[bluez/bluez] 476ae8: gatt-client: avoid UAF after acquire notify failure

  Branch: refs/heads/master
  Home:   https://github.com/bluez/bluez
  Commit: 476ae809a27ef2a3e3cf4f448ea3e50dbaca41f3
      https://github.com/bluez/bluez/commit/476ae809a27ef2a3e3cf4f448ea3e50dbaca41f3
  Author: Andreas Kemnade <andreas@xxxxxxxxxxxx>
  Date:   2025-07-01 (Tue, 01 Jul 2025)

  Changed paths:
    M src/gatt-client.c

  Log Message:
  -----------
  gatt-client: avoid UAF after acquire notify failure

If a disconnect happens during AcquireNotify dbus calls, a lot of
debris is left over. Subsequent calls to AcquireNotify will return
NotPermitted and StopNotify leads to a UAF, crashing bluetoothd.

Fix that by also cleaning up the socket stuff on failure.

This was provoked by putting the device into some RF shielding bag
and opening and closing it quickly.

Valgrind output:

bluetoothd[26032]: [:1.126:method_call] > org.bluez.GattCharacteristic1.AcquireNotify [#145]
bluetoothd[26032]: [:1.126:error] < org.bluez.Error.NotPermitted [#145]
bluetoothd[26032]: [:1.74:method_call] > org.freedesktop.DBus.Properties.GetAll [#895]
bluetoothd[26032]: [:1.74:method_return] < [#895]
bluetoothd[26032]: [:1.74:method_call] > org.bluez.GattCharacteristic1.StopNotify [#896]
==26032== Invalid read of size 8
==26032==    at 0x1A5721: notify_io_destroy (gatt-client.c:1562)
==26032==    by 0x1A7290: sock_io_destroy (gatt-client.c:1171)
==26032==    by 0x1A7290: destroy_sock (gatt-client.c:1192)
==26032==    by 0x1A73D6: characteristic_stop_notify (gatt-client.c:1698)
==26032==    by 0x1CF478: process_message (object.c:293)
==26032==    by 0x49CB71B: ??? (in /usr/lib/x86_64-linux-gnu/libdbus-1.so.3.32.4)
==26032==    by 0x49BB62A: dbus_connection_dispatch (in /usr/lib/x86_64-linux-gnu/libdbus-1.so.3.32.4)
==26032==    by 0x1CBCEF: message_dispatch (mainloop.c:59)
==26032==    by 0x48BF61E: g_main_context_dispatch (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.6)
==26032==    by 0x48BF9D7: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.6)
==26032==    by 0x48BFC8E: g_main_loop_run (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.6)
==26032==    by 0x202114: mainloop_run (mainloop-glib.c:65)
==26032==    by 0x202501: mainloop_run_with_signal (mainloop-notify.c:196)
==26032==  Address 0x5a7a430 is 0 bytes inside a block of size 32 free'd
==26032==    at 0x484417B: free (vg_replace_malloc.c:872)
==26032==    by 0x1DEC0F: complete_notify_request (gatt-client.c:1663)
==26032==    by 0x1DEC0F: enable_ccc_callback (gatt-client.c:1735)
==26032==    by 0x1DB8FF: disc_att_send_op (att.c:464)
==26032==    by 0x1DB8FF: disconnect_cb (att.c:676)
==26032==    by 0x2017A4: watch_callback (io-glib.c:173)
==26032==    by 0x48BF61E: g_main_context_dispatch (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.6)
==26032==    by 0x48BF9D7: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.6)
==26032==    by 0x48BFC8E: g_main_loop_run (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.6)
==26032==    by 0x202114: mainloop_run (mainloop-glib.c:65)
==26032==    by 0x202501: mainloop_run_with_signal (mainloop-notify.c:196)
==26032==    by 0x12E60C: main (main.c:1535)
==26032==  Block was alloc'd at
==26032==    at 0x48417B4: malloc (vg_replace_malloc.c:381)
==26032==    by 0x1D2F4D: util_malloc (util.c:46)
==26032==    by 0x1A5DD3: notify_client_create (gatt-client.c:1426)
==26032==    by 0x1A5EFC: characteristic_acquire_notify (gatt-client.c:1588)
==26032==    by 0x1CF478: process_message (object.c:293)
==26032==    by 0x49CB71B: ??? (in /usr/lib/x86_64-linux-gnu/libdbus-1.so.3.32.4)
==26032==    by 0x49BB62A: dbus_connection_dispatch (in /usr/lib/x86_64-linux-gnu/libdbus-1.so.3.32.4)
==26032==    by 0x1CBCEF: message_dispatch (mainloop.c:59)
==26032==    by 0x48BF61E: g_main_context_dispatch (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.6)
==26032==    by 0x48BF9D7: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7400.6)
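
The lifecycle the commit message describes, as an added example: a hypothetical C model written for this page, not bluez's gatt-client.c. The struct layouts, the `freed` flag and the `fixed` switch are assumptions; the function names follow the frames in the Valgrind trace above.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Hypothetical model of the bug, not bluez code: AcquireNotify creates a
 * notify client plus a socket io pointing back at it, and the CCC write
 * completes later. "Freeing" only sets a flag so a use stays observable. */
struct notify_client { bool freed; };
struct sock_io { struct notify_client *client; };	/* dangles in the bug */
struct characteristic { struct sock_io *notify_io; };	/* set by AcquireNotify */
static int notify_io_destroy(struct notify_client *client)
{
	return client->freed ? -1 : 0;	/* the read valgrind flagged */
}
static int sock_io_destroy(struct sock_io *io)
{
	int rc = notify_io_destroy(io->client);
	free(io);
	return rc;
}
static void characteristic_acquire_notify(struct characteristic *chrc)
{
	chrc->notify_io = calloc(1, sizeof(*chrc->notify_io));
	chrc->notify_io->client = calloc(1, sizeof(struct notify_client));
}
/* CCC enable callback reached from disconnect_cb, i.e. the request failed.
 * Bug: free the client but leave notify_io pointing at it. Fix: tear the
 * socket down first, the "also clean up the socket stuff" of the commit. */
static void complete_notify_request(struct characteristic *chrc, bool fixed)
{
	struct notify_client *client = chrc->notify_io->client;
	if (fixed) {
		sock_io_destroy(chrc->notify_io);
		chrc->notify_io = NULL;
	}
	client->freed = true;	/* free(client) in the real code; quarantined here */
}
/* StopNotify: -1 means it dereferenced a freed client, 0 means clean. */
static int characteristic_stop_notify(struct characteristic *chrc)
{
	int rc = chrc->notify_io ? sock_io_destroy(chrc->notify_io) : 0;
	chrc->notify_io = NULL;
	return rc;
}
/* Disconnect while AcquireNotify is pending, then StopNotify from D-Bus. */
static int run_scenario(bool fixed)
{
	struct characteristic chrc = { 0 };
	characteristic_acquire_notify(&chrc);
	complete_notify_request(&chrc, fixed);
	return characteristic_stop_notify(&chrc);
}
```

The quarantined client is never released on purpose, so the buggy path reports the stale read instead of triggering undefined behaviour; a real build would rely on Valgrind or ASan for the same signal.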


  Commit: 0ff45df8546775bb920a98a2b0ecd76b84ebc20a
      https://github.com/bluez/bluez/commit/0ff45df8546775bb920a98a2b0ecd76b84ebc20a
  Author: Bastien Nocera <hadess@xxxxxxxxxx>
  Date:   2025-07-01 (Tue, 01 Jul 2025)

  Changed paths:
    M src/device.c
    M src/error.c
    M src/error.h

  Log Message:
  -----------
  error: Rename device error helper to match retval

Rename the helper to show that it outputs a string, and not an error
DbusMessage as the other functions do.


  Commit: 33226a0ad9030a0b67b7fe5f49ef40000deae861
      https://github.com/bluez/bluez/commit/33226a0ad9030a0b67b7fe5f49ef40000deae861
  Author: Bastien Nocera <hadess@xxxxxxxxxx>
  Date:   2025-07-01 (Tue, 01 Jul 2025)

  Changed paths:
    M src/error.c
    M src/error.h

  Log Message:
  -----------
  error: Add helper to return DbusMessage errors from errno

This will allow us to start adding more precise errors instead of
"Failed" with a string if we're parsing an errno.


  Commit: 74f3733e707b1463f21b720984e7421e8f8f008e
      https://github.com/bluez/bluez/commit/74f3733e707b1463f21b720984e7421e8f8f008e
  Author: Bastien Nocera <hadess@xxxxxxxxxx>
  Date:   2025-07-01 (Tue, 01 Jul 2025)

  Changed paths:
    M src/device.c

  Log Message:
  -----------
  device: Use new DbusMessage error helper


  Commit: 2d7f67d8b94de6293886af49a369dffb1d3f4d12
      https://github.com/bluez/bluez/commit/2d7f67d8b94de6293886af49a369dffb1d3f4d12
  Author: Bastien Nocera <hadess@xxxxxxxxxx>
  Date:   2025-07-01 (Tue, 01 Jul 2025)

  Changed paths:
    M src/error.c
    M src/error.h

  Log Message:
  -----------
  error: Make errno to string helpers private

We're not using them outside the error code itself.


  Commit: 55a6763cde8a2309fd23a96479ee4cf2fc23a442
      https://github.com/bluez/bluez/commit/55a6763cde8a2309fd23a96479ee4cf2fc23a442
  Author: Bastien Nocera <hadess@xxxxxxxxxx>
  Date:   2025-07-01 (Tue, 01 Jul 2025)

  Changed paths:
    M src/error.c
    M src/error.h

  Log Message:
  -----------
  device: Better error when no BR/EDR profiles can be connected to

Add a more precise error when there are no BR/EDR profiles to connect
to. This is useful when trying to connect to a particular device, and
there are no relevant profiles to connect to on the bearer.


Compare: https://github.com/bluez/bluez/compare/822037fe7450...55a6763cde8a
