2024-04-15 14:54:54

by Luiz Augusto von Dentz

Subject: [PATCH BlueZ v1] shared/uhid: Fix crash if bt_uhid_destroy free replay structure

From: Luiz Augusto von Dentz <[email protected]>

If the replay structure has been allocated, it shall be set back to NULL
after calling uhid_replay_free, otherwise it may cause the following
crash:

Invalid read of size 1
at 0x1D8FC4: bt_uhid_record (uhid.c:116)
by 0x1D912C: uhid_read_handler (uhid.c:158)
by 0x201A64: watch_callback (io-glib.c:157)
by 0x48D4198: g_main_dispatch.lto_priv.0 (gmain.c:3344)
by 0x49333BE: UnknownInlinedFun (gmain.c:4152)
by 0x49333BE: g_main_context_iterate_unlocked.isra.0 (gmain.c:4217)
by 0x48D4DC6: g_main_loop_run (gmain.c:4419)
by 0x2020F4: mainloop_run (mainloop-glib.c:66)
by 0x20254B: mainloop_run_with_signal (mainloop-notify.c:188)
by 0x12D6D4: main (main.c:1456)
Address 0x53ae9c0 is 0 bytes inside a block of size 40 free'd
at 0x48468CF: free (vg_replace_malloc.c:985)
by 0x1D8E19: uhid_replay_free (uhid.c:68)
by 0x1D8E19: uhid_replay_free (uhid.c:59)
by 0x1D8E19: bt_uhid_destroy (uhid.c:509)
by 0x1591F5: uhid_disconnect (device.c:183)

Fixes: https://github.com/bluez/bluez/issues/815
---
src/shared/uhid.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/src/shared/uhid.c b/src/shared/uhid.c
index c1092b70781b..1f071b958974 100644
--- a/src/shared/uhid.c
+++ b/src/shared/uhid.c
@@ -507,6 +507,7 @@ int bt_uhid_destroy(struct bt_uhid *uhid)

uhid->created = false;
uhid_replay_free(uhid->replay);
+ uhid->replay = NULL;

return err;
}
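Review bot: clearing uhid->replay after uhid_replay_free removes the dangling pointer, but the backtrace shows uhid_read_handler still reaching bt_uhid_record (uhid.c:116) after bt_uhid_destroy has run, so this fix only holds if bt_uhid_record checks uhid->replay for NULL before dereferencing it; worth confirming that check is present. Since uhid_replay_free is also called from itself (uhid.c:59 and uhid.c:68 in the trace), consider having it take the address of the owner's pointer and clear it in the same step, so every call site is covered rather than relying on each caller to add `uhid->replay = NULL;`.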
--
2.44.0
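The defect described in the commit message is a classic free-without-clear: the owner keeps a pointer to a block that has already been released, and a later callback dereferences it. The following is an added example, not BlueZ code, that shows the hardened shape of that pattern on a hypothetical stand-in for the uhid replay state. The names `struct replay`, `struct device`, `replay_free`, `device_record`, `device_destroy` and the 64-byte capacity are all invented for this example; the only thing carried over from the patch is the idea that the free routine must leave the owner's pointer NULL and that the consumer must fail closed when it is.

```c
/* Added example (not BlueZ's own code): free-and-clear plus a NULL-safe
 * consumer, modelled loosely on the bt_uhid_destroy / bt_uhid_record pair. */
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical recording buffer; fields and sizes are constructed here. */
struct replay {
	uint8_t *data;
	size_t len;
	size_t cap;
};

/* Hypothetical owner, standing in for struct bt_uhid. */
struct device {
	bool created;
	struct replay *replay;
};

static struct replay *replay_new(size_t cap)
{
	struct replay *r = calloc(1, sizeof(*r));

	if (!r)
		return NULL;

	r->data = malloc(cap);
	if (!r->data) {
		free(r);
		return NULL;
	}

	r->cap = cap;
	return r;
}

/* Takes the address of the owner's pointer so the caller's copy is cleared
 * in the same step as the free. A dangling pointer can then never be left
 * behind by a call site that forgets the explicit "= NULL". */
static void replay_free(struct replay **rp)
{
	if (!rp || !*rp)
		return;

	free((*rp)->data);
	free(*rp);
	*rp = NULL;
}

/* Mirrors the role of bt_uhid_record: the read handler hands it incoming
 * bytes. With the NULL check it fails closed instead of reading freed
 * memory. Returns 0 on success, -1 if no replay is live or it is full. */
int device_record(struct device *dev, const uint8_t *buf, size_t len)
{
	if (!dev || !dev->replay)
		return -1;

	if (dev->replay->len + len > dev->replay->cap)
		return -1;

	memcpy(dev->replay->data + dev->replay->len, buf, len);
	dev->replay->len += len;
	return 0;
}

int device_create(struct device *dev)
{
	dev->replay = replay_new(64);
	if (!dev->replay)
		return -1;

	dev->created = true;
	return 0;
}

int device_destroy(struct device *dev)
{
	dev->created = false;
	replay_free(&dev->replay);	/* dev->replay is NULL afterwards */
	return 0;
}

/* Scenario from the bug report: the read handler fires once more after
 * destroy. Returns what that late record call returns, -1 here, where an
 * owner still holding the freed pointer would have read freed memory. */
int late_read_after_destroy(void)
{
	struct device dev = { 0 };
	static const uint8_t constructed_report[] = { 0x01, 0x02, 0x03 };

	if (device_create(&dev))
		return -99;

	if (device_record(&dev, constructed_report, sizeof(constructed_report)))
		return -98;

	device_destroy(&dev);
	return device_record(&dev, constructed_report, sizeof(constructed_report));
}

/* Returns 1 when destroy leaves the owner's pointer cleared. */
int replay_is_cleared_after_destroy(void)
{
	struct device dev = { 0 };

	if (device_create(&dev))
		return 0;

	device_destroy(&dev);
	return dev.replay == NULL;
}
```

Building this with `-fsanitize=address` and dropping the `*rp = NULL;` line from `replay_free` reproduces the "read inside a freed block" report in miniature, which is a convenient way to confirm that a project's sanitizer or Valgrind CI run would have caught the original before it shipped.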



2024-04-15 16:43:05

by bluez.test.bot

Subject: RE: [BlueZ,v1] shared/uhid: Fix crash if bt_uhid_destroy free replay structure

This is an automated email; please do not reply to it.

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=844685

---Test result---

Test Summary:
CheckPatch PASS 0.25 seconds
GitLint PASS 0.20 seconds
BuildEll PASS 25.20 seconds
BluezMake PASS 1763.91 seconds
MakeCheck PASS 12.94 seconds
MakeDistcheck PASS 181.38 seconds
CheckValgrind PASS 250.57 seconds
CheckSmatch PASS 357.15 seconds
bluezmakeextell PASS 121.63 seconds
IncrementalBuild PASS 1502.12 seconds
ScanBuild PASS 1039.94 seconds



---
Regards,
Linux Bluetooth

2024-04-15 19:58:38

by patchwork-bot+bluetooth

Subject: Re: [PATCH BlueZ v1] shared/uhid: Fix crash if bt_uhid_destroy free replay structure

Hello:

This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <[email protected]>:

On Mon, 15 Apr 2024 10:54:44 -0400 you wrote:
> From: Luiz Augusto von Dentz <[email protected]>
>
> If the replay structure has been allocated, it shall be set back to NULL
> after calling uhid_replay_free, otherwise it may cause the following
> crash:
>
> Invalid read of size 1
> at 0x1D8FC4: bt_uhid_record (uhid.c:116)
> by 0x1D912C: uhid_read_handler (uhid.c:158)
> by 0x201A64: watch_callback (io-glib.c:157)
> by 0x48D4198: g_main_dispatch.lto_priv.0 (gmain.c:3344)
> by 0x49333BE: UnknownInlinedFun (gmain.c:4152)
> by 0x49333BE: g_main_context_iterate_unlocked.isra.0 (gmain.c:4217)
> by 0x48D4DC6: g_main_loop_run (gmain.c:4419)
> by 0x2020F4: mainloop_run (mainloop-glib.c:66)
> by 0x20254B: mainloop_run_with_signal (mainloop-notify.c:188)
> by 0x12D6D4: main (main.c:1456)
> Address 0x53ae9c0 is 0 bytes inside a block of size 40 free'd
> at 0x48468CF: free (vg_replace_malloc.c:985)
> by 0x1D8E19: uhid_replay_free (uhid.c:68)
> by 0x1D8E19: uhid_replay_free (uhid.c:59)
> by 0x1D8E19: bt_uhid_destroy (uhid.c:509)
> by 0x1591F5: uhid_disconnect (device.c:183)
>
> [...]

Here is the summary with links:
- [BlueZ,v1] shared/uhid: Fix crash if bt_uhid_destroy free replay structure
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=b94f1be656f3

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html