[BlueZ] transport: fix crash when freeing transport

Commit Message

Pauli Virtanen June 17, 2024, 5:11 p.m. UTC

Fix UAF by freeing transport->remote_endpoint in media_transport_free,
which also frees the struct (not in destroy after the struct is freed).

ERROR: AddressSanitizer: heap-use-after-free
READ of size 8 at 0x508000022ab8 thread T0
    #0 0x493624 in media_transport_destroy profiles/audio/transport.c:223
...
freed by thread T0 here:
    #1 0x7fb057d10294 in g_free (/lib64/libglib-2.0.so.0+0x5d294)
    #2 0x49dd2d in media_transport_free profiles/audio/transport.c:1276
    #3 0x7e0e99 in remove_interface gdbus/object.c:682
    #4 0x7e8f40 in g_dbus_unregister_interface gdbus/object.c:1430
    #5 0x4935a2 in media_transport_destroy profiles/audio/transport.c:220
---
 profiles/audio/transport.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

Comments

bluez.test.bot@gmail.com June 17, 2024, 7 p.m. UTC | #1

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=862692

---Test result---

Test Summary:
CheckPatch                    PASS      0.47 seconds
GitLint                       PASS      0.36 seconds
BuildEll                      PASS      24.69 seconds
BluezMake                     PASS      1674.95 seconds
MakeCheck                     PASS      13.44 seconds
MakeDistcheck                 PASS      177.77 seconds
CheckValgrind                 PASS      250.71 seconds
CheckSmatch                   PASS      353.47 seconds
bluezmakeextell               PASS      119.23 seconds
IncrementalBuild              PASS      1393.84 seconds
ScanBuild                     PASS      1013.24 seconds



---
Regards,
Linux Bluetooth

patchwork-bot+bluetooth@kernel.org June 17, 2024, 7:10 p.m. UTC | #2

Hello:

This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Mon, 17 Jun 2024 20:11:53 +0300 you wrote:
> Fix UAF by freeing transport->remote_endpoint in media_transport_free,
> which also frees the struct (not in destroy after the struct is freed).
> 
> ERROR: AddressSanitizer: heap-use-after-free
> READ of size 8 at 0x508000022ab8 thread T0
>     #0 0x493624 in media_transport_destroy profiles/audio/transport.c:223
> ...
> freed by thread T0 here:
>     #1 0x7fb057d10294 in g_free (/lib64/libglib-2.0.so.0+0x5d294)
>     #2 0x49dd2d in media_transport_free profiles/audio/transport.c:1276
>     #3 0x7e0e99 in remove_interface gdbus/object.c:682
>     #4 0x7e8f40 in g_dbus_unregister_interface gdbus/object.c:1430
>     #5 0x4935a2 in media_transport_destroy profiles/audio/transport.c:220
> 
> [...]

Here is the summary with links:
  - [BlueZ] transport: fix crash when freeing transport
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=87ad4c66b934

You are awesome, thank you!

Patch

diff --git a/profiles/audio/transport.c b/profiles/audio/transport.c
index 0ce94bae3..922911cf3 100644
--- a/profiles/audio/transport.c
+++ b/profiles/audio/transport.c
@@ -220,9 +220,6 @@  void media_transport_destroy(struct media_transport *transport)
 	g_dbus_unregister_interface(btd_get_dbus_connection(), path,
 						MEDIA_TRANSPORT_INTERFACE);
 
-	if (transport->remote_endpoint)
-		g_free(transport->remote_endpoint);
-
 	g_free(path);
 }
 
@@ -1271,6 +1268,7 @@  static void media_transport_free(void *data)
 	if (transport->ops && transport->ops->destroy)
 		transport->ops->destroy(transport->data);
 
+	g_free(transport->remote_endpoint);
 	g_free(transport->configuration);
 	g_free(transport->path);
 	g_free(transport);