From c5a22591cda12903d4e0fa641ca5e243cc89f031 Mon Sep 17 00:00:00 2001 
From: CentOS Sources Date: Tue, 15 Nov 2022 02:08:55 -0500 Subject: [PATCH] import bluez-5.64-2.el9 --- .bluez.metadata | 2 +- .gitignore | 2 +- ...d-Always-define-confdir-and-statedir.patch | 35 -- ...1-client-gatt-Fix-memory-leak-issues.patch | 66 +++ ...le-free-and-freed-memory-dereference.patch | 41 ++ ...king-buffers-stored-in-cstates-cache.patch | 468 ------------------ .../0002-mesh-appkey-Fix-memory-leaks.patch | 43 ++ ...ivateTmp-and-NoNewPrivileges-options.patch | 38 -- SOURCES/0003-monitor-Fix-memory-leaks.patch | 38 ++ ...systemd-Add-more-filesystem-lockdown.patch | 44 -- SOURCES/0004-sixaxis-Fix-memory-leaks.patch | 43 ++ SOURCES/0004-systemd-More-lockdown.patch | 34 -- SOURCES/0005-cltest-Fix-leaked_handle.patch | 29 ++ ...al-function-conflicting-with-pause-2.patch | 42 -- .../0006-create-image-Fix-leaked_handle.patch | 47 ++ .../0007-l2cap-tester-Fix-leaked_handle.patch | 29 ++ ...0008-mesh-mesh-db-Fix-resource-leaks.patch | 33 ++ .../0009-obex-client-Fix-leaked_handle.patch | 29 ++ SOURCES/0010-pbap-Fix-memory-leak.patch | 34 ++ ...-meshctl-Fix-possible-use_after_free.patch | 30 ++ .../0012-mesh-gatt-Fix-use_after_free.patch | 34 ++ ...ing-all-seps-when-loading-from-cache.patch | 41 -- SPECS/bluez.spec | 42 +- 23 files changed, 530 insertions(+), 714 deletions(-) delete mode 100644 SOURCES/0001-build-Always-define-confdir-and-statedir.patch create mode 100644 SOURCES/0001-client-gatt-Fix-memory-leak-issues.patch create mode 100644 SOURCES/0001-gatt-Fix-double-free-and-freed-memory-dereference.patch delete mode 100644 SOURCES/0001-sdpd-Fix-leaking-buffers-stored-in-cstates-cache.patch create mode 100644 SOURCES/0002-mesh-appkey-Fix-memory-leaks.patch delete mode 100644 SOURCES/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch create mode 100644 SOURCES/0003-monitor-Fix-memory-leaks.patch delete mode 100644 SOURCES/0003-systemd-Add-more-filesystem-lockdown.patch create mode 100644 SOURCES/0004-sixaxis-Fix-memory-leaks.patch delete mode 
100644 SOURCES/0004-systemd-More-lockdown.patch create mode 100644 SOURCES/0005-cltest-Fix-leaked_handle.patch delete mode 100644 SOURCES/0005-media-rename-local-function-conflicting-with-pause-2.patch create mode 100644 SOURCES/0006-create-image-Fix-leaked_handle.patch create mode 100644 SOURCES/0007-l2cap-tester-Fix-leaked_handle.patch create mode 100644 SOURCES/0008-mesh-mesh-db-Fix-resource-leaks.patch create mode 100644 SOURCES/0009-obex-client-Fix-leaked_handle.patch create mode 100644 SOURCES/0010-pbap-Fix-memory-leak.patch create mode 100644 SOURCES/0011-meshctl-Fix-possible-use_after_free.patch create mode 100644 SOURCES/0012-mesh-gatt-Fix-use_after_free.patch delete mode 100644 SOURCES/bluez-avdtp-fix-removing-all-seps-when-loading-from-cache.patch
diff --git a/.bluez.metadata b/.bluez.metadata
index ef5e331..714af10 100644
--- a/.bluez.metadata
+++ b/.bluez.metadata
@@ -1 +1 @@
-a862b9ddc039f34f7135bbee3c3e80040e82e046 SOURCES/bluez-5.56.tar.xz
+4d8fb1328e15df4021329d3eb6329b64777badaa SOURCES/bluez-5.64.tar.xz
diff --git a/.gitignore b/.gitignore
index f035c34..0a9b7df 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/bluez-5.56.tar.xz
+SOURCES/bluez-5.64.tar.xz
diff --git a/SOURCES/0001-build-Always-define-confdir-and-statedir.patch b/SOURCES/0001-build-Always-define-confdir-and-statedir.patch
deleted file mode 100644
index 35f64e4..0000000
--- a/SOURCES/0001-build-Always-define-confdir-and-statedir.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 5744f79d84ecee3929a682166034c5bbc36c0ef5 Mon Sep 17 00:00:00 2001
-From: Bastien Nocera
-Date: Wed, 20 Sep 2017 12:49:10 +0200
-Subject: [PATCH 1/4] build: Always define confdir and statedir
-
-As we will need those paths to lock down on them.
----
- Makefile.am | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/Makefile.am b/Makefile.am
-index 9d25a815b..ac88c12e0 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -31,14 +31,14 @@ pkginclude_HEADERS =
- AM_CFLAGS = $(WARNING_CFLAGS) $(MISC_CFLAGS) $(UDEV_CFLAGS) $(ell_cflags)
- AM_LDFLAGS = $(MISC_LDFLAGS)
-
-+confdir = $(sysconfdir)/bluetooth
-+statedir = $(localstatedir)/lib/bluetooth
-+
- if DATAFILES
- dbusdir = $(DBUS_CONFDIR)/dbus-1/system.d
- dbus_DATA = src/bluetooth.conf
-
--confdir = $(sysconfdir)/bluetooth
- conf_DATA =
--
--statedir = $(localstatedir)/lib/bluetooth
- state_DATA =
- endif
-
---
-2.21.0
-
diff --git a/SOURCES/0001-client-gatt-Fix-memory-leak-issues.patch b/SOURCES/0001-client-gatt-Fix-memory-leak-issues.patch
new file mode 100644
index 0000000..2b95f56
--- /dev/null
+++ b/SOURCES/0001-client-gatt-Fix-memory-leak-issues.patch
@@ -0,0 +1,66 @@
+From b4233bca181580800b483a228ca5377efcfeb844 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari
+Date: Tue, 31 May 2022 13:11:05 +0530
+Subject: [PATCH BlueZ 01/12] client/gatt: Fix memory leak issues
+
+While performing the static tool analysis using coverity tool
+found following reports
+
+Error: RESOURCE_LEAK (CWE-772):
+bluez-5.64/client/gatt.c:1531: leaked_storage: Variable "service"
+going out of scope leaks the storage it points to.
+
+Error: RESOURCE_LEAK (CWE-772):
+bluez-5.64/client/gatt.c:2626: leaked_storage: Variable "chrc"
+going out of scope leaks the storage it points to.
+
+Error: RESOURCE_LEAK (CWE-772):
+bluez-5.64/client/gatt.c:2906: leaked_storage: Variable "desc"
+going out of scope leaks the storage it points to.
+---
+ client/gatt.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/client/gatt.c b/client/gatt.c
+index 13872c794..4c1efaf75 100644
+--- a/client/gatt.c
++++ b/client/gatt.c
+@@ -1527,8 +1527,10 @@ void gatt_register_service(DBusConnection *conn, GDBusProxy *proxy,
+
+ if (argc > 2) {
+ service->handle = parse_handle(argv[2]);
+- if (!service->handle)
++ if (!service->handle) {
++ service_free(service);
+ return bt_shell_noninteractive_quit(EXIT_FAILURE);
++ }
+ }
+
+ if (g_dbus_register_interface(conn, service->path,
+@@ -2622,8 +2624,10 @@ void gatt_register_chrc(DBusConnection *conn, GDBusProxy *proxy,
+
+ if (argc > 3) {
+ chrc->handle = parse_handle(argv[3]);
+- if (!chrc->handle)
++ if (!chrc->handle) {
++ chrc_free(chrc);
+ return bt_shell_noninteractive_quit(EXIT_FAILURE);
++ }
+ }
+
+ if (g_dbus_register_interface(conn, chrc->path, CHRC_INTERFACE,
+@@ -2902,8 +2906,10 @@ void gatt_register_desc(DBusConnection *conn, GDBusProxy *proxy,
+
+ if (argc > 3) {
+ desc->handle = parse_handle(argv[3]);
+- if (!desc->handle)
++ if (!desc->handle) {
++ desc_free(desc);
+ return bt_shell_noninteractive_quit(EXIT_FAILURE);
++ }
+ }
+
+ if (g_dbus_register_interface(conn, desc->path,
DESC_INTERFACE,
+--
+2.26.2
+
diff --git a/SOURCES/0001-gatt-Fix-double-free-and-freed-memory-dereference.patch b/SOURCES/0001-gatt-Fix-double-free-and-freed-memory-dereference.patch
new file mode 100644
index 0000000..555b77a
--- /dev/null
+++ b/SOURCES/0001-gatt-Fix-double-free-and-freed-memory-dereference.patch
@@ -0,0 +1,41 @@
+From f853012bc0142ab6056f3d9ef4abf621b1e8a756 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari
+Date: Tue, 24 May 2022 16:45:56 +0530
+Subject: [PATCH BlueZ] gatt: Fix double free and freed memory dereference
+
+commit 3627eddea13042ffc0848ae37356f30335ce2e4b
+Author: Ildar Kamaletdinov
+Date: Fri Apr 1 15:16:47 2022 +0300
+
+ gatt: Fix double free and freed memory dereference
+
+ If device is no longer exists or not paired when notifications send it
+ is possible to get double free and dereference of already freed memory.
+
+ To avoid this we need to recheck the state of device after sending
+ notification.
+
+ Found by Linux Verification Center (linuxtesting.org) with the SVACE
+ static analysis tool.
+---
+ src/gatt-database.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/gatt-database.c b/src/gatt-database.c
+index d6c94058c..d32f616a9 100644
+--- a/src/gatt-database.c
++++ b/src/gatt-database.c
+@@ -3877,6 +3877,10 @@ void btd_gatt_database_server_connected(struct btd_gatt_database *database,
+
+ send_notification_to_device(state, state->pending);
+
++ state = find_device_state(database, &bdaddr, bdaddr_type);
++ if (!state || !state->pending)
++ return;
++
+ free(state->pending->value);
+ free(state->pending);
+ state->pending = NULL;
+--
+2.26.2
+
diff --git a/SOURCES/0001-sdpd-Fix-leaking-buffers-stored-in-cstates-cache.patch b/SOURCES/0001-sdpd-Fix-leaking-buffers-stored-in-cstates-cache.patch
deleted file mode 100644
index 11ce041..0000000
--- a/SOURCES/0001-sdpd-Fix-leaking-buffers-stored-in-cstates-cache.patch
+++ /dev/null
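Review bot: The new `service_free(service)`, `chrc_free(chrc)` and `desc_free(desc)` calls cover only the parse_handle failure; the `g_dbus_register_interface(...)` call that follows each one is the next point at which the function can bail out, and it lies outside the hunk, so it is not visible whether that branch releases the same object or leaks it the way the Coverity reports describe. Worth confirming, because `bt_shell_noninteractive_quit` presumably only terminates the process in non-interactive mode; in an interactive bluetoothctl session the function simply returns and a leaked object persists for the session. A short why-comment on each new branch would also help the next reader, e.g. `/* handle failed to parse: release the half-built object before bailing out */`. gatt_register_service, gatt_register_chrc and gatt_register_desc all start and end outside the hunk.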
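Review bot: The re-lookup `state = find_device_state(database, &bdaddr, bdaddr_type);` is only safe if `bdaddr` and `bdaddr_type` are local copies taken before `send_notification_to_device()`, not values read through the old `state` pointer after the call, since the patch's own premise is that `state` may already have been freed by then; their declarations are above the hunk, so please confirm. The silent `return` also deserves a comment explaining why the state can disappear, e.g. `/* Sending may unpair/drop the device and free state; look it up again before touching state->pending. */`. btd_gatt_database_server_connected starts and ends outside the hunk.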
@@ -1,468 +0,0 @@ -From 4e6a2402ed4f46ea026ad0929fbc14faecf3a475 Mon Sep 17 00:00:00 2001 -From: Gopal Tiwari -Date: Wed, 1 Dec 2021 12:18:24 +0530 -Subject: [PATCH BlueZ] sdpd: Fix leaking buffers stored in cstates cache - -commit e79417ed7185b150a056d4eb3a1ab528b91d2fc0 -Author: Luiz Augusto von Dentz -Date: Thu Jul 15 11:01:20 2021 -0700 - - sdpd: Fix leaking buffers stored in cstates cache - - These buffer shall only be keep in cache for as long as they are - needed so this would cleanup any client cstates in the following - conditions: - - - There is no cstate on the response - - No continuation can be found for cstate - - Different request opcode - - Respond with an error - - Client disconnect - - Fixes: https://github.com/bluez/bluez/security/advisories/GHSA-3fqg-r8j5-f5xq ---- - src/sdpd-request.c | 170 ++++++++++++++++++++++++++++++++------------- - src/sdpd-server.c | 20 +++--- - src/sdpd.h | 3 + - unit/test-sdp.c | 2 +- - 4 files changed, 135 insertions(+), 60 deletions(-) - -diff --git a/src/sdpd-request.c b/src/sdpd-request.c -index 033d1e5bf..c8f5a2c72 100644 ---- a/src/sdpd-request.c -+++ b/src/sdpd-request.c -@@ -42,48 +42,78 @@ typedef struct { - - #define MIN(x, y) ((x) < (y)) ? 
(x): (y) - --typedef struct _sdp_cstate_list sdp_cstate_list_t; -+typedef struct sdp_cont_info sdp_cont_info_t; - --struct _sdp_cstate_list { -- sdp_cstate_list_t *next; -+struct sdp_cont_info { -+ int sock; -+ uint8_t opcode; - uint32_t timestamp; - sdp_buf_t buf; - }; - --static sdp_cstate_list_t *cstates; -+static sdp_list_t *cstates; - --/* FIXME: should probably remove it when it's found */ --static sdp_buf_t *sdp_get_cached_rsp(sdp_cont_state_t *cstate) -+static int cstate_match(const void *data, const void *user_data) - { -- sdp_cstate_list_t *p; -+ const sdp_cont_info_t *cinfo = data; -+ const sdp_cont_state_t *cstate = user_data; - -- for (p = cstates; p; p = p->next) { -- /* Check timestamp */ -- if (p->timestamp != cstate->timestamp) -- continue; -+ /* Check timestamp */ -+ return cinfo->timestamp - cstate->timestamp; -+} -+ -+static void sdp_cont_info_free(sdp_cont_info_t *cinfo) -+{ -+ if (!cinfo) -+ return; -+ -+ cstates = sdp_list_remove(cstates, cinfo); -+ free(cinfo->buf.data); -+ free(cinfo); -+} -+ -+static sdp_cont_info_t *sdp_get_cont_info(sdp_req_t *req, -+ sdp_cont_state_t *cstate) -+{ -+ sdp_list_t *list; -+ -+ list = sdp_list_find(cstates, cstate, cstate_match); -+ if (list) { -+ sdp_cont_info_t *cinfo = list->data; - -- /* Check if requesting more than available */ -- if (cstate->cStateValue.maxBytesSent < p->buf.data_size) -- return &p->buf; -+ if (cinfo->opcode == req->opcode) -+ return cinfo; -+ -+ /* Cleanup continuation if the opcode doesn't match since its -+ * response buffer shall only be valid for the original requests -+ */ -+ sdp_cont_info_free(cinfo); -+ return NULL; - } - -- return 0; -+ /* Cleanup cstates if no continuation info could be found */ -+ sdp_cstate_cleanup(req->sock); -+ -+ return NULL; - } - --static uint32_t sdp_cstate_alloc_buf(sdp_buf_t *buf) -+static uint32_t sdp_cstate_alloc_buf(sdp_req_t *req, sdp_buf_t *buf) - { -- sdp_cstate_list_t *cstate = malloc(sizeof(sdp_cstate_list_t)); -+ sdp_cont_info_t *cinfo = 
malloc(sizeof(sdp_cont_info_t)); - uint8_t *data = malloc(buf->data_size); - - memcpy(data, buf->data, buf->data_size); -- memset((char *)cstate, 0, sizeof(sdp_cstate_list_t)); -- cstate->buf.data = data; -- cstate->buf.data_size = buf->data_size; -- cstate->buf.buf_size = buf->data_size; -- cstate->timestamp = sdp_get_time(); -- cstate->next = cstates; -- cstates = cstate; -- return cstate->timestamp; -+ memset(cinfo, 0, sizeof(sdp_cont_info_t)); -+ cinfo->buf.data = data; -+ cinfo->buf.data_size = buf->data_size; -+ cinfo->buf.buf_size = buf->data_size; -+ cinfo->timestamp = sdp_get_time(); -+ cinfo->sock = req->sock; -+ cinfo->opcode = req->opcode; -+ -+ cstates = sdp_list_append(cstates, cinfo); -+ -+ return cinfo->timestamp; - } - - /* Additional values for checking datatype (not in spec) */ -@@ -274,14 +304,16 @@ static int sdp_set_cstate_pdu(sdp_buf_t *buf, sdp_cont_state_t *cstate) - return length; - } - --static int sdp_cstate_get(uint8_t *buffer, size_t len, -- sdp_cont_state_t **cstate) -+static int sdp_cstate_get(sdp_req_t *req, uint8_t *buffer, size_t len, -+ sdp_cont_state_t **cstate, sdp_cont_info_t **cinfo) - { - uint8_t cStateSize = *buffer; - - SDPDBG("Continuation State size : %d", cStateSize); - - if (cStateSize == 0) { -+ /* Cleanup cstates if request doesn't contain a cstate */ -+ sdp_cstate_cleanup(req->sock); - *cstate = NULL; - return 0; - } -@@ -306,6 +338,8 @@ static int sdp_cstate_get(uint8_t *buffer, size_t len, - SDPDBG("Cstate TS : 0x%x", (*cstate)->timestamp); - SDPDBG("Bytes sent : %d", (*cstate)->cStateValue.maxBytesSent); - -+ *cinfo = sdp_get_cont_info(req, *cstate); -+ - return 0; - } - -@@ -360,6 +394,7 @@ static int service_search_req(sdp_req_t *req, sdp_buf_t *buf) - uint16_t expected, actual, rsp_count = 0; - uint8_t dtd; - sdp_cont_state_t *cstate = NULL; -+ sdp_cont_info_t *cinfo = NULL; - uint8_t *pCacheBuffer = NULL; - int handleSize = 0; - uint32_t cStateId = 0; -@@ -399,9 +434,9 @@ static int 
service_search_req(sdp_req_t *req, sdp_buf_t *buf) - - /* - * Check if continuation state exists, if yes attempt -- * to get rsp remainder from cache, else send error -+ * to get rsp remainder from continuation info, else send error - */ -- if (sdp_cstate_get(pdata, data_left, &cstate) < 0) { -+ if (sdp_cstate_get(req, pdata, data_left, &cstate, &cinfo) < 0) { - status = SDP_INVALID_SYNTAX; - goto done; - } -@@ -451,7 +486,7 @@ static int service_search_req(sdp_req_t *req, sdp_buf_t *buf) - - if (rsp_count > actual) { - /* cache the rsp and generate a continuation state */ -- cStateId = sdp_cstate_alloc_buf(buf); -+ cStateId = sdp_cstate_alloc_buf(req, buf); - /* - * subtract handleSize since we now send only - * a subset of handles -@@ -459,6 +494,7 @@ static int service_search_req(sdp_req_t *req, sdp_buf_t *buf) - buf->data_size -= handleSize; - } else { - /* NULL continuation state */ -+ sdp_cont_info_free(cinfo); - sdp_set_cstate_pdu(buf, NULL); - } - } -@@ -468,13 +504,15 @@ static int service_search_req(sdp_req_t *req, sdp_buf_t *buf) - short lastIndex = 0; - - if (cstate) { -- /* -- * Get the previous sdp_cont_state_t and obtain -- * the cached rsp -- */ -- sdp_buf_t *pCache = sdp_get_cached_rsp(cstate); -- if (pCache) { -- pCacheBuffer = pCache->data; -+ if (cinfo) { -+ /* Check if requesting more than available */ -+ if (cstate->cStateValue.maxBytesSent >= -+ cinfo->buf.data_size) { -+ status = SDP_INVALID_CSTATE; -+ goto done; -+ } -+ -+ pCacheBuffer = cinfo->buf.data; - /* get the rsp_count from the cached buffer */ - rsp_count = get_be16(pCacheBuffer); - -@@ -518,6 +556,7 @@ static int service_search_req(sdp_req_t *req, sdp_buf_t *buf) - if (i == rsp_count) { - /* set "null" continuationState */ - sdp_set_cstate_pdu(buf, NULL); -+ sdp_cont_info_free(cinfo); - } else { - /* - * there's more: set lastIndexSent to -@@ -540,6 +579,7 @@ static int service_search_req(sdp_req_t *req, sdp_buf_t *buf) - - done: - free(cstate); -+ - if (pattern) - 
sdp_list_free(pattern, free); - -@@ -619,15 +659,21 @@ static int extract_attrs(sdp_record_t *rec, sdp_list_t *seq, sdp_buf_t *buf) - } - - /* Build cstate response */ --static int sdp_cstate_rsp(sdp_cont_state_t *cstate, sdp_buf_t *buf, -- uint16_t max) -+static int sdp_cstate_rsp(sdp_cont_info_t *cinfo, sdp_cont_state_t *cstate, -+ sdp_buf_t *buf, uint16_t max) - { -- /* continuation State exists -> get from cache */ -- sdp_buf_t *cache = sdp_get_cached_rsp(cstate); -+ sdp_buf_t *cache; - uint16_t sent; - -- if (!cache) -+ if (!cinfo) -+ return 0; -+ -+ if (cstate->cStateValue.maxBytesSent >= cinfo->buf.data_size) { -+ sdp_cont_info_free(cinfo); - return 0; -+ } -+ -+ cache = &cinfo->buf; - - sent = MIN(max, cache->data_size - cstate->cStateValue.maxBytesSent); - memcpy(buf->data, cache->data + cstate->cStateValue.maxBytesSent, sent); -@@ -637,8 +683,10 @@ static int sdp_cstate_rsp(sdp_cont_state_t *cstate, sdp_buf_t *buf, - SDPDBG("Response size : %d sending now : %d bytes sent so far : %d", - cache->data_size, sent, cstate->cStateValue.maxBytesSent); - -- if (cstate->cStateValue.maxBytesSent == cache->data_size) -+ if (cstate->cStateValue.maxBytesSent == cache->data_size) { -+ sdp_cont_info_free(cinfo); - return sdp_set_cstate_pdu(buf, NULL); -+ } - - return sdp_set_cstate_pdu(buf, cstate); - } -@@ -652,6 +700,7 @@ static int sdp_cstate_rsp(sdp_cont_state_t *cstate, sdp_buf_t *buf, - static int service_attr_req(sdp_req_t *req, sdp_buf_t *buf) - { - sdp_cont_state_t *cstate = NULL; -+ sdp_cont_info_t *cinfo = NULL; - short cstate_size = 0; - sdp_list_t *seq = NULL; - uint8_t dtd = 0; -@@ -708,7 +757,7 @@ static int service_attr_req(sdp_req_t *req, sdp_buf_t *buf) - * if continuation state exists, attempt - * to get rsp remainder from cache, else send error - */ -- if (sdp_cstate_get(pdata, data_left, &cstate) < 0) { -+ if (sdp_cstate_get(req, pdata, data_left, &cstate, &cinfo) < 0) { - status = SDP_INVALID_SYNTAX; - goto done; - } -@@ -737,7 +786,7 @@ static int 
service_attr_req(sdp_req_t *req, sdp_buf_t *buf) - buf->buf_size -= sizeof(uint16_t); - - if (cstate) { -- cstate_size = sdp_cstate_rsp(cstate, buf, max_rsp_size); -+ cstate_size = sdp_cstate_rsp(cinfo, cstate, buf, max_rsp_size); - if (!cstate_size) { - status = SDP_INVALID_CSTATE; - error("NULL cache buffer and non-NULL continuation state"); -@@ -749,7 +798,7 @@ static int service_attr_req(sdp_req_t *req, sdp_buf_t *buf) - sdp_cont_state_t newState; - - memset((char *)&newState, 0, sizeof(sdp_cont_state_t)); -- newState.timestamp = sdp_cstate_alloc_buf(buf); -+ newState.timestamp = sdp_cstate_alloc_buf(req, buf); - /* - * Reset the buffer size to the maximum expected and - * set the sdp_cont_state_t -@@ -793,6 +842,7 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf) - int scanned, rsp_count = 0; - sdp_list_t *pattern = NULL, *seq = NULL, *svcList; - sdp_cont_state_t *cstate = NULL; -+ sdp_cont_info_t *cinfo = NULL; - short cstate_size = 0; - uint8_t dtd = 0; - sdp_buf_t tmpbuf; -@@ -852,7 +902,7 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf) - * if continuation state exists attempt - * to get rsp remainder from cache, else send error - */ -- if (sdp_cstate_get(pdata, data_left, &cstate) < 0) { -+ if (sdp_cstate_get(req, pdata, data_left, &cstate, &cinfo) < 0) { - status = SDP_INVALID_SYNTAX; - goto done; - } -@@ -906,7 +956,7 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf) - sdp_cont_state_t newState; - - memset((char *)&newState, 0, sizeof(sdp_cont_state_t)); -- newState.timestamp = sdp_cstate_alloc_buf(buf); -+ newState.timestamp = sdp_cstate_alloc_buf(req, buf); - /* - * Reset the buffer size to the maximum expected and - * set the sdp_cont_state_t -@@ -917,7 +967,7 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf) - } else - cstate_size = sdp_set_cstate_pdu(buf, NULL); - } else { -- cstate_size = sdp_cstate_rsp(cstate, buf, max); -+ cstate_size = sdp_cstate_rsp(cinfo, cstate, 
buf, max); - if (!cstate_size) { - status = SDP_INVALID_CSTATE; - SDPDBG("Non-null continuation state, but null cache buffer"); -@@ -974,6 +1024,9 @@ static void process_request(sdp_req_t *req) - status = SDP_INVALID_PDU_SIZE; - goto send_rsp; - } -+ -+ req->opcode = reqhdr->pdu_id; -+ - switch (reqhdr->pdu_id) { - case SDP_SVC_SEARCH_REQ: - SDPDBG("Got a svc srch req"); -@@ -1020,6 +1073,8 @@ static void process_request(sdp_req_t *req) - - send_rsp: - if (status) { -+ /* Cleanup cstates on error */ -+ sdp_cstate_cleanup(req->sock); - rsphdr->pdu_id = SDP_ERROR_RSP; - put_be16(status, rsp.data); - rsp.data_size = sizeof(uint16_t); -@@ -1108,3 +1163,20 @@ void handle_request(int sk, uint8_t *data, int len) - - process_request(&req); - } -+ -+void sdp_cstate_cleanup(int sock) -+{ -+ sdp_list_t *list; -+ -+ /* Remove any cinfo for the client */ -+ for (list = cstates; list;) { -+ sdp_cont_info_t *cinfo = list->data; -+ -+ list = list->next; -+ -+ if (cinfo->sock != sock) -+ continue; -+ -+ sdp_cont_info_free(cinfo); -+ } -+} -diff --git a/src/sdpd-server.c b/src/sdpd-server.c -index dfd8b1f00..66ee7ba14 100644 ---- a/src/sdpd-server.c -+++ b/src/sdpd-server.c -@@ -146,16 +146,12 @@ static gboolean io_session_event(GIOChannel *chan, GIOCondition cond, gpointer d - - sk = g_io_channel_unix_get_fd(chan); - -- if (cond & (G_IO_HUP | G_IO_ERR)) { -- sdp_svcdb_collect_all(sk); -- return FALSE; -- } -+ if (cond & (G_IO_HUP | G_IO_ERR)) -+ goto cleanup; - - len = recv(sk, &hdr, sizeof(sdp_pdu_hdr_t), MSG_PEEK); -- if (len < 0 || (unsigned int) len < sizeof(sdp_pdu_hdr_t)) { -- sdp_svcdb_collect_all(sk); -- return FALSE; -- } -+ if (len < 0 || (unsigned int) len < sizeof(sdp_pdu_hdr_t)) -+ goto cleanup; - - size = sizeof(sdp_pdu_hdr_t) + ntohs(hdr.plen); - buf = malloc(size); -@@ -168,14 +164,18 @@ static gboolean io_session_event(GIOChannel *chan, GIOCondition cond, gpointer d - * inside handle_request() in order to produce ErrorResponse. 
- */ - if (len <= 0) { -- sdp_svcdb_collect_all(sk); - free(buf); -- return FALSE; -+ goto cleanup; - } - - handle_request(sk, buf, len); - - return TRUE; -+ -+cleanup: -+ sdp_svcdb_collect_all(sk); -+ sdp_cstate_cleanup(sk); -+ return FALSE; - } - - static gboolean io_accept_event(GIOChannel *chan, GIOCondition cond, gpointer data) -diff --git a/src/sdpd.h b/src/sdpd.h -index 257411f03..4316aff67 100644 ---- a/src/sdpd.h -+++ b/src/sdpd.h -@@ -27,8 +27,11 @@ typedef struct request { - int flags; - uint8_t *buf; - int len; -+ uint8_t opcode; - } sdp_req_t; - -+void sdp_cstate_cleanup(int sock); -+ - void handle_internal_request(int sk, int mtu, void *data, int len); - void handle_request(int sk, uint8_t *data, int len); - -diff --git a/unit/test-sdp.c b/unit/test-sdp.c -index d3a885f19..8f95fcb71 100644 ---- a/unit/test-sdp.c -+++ b/unit/test-sdp.c -@@ -235,7 +235,7 @@ static gboolean client_handler(GIOChannel *channel, GIOCondition cond, - tester_monitor('>', 0x0000, 0x0001, buf, len); - - g_assert(len > 0); -- g_assert((size_t) len == rsp_pdu->raw_size + rsp_pdu->cont_len); -+ g_assert_cmpuint(len, ==, rsp_pdu->raw_size + rsp_pdu->cont_len); - - g_assert(memcmp(buf, rsp_pdu->raw_data, rsp_pdu->raw_size) == 0); - --- -2.26.2 - diff --git a/SOURCES/0002-mesh-appkey-Fix-memory-leaks.patch b/SOURCES/0002-mesh-appkey-Fix-memory-leaks.patch new file mode 100644 index 0000000..42c767b --- /dev/null +++ b/SOURCES/0002-mesh-appkey-Fix-memory-leaks.patch 
@@ -0,0 +1,43 @@
+From 5eb96b3ec8545047a74d7204664267c7aa749070 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari
+Date: Tue, 31 May 2022 13:11:06 +0530
+Subject: [PATCH BlueZ 02/12] mesh/appkey: Fix memory leaks
+
+While performing the static analysis using the coverity tool found
+following memory leak reports
+
+bluez-5.64/mesh/appkey.c:143: leaked_storage: Variable "key" going
+out of scope leaks the storage it points to.
+
+Error: RESOURCE_LEAK (CWE-772):
+bluez-5.64/mesh/appkey.c:146: leaked_storage: Variable "key" going
+out of scope leaks the storage it points to.
+---
+ mesh/appkey.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/mesh/appkey.c b/mesh/appkey.c
+index 5088a1812..52fed8c31 100644
+--- a/mesh/appkey.c
++++ b/mesh/appkey.c
+@@ -139,11 +139,15 @@ bool appkey_key_init(struct mesh_net *net, uint16_t net_idx, uint16_t app_idx,
+ key->net_idx = net_idx;
+ key->app_idx = app_idx;
+
+- if (key_value && !set_key(key, app_idx, key_value, false))
++ if (key_value && !set_key(key, app_idx, key_value, false)) {
++ appkey_key_free(key);
+ return false;
++ }
+
+- if (new_key_value && !set_key(key, app_idx, new_key_value, true))
++ if (new_key_value && !set_key(key, app_idx, new_key_value, true)) {
++ appkey_key_free(key);
+ return false;
++ }
+
+ l_queue_push_tail(app_keys, key);
+
+--
+2.26.2
+
diff --git a/SOURCES/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch b/SOURCES/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch
deleted file mode 100644
index d6dff2a..0000000
--- a/SOURCES/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch
+++ /dev/null
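Review bot: The new `appkey_key_free(key)` calls release a structure that may already hold key material: by the second failure the first `set_key()` has succeeded and the AppKey is installed in `key`. If appkey_key_free only frees the allocation (its body is not visible here), the key bytes remain in freed heap memory; for mesh application keys that free should zeroize the key fields (`explicit_bzero` or an equivalent) before releasing them. Please check what appkey_key_free does before relying on it on these error paths, and consider a one-line comment on the branch such as `/* set_key failed: drop the partially initialised key */`. appkey_key_init starts and ends outside the hunk.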
@@ -1,38 +0,0 @@
-From 36a44fc05feebe1aab16c33a1121f952986b2801 Mon Sep 17 00:00:00 2001
-From: Craig Andrews
-Date: Wed, 13 Sep 2017 15:23:09 +0200
-Subject: [PATCH 2/4] systemd: Add PrivateTmp and NoNewPrivileges options
-
-PrivateTmp makes bluetoothd's /tmp and /var/tmp be inside a different
-namespace. This is useful to secure access to temporary files of the
-process.
-
-NoNewPrivileges ensures that service process and all its children
-can never gain new privileges through execve(), lowering the risk of
-possible privilege escalations.
----
- src/bluetooth.service.in | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
-index f9faaa452..7c2f60bb4 100644
---- a/src/bluetooth.service.in
-+++ b/src/bluetooth.service.in
-@@ -12,8 +12,14 @@ NotifyAccess=main
- #Restart=on-failure
- CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
- LimitNPROC=1
-+
-+# Filesystem lockdown
- ProtectHome=true
- ProtectSystem=full
-+PrivateTmp=true
-+
-+# Privilege escalation
-+NoNewPrivileges=true
-
- [Install]
- WantedBy=bluetooth.target
---
-2.21.0
-
diff --git a/SOURCES/0003-monitor-Fix-memory-leaks.patch b/SOURCES/0003-monitor-Fix-memory-leaks.patch
new file mode 100644
index 0000000..ed78701
--- /dev/null
+++ b/SOURCES/0003-monitor-Fix-memory-leaks.patch
@@ -0,0 +1,38 @@
+From 6f02010ce0043ec2e17eb15f2a1dd42f6c64e223 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari
+Date: Tue, 31 May 2022 13:11:07 +0530
+Subject: [PATCH BlueZ 03/12] monitor: Fix memory leaks
+
+While performing static tool analysis using coverity
+found following reports for resouse leak
+
+bluez-5.64/monitor/jlink.c:111: leaked_storage: Variable "so"
+going out of scope leaks the storage it points to.
+
+bluez-5.64/monitor/jlink.c:113: leaked_storage: Variable "so"
+going out of scope leaks the storage it points to.
+---
+ monitor/jlink.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/monitor/jlink.c b/monitor/jlink.c
+index 9aaa4ebd8..f1d8ce660 100644
+--- a/monitor/jlink.c
++++ b/monitor/jlink.c
+@@ -107,9 +107,12 @@ int jlink_init(void)
+ !jlink.tif_select || !jlink.setspeed ||
+ !jlink.connect || !jlink.getsn ||
+ !jlink.emu_getproductname ||
+- !jlink.rtterminal_control || !jlink.rtterminal_read)
++ !jlink.rtterminal_control || !jlink.rtterminal_read) {
++ dlclose(so);
+ return -EIO;
++ }
+
++ dlclose(so);
+ return 0;
+ }
+
+--
+2.26.2
+
diff --git a/SOURCES/0003-systemd-Add-more-filesystem-lockdown.patch b/SOURCES/0003-systemd-Add-more-filesystem-lockdown.patch
deleted file mode 100644
index d3d6dd4..0000000
--- a/SOURCES/0003-systemd-Add-more-filesystem-lockdown.patch
+++ /dev/null
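Review bot: The `dlclose(so);` added on the success path, immediately before `return 0;`, looks wrong: jlink_init has just validated a set of `jlink.*` function pointers that were resolved from that library (the `dlsym` calls and the `dlopen` are above the hunk), and unless the library was opened with `RTLD_NODELETE` or is otherwise kept mapped, dlclose may unmap it, so every later call through those pointers dereferences unmapped text. The Coverity "leaked_storage" on `so` is a false positive for a handle that must outlive the function; only the `-EIO` branch should close it. Suggested change: remove the second `dlclose(so);` (or keep the handle in a static for an explicit shutdown) and add `/* keep the library mapped: jlink.* point into it */` where the handle is retained.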
@@ -1,44 +0,0 @@
-From 13a348670fef0047555395ce6977e86e0005f8bd Mon Sep 17 00:00:00 2001
-From: Bastien Nocera
-Date: Wed, 13 Sep 2017 15:37:11 +0200
-Subject: [PATCH 3/4] systemd: Add more filesystem lockdown
-
-We can only access the configuration file as read-only and read-write
-to the Bluetooth cache directory and sub-directories.
----
- Makefile.am | 3 +++
- src/bluetooth.service.in | 4 ++++
- 2 files changed, 7 insertions(+)
-
-diff --git a/Makefile.am b/Makefile.am
-index ac88c12e0..0a6d09847 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -562,6 +562,9 @@ MAINTAINERCLEANFILES = Makefile.in \
-
- SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \
- $(SED) -e 's,@pkglibexecdir\@,$(pkglibexecdir),g' \
-+ -e 's,@libexecdir\@,$(libexecdir),g' \
-+ -e 's,@statedir\@,$(statedir),g' \
-+ -e 's,@confdir\@,$(confdir),g' \
- < $< > $@
-
- %.service: %.service.in Makefile
-diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
-index 7c2f60bb4..4daedef2a 100644
---- a/src/bluetooth.service.in
-+++ b/src/bluetooth.service.in
-@@ -17,6 +17,10 @@ LimitNPROC=1
- ProtectHome=true
- ProtectSystem=full
- PrivateTmp=true
-+ProtectKernelTunables=true
-+ProtectControlGroups=true
-+ReadWritePaths=@statedir@
-+ReadOnlyPaths=@confdir@
-
- # Privilege escalation
- NoNewPrivileges=true
---
-2.21.0
-
diff --git a/SOURCES/0004-sixaxis-Fix-memory-leaks.patch b/SOURCES/0004-sixaxis-Fix-memory-leaks.patch
new file mode 100644
index 0000000..b2f358c
--- /dev/null
+++ b/SOURCES/0004-sixaxis-Fix-memory-leaks.patch
@@ -0,0 +1,43 @@
+From fc57aa92a4f32f7c0f38198e6d26b529b537a047 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari
+Date: Tue, 31 May 2022 13:11:08 +0530
+Subject: [PATCH BlueZ 04/12] sixaxis: Fix memory leaks
+
+While performing static tool analysis using coverity
+found following reports for resouse leak
+
+bluez-5.64/plugins/sixaxis.c:425: alloc_arg:
+"get_pairing_type_for_device" allocates memory that is
+stored into "sysfs_path".
+
+bluez-5.64/plugins/sixaxis.c:428: leaked_storage: Variable "sysfs_path"
+going out of scope leaks the storage it points to.
+---
+ plugins/sixaxis.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/plugins/sixaxis.c b/plugins/sixaxis.c
+index ddecbcccb..10cf15948 100644
+--- a/plugins/sixaxis.c
++++ b/plugins/sixaxis.c
+@@ -424,10 +424,15 @@ static void device_added(struct udev_device *udevice)
+
+ cp = get_pairing_type_for_device(udevice, &bus, &sysfs_path);
+ if (!cp || (cp->type != CABLE_PAIRING_SIXAXIS &&
+- cp->type != CABLE_PAIRING_DS4))
++ cp->type != CABLE_PAIRING_DS4)) {
++ g_free(sysfs_path);
+ return;
+- if (bus != BUS_USB)
++ }
++
++ if (bus != BUS_USB) {
++ g_free(sysfs_path);
+ return;
++ }
+
+ info("sixaxis: compatible device connected: %s (%04X:%04X %s)",
+ cp->name, cp->vid, cp->pid, sysfs_path);
+--
+2.26.2
+
diff --git a/SOURCES/0004-systemd-More-lockdown.patch b/SOURCES/0004-systemd-More-lockdown.patch
deleted file mode 100644
index 4f9c218..0000000
--- a/SOURCES/0004-systemd-More-lockdown.patch
+++ /dev/null
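Review bot: `g_free(sysfs_path)` in the `!cp` branch runs when `get_pairing_type_for_device()` returned NULL, so it is only safe if that function sets `*sysfs_path` to NULL on failure or if `sysfs_path` is initialised to NULL at its declaration; neither is visible in the hunk (the declaration is above it, and device_added starts and ends outside), and if the pointer is uninitialised on that path the patch turns a leak into a free of garbage. Initialising it at declaration, `char *sysfs_path = NULL;`, makes the new branch safe regardless of the callee. The success path also still owns the string after the `info()` call, so it should be checked that the function's tail frees it as well.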
@@ -1,34 +0,0 @@
-From a6963e0402695d7b6a89c1b1c75c40dbd8fcde52 Mon Sep 17 00:00:00 2001
-From: Bastien Nocera
-Date: Wed, 13 Sep 2017 15:38:26 +0200
-Subject: [PATCH 4/4] systemd: More lockdown
-
-bluetoothd does not need to execute mapped memory, or real-time
-access, so block those.
----
- src/bluetooth.service.in | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
-index 4daedef2a..f18801866 100644
---- a/src/bluetooth.service.in
-+++ b/src/bluetooth.service.in
-@@ -22,9 +22,15 @@ ProtectControlGroups=true
- ReadWritePaths=@statedir@
- ReadOnlyPaths=@confdir@
- 
-+# Execute Mappings
-+MemoryDenyWriteExecute=true
-+
- # Privilege escalation
- NoNewPrivileges=true
- 
-+# Real-time
-+RestrictRealtime=true
-+
- [Install]
- WantedBy=bluetooth.target
- Alias=dbus-org.bluez.service
--- 
-2.21.0
-
diff --git a/SOURCES/0005-cltest-Fix-leaked_handle.patch b/SOURCES/0005-cltest-Fix-leaked_handle.patch
new file mode 100644
index 0000000..c33047e
--- /dev/null
+++ b/SOURCES/0005-cltest-Fix-leaked_handle.patch
@@ -0,0 +1,29 @@
+From f4743109f381a4d53b476c5b77c7c68a6aa40b59 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari
+Date: Tue, 31 May 2022 13:11:09 +0530
+Subject: [PATCH BlueZ 05/12] cltest: Fix leaked_handle
+
+While performing static tool analysis using coverity found
+following reports for resouse leak
+
+bluez-5.64/tools/cltest.c:75: leaked_handle: Handle variable "fd"
+going out of scope leaks the handle.
+---
+ tools/cltest.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/cltest.c b/tools/cltest.c
+index 2766fcd23..250c93cc7 100644
+--- a/tools/cltest.c
++++ b/tools/cltest.c
+@@ -72,6 +72,7 @@ static bool send_message(const bdaddr_t *src, const bdaddr_t *dst,
+ return false;
+ }
+ 
++ close(fd);
+ return true;
+ }
+ 
+-- 
+2.26.2
+
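Review bot: The `close(fd)` is added only on the success path of send_message; the `return false;` visible at the top of the hunk belongs to a failure branch whose start is outside the hunk, and if that branch (or any other error return taken after the socket is created) does not already close `fd`, it leaks the same handle Coverity reported. A `close(fd)` before each error return, or a shared cleanup label reached by `goto`, would cover every exit. send_message starts outside the hunk.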
diff --git a/SOURCES/0005-media-rename-local-function-conflicting-with-pause-2.patch b/SOURCES/0005-media-rename-local-function-conflicting-with-pause-2.patch
deleted file mode 100644
index 1e84610..0000000
--- a/SOURCES/0005-media-rename-local-function-conflicting-with-pause-2.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 124dee151746b4a8a2e8a7194af78f2c82f75d79 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
-Date: Wed, 3 Mar 2021 08:57:36 +0100
-Subject: [PATCH] media: rename local function conflicting with pause(2)
-
-profiles/audio/media.c:1284:13: error: conflicting types for 'pause'; have '_Bool(void *)'
- 1284 | static bool pause(void *user_data)
- | ^~~~~
-In file included from /usr/include/bits/sigstksz.h:24,
- from /usr/include/signal.h:315,
- from /usr/include/glib-2.0/glib/gbacktrace.h:36,
- from /usr/include/glib-2.0/glib.h:34,
- from profiles/audio/media.c:21:
-/usr/include/unistd.h:478:12: note: previous declaration of 'pause' with type 'int(void)'
- 478 | extern int pause (void);
- | ^~~~~
----
- profiles/audio/media.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/profiles/audio/media.c b/profiles/audio/media.c
-index c84bbe22dc..3d8c4b69c3 100644
---- a/profiles/audio/media.c
-+++ b/profiles/audio/media.c
-@@ -1281,7 +1281,7 @@ static bool stop(void *user_data)
- return media_player_send(mp, "Stop");
- }
- 
--static bool pause(void *user_data)
-+static bool pause_play(void *user_data)
- {
- struct media_player *mp = user_data;
- 
-@@ -1331,7 +1331,7 @@ static struct avrcp_player_cb player_cb = {
- .set_volume = set_volume,
- .play = play,
- .stop = stop,
-- .pause = pause,
-+ .pause = pause_play,
- .next = next,
- .previous = previous,
- };
diff --git a/SOURCES/0006-create-image-Fix-leaked_handle.patch b/SOURCES/0006-create-image-Fix-leaked_handle.patch
new file mode 100644
index 0000000..981dfc3
--- /dev/null
+++ b/SOURCES/0006-create-image-Fix-leaked_handle.patch
@@ -0,0 +1,47 @@
+From 4ae130455b173650f564d92f7908a7ca4f7b1ee6 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari
+Date: Tue, 31 May 2022 13:11:10 +0530
+Subject: [PATCH BlueZ 06/12] create-image: Fix leaked_handle
+
+While performing static tool analysis using coverity found following
+reports for resouse leak
+
+bluez-5.64/tools/create-image.c:124: leaked_storage: Variable "map"
+going out of scope leaks the storage it points to.
+---
+ tools/create-image.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/tools/create-image.c b/tools/create-image.c
+index aba940da7..90cd87315 100644
+--- a/tools/create-image.c
++++ b/tools/create-image.c
+@@ -97,12 +97,13 @@ static void write_block(FILE *fp, const char *pathname, unsigned int ino,
+ 
+ map = mmap(NULL, st.st_size, PROT_READ, MAP_SHARED, fd, 0);
+ if (!map || map == MAP_FAILED) {
+- close(fd);
+- fd = -1;
+ map = NULL;
+ st.st_size = 0;
+ }
+ 
++ close(fd);
++ fd = -1;
++
+ done:
+ fprintf(fp, HDR_FMT, HDR_MAGIC, ino, mode, 0, 0, 1, 0,
+ (uintmax_t) st.st_size, 0, 0, 0, 0, namelen + 1, 0, name);
+@@ -117,9 +118,7 @@ done:
+ pad = 3 - ((st.st_size + 3) % 4);
+ for (i = 0; i < pad; i++)
+ fputc(0, fp);
+-
+ munmap(map, st.st_size);
+- close(fd);
+ }
+ }
+ 
+-- 
+2.26.2
+
diff --git a/SOURCES/0007-l2cap-tester-Fix-leaked_handle.patch b/SOURCES/0007-l2cap-tester-Fix-leaked_handle.patch
new file mode 100644
index 0000000..c1b9472
--- /dev/null
+++ b/SOURCES/0007-l2cap-tester-Fix-leaked_handle.patch
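Review bot: After this change a failed `mmap` still leaves `map = NULL` and `st.st_size = 0`, and the `munmap(map, st.st_size)` kept in the second hunk is then reached with a NULL mapping, which fails with EINVAL rather than being skipped; guarding it, `if (map) munmap(map, st.st_size);`, would keep the new structure clean unless the enclosing block's condition (outside the hunk) already excludes that case. The `!map` test on the condition line is also dead, since `mmap` reports failure as `MAP_FAILED`, never NULL. Moving `close(fd)` above `done:` additionally means any `goto done` taken after `fd` is opened now bypasses the close; confirm none exists in the part of write_block outside the hunk.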
@@ -0,0 +1,29 @@
+From 4334be027ae1ad50193025c90e77a76b64464b53 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari
+Date: Tue, 31 May 2022 13:11:11 +0530
+Subject: [PATCH BlueZ 07/12] l2cap-tester: Fix leaked_handle
+
+While performing static tool analysis using coverity found following
+reports for resouse leak
+
+bluez-5.64/tools/l2cap-tester.c:1712: leaked_handle: Handle variable
+"new_sk" going out of scope leaks the handle.
+---
+ tools/l2cap-tester.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/l2cap-tester.c b/tools/l2cap-tester.c
+index d78b1e29c..3f0464013 100644
+--- a/tools/l2cap-tester.c
++++ b/tools/l2cap-tester.c
+@@ -1709,6 +1709,7 @@ static gboolean l2cap_listen_cb(GIOChannel *io, GIOCondition cond,
+ 
+ if (!check_mtu(data, new_sk)) {
+ tester_test_failed();
++ close(new_sk);
+ return FALSE;
+ }
+ 
+-- 
+2.26.2
+
diff --git a/SOURCES/0008-mesh-mesh-db-Fix-resource-leaks.patch b/SOURCES/0008-mesh-mesh-db-Fix-resource-leaks.patch
new file mode 100644
index 0000000..0def877
--- /dev/null
+++ b/SOURCES/0008-mesh-mesh-db-Fix-resource-leaks.patch
@@ -0,0 +1,33 @@
+From 35cbfd9660949fca23418bfa32fd51d81ed91208 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari
+Date: Tue, 31 May 2022 13:11:12 +0530
+Subject: [PATCH BlueZ 08/12] mesh/mesh-db: Fix resource leaks
+
+While performing static tool analysis using coverity found following
+reports for resouse leak
+
+bluez-5.64/tools/mesh/mesh-db.c:2388: leaked_handle: Handle variable
+"fd" going out of scope leaks the handle.
+
+bluez-5.64/tools/mesh/mesh-db.c:2388: leaked_storage: Variable "str"
+going out of scope leaks the storage it points to.
+---
+ tools/mesh/mesh-db.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/mesh/mesh-db.c b/tools/mesh/mesh-db.c
+index fa11837df..896ff722c 100644
+--- a/tools/mesh/mesh-db.c
++++ b/tools/mesh/mesh-db.c
+@@ -2384,6 +2384,8 @@ bool mesh_db_load(const char *fname)
+ 
+ sz = read(fd, str, st.st_size);
+ if (sz != st.st_size) {
++ close(fd);
++ l_free(str);
+ l_error("Failed to read configuration file %s", fname);
+ return false;
+ }
+-- 
+2.26.2
+
diff --git a/SOURCES/0009-obex-client-Fix-leaked_handle.patch b/SOURCES/0009-obex-client-Fix-leaked_handle.patch
new file mode 100644
index 0000000..1611717
--- /dev/null
+++ b/SOURCES/0009-obex-client-Fix-leaked_handle.patch
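Review bot: The added `close(fd); l_free(str);` pair is written inline in one error branch, and mesh_db_load presumably has other error returns after the descriptor and buffer exist (they are outside the hunk); a single cleanup label, `fail: close(fd); l_free(str); return false;`, reached by `goto fail` from each check, would keep the exits consistent and make the next one harder to miss. The ordering inside the branch is fine as written, since `l_error` here does not report errno.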
@@ -0,0 +1,29 @@
+From 39b638526d9a45d54d2d6e3f175fd7eb057ef8f0 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari
+Date: Tue, 31 May 2022 13:11:13 +0530
+Subject: [PATCH BlueZ 09/12] obex-client: Fix leaked_handle
+
+While performing static tool analysis using coverity found following
+reports for resouse leak
+
+bluez-5.64/tools/obex-client-tool.c:315: leaked_handle: Handle variable
+"sk" going out of scope leaks the handle.
+---
+ tools/obex-client-tool.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/obex-client-tool.c b/tools/obex-client-tool.c
+index ab9332896..cb0e41247 100644
+--- a/tools/obex-client-tool.c
++++ b/tools/obex-client-tool.c
+@@ -312,6 +312,7 @@ static GIOChannel *unix_connect(GObexTransportType transport)
+ if (connect(sk, (struct sockaddr *) &addr, sizeof(addr)) < 0) {
+ err = errno;
+ g_printerr("connect: %s (%d)\n", strerror(err), err);
++ close(sk);
+ return NULL;
+ }
+ 
+-- 
+2.26.2
+
diff --git a/SOURCES/0010-pbap-Fix-memory-leak.patch b/SOURCES/0010-pbap-Fix-memory-leak.patch
new file mode 100644
index 0000000..6bcceb2
--- /dev/null
+++ b/SOURCES/0010-pbap-Fix-memory-leak.patch
@@ -0,0 +1,34 @@
+From 06d3c7429ad6bdf6eef1bcedee327e74a33c40bf Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari
+Date: Tue, 31 May 2022 13:11:15 +0530
+Subject: [PATCH BlueZ 10/12] pbap: Fix memory leak
+
+Reported by coverity tool as follows:
+
+bluez-5.64/obexd/client/pbap.c:929: leaked_storage: Variable "apparam"
+going out of scope leaks the storage it points to.
+---
+ obexd/client/pbap.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/obexd/client/pbap.c b/obexd/client/pbap.c
+index 1a2bacc9f..1ed8c68ec 100644
+--- a/obexd/client/pbap.c
++++ b/obexd/client/pbap.c
+@@ -925,10 +925,11 @@ static DBusMessage *pbap_search(DBusConnection *connection,
+ return g_dbus_create_error(message,
+ ERROR_INTERFACE ".InvalidArguments", NULL);
+ 
+- if (dbus_message_iter_get_arg_type(&args) != DBUS_TYPE_STRING)
++ if (dbus_message_iter_get_arg_type(&args) != DBUS_TYPE_STRING) {
++ g_obex_apparam_free(apparam);
+ return g_dbus_create_error(message,
+ ERROR_INTERFACE ".InvalidArguments", NULL);
+-
++ }
+ dbus_message_iter_get_basic(&args, &value);
+ dbus_message_iter_next(&args);
+ 
+-- 
+2.26.2
+
diff --git a/SOURCES/0011-meshctl-Fix-possible-use_after_free.patch b/SOURCES/0011-meshctl-Fix-possible-use_after_free.patch
new file mode 100644
index 0000000..76903b1
--- /dev/null
+++ b/SOURCES/0011-meshctl-Fix-possible-use_after_free.patch
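Review bot: The fix frees `apparam` only on the second `InvalidArguments` return; the identical return at the top of the hunk has the same leak if `apparam` is already allocated at that point, and the hunk shows neither where the allocation happens nor which condition guards that first return. If it is the `!apparam` failure case it is fine as is; otherwise it needs the same `g_obex_apparam_free(apparam);` before the return. pbap_search starts and ends outside the hunk.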
@@ -0,0 +1,30 @@
+From 56bda20ce9e3e5c4684b37cffd4527264c2b4c1e Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari
+Date: Tue, 31 May 2022 13:11:16 +0530
+Subject: [PATCH BlueZ 11/12] meshctl: Fix possible use_after_free
+
+Reported by coverity tool as follows :
+
+bluez-5.64/tools/meshctl.c:1968: freed_arg: "g_free" frees "mesh_dir".
+
+bluez-5.64/tools/meshctl.c:2018: double_free: Calling "g_free" frees
+pointer "mesh_dir" which has already been freed.
+---
+ tools/meshctl.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/tools/meshctl.c b/tools/meshctl.c
+index 18e20c40d..38ffd35f3 100644
+--- a/tools/meshctl.c
++++ b/tools/meshctl.c
+@@ -2015,7 +2015,6 @@ int main(int argc, char *argv[])
+ 
+ fail:
+ bt_shell_cleanup();
+- g_free(mesh_dir);
+ 
+ return EXIT_FAILURE;
+ }
+-- 
+2.26.2
+
diff --git a/SOURCES/0012-mesh-gatt-Fix-use_after_free.patch b/SOURCES/0012-mesh-gatt-Fix-use_after_free.patch
new file mode 100644
index 0000000..234aaea
--- /dev/null
+++ b/SOURCES/0012-mesh-gatt-Fix-use_after_free.patch
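Review bot: Dropping the `g_free(mesh_dir)` at `fail:` removes the double free reported for line 2018, but any `goto fail` taken before the earlier free (line 1968 per the commit message) now leaks `mesh_dir` instead, unless no such path exists. The usual shape is to keep the free at the label and null the pointer after the first one, `g_free(mesh_dir); mesh_dir = NULL;`, so that both orders are safe. main starts outside the hunk.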
@@ -0,0 +1,34 @@
+From 5cdaeaefc350ea3c42719284b88406579d032fb6 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari
+Date: Tue, 31 May 2022 13:11:17 +0530
+Subject: [PATCH BlueZ 12/12] mesh-gatt: Fix use_after_free
+
+Following scenario happens when prov is false and we have double free as
+mentioned in the below
+
+bluez-5.64/tools/mesh-gatt/prov-db.c:847: freed_arg: "g_free" frees
+"in_str".
+
+bluez-5.64/tools/mesh-gatt/prov-db.c:867: double_free: Calling "g_free"
+frees pointer "in_str" which has already been freed.
+---
+ tools/mesh-gatt/prov-db.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/mesh-gatt/prov-db.c b/tools/mesh-gatt/prov-db.c
+index 2fb08f799..a5b6997e0 100644
+--- a/tools/mesh-gatt/prov-db.c
++++ b/tools/mesh-gatt/prov-db.c
+@@ -859,7 +859,8 @@ bool prov_db_local_set_iv_index(uint32_t iv_index, bool update, bool prov)
+ 
+ set_local_iv_index(jmain, iv_index, update);
+ prov_file_write(jmain, false);
+- }
++ } else
++ return true;
+ 
+ res = true;
+ done:
+-- 
+2.26.2
+
diff --git a/SOURCES/bluez-avdtp-fix-removing-all-seps-when-loading-from-cache.patch b/SOURCES/bluez-avdtp-fix-removing-all-seps-when-loading-from-cache.patch
deleted file mode 100644
index c2e3415..0000000
--- a/SOURCES/bluez-avdtp-fix-removing-all-seps-when-loading-from-cache.patch
+++ /dev/null
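Review bot: The new `else return true;` leaves prov_db_local_set_iv_index without passing through `done:`, so anything released after that label other than `in_str` (the commit message names only `in_str`, and the label's body is outside the hunk) is now leaked on the `!prov` path. Nulling the pointer after the first free, `g_free(in_str); in_str = NULL;`, would fix the double free while keeping the single exit. The `else` is also left unbraced while its `if` is braced; brace it to match.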
@@ -1,41 +0,0 @@
-From 28ddec8d6b829e002fa268c07b71e4c564ba9e16 Mon Sep 17 00:00:00 2001
-From: Luiz Augusto von Dentz
-Date: Thu, 11 Mar 2021 07:36:07 -0800
-Subject: [PATCH] avdtp: Fix removing all remote SEPs when loading from cache
-
-If avdtp_discover is called after cache has been loaded it end up
-removing all remote SEPs as they have not been discovered yet.
-
-Fixes: https://github.com/bluez/bluez/issues/102
----
- profiles/audio/avdtp.c | 16 ++++++++++++----
- 1 file changed, 12 insertions(+), 4 deletions(-)
-
-diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c
-index 088ca58b3..1d5871c62 100644
---- a/profiles/audio/avdtp.c
-+++ b/profiles/audio/avdtp.c
-@@ -3381,10 +3381,18 @@ int avdtp_discover(struct avdtp *session, avdtp_discover_cb_t cb,
- session->discover = g_new0(struct discover_callback, 1);
- 
- if (session->seps) {
-- session->discover->cb = cb;
-- session->discover->user_data = user_data;
-- session->discover->id = g_idle_add(process_discover, session);
-- return 0;
-+ struct avdtp_remote_sep *sep = session->seps->data;
-+
-+ /* Check that SEP have been discovered as it may be loaded from
-+ * cache.
-+ */
-+ if (sep->discovered) {
-+ session->discover->cb = cb;
-+ session->discover->user_data = user_data;
-+ session->discover->id = g_idle_add(process_discover,
-+ session);
-+ return 0;
-+ }
- }
- 
- err = send_request(session, FALSE, NULL, AVDTP_DISCOVER, NULL, 0);
-
diff --git a/SPECS/bluez.spec b/SPECS/bluez.spec
index 2922a53..c6669b6 100644
--- a/SPECS/bluez.spec
+++ b/SPECS/bluez.spec
@@ -5,8 +5,8 @@
 %endif
 
 Name: bluez
-Version: 5.56
-Release: 8%{?dist}
+Version: 5.64
+Release: 2%{?dist}
 Summary: Bluetooth utilities
 License: GPLv2+
 URL: http://www.bluez.org/
@@ -17,13 +17,25 @@ Source1: bluez.gitignore
 # https://github.com/hadess/bluez/commits/obex-5.46
 Patch1: 0001-obex-Use-GLib-helper-function-to-manipulate-paths.patch
 # https://github.com/hadess/bluez/commits/systemd-hardening
-Patch10: 0001-build-Always-define-confdir-and-statedir.patch
-Patch11: 0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch
-Patch12: 0003-systemd-Add-more-filesystem-lockdown.patch
-Patch13: 0004-systemd-More-lockdown.patch
-Patch14: 0005-media-rename-local-function-conflicting-with-pause-2.patch
-Patch15: bluez-avdtp-fix-removing-all-seps-when-loading-from-cache.patch
-Patch16: 0001-sdpd-Fix-leaking-buffers-stored-in-cstates-cache.patch
+#Patch10: 0001-build-Always-define-confdir-and-statedir.patch
+#Patch11: 0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch
+#Patch12: 0003-systemd-Add-more-filesystem-lockdown.patch
+#Patch13: 0004-systemd-More-lockdown.patch
+#Patch14: 0005-media-rename-local-function-conflicting-with-pause-2.patch
+#Patch15: bluez-avdtp-fix-removing-all-seps-when-loading-from-cache.patch
+Patch2: 0001-client-gatt-Fix-memory-leak-issues.patch
+Patch3: 0002-mesh-appkey-Fix-memory-leaks.patch
+Patch4: 0003-monitor-Fix-memory-leaks.patch
+Patch5: 0004-sixaxis-Fix-memory-leaks.patch
+Patch6: 0005-cltest-Fix-leaked_handle.patch
+Patch7: 0006-create-image-Fix-leaked_handle.patch
+Patch8: 0007-l2cap-tester-Fix-leaked_handle.patch
+Patch9: 0008-mesh-mesh-db-Fix-resource-leaks.patch
+Patch10: 0009-obex-client-Fix-leaked_handle.patch
+Patch11: 0010-pbap-Fix-memory-leak.patch
+Patch12: 0011-meshctl-Fix-possible-use_after_free.patch
+Patch13: 0012-mesh-gatt-Fix-use_after_free.patch
+Patch14: 0001-gatt-Fix-double-free-and-freed-memory-dereference.patch
 
 BuildRequires: dbus-devel >= 1.6
 BuildRequires: glib2-devel
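Review bot: The systemd hardening patches are dropped here (the deleted files in this commit carried `ProtectKernelTunables`, `ProtectControlGroups`, `ReadWritePaths`/`ReadOnlyPaths`, `MemoryDenyWriteExecute` and `RestrictRealtime` for bluetooth.service) with no note on whether 5.64's `src/bluetooth.service.in` already ships those directives; if it does not, the rebuilt unit loses that sandboxing, and the answer belongs in a comment above the `# https://github.com/hadess/bluez/commits/systemd-hardening` line. The commented-out `#Patch10`–`#Patch14` lines also reuse the numbers reassigned to the new Coverity patches a few lines below, which reads as if two sources shared a tag; delete the dead lines instead of commenting them out. The old `Patch16: 0001-sdpd-Fix-leaking-buffers-stored-in-cstates-cache.patch` is removed without a comment either; a one-line note that the fix is part of 5.64 would save the next reader a check.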
@@ -39,6 +51,8 @@ BuildRequires: systemd-devel
 BuildRequires: cups-devel
 # For autoreconf
 BuildRequires: libtool automake autoconf
+# For man pages
+BuildRequires: python3-docutils
 
 Requires: dbus >= 1.6
 Requires(post): systemd
@@ -147,7 +161,7 @@ Object Exchange daemon for sharing files, contacts etc over bluetooth
 
 %build
 autoreconf -vif
-%configure --enable-tools --enable-library \
+%configure --enable-tools --enable-library --disable-optimization \
 %if %{with deprecated}
 --enable-deprecated \
 %endif
@@ -248,6 +262,7 @@ install emulator/btvirt ${RPM_BUILD_ROOT}/%{_libexecdir}/bluetooth/
 %{_bindir}/mpris-proxy
 %{_bindir}/rctest
 %{_mandir}/man1/btattach.1.*
+%{_mandir}/man1/btmon.1.*
 %{_mandir}/man1/l2ping.1.*
 %{_mandir}/man1/rctest.1.*
 %{_mandir}/man8/bluetoothd.8.*
@@ -305,10 +320,12 @@ install emulator/btvirt ${RPM_BUILD_ROOT}/%{_libexecdir}/bluetooth/
 %config %{_sysconfdir}/dbus-1/system.d/bluetooth-mesh.conf
 %{_bindir}/meshctl
 %{_bindir}/mesh-cfgclient
+%{_bindir}/mesh-cfgtest
 %{_datadir}/dbus-1/system-services/org.bluez.mesh.service
 %{_libexecdir}/bluetooth/bluetooth-meshd
 %{_unitdir}/bluetooth-mesh.service
 %{_localstatedir}/lib/bluetooth/mesh
+%{_mandir}/man8/bluetooth-meshd.8*
 
 %files obexd
 %{_libexecdir}/bluetooth/obexd
@@ -316,6 +333,11 @@ install emulator/btvirt ${RPM_BUILD_ROOT}/%{_libexecdir}/bluetooth/
 %{_userunitdir}/obex.service
 
 %changelog
+* Thu Jun 9 2022 Gopal Tiwari - 5.64-2
+- Coverity fixes for bluez.
+
+* Thu May 5 2022 Gopal Tiwari - 5.64-1
+- Update to 5.64
 
 * Fri Dec 16 2021 Gopal Tiwari - 5.56-8
 - Fixing Gating and version
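Review bot: Adding `--disable-optimization` to the `%configure` line in the `-147,7` hunk is a build-hardening risk: as far as bluez's own configure goes, that option appends `-O0` to CFLAGS, which comes after the distribution `%optflags` `-O2` and so wins, and `_FORTIFY_SOURCE` is inert without optimisation, so the whole package would be built without it. If the flag works around a specific build failure, the reason belongs in a comment above the line and in the changelog entry in the last hunk, which currently only says `- Coverity fixes for bluez.`; otherwise the flag should be dropped.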