
[BlueZ] avrcp: Fix crash on remote player changed

Message ID 20250124110331.1003810-1-frederic.danis@collabora.com (mailing list archive)
State Accepted
Commit fac78ca5dbbdfbb2e60e8daebc8e6b353fd6b00b
Series [BlueZ] avrcp: Fix crash on remote player changed

Checks

Context Check Description
tedd_an/pre-ci_am success Success
tedd_an/BuildEll success Build ELL PASS
tedd_an/BluezMake success Bluez Make PASS
tedd_an/MakeCheck success Bluez Make Check PASS
tedd_an/MakeDistcheck success Make Distcheck PASS
tedd_an/CheckValgrind success Check Valgrind PASS
tedd_an/CheckSmatch success CheckSparse PASS
tedd_an/bluezmakeextell success Make External ELL PASS
tedd_an/ScanBuild success Scan Build PASS

Commit Message

Frédéric Danis Jan. 24, 2025, 11:03 a.m. UTC
bluetoothd crashes when the remote player changes while bluetoothd
is waiting for the avrcp_list_items reply.

profiles/audio/player.c:1597:9: runtime error: member access within null pointer of type 'struct media_folder'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==825871==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x602bb0fffabc bp 0x000000000020 sp 0x7ffef88216d0 T0)
==825871==The signal is caused by a READ memory access.
==825871==Hint: address points to the zero page.
    #0 0x602bb0fffabc in media_folder_find_item profiles/audio/player.c:1597
    #1 0x602bb100cd3b in media_folder_create_item profiles/audio/player.c:1877
    #2 0x602bb100cd3b in media_player_create_item profiles/audio/player.c:1928
    #3 0x602bb107eae6 in parse_media_element profiles/audio/avrcp.c:2605
    #4 0x602bb107eae6 in avrcp_list_items_rsp profiles/audio/avrcp.c:2706
    #5 0x602bb106892f in browsing_response profiles/audio/avctp.c:987
    #6 0x602bb106892f in session_browsing_cb profiles/audio/avctp.c:1028
    #7 0x73de85b1448d  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5d48d) (BuildId: 461eff2b4df472ba9c32b2358ae9ba018a59a8c5)
    #8 0x73de85b73716  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xbc716) (BuildId: 461eff2b4df472ba9c32b2358ae9ba018a59a8c5)
    #9 0x73de85b14f76 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5df76) (BuildId: 461eff2b4df472ba9c32b2358ae9ba018a59a8c5)
    #10 0x602bb13a22a8 in mainloop_run src/shared/mainloop-glib.c:66
    #11 0x602bb13a2bb6 in mainloop_run_with_signal src/shared/mainloop-notify.c:189
    #12 0x602bb0fd0257 in main src/main.c:1544
    #13 0x73de84e2a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #14 0x73de84e2a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #15 0x602bb0fd3124 in _start (/home/fdanis/src/bluez/src/bluetoothd+0x5c8124) (BuildId: 367892bd0501d74713dd7341977abfac1b2c5d6a)

This can be reproduced using bluetoothctl and doing "player.list-items"
just before switching music player on the remote device.

This commit discards the item list parsing if the current player has
not created a pending_list_items, i.e. it did not start this request.
---
 profiles/audio/avrcp.c | 5 +++++
 1 file changed, 5 insertions(+)
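The race the commit message describes, as an added C model that is not BlueZ code: a pending list-items request is recorded in player->p, the remote player changes before the reply arrives, and the late reply is completed with -EINVAL instead of dereferencing request state that no longer exists. The struct layouts and the helper names (list_complete, list_items_request, stale_reply_scenario) are assumptions made for the example.

```c
#include <errno.h>
#include <stdlib.h>

/* Added example, not BlueZ code: a minimal model of the race this patch closes.
 * Structs and helpers are invented; player->p and -EINVAL follow the patch. */
struct media_folder { int item_count; };
struct pending_list_items { struct media_folder *folder; };
/* p is NULL when no request is pending; last_err records the completion. */
struct media_player { struct pending_list_items *p; int last_err; };

/* Stand-in for media_player_list_complete(): report and drop the request. */
static void list_complete(struct media_player *mp, int err)
{
	mp->last_err = err;
	free(mp->p);
	mp->p = NULL;
}

/* Start an asynchronous list-items request owned by this player. */
static void list_items_request(struct media_player *mp, struct media_folder *f)
{
	mp->p = calloc(1, sizeof(*mp->p));
	mp->p->folder = f;
}

/* Reply handler with the guard from the patch. Without the first check a
 * late reply dereferences the NULL mp->p, as in the ASan trace above. */
static int list_items_rsp(struct media_player *mp, int nitems)
{
	if (mp->p == NULL) {
		list_complete(mp, -EINVAL);
		return 0;
	}
	mp->p->folder->item_count += nitems;
	list_complete(mp, 0);
	return 1;
}

/* Request, then the remote switches player, then the stale reply lands. */
static int stale_reply_scenario(struct media_folder *f)
{
	struct media_player mp = { NULL, 0 };

	list_items_request(&mp, f);
	free(mp.p);			/* player changed: request dropped */
	mp.p = NULL;
	list_items_rsp(&mp, 3);		/* must leave *f untouched */
	return mp.last_err;		/* -EINVAL */
}
```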

Comments

bluez.test.bot@gmail.com Jan. 24, 2025, 12:07 p.m. UTC | #1
This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=928111

---Test result---

Test Summary:
CheckPatch                    PENDING   0.25 seconds
GitLint                       PENDING   0.36 seconds
BuildEll                      PASS      20.56 seconds
BluezMake                     PASS      1541.31 seconds
MakeCheck                     PASS      12.69 seconds
MakeDistcheck                 PASS      159.28 seconds
CheckValgrind                 PASS      213.87 seconds
CheckSmatch                   PASS      269.47 seconds
bluezmakeextell               PASS      98.06 seconds
IncrementalBuild              PENDING   0.41 seconds
ScanBuild                     PASS      859.68 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:

---
Regards,
Linux Bluetooth

patchwork-bot+bluetooth@kernel.org Jan. 27, 2025, 3:10 p.m. UTC | #2
Hello:

This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Fri, 24 Jan 2025 12:03:31 +0100 you wrote:
> bluetoothd crashes when the remote player changes while bluetoothd
> is waiting for avrcp_list_items reply.
> 
> [...]

Here is the summary with links:
  - [BlueZ] avrcp: Fix crash on remote player changed
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=fac78ca5dbbd

You are awesome, thank you!

Patch

diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
index 9fe8f55e5..6378b7a6e 100644
--- a/profiles/audio/avrcp.c
+++ b/profiles/audio/avrcp.c
@@ -2661,6 +2661,11 @@  static gboolean avrcp_list_items_rsp(struct avctp *conn, uint8_t *operands,
 	size_t i;
 	int err = 0;
 
+	if (player->p == NULL) {
+		media_player_list_complete(player->user_data, NULL, -EINVAL);
+		return FALSE;
+	}
+
 	if (pdu == NULL) {
 		err = -ETIMEDOUT;
 		goto done;
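Review bot: the new `player->p == NULL` branch calls media_player_list_complete() and returns FALSE directly, while the existing `pdu == NULL` path right below it reports its error through `goto done`; if the `done:` label does any cleanup beyond completing the list (the hunk does not show it), the early return skips that cleanup. Consider routing the new case through the same path (`err = -EINVAL; goto done;`) if `done` copes with a NULL `player->p`, or add a one-line comment above the check saying that `p` is NULL because the remote player changed while the request was outstanding, so the reason for the -EINVAL completion is visible in the code rather than only in the commit message.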