Message ID | 20240415145444.857497-1-luiz.dentz@gmail.com (mailing list archive) |
---|---|
State | Accepted |
Commit | b94f1be656f34ea1363f5566ef63b847234c6dea |
Headers | show |
Series | [BlueZ,v1] shared/uhid: Fix crash if bt_uhid_destroy free replay structure | expand |
Context | Check | Description |
---|---|---|
tedd_an/pre-ci_am | success | Success |
tedd_an/CheckPatch | success | CheckPatch PASS |
tedd_an/GitLint | success | Gitlint PASS |
tedd_an/BuildEll | success | Build ELL PASS |
tedd_an/BluezMake | success | Bluez Make PASS |
tedd_an/MakeCheck | success | Bluez Make Check PASS |
tedd_an/MakeDistcheck | success | Make Distcheck PASS |
tedd_an/CheckValgrind | success | Check Valgrind PASS |
tedd_an/CheckSmatch | success | CheckSparse PASS |
tedd_an/bluezmakeextell | success | Make External ELL PASS |
tedd_an/IncrementalBuild | success | Incremental Build PASS |
tedd_an/ScanBuild | success | Scan Build PASS |
This is an automated email, please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results with your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=844685

---Test result---

Test Summary:
CheckPatch         PASS      0.25 seconds
GitLint            PASS      0.20 seconds
BuildEll           PASS      25.20 seconds
BluezMake          PASS      1763.91 seconds
MakeCheck          PASS      12.94 seconds
MakeDistcheck      PASS      181.38 seconds
CheckValgrind      PASS      250.57 seconds
CheckSmatch        PASS      357.15 seconds
bluezmakeextell    PASS      121.63 seconds
IncrementalBuild   PASS      1502.12 seconds
ScanBuild          PASS      1039.94 seconds

---
Regards,
Linux Bluetooth
Hello:

This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Mon, 15 Apr 2024 10:54:44 -0400 you wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>
> If replay structure has been allocated it shall be set back to NULL
> after calling uhid_replay_free otherwise it may cause the following
> crash:
>
> Invalid read of size 1
>    at 0x1D8FC4: bt_uhid_record (uhid.c:116)
>    by 0x1D912C: uhid_read_handler (uhid.c:158)
>    by 0x201A64: watch_callback (io-glib.c:157)
>    by 0x48D4198: g_main_dispatch.lto_priv.0 (gmain.c:3344)
>    by 0x49333BE: UnknownInlinedFun (gmain.c:4152)
>    by 0x49333BE: g_main_context_iterate_unlocked.isra.0 (gmain.c:4217)
>    by 0x48D4DC6: g_main_loop_run (gmain.c:4419)
>    by 0x2020F4: mainloop_run (mainloop-glib.c:66)
>    by 0x20254B: mainloop_run_with_signal (mainloop-notify.c:188)
>    by 0x12D6D4: main (main.c:1456)
>  Address 0x53ae9c0 is 0 bytes inside a block of size 40 free'd
>    at 0x48468CF: free (vg_replace_malloc.c:985)
>    by 0x1D8E19: uhid_replay_free (uhid.c:68)
>    by 0x1D8E19: uhid_replay_free (uhid.c:59)
>    by 0x1D8E19: bt_uhid_destroy (uhid.c:509)
>    by 0x1591F5: uhid_disconnect (device.c:183)
>
> [...]

Here is the summary with links:
  - [BlueZ,v1] shared/uhid: Fix crash if bt_uhid_destroy free replay structure
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=b94f1be656f3

You are awesome, thank you!
diff --git a/src/shared/uhid.c b/src/shared/uhid.c index c1092b70781b..1f071b958974 100644 --- a/src/shared/uhid.c +++ b/src/shared/uhid.c @@ -507,6 +507,7 @@ int bt_uhid_destroy(struct bt_uhid *uhid) uhid->created = false; uhid_replay_free(uhid->replay); + uhid->replay = NULL; return err; }
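Review bot: Clearing uhid->replay after uhid_replay_free() removes the dangling pointer, but the valgrind trace shows bt_uhid_record (uhid.c:116) still being reached through uhid_read_handler after bt_uhid_destroy() has already run, so the record path has to tolerate uhid->replay == NULL; if bt_uhid_record() does not already check that (it is not visible in this hunk), the patch only turns the invalid read into a NULL dereference, and either a `if (!uhid->replay) return;` guard there or gating on `uhid->created`, which this function sets to false two lines above, would close that path. It would also be more robust to have uhid_replay_free() take the address of the field and clear it itself, so no future caller can free the replay and forget the NULL assignment again.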
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

If replay structure has been allocated it shall be set back to NULL
after calling uhid_replay_free otherwise it may cause the following
crash:

Invalid read of size 1
   at 0x1D8FC4: bt_uhid_record (uhid.c:116)
   by 0x1D912C: uhid_read_handler (uhid.c:158)
   by 0x201A64: watch_callback (io-glib.c:157)
   by 0x48D4198: g_main_dispatch.lto_priv.0 (gmain.c:3344)
   by 0x49333BE: UnknownInlinedFun (gmain.c:4152)
   by 0x49333BE: g_main_context_iterate_unlocked.isra.0 (gmain.c:4217)
   by 0x48D4DC6: g_main_loop_run (gmain.c:4419)
   by 0x2020F4: mainloop_run (mainloop-glib.c:66)
   by 0x20254B: mainloop_run_with_signal (mainloop-notify.c:188)
   by 0x12D6D4: main (main.c:1456)
 Address 0x53ae9c0 is 0 bytes inside a block of size 40 free'd
   at 0x48468CF: free (vg_replace_malloc.c:985)
   by 0x1D8E19: uhid_replay_free (uhid.c:68)
   by 0x1D8E19: uhid_replay_free (uhid.c:59)
   by 0x1D8E19: bt_uhid_destroy (uhid.c:509)
   by 0x1591F5: uhid_disconnect (device.c:183)

Fixes: https://github.com/bluez/bluez/issues/815
---
 src/shared/uhid.c | 1 +
 1 file changed, 1 insertion(+)
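The bug class behind this patch is a free helper that takes the pointer by value and therefore cannot clear the owner's field, leaving a stale address for a later event handler to dereference. The following is an added example written for this page, not BlueZ code: the `struct replay`, `struct uhid`, `uhid_record()` and the two destroy variants are hypothetical stand-ins for the types and functions in src/shared/uhid.c, and the event bytes are constructed. It contrasts the by-value free (field left dangling) with a free-and-clear helper that takes the field's address, and shows the NULL check in the consumer that makes the cleared pointer a harmless no-op when the io watch fires one more time after destroy.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not BlueZ code. Layouts, names and the "record" logic
 * are assumptions standing in for src/shared/uhid.c. */

struct replay {
	uint8_t *data;		/* recorded event bytes */
	size_t len;
	size_t cap;
};

struct uhid {
	bool created;
	struct replay *replay;	/* NULL when no replay is active */
};

static struct replay *replay_new(size_t cap)
{
	struct replay *r = calloc(1, sizeof(*r));

	if (!r)
		return NULL;
	r->data = malloc(cap);
	if (!r->data) {
		free(r);
		return NULL;
	}
	r->cap = cap;
	return r;
}

/* Mirrors a by-value free helper: it frees the object but cannot reach
 * the caller's field, so that field keeps the freed address. */
static void replay_free(struct replay *r)
{
	if (!r)
		return;
	free(r->data);
	free(r);
}

/* Hardened variant: takes the owning field by address and clears it,
 * so the NULL assignment cannot be forgotten at any call site. */
static void replay_free_and_clear(struct replay **rp)
{
	if (!rp)
		return;
	replay_free(*rp);
	*rp = NULL;
}

/* Stand-in for the record path reached from the read handler. Returns
 * bytes stored, or -1 when there is no replay to record into. The NULL
 * check is what turns a cleared pointer into a no-op instead of a crash. */
static int uhid_record(struct uhid *u, const uint8_t *ev, size_t len)
{
	struct replay *r = u->replay;

	if (!r)
		return -1;
	if (r->len + len > r->cap)
		return -1;
	memcpy(r->data + r->len, ev, len);
	r->len += len;
	return (int)len;
}

/* Before the fix: the field still holds the freed address afterwards. */
static int uhid_destroy_dangling(struct uhid *u)
{
	u->created = false;
	replay_free(u->replay);
	return 0;
}

/* After the fix: equivalent of adding "uhid->replay = NULL". */
static int uhid_destroy_fixed(struct uhid *u)
{
	u->created = false;
	replay_free_and_clear(&u->replay);
	return 0;
}

/* Simulates the io watch firing once more after destroy, as in the
 * valgrind trace (read handler -> record). Returns -1 when the record
 * path safely saw a NULL replay, -3 when destroy left the pointer
 * dangling (observed by value only, never dereferenced), -2 on OOM. */
static int late_event_after_destroy(bool use_fixed)
{
	static const uint8_t ev[] = { 0x01, 0x02, 0x03 };	/* constructed */
	struct uhid u = { .created = true, .replay = replay_new(64) };

	if (!u.replay)
		return -2;
	uhid_record(&u, ev, sizeof(ev));	/* normal traffic while connected */

	if (use_fixed)
		uhid_destroy_fixed(&u);
	else
		uhid_destroy_dangling(&u);

	if (u.replay != NULL) {
		u.replay = NULL;	/* stale address: do not follow it */
		return -3;
	}
	return uhid_record(&u, ev, sizeof(ev));
}
```

Running `late_event_after_destroy(false)` reports the stale pointer left by the by-value free, while `late_event_after_destroy(true)` reaches the record path with a NULL replay and returns -1 instead of reading freed memory; the double-pointer helper is the shape that prevents the same omission at any other call site.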