Resolves: rhbz#1938686.

.bluez.metadata

@@ -0,0 +1 @@
+4d8fb1328e15df4021329d3eb6329b64777badaa bluez-5.64.tar.xz

0001-client-gatt-Fix-memory-leak-issues.patch

@@ -0,0 +1,66 @@
+From b4233bca181580800b483a228ca5377efcfeb844 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari <gtiwari@redhat.com>
+Date: Tue, 31 May 2022 13:11:05 +0530
+Subject: [PATCH BlueZ 01/12] client/gatt: Fix memory leak issues
+
+While performing the static tool analysis using coverity tool
+found following reports
+
+Error: RESOURCE_LEAK (CWE-772):
+bluez-5.64/client/gatt.c:1531: leaked_storage: Variable "service"
+going out of scope leaks the storage it points to.
+
+Error: RESOURCE_LEAK (CWE-772):
+bluez-5.64/client/gatt.c:2626: leaked_storage: Variable "chrc"
+going out of scope leaks the storage it points to.
+
+Error: RESOURCE_LEAK (CWE-772):
+bluez-5.64/client/gatt.c:2906: leaked_storage: Variable "desc"
+going out of scope leaks the storage it points to.
+---
+ client/gatt.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/client/gatt.c b/client/gatt.c
+index 13872c794..4c1efaf75 100644
+--- a/client/gatt.c
++++ b/client/gatt.c
+@@ -1527,8 +1527,10 @@ void gatt_register_service(DBusConnection *conn, GDBusProxy *proxy,
+ 
+ 	if (argc > 2) {
+ 		service->handle = parse_handle(argv[2]);
+-		if (!service->handle)
++		if (!service->handle) {
++			service_free(service);
+ 			return bt_shell_noninteractive_quit(EXIT_FAILURE);
++		}
+ 	}
+ 
+ 	if (g_dbus_register_interface(conn, service->path,
+@@ -2622,8 +2624,10 @@ void gatt_register_chrc(DBusConnection *conn, GDBusProxy *proxy,
+ 
+ 	if (argc > 3) {
+ 		chrc->handle = parse_handle(argv[3]);
+-		if (!chrc->handle)
++		if (!chrc->handle) {
++			chrc_free(chrc);
+ 			return bt_shell_noninteractive_quit(EXIT_FAILURE);
++		}
+ 	}
+ 
+ 	if (g_dbus_register_interface(conn, chrc->path, CHRC_INTERFACE,
+@@ -2902,8 +2906,10 @@ void gatt_register_desc(DBusConnection *conn, GDBusProxy *proxy,
+ 
+ 	if (argc > 3) {
+ 		desc->handle = parse_handle(argv[3]);
+-		if (!desc->handle)
++		if (!desc->handle) {
++			desc_free(desc);
+ 			return bt_shell_noninteractive_quit(EXIT_FAILURE);
++		}
+ 	}
+ 
+ 	if (g_dbus_register_interface(conn, desc->path, DESC_INTERFACE,
+-- 
+2.26.2
+

0001-gatt-Fix-double-free-and-freed-memory-dereference.patch

@@ -0,0 +1,41 @@
+From f853012bc0142ab6056f3d9ef4abf621b1e8a756 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari <gtiwari@redhat.com>
+Date: Tue, 24 May 2022 16:45:56 +0530
+Subject: [PATCH BlueZ] gatt: Fix double free and freed memory dereference
+
+commit 3627eddea13042ffc0848ae37356f30335ce2e4b
+Author: Ildar Kamaletdinov <i.kamaletdinov@omp.ru>
+Date:   Fri Apr 1 15:16:47 2022 +0300
+
+    gatt: Fix double free and freed memory dereference
+
+    If device is no longer exists or not paired when notifications send it
+    is possible to get double free and dereference of already freed memory.
+
+    To avoid this we need to recheck the state of device after sending
+    notification.
+
+    Found by Linux Verification Center (linuxtesting.org) with the SVACE
+    static analysis tool.
+---
+ src/gatt-database.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/gatt-database.c b/src/gatt-database.c
+index d6c94058c..d32f616a9 100644
+--- a/src/gatt-database.c
++++ b/src/gatt-database.c
+@@ -3877,6 +3877,10 @@ void btd_gatt_database_server_connected(struct btd_gatt_database *database,
+ 
+ 	send_notification_to_device(state, state->pending);
+ 
++	state = find_device_state(database, &bdaddr, bdaddr_type);
++	if (!state || !state->pending)
++		return;
++
+ 	free(state->pending->value);
+ 	free(state->pending);
+ 	state->pending = NULL;
+-- 
+2.26.2
+

0002-mesh-appkey-Fix-memory-leaks.patch

@@ -0,0 +1,43 @@
+From 5eb96b3ec8545047a74d7204664267c7aa749070 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari <gtiwari@redhat.com>
+Date: Tue, 31 May 2022 13:11:06 +0530
+Subject: [PATCH BlueZ 02/12] mesh/appkey: Fix memory leaks
+
+While performing the static analysis using the coverity tool found
+following memory leak reports
+
+bluez-5.64/mesh/appkey.c:143: leaked_storage: Variable "key" going
+out of scope leaks the storage it points to.
+
+Error: RESOURCE_LEAK (CWE-772):
+bluez-5.64/mesh/appkey.c:146: leaked_storage: Variable "key" going
+out of scope leaks the storage it points to.
+---
+ mesh/appkey.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/mesh/appkey.c b/mesh/appkey.c
+index 5088a1812..52fed8c31 100644
+--- a/mesh/appkey.c
++++ b/mesh/appkey.c
+@@ -139,11 +139,15 @@ bool appkey_key_init(struct mesh_net *net, uint16_t net_idx, uint16_t app_idx,
+ 	key->net_idx = net_idx;
+ 	key->app_idx = app_idx;
+ 
+-	if (key_value && !set_key(key, app_idx, key_value, false))
++	if (key_value && !set_key(key, app_idx, key_value, false)) {
++		appkey_key_free(key);
+ 		return false;
++	}
+ 
+-	if (new_key_value && !set_key(key, app_idx, new_key_value, true))
++	if (new_key_value && !set_key(key, app_idx, new_key_value, true)) {
++		appkey_key_free(key);
+ 		return false;
++	}
+ 
+ 	l_queue_push_tail(app_keys, key);
+ 
+-- 
+2.26.2
+

0003-monitor-Fix-memory-leaks.patch

@@ -0,0 +1,38 @@
+From 6f02010ce0043ec2e17eb15f2a1dd42f6c64e223 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari <gtiwari@redhat.com>
+Date: Tue, 31 May 2022 13:11:07 +0530
+Subject: [PATCH BlueZ 03/12] monitor: Fix memory leaks
+
+While performing static tool analysis using coverity
+found following reports for resouse leak
+
+bluez-5.64/monitor/jlink.c:111: leaked_storage: Variable "so"
+going out of scope leaks the storage it points to.
+
+bluez-5.64/monitor/jlink.c:113: leaked_storage: Variable "so"
+going out of scope leaks the storage it points to.
+---
+ monitor/jlink.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/monitor/jlink.c b/monitor/jlink.c
+index 9aaa4ebd8..f1d8ce660 100644
+--- a/monitor/jlink.c
++++ b/monitor/jlink.c
+@@ -107,9 +107,12 @@ int jlink_init(void)
+ 			!jlink.tif_select || !jlink.setspeed ||
+ 			!jlink.connect || !jlink.getsn ||
+ 			!jlink.emu_getproductname ||
+-			!jlink.rtterminal_control || !jlink.rtterminal_read)
++			!jlink.rtterminal_control || !jlink.rtterminal_read) {
++		dlclose(so);
+ 		return -EIO;
++	}
+ 
++	dlclose(so);
+ 	return 0;
+ }
+ 
+-- 
+2.26.2
+

0004-sixaxis-Fix-memory-leaks.patch

@@ -0,0 +1,43 @@
+From fc57aa92a4f32f7c0f38198e6d26b529b537a047 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari <gtiwari@redhat.com>
+Date: Tue, 31 May 2022 13:11:08 +0530
+Subject: [PATCH BlueZ 04/12] sixaxis: Fix memory leaks
+
+While performing static tool analysis using coverity
+found following reports for resouse leak
+
+bluez-5.64/plugins/sixaxis.c:425: alloc_arg:
+"get_pairing_type_for_device" allocates memory that is
+stored into "sysfs_path".
+
+bluez-5.64/plugins/sixaxis.c:428: leaked_storage: Variable "sysfs_path"
+going out of scope leaks the storage it points to.
+---
+ plugins/sixaxis.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/plugins/sixaxis.c b/plugins/sixaxis.c
+index ddecbcccb..10cf15948 100644
+--- a/plugins/sixaxis.c
++++ b/plugins/sixaxis.c
+@@ -424,10 +424,15 @@ static void device_added(struct udev_device *udevice)
+ 
+ 	cp = get_pairing_type_for_device(udevice, &bus, &sysfs_path);
+ 	if (!cp || (cp->type != CABLE_PAIRING_SIXAXIS &&
+-				cp->type != CABLE_PAIRING_DS4))
++				cp->type != CABLE_PAIRING_DS4)) {
++		g_free(sysfs_path);
+ 		return;
+-	if (bus != BUS_USB)
++	}
++
++	if (bus != BUS_USB) {
++		g_free(sysfs_path);
+ 		return;
++	}
+ 
+ 	info("sixaxis: compatible device connected: %s (%04X:%04X %s)",
+ 				cp->name, cp->vid, cp->pid, sysfs_path);
+-- 
+2.26.2
+

0005-cltest-Fix-leaked_handle.patch

@@ -0,0 +1,29 @@
+From f4743109f381a4d53b476c5b77c7c68a6aa40b59 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari <gtiwari@redhat.com>
+Date: Tue, 31 May 2022 13:11:09 +0530
+Subject: [PATCH BlueZ 05/12] cltest: Fix leaked_handle
+
+While performing static tool analysis using coverity found
+following reports for resouse leak
+
+bluez-5.64/tools/cltest.c:75: leaked_handle: Handle variable "fd"
+going out of scope leaks the handle.
+---
+ tools/cltest.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/cltest.c b/tools/cltest.c
+index 2766fcd23..250c93cc7 100644
+--- a/tools/cltest.c
++++ b/tools/cltest.c
+@@ -72,6 +72,7 @@ static bool send_message(const bdaddr_t *src, const bdaddr_t *dst,
+ 		return false;
+ 	}
+ 
++	close(fd);
+ 	return true;
+ }
+ 
+-- 
+2.26.2
+

0006-create-image-Fix-leaked_handle.patch

@@ -0,0 +1,47 @@
+From 4ae130455b173650f564d92f7908a7ca4f7b1ee6 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari <gtiwari@redhat.com>
+Date: Tue, 31 May 2022 13:11:10 +0530
+Subject: [PATCH BlueZ 06/12] create-image: Fix leaked_handle
+
+While performing static tool analysis using coverity found following
+reports for resouse leak
+
+bluez-5.64/tools/create-image.c:124: leaked_storage: Variable "map"
+going out of scope leaks the storage it points to.
+---
+ tools/create-image.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/tools/create-image.c b/tools/create-image.c
+index aba940da7..90cd87315 100644
+--- a/tools/create-image.c
++++ b/tools/create-image.c
+@@ -97,12 +97,13 @@ static void write_block(FILE *fp, const char *pathname, unsigned int ino,
+ 
+ 	map = mmap(NULL, st.st_size, PROT_READ, MAP_SHARED, fd, 0);
+ 	if (!map || map == MAP_FAILED) {
+-		close(fd);
+-		fd = -1;
+ 		map = NULL;
+ 		st.st_size = 0;
+         }
+ 
++	close(fd);
++	fd = -1;
++
+ done:
+ 	fprintf(fp, HDR_FMT, HDR_MAGIC, ino, mode, 0, 0, 1, 0,
+ 		(uintmax_t) st.st_size, 0, 0, 0, 0, namelen + 1, 0, name);
+@@ -117,9 +118,7 @@ done:
+ 		pad = 3 - ((st.st_size + 3) % 4);
+ 		for (i = 0; i < pad; i++)
+ 			fputc(0, fp);
+-
+ 		munmap(map, st.st_size);
+-		close(fd);
+ 	}
+ }
+ 
+-- 
+2.26.2
+

0007-l2cap-tester-Fix-leaked_handle.patch

@@ -0,0 +1,29 @@
+From 4334be027ae1ad50193025c90e77a76b64464b53 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari <gtiwari@redhat.com>
+Date: Tue, 31 May 2022 13:11:11 +0530
+Subject: [PATCH BlueZ 07/12] l2cap-tester: Fix leaked_handle
+
+While performing static tool analysis using coverity found following
+reports for resouse leak
+
+bluez-5.64/tools/l2cap-tester.c:1712: leaked_handle: Handle variable
+"new_sk" going out of scope leaks the handle.
+---
+ tools/l2cap-tester.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/l2cap-tester.c b/tools/l2cap-tester.c
+index d78b1e29c..3f0464013 100644
+--- a/tools/l2cap-tester.c
++++ b/tools/l2cap-tester.c
+@@ -1709,6 +1709,7 @@ static gboolean l2cap_listen_cb(GIOChannel *io, GIOCondition cond,
+ 
+ 	if (!check_mtu(data, new_sk)) {
+ 		tester_test_failed();
++		close(new_sk);
+ 		return FALSE;
+ 	}
+ 
+-- 
+2.26.2
+

0008-mesh-mesh-db-Fix-resource-leaks.patch

@@ -0,0 +1,33 @@
+From 35cbfd9660949fca23418bfa32fd51d81ed91208 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari <gtiwari@redhat.com>
+Date: Tue, 31 May 2022 13:11:12 +0530
+Subject: [PATCH BlueZ 08/12] mesh/mesh-db: Fix resource leaks
+
+While performing static tool analysis using coverity found following
+reports for resouse leak
+
+bluez-5.64/tools/mesh/mesh-db.c:2388: leaked_handle: Handle variable
+"fd" going out of scope leaks the handle.
+
+bluez-5.64/tools/mesh/mesh-db.c:2388: leaked_storage: Variable "str"
+going out of scope leaks the storage it points to.
+---
+ tools/mesh/mesh-db.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/mesh/mesh-db.c b/tools/mesh/mesh-db.c
+index fa11837df..896ff722c 100644
+--- a/tools/mesh/mesh-db.c
++++ b/tools/mesh/mesh-db.c
+@@ -2384,6 +2384,8 @@ bool mesh_db_load(const char *fname)
+ 
+ 	sz = read(fd, str, st.st_size);
+ 	if (sz != st.st_size) {
++		close(fd);
++		l_free(str);
+ 		l_error("Failed to read configuration file %s", fname);
+ 		return false;
+ 	}
+-- 
+2.26.2
+

0009-obex-client-Fix-leaked_handle.patch

@@ -0,0 +1,29 @@
+From 39b638526d9a45d54d2d6e3f175fd7eb057ef8f0 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari <gtiwari@redhat.com>
+Date: Tue, 31 May 2022 13:11:13 +0530
+Subject: [PATCH BlueZ 09/12] obex-client: Fix leaked_handle
+
+While performing static tool analysis using coverity found following
+reports for resouse leak
+
+bluez-5.64/tools/obex-client-tool.c:315: leaked_handle: Handle variable
+"sk" going out of scope leaks the handle.
+---
+ tools/obex-client-tool.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/obex-client-tool.c b/tools/obex-client-tool.c
+index ab9332896..cb0e41247 100644
+--- a/tools/obex-client-tool.c
++++ b/tools/obex-client-tool.c
+@@ -312,6 +312,7 @@ static GIOChannel *unix_connect(GObexTransportType transport)
+ 	if (connect(sk, (struct sockaddr *) &addr, sizeof(addr)) < 0) {
+ 		err = errno;
+ 		g_printerr("connect: %s (%d)\n", strerror(err), err);
++		close(sk);
+ 		return NULL;
+ 	}
+ 
+-- 
+2.26.2
+

0010-pbap-Fix-memory-leak.patch

@@ -0,0 +1,34 @@
+From 06d3c7429ad6bdf6eef1bcedee327e74a33c40bf Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari <gtiwari@redhat.com>
+Date: Tue, 31 May 2022 13:11:15 +0530
+Subject: [PATCH BlueZ 10/12] pbap: Fix memory leak
+
+Reported by coverity tool as follows:
+
+bluez-5.64/obexd/client/pbap.c:929: leaked_storage: Variable "apparam"
+going out of scope leaks the storage it points to.
+---
+ obexd/client/pbap.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/obexd/client/pbap.c b/obexd/client/pbap.c
+index 1a2bacc9f..1ed8c68ec 100644
+--- a/obexd/client/pbap.c
++++ b/obexd/client/pbap.c
+@@ -925,10 +925,11 @@ static DBusMessage *pbap_search(DBusConnection *connection,
+ 		return g_dbus_create_error(message,
+ 				ERROR_INTERFACE ".InvalidArguments", NULL);
+ 
+-	if (dbus_message_iter_get_arg_type(&args) != DBUS_TYPE_STRING)
++	if (dbus_message_iter_get_arg_type(&args) != DBUS_TYPE_STRING) {
++		g_obex_apparam_free(apparam);
+ 		return g_dbus_create_error(message,
+ 				ERROR_INTERFACE ".InvalidArguments", NULL);
+-
++	}
+ 	dbus_message_iter_get_basic(&args, &value);
+ 	dbus_message_iter_next(&args);
+ 
+-- 
+2.26.2
+

0011-meshctl-Fix-possible-use_after_free.patch

@@ -0,0 +1,30 @@
+From 56bda20ce9e3e5c4684b37cffd4527264c2b4c1e Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari <gtiwari@redhat.com>
+Date: Tue, 31 May 2022 13:11:16 +0530
+Subject: [PATCH BlueZ 11/12] meshctl: Fix possible use_after_free
+
+Reported by coverity tool as follows :
+
+bluez-5.64/tools/meshctl.c:1968: freed_arg: "g_free" frees "mesh_dir".
+
+bluez-5.64/tools/meshctl.c:2018: double_free: Calling "g_free" frees
+pointer "mesh_dir" which has already been freed.
+---
+ tools/meshctl.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/tools/meshctl.c b/tools/meshctl.c
+index 18e20c40d..38ffd35f3 100644
+--- a/tools/meshctl.c
++++ b/tools/meshctl.c
+@@ -2015,7 +2015,6 @@ int main(int argc, char *argv[])
+ 
+ fail:
+ 	bt_shell_cleanup();
+-	g_free(mesh_dir);
+ 
+ 	return EXIT_FAILURE;
+ }
+-- 
+2.26.2
+

0012-mesh-gatt-Fix-use_after_free.patch

@@ -0,0 +1,34 @@
+From 5cdaeaefc350ea3c42719284b88406579d032fb6 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari <gtiwari@redhat.com>
+Date: Tue, 31 May 2022 13:11:17 +0530
+Subject: [PATCH BlueZ 12/12] mesh-gatt: Fix use_after_free
+
+Following scenario happens when prov is false and we have double free as
+mentioned in the below
+
+bluez-5.64/tools/mesh-gatt/prov-db.c:847: freed_arg: "g_free" frees
+"in_str".
+
+bluez-5.64/tools/mesh-gatt/prov-db.c:867: double_free: Calling "g_free"
+frees pointer "in_str" which has already been freed.
+---
+ tools/mesh-gatt/prov-db.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/mesh-gatt/prov-db.c b/tools/mesh-gatt/prov-db.c
+index 2fb08f799..a5b6997e0 100644
+--- a/tools/mesh-gatt/prov-db.c
++++ b/tools/mesh-gatt/prov-db.c
+@@ -859,7 +859,8 @@ bool prov_db_local_set_iv_index(uint32_t iv_index, bool update, bool prov)
+ 
+ 		set_local_iv_index(jmain, iv_index, update);
+ 		prov_file_write(jmain, false);
+-	}
++	} else
++		return true;
+ 
+ 	res = true;
+ done:
+-- 
+2.26.2
+

bluez.spec

@@ -6,7 +6,7 @@
 
 Name:    bluez
 Version: 5.64
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: Bluetooth utilities
 License: GPLv2+
 URL:     http://www.bluez.org/
@@ -23,6 +23,19 @@ Patch1: 0001-obex-Use-GLib-helper-function-to-manipulate-paths.patch
 #Patch13: 0004-systemd-More-lockdown.patch
 #Patch14: 0005-media-rename-local-function-conflicting-with-pause-2.patch
 #Patch15: bluez-avdtp-fix-removing-all-seps-when-loading-from-cache.patch
+Patch2: 0001-client-gatt-Fix-memory-leak-issues.patch
+Patch3: 0002-mesh-appkey-Fix-memory-leaks.patch
+Patch4: 0003-monitor-Fix-memory-leaks.patch
+Patch5: 0004-sixaxis-Fix-memory-leaks.patch
+Patch6: 0005-cltest-Fix-leaked_handle.patch
+Patch7: 0006-create-image-Fix-leaked_handle.patch
+Patch8: 0007-l2cap-tester-Fix-leaked_handle.patch
+Patch9: 0008-mesh-mesh-db-Fix-resource-leaks.patch
+Patch10: 0009-obex-client-Fix-leaked_handle.patch
+Patch11: 0010-pbap-Fix-memory-leak.patch
+Patch12: 0011-meshctl-Fix-possible-use_after_free.patch
+Patch13: 0012-mesh-gatt-Fix-use_after_free.patch
+Patch14: 0001-gatt-Fix-double-free-and-freed-memory-dereference.patch 
 
 BuildRequires: dbus-devel >= 1.6
 BuildRequires: glib2-devel
@@ -320,6 +333,9 @@ install emulator/btvirt ${RPM_BUILD_ROOT}/%{_libexecdir}/bluetooth/
 %{_userunitdir}/obex.service
 
 %changelog
+* Thu Jun 9 2022 Gopal Tiwari <gtiwari@redhat.com> - 5.64-2
+- Coverity fixes for bluez.
+
 * Thu May 5 2022 Gopal Tiwari <gtiwari@redhat.com> - 5.64-1
 - Update to 5.64