if (policy_data) {
btd_warn(policy_data->adapter_id,
"Policy data already exists");
- admin_policy_free(policy_data);
policy_data = NULL;
}
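Review bot: with `admin_policy_free(policy_data);` dropped, the block now only detaches the earlier allocation from the file-scope pointer (`policy_data = NULL;`) without releasing it, so the first adapter's object has to be owned and freed elsewhere, presumably through the per-adapter "data" handed to add_interface and the adapter's remove path; the commit message should say where that release now happens, otherwise the second probe turns the use-after-free into a leak. The retained `btd_warn(policy_data->adapter_id, "Policy data already exists");` now fires for every second controller, which after this change is the expected case rather than an error, so consider rewording or demoting it. The underlying hazard visible in this hunk is a single shared `policy_data` serving all adapters while the idle task's "data" is per adapter; keeping the pointer per adapter would remove the shared state instead of working around it.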

--
2.34.1
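The sequence in the commit message (one shared policy_data, a per-adapter "data" pointer, and a process_changes task deferred with idle priority) can be modelled outside the daemon. The following C program is an added illustration and is not code from this patch or from BlueZ: it reuses the function names from the commit message, but the structures, the idle queue and the `freed` flag are assumptions of the model. The flag stands in for a real free(), whose later access would be undefined behaviour rather than something that can be counted. The program attaches N adapters and reports how many deferred tasks end up reading policy data that a later probe freed, once with the removed admin_policy_free() call and once without it.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of the admin plugin's state (not BlueZ code). */
#define MAX_ADAPTERS 8

struct policy_data {
	int adapter_id;
	bool freed;	/* simulated liveness, set by admin_policy_free() */
};

struct adapter {
	int id;
	struct policy_data *data;	/* per-adapter pointer given to add_interface() */
};

static struct policy_data *policy_data;			/* shared global, as in plugins/admin.c */
static struct adapter *idle_queue[MAX_ADAPTERS];	/* stands in for the idle-priority task queue */
static int idle_count;
static struct policy_data *allocs[MAX_ADAPTERS];	/* every allocation, so reset_state() can free them */
static int alloc_count;

static void admin_policy_free(struct policy_data *pd)
{
	pd->freed = true;	/* simulated free; memory is really released in reset_state() */
}

/* Models admin_policy_adapter_probe(); free_on_reprobe selects old (true) or patched (false) behaviour. */
static int admin_policy_adapter_probe(struct adapter *ad, bool free_on_reprobe)
{
	if (policy_data) {
		if (free_on_reprobe)
			admin_policy_free(policy_data);	/* the line the patch removes */
		policy_data = NULL;
	}

	policy_data = calloc(1, sizeof(*policy_data));
	if (!policy_data)
		return -1;
	policy_data->adapter_id = ad->id;
	allocs[alloc_count++] = policy_data;

	/* add_interface(): the adapter keeps its own copy of the pointer ... */
	ad->data = policy_data;
	/* ... and process_changes is deferred, so it runs after every probe. */
	idle_queue[idle_count++] = ad;
	return 0;
}

/* Models the deferred tasks finally running; returns how many read freed data. */
static int run_idle_tasks(void)
{
	int uaf = 0;

	for (int i = 0; i < idle_count; i++) {
		struct policy_data *pd = idle_queue[i]->data;

		if (pd->freed)
			uaf++;			/* process_changes() touching freed policy_data */
		else
			(void)pd->adapter_id;	/* the normal read */
	}
	idle_count = 0;
	return uaf;
}

static void reset_state(void)
{
	for (int i = 0; i < alloc_count; i++)
		free(allocs[i]);
	alloc_count = 0;
	idle_count = 0;
	policy_data = NULL;
}

/* Attach `controllers` adapters, then let the deferred tasks run.
 * Returns the number of use-after-free accesses the model observed. */
int simulate_attach(int controllers, bool free_on_reprobe)
{
	struct adapter adapters[MAX_ADAPTERS] = {0};
	int uaf;

	if (controllers > MAX_ADAPTERS)
		controllers = MAX_ADAPTERS;
	reset_state();
	for (int i = 0; i < controllers; i++) {
		adapters[i].id = i;
		if (admin_policy_adapter_probe(&adapters[i], free_on_reprobe) < 0)
			break;
	}
	uaf = run_idle_tasks();
	reset_state();	/* adapter removal: each adapter's own data is released here */
	return uaf;
}

int main(void)
{
	printf("two controllers, free on re-probe: %d stale reads\n", simulate_attach(2, true));
	printf("two controllers, patched:          %d stale reads\n", simulate_attach(2, false));
	return 0;
}
```

With the free left in place the model reports one stale read per additional controller, because every probe after the first frees the object that the previous adapter's deferred task still holds; with the call removed it reports none, which is the behaviour the patch restores. In the real daemon the same access is what AddressSanitizer or Valgrind reports as a heap-use-after-free on the first adapter's policy_data, which is how such a bug is usually confirmed before a fix is written.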


2023-07-04 07:36:36

by bluez.test.bot

Subject: RE: plugins/admin: Fix heap-use-after-free when using 2 controllers

This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=762216

---Test result---

Test Summary:
CheckPatch PASS 0.51 seconds
GitLint PASS 0.38 seconds
BuildEll PASS 32.78 seconds
BluezMake PASS 986.57 seconds
MakeCheck PASS 13.03 seconds
MakeDistcheck PASS 186.73 seconds
CheckValgrind PASS 306.82 seconds
CheckSmatch PASS 408.42 seconds
bluezmakeextell PASS 125.13 seconds
IncrementalBuild PASS 819.17 seconds
ScanBuild PASS 1253.01 seconds



---
Regards,
Linux Bluetooth

2023-07-05 18:17:41

by patchwork-bot+bluetooth

Subject: Re: [PATCH BlueZ 0/1] plugins/admin: Fix heap-use-after-free when using 2 controllers

Hello:

This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <[email protected]>:

On Tue, 4 Jul 2023 08:56:42 +0300 you wrote:
> This commit fixes the heap-use-after-free error when connecting 2
> controllers. When a controller is connected,
> admin_policy_adapter_probe is called. If policy_data was already
> allocated, it gets freed; if not, it only gets allocated. Eventually
> add_interface is called. Here policy_data is put in the "data" variable
> (specific for each controller) and the process_changes task is called
> with idle priority. This function ultimately accesses policy_data from
> the "data" variable.
>
> [...]

Here is the summary with links:
- [BlueZ,1/1] plugins/admin: Fix heap-use-after-free when using 2 controllers
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=b74146068892

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html