Pulseaudio in Ubuntu 16.04 contains a potential double-free bug in Bluez 5 module

Bug #1884738 reported by Ratchanan Srirattanamet
Affects: pulseaudio (Ubuntu) | Importance: Undecided | Assigned to: Avital Ostromich

Bug Description

I've found a potential double-free bug in Ubuntu's SCO-over-PCM patch in PA. It creates code paths in pa__init() that will free the modargs twice in its failure handler and in pa__done() called from that handler. However, I can't find a way to trigger this with the current version of the code, as the failure mode of the code is pretty small.

The way this bug surfaced is when I tried to fix the "profile" option in Pulseaudio for UBports' Ubuntu Touch, where I made it fail if the requested profile isn't supported, thus creating a failure mode that can trigger this. Side note: are you interested in this patch? The profile option in Xenial is currently not working, but I guess nothing in Ubuntu uses it.

I've attached the patch which should fix the bug. I'm not sure if it's worth an SRU or not, so it's up to you.

Revision history for this message
Mike Salvatore (mikesalvatore) wrote :

Hi Ratchanan,

Is this bug specific to Ubuntu, or does it also affect the upstream Pulseaudio Bluez5 module?

Thanks,
Mike Salvatore

Revision history for this message
Ratchanan Srirattanamet (peat-new) wrote :

For the -device module, I just noticed that upstream had (and fixed) a similar bug [1]. However, the double-freeing code path is modified by Ubuntu's patch, creating a (kind of) different bug. I don't see a similar issue for the -discover module upstream.

So, this turns out to be not exactly Ubuntu specific, but Ubuntu requires an additional patch.

[1] https://github.com/pulseaudio/pulseaudio/commit/4231befa7787dbbfdd24e7f9bb248a18cbeab7a0

Steve Beattie (sbeattie)
Changed in pulseaudio (Ubuntu):
status: New → Confirmed
assignee: nobody → Avital Ostromich (avital)
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Please use CVE-2020-15710 for this issue. Thanks.

Revision history for this message
Avital Ostromich (avital) wrote :

Hello Ratchanan,
Thank you for the patch. I’ve added a second patch on top to simply initialize u and set the fail condition to check u (instead of u->modargs) in module-bluez5-discover.c as otherwise it could be used uninitialized in the fail condition.
Thanks!
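
The two failure-path defects discussed in this thread, the description's double free of modargs in pa__init()'s fail handler followed by pa__done(), and the uninitialized u that the second patch addresses, shown side by side as a constructed C example. This is added here and is not PulseAudio code or the Ubuntu patch; modargs_t, userdata_t, module_done, init_vulnerable and init_fixed are hypothetical stand-ins, and the free is simulated so the second call is counted rather than corrupting the heap.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed stand-ins for pa_modargs and the module userdata (not PulseAudio code). */
typedef struct { int freed; char profile[24]; } modargs_t;
typedef struct { modargs_t *modargs; } userdata_t;

/* Simulation: a repeated free is counted instead of corrupting the heap, and the
   object is kept allocated so the check itself is not a use-after-free. */
static int double_frees;
static void modargs_free(modargs_t *ma) {
    if (ma->freed) double_frees++;
    ma->freed = 1;
}
static modargs_t *modargs_new(const char *profile) {
    modargs_t *ma = calloc(1, sizeof *ma);
    strncpy(ma->profile, profile, sizeof ma->profile - 1);
    return ma;
}
static int profile_supported(const char *p) { return !strcmp(p, "a2dp_sink"); }

/* pa__done-style teardown: modargs is freed here, exactly once. */
static void module_done(userdata_t *u) {
    if (u->modargs) modargs_free(u->modargs);
    free(u);
}

/* Pattern described in the report: the fail path frees modargs itself, then
   calls module_done(), which frees the same pointer a second time. */
static int init_vulnerable(userdata_t **out, const char *profile) {
    userdata_t *u = calloc(1, sizeof *u);
    u->modargs = modargs_new(profile);
    if (!profile_supported(profile)) goto fail;
    *out = u; return 0;
fail:
    modargs_free(u->modargs);  /* first free */
    module_done(u);            /* second free of u->modargs */
    return -1;
}

/* Fixed pattern: u starts NULL so an early failure never dereferences it, and
   only module_done() frees, so modargs is released exactly once. */
static int init_fixed(userdata_t **out, const char *profile) {
    userdata_t *u = NULL;
    if (!profile || !*profile) goto fail;   /* fails before u exists */
    u = calloc(1, sizeof *u);
    u->modargs = modargs_new(profile);
    if (!profile_supported(profile)) goto fail;
    *out = u; return 0;
fail:
    if (u) module_done(u);   /* check u, not u->modargs */
    return -1;
}
```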

Revision history for this message
Avital Ostromich (avital) wrote :

Hello Ratchanan,
The patched package will be published on September 17th, when this bug will be made public; please let us know if this date doesn't work for you.
Thanks!

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pulseaudio - 1:8.0-0ubuntu3.14

---------------
pulseaudio (1:8.0-0ubuntu3.14) xenial-security; urgency=medium

  * SECURITY UPDATE: potential double-free in the Bluez 5 module (LP: #1884738)
    - d/p/0511-bluetooth-bluez5-fix-double-free-in-pa__init.patch:
      Only free modargs once in each of
      src/modules/bluetooth/module-bluez5-device.c and
      src/modules/bluetooth/module-bluez5-discover.c, patch thanks to Ratchanan
      Srirattanamet.
    - d/p/0512-bluetooth-bluez5-fix-double-free-2.patch: Initialize pointer
      before dereferencing in fail condition.
    - CVE-2020-15710

 -- Avital Ostromich <email address hidden> Thu, 17 Sep 2020 09:38:52 -0400

Changed in pulseaudio (Ubuntu):
status: Confirmed → Fix Released
information type: Private Security → Public Security