From: Sonny Sasaka
To: linux-bluetooth@vger.kernel.org
Cc: Sonny Sasaka
Subject: [PATCH BlueZ] device: Cleanup att of a device object before assigning a new one.
Date: Thu, 20 Aug 2020 23:38:44 -0700
Message-Id: <20200821063844.17349-1-sonnysasaka@chromium.org>
X-Mailer: git-send-email 2.26.2

For some unknown reason, sometimes the controller replies "Command Disallowed" to a Disconnect command. When this happens, bluez kernel strangely reports 2 MGMT_EV_DEVICE_CONNECTED events to bluetoothd. Unfortunately bluetoothd doesn't handle this case, so this situation will lead to bluetoothd crashing due to UAF at a later time.

This patch protects this situation by always cleaning up the att of a device object before assigning a new one. This way the old att will not at a later time fire a disconnect event which would operate on the already freed device pointer.

Tested by repeatedly connecting/disconnecting to a device until the situation happens and checking that bluetoothd doesn't crash.

---
 src/device.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/device.c b/src/device.c
index 7b7808405..e696ba1c6 100644
--- a/src/device.c
+++ b/src/device.c
@@ -5304,6 +5304,12 @@ bool device_attach_att(struct btd_device *dev, GIOChannel *io) return false; } + // This may be reached when the device already has att attached to it. + // In this case cleanup the att first before assigning the new one, + // otherwise the old att may fire a disconnect event at later time + // and will invoke operations on the already freed device pointer. + if (dev->attrib || dev->att) attio_cleanup(dev); dev->attrib = attrib; dev->att = g_attrib_get_att(attrib);
-- 
2.26.2
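Review bot: The four added comment lines in the hunk use `//` C++-style comments; BlueZ follows the kernel coding style and uses `/* ... */` block comments in src/device.c, so please rewrite them as one block comment (and "at later time" reads better as "at a later time"). On the logic side, the `if (dev->attrib || dev->att) attio_cleanup(dev);` branch silently papers over a path the commit message itself says is not understood (duplicate MGMT_EV_DEVICE_CONNECTED after a "Command Disallowed" reply); emitting a DBG() line when this branch fires would leave a trace for diagnosing the root cause in the kernel's event handling, and the commit message should state whether attio_cleanup() also drops the old att's disconnect callback so the reader can see why the stale `att` can no longer reach the freed `dev`.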