diff mbox series

[BlueZ,1/1] plugins/admin: Fix heap-use-after-free when using 2 controllers

Message ID 20230704055643.296260-2-vlad.pruteanu@nxp.com (mailing list archive)
State Accepted
Commit b741460688925448807c7532fe96182e4d32ec42
Series plugins/admin: Fix heap-use-after-free when using 2 controllers

Checks

Context Check Description
tedd_an/pre-ci_am success Success
tedd_an/CheckPatch success CheckPatch PASS
tedd_an/GitLint success Gitlint PASS
tedd_an/BuildEll success Build ELL PASS
tedd_an/BluezMake success Bluez Make PASS
tedd_an/MakeCheck success Bluez Make Check PASS
tedd_an/MakeDistcheck success Make Distcheck PASS
tedd_an/CheckValgrind success Check Valgrind PASS
tedd_an/CheckSmatch success CheckSparse PASS
tedd_an/bluezmakeextell success Make External ELL PASS
tedd_an/IncrementalBuild success Incremental Build PASS
tedd_an/ScanBuild success Scan Build PASS

Commit Message

Vlad Pruteanu July 4, 2023, 5:56 a.m. UTC
This commit fixes the heap-use-after-free error when connecting 2
controllers. When a controller is connected,
admin_policy_adapter_probe is called. If policy_data was already
allocated, it gets freed; if not, it only gets allocated. Eventually
add_interface is called. Here policy_data is put in the "data" variable
(specific for each controller) and the process_changes task is called
with idle priority. This function ultimately accesses policy_data from
the "data" variable.

When BlueZ crashes, the flow is:
1) first controller is attached
2) admin_policy_adapter_probe is called and policy_data is allocated
3) second controller is attached
4) admin_policy_adapter_probe is called and policy_data is freed, then
allocated again
5) process_changes runs and the policy_data for the first controller is
read, but it was already freed, thus the crash

---
 plugins/admin.c | 1 -
 1 file changed, 1 deletion(-)

Comments

bluez.test.bot@gmail.com July 4, 2023, 7:29 a.m. UTC | #1
This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=762216

---Test result---

Test Summary:
CheckPatch                    PASS      0.51 seconds
GitLint                       PASS      0.38 seconds
BuildEll                      PASS      32.78 seconds
BluezMake                     PASS      986.57 seconds
MakeCheck                     PASS      13.03 seconds
MakeDistcheck                 PASS      186.73 seconds
CheckValgrind                 PASS      306.82 seconds
CheckSmatch                   PASS      408.42 seconds
bluezmakeextell               PASS      125.13 seconds
IncrementalBuild              PASS      819.17 seconds
ScanBuild                     PASS      1253.01 seconds



---
Regards,
Linux Bluetooth

Patch

diff --git a/plugins/admin.c b/plugins/admin.c
index 68e9237d3..16b74cfbf 100644
--- a/plugins/admin.c
+++ b/plugins/admin.c
@@ -502,7 +502,6 @@  static int admin_policy_adapter_probe(struct btd_adapter *adapter)
 	if (policy_data) {
 		btd_warn(policy_data->adapter_id,
 						"Policy data already exists");
-		admin_policy_free(policy_data);
 		policy_data = NULL;
 	}
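Review bot: Dropping `admin_policy_free(policy_data);` while keeping `policy_data = NULL;` leaves the previous object unowned by this function, so the commit message (or a one-line comment next to `policy_data = NULL;`) should state where that object is now released. The commit message says the earlier controller's interface "data" still references it, which is why the free was the use-after-free, but a reader of this hunk alone will see a leak unless the remove path that frees it is named. Separately, `btd_warn(policy_data->adapter_id, "Policy data already exists")` now fires on every probe of a second controller in the normal multi-controller case, so it no longer describes an anomaly; consider downgrading it to a debug message or rewording it. The underlying issue, a single file-scope `policy_data` pointer used for per-adapter state, is still present after this change; a per-adapter allocation whose lifetime is tied to that adapter would remove the need for the special case entirely.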