[BlueZ] device: Fix crash attempting to read Sets property

Message ID 20230313183121.162037-1-luiz.dentz@gmail.com (mailing list archive)
State Accepted
Commit 2762129212f1c4045c2ca3628cb49f42cb024689

Checks

Context Check Description
tedd_an/pre-ci_am success Success
tedd_an/CheckPatch success CheckPatch PASS
tedd_an/GitLint success Gitlint PASS
tedd_an/BuildEll success Build ELL PASS
tedd_an/BluezMake success Bluez Make PASS
tedd_an/MakeCheck success Bluez Make Check PASS
tedd_an/MakeDistcheck success Make Distcheck PASS
tedd_an/CheckValgrind success Check Valgrind PASS
tedd_an/CheckSmatch success CheckSparse PASS
tedd_an/bluezmakeextell success Make External ELL PASS
tedd_an/IncrementalBuild success Incremental Build PASS
tedd_an/ScanBuild success Scan Build PASS

Commit Message

Luiz Augusto von Dentz March 13, 2023, 6:31 p.m. UTC
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

The following set can be observed when a sirk exists but it is
encrypted, leading to info->set not being set:

Invalid read of size 8
   at 0x1ACDF0: append_set (device.c:1662)
   by 0x1FFEFFF7DF: ???
   by 0x1D4461: queue_foreach (queue.c:207)
   by 0x1AC8DE: dev_property_get_set (device.c:1700)
   by 0x1CF3E2: append_property (object.c:498)
   by 0x1CFA91: append_properties (object.c:527)
   by 0x1CFAFD: append_interface (object.c:542)
   by 0x48D7CEF: g_slist_foreach (gslist.c:887)
   by 0x1CF5A7: append_interfaces (object.c:1104)
   by 0x1CF5A7: append_object (object.c:1119)
   by 0x48D7CEF: g_slist_foreach (gslist.c:887)
   by 0x1CF5D0: append_object (object.c:1122)
   by 0x48D7CEF: g_slist_foreach (gslist.c:887)
 Address 0x8 is not stack'd, malloc'd or (recently) free'd
---
 src/device.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

Comments

bluez.test.bot@gmail.com March 13, 2023, 7:39 p.m. UTC | #1
This is an automated email; please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=729577

---Test result---

Test Summary:
CheckPatch                    PASS      0.54 seconds
GitLint                       PASS      0.36 seconds
BuildEll                      PASS      27.32 seconds
BluezMake                     PASS      871.82 seconds
MakeCheck                     PASS      11.35 seconds
MakeDistcheck                 PASS      152.15 seconds
CheckValgrind                 PASS      249.23 seconds
CheckSmatch                   PASS      337.61 seconds
bluezmakeextell               PASS      100.19 seconds
IncrementalBuild              PASS      724.58 seconds
ScanBuild                     PASS      1055.53 seconds



---
Regards,
Linux Bluetooth

patchwork-bot+bluetooth@kernel.org March 14, 2023, 7:40 p.m. UTC | #2
Hello:

This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Mon, 13 Mar 2023 11:31:21 -0700 you wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> 
> The following set can be observed when a sirk exists but it is
> encrypted, leading to info->set not being set:
> 
> Invalid read of size 8
>    at 0x1ACDF0: append_set (device.c:1662)
>    by 0x1FFEFFF7DF: ???
>    by 0x1D4461: queue_foreach (queue.c:207)
>    by 0x1AC8DE: dev_property_get_set (device.c:1700)
>    by 0x1CF3E2: append_property (object.c:498)
>    by 0x1CFA91: append_properties (object.c:527)
>    by 0x1CFAFD: append_interface (object.c:542)
>    by 0x48D7CEF: g_slist_foreach (gslist.c:887)
>    by 0x1CF5A7: append_interfaces (object.c:1104)
>    by 0x1CF5A7: append_object (object.c:1119)
>    by 0x48D7CEF: g_slist_foreach (gslist.c:887)
>    by 0x1CF5D0: append_object (object.c:1122)
>    by 0x48D7CEF: g_slist_foreach (gslist.c:887)
>  Address 0x8 is not stack'd, malloc'd or (recently) free'd
> 
> [...]

Here is the summary with links:
  - [BlueZ] device: Fix crash attempting to read Sets property
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=2762129212f1

You are awesome, thank you!
Patch

diff --git a/src/device.c b/src/device.c
index 77b38e97a7ea..f31f2a097e07 100644
--- a/src/device.c
+++ b/src/device.c
@@ -1659,10 +1659,15 @@  static gboolean dev_property_wake_allowed_exist(
 static void append_set(void *data, void *user_data)
 {
 	struct sirk_info *info = data;
-	const char *path = btd_set_get_path(info->set);
+	const char *path;
 	DBusMessageIter *iter = user_data;
 	DBusMessageIter entry, dict;
 
+	if (!info->set)
+		return;
+
+	path = btd_set_get_path(info->set);
+
 	dbus_message_iter_open_container(iter, DBUS_TYPE_DICT_ENTRY, NULL,
 								&entry);
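
Review bot: The new `if (!info->set)` check in append_set() has no comment saying when a sirk_info entry can carry a NULL set; the commit message gives the reason (a SIRK exists but is encrypted), and a one-line comment above the check would keep that reason next to the code. The early return also drops the entry from the Sets reply without any trace, so a debug log at that point would help when a set is unexpectedly missing from the property. Since the entry stays in the queue with info->set still NULL, it is worth checking whether other readers of info->set need the same guard, or whether btd_set_get_path() should tolerate a NULL argument itself.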