Accepting request 1222453 from Base:System

OBS-URL: https://build.opensuse.org/request/show/1222453
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bluez?expand=0&rev=209
This commit is contained in:
Ana Guerrero 2024-11-08 10:55:46 +00:00 committed by Git OBS Bridge
commit ef8133416a
5 changed files with 17 additions and 127 deletions

View File

@ -1,121 +0,0 @@
From 9a6a84a8a2b9336c2cdb943146207cb8a5a5260c Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Mon, 16 Sep 2024 16:00:31 -0400
Subject: [PATCH] shared/uhid: Fix crash after bt_uhid_unregister_all
This fixes the following crash which happens when
bt_uhid_unregister_all is called from a notification callback:
Invalid read of size 8
at 0x1D9EFF: queue_foreach (queue.c:206)
by 0x1DEE58: uhid_read_handler (uhid.c:164)
Address 0x51286d8 is 8 bytes inside a block of size 16 free'd
at 0x48478EF: free (vg_replace_malloc.c:989)
by 0x1DA08D: queue_remove_if (queue.c:292)
by 0x1DA12F: queue_remove_all (queue.c:321)
by 0x1DE592: bt_uhid_unregister_all (uhid.c:300)
Fixes: https://github.com/bluez/bluez/issues/952
---
src/shared/uhid.c | 47 ++++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 44 insertions(+), 3 deletions(-)
diff --git a/src/shared/uhid.c b/src/shared/uhid.c
index ed21e1399..20bd26781 100644
--- a/src/shared/uhid.c
+++ b/src/shared/uhid.c
@@ -42,6 +42,7 @@ struct bt_uhid {
int ref_count;
struct io *io;
unsigned int notify_id;
+ bool notifying;
struct queue *notify_list;
struct queue *input;
uint8_t type;
@@ -56,6 +57,7 @@ struct uhid_notify {
uint32_t event;
bt_uhid_callback_t func;
void *user_data;
+ bool removed;
};
static void uhid_replay_free(struct uhid_replay *replay)
@@ -134,6 +136,28 @@ static int bt_uhid_record(struct bt_uhid *uhid, bool input,
return 0;
}
+static bool match_removed(const void *a, const void *b)
+{
+ const struct uhid_notify *notify = a;
+
+ return notify->removed;
+}
+
+static void uhid_notify(struct bt_uhid *uhid, struct uhid_event *ev)
+{
+ /* Add a reference to the uhid to ensure it doesn't get freed while at
+ * notify_handler.
+ */
+ bt_uhid_ref(uhid);
+
+ uhid->notifying = true;
+ queue_foreach(uhid->notify_list, notify_handler, ev);
+ uhid->notifying = false;
+ queue_remove_all(uhid->notify_list, match_removed, NULL, free);
+
+ bt_uhid_unref(uhid);
+}
+
static bool uhid_read_handler(struct io *io, void *user_data)
{
struct bt_uhid *uhid = user_data;
@@ -161,7 +185,7 @@ static bool uhid_read_handler(struct io *io, void *user_data)
break;
}
- queue_foreach(uhid->notify_list, notify_handler, &ev);
+ uhid_notify(uhid, &ev);
return true;
}
@@ -292,13 +316,30 @@ static bool match_not_id(const void *a, const void *b)
return notify->id != id;
}
+static void uhid_notify_removed(void *data, void *user_data)
+{
+ struct uhid_notify *notify = data;
+ struct bt_uhid *uhid = user_data;
+
+ /* Skip marking start_id as removed since that is not removed with
+ * unregister all.
+ */
+ if (notify->id == uhid->start_id)
+ return;
+
+ notify->removed = true;
+}
+
bool bt_uhid_unregister_all(struct bt_uhid *uhid)
{
if (!uhid)
return false;
- queue_remove_all(uhid->notify_list, match_not_id,
+ if (!uhid->notifying)
+ queue_remove_all(uhid->notify_list, match_not_id,
UINT_TO_PTR(uhid->start_id), free);
+ else
+ queue_foreach(uhid->notify_list, uhid_notify_removed, uhid);
return true;
}
@@ -588,7 +629,7 @@ int bt_uhid_replay(struct bt_uhid *uhid)
return 0;
}
- queue_foreach(uhid->notify_list, notify_handler, ev);
+ uhid_notify(uhid, ev);
return 0;
}

BIN
bluez-5.78.tar.xz (Stored with Git LFS)

Binary file not shown.

3
bluez-5.79.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:4164a5303a9f71c70f48c03ff60be34231b568d93a9ad5e79928d34e6aa0ea8a
size 2457612

View File

@ -1,3 +1,14 @@
-------------------------------------------------------------------
Wed Nov 6 08:16:30 UTC 2024 - Frederic Crozat <fcrozat@suse.com>
- Update to 5.79:
* Fix issue with handling address type while pairing.
* Add support for allowing to set A2DP transport delay.
* Add support for persistent userspace HID operation.
* Add support for handling syncing to multiple BISes.
- Drop Fix-crash-after-bt_uhid_unregister_all.patch, merged
upstream.
-------------------------------------------------------------------
Wed Sep 18 08:35:40 UTC 2024 - pallas wept <pallaswept@proton.me>

View File

@ -35,7 +35,7 @@
%endif
Name: bluez
Version: 5.78
Version: 5.79
Release: 0
Summary: Bluetooth Stack for Linux
License: GPL-2.0-or-later
@ -62,8 +62,6 @@ Patch14: hcidump-Add-assoc-dump-function-assoc-date-length-ch.patch
Patch15: hcidump-Fix-memory-leak-with-malformed-packet.patch
# bsc#1013712 CVE-2016-9798
Patch16: hcidump-Fixed-malformed-segment-frame-length.patch
# Fix crash when devices disconnect or go to sleep. Upstream issue 952
Patch17: Fix-crash-after-bt_uhid_unregister_all.patch
# Upstream suggests to use btmon instead of hcidump and does not want those patches
# => PATCH-FIX-OPENSUSE for those two :-)
# fix some memory leak with malformed packet (reported upstream but not yet fixed)
@ -427,6 +425,7 @@ done
%{_mandir}/man1/bluetoothctl-assistant.1%{?ext_man}
%{_mandir}/man1/btmgmt.1%{?ext_man}
%{_mandir}/man5/org.bluez.*.5%{?ext_man}
%{_mandir}/man7/hci.7%{?ext_man}
%{_datadir}/dbus-1/system.d/bluetooth.conf
# not packaged, boo#1151518
###%%{_datadir}/dbus-1/system.d/bluetooth-mesh.conf
@ -437,6 +436,7 @@ done
%if %{with mesh}
%{_unitdir}/bluetooth-mesh.service
%endif
%{_userunitdir}/mpris-proxy.service
%{_datadir}/dbus-1/system-services/org.bluez.service
# not packaged, boo#1151518
###%%{_datadir}/dbus-1/system-services/org.bluez.mesh.service