[Bug 794331] New: pulseaudio segfaults for bluetooth devices
https://bugzilla.novell.com/show_bug.cgi?id=794331
https://bugzilla.novell.com/show_bug.cgi?id=794331#c0

           Summary: pulseaudio segfaults for bluetooth devices
    Classification: openSUSE
           Product: openSUSE 12.2
           Version: Final
          Platform: i586
        OS/Version: openSUSE 12.2
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: Sound
        AssignedTo: tiwai@suse.com
        ReportedBy: ptesarik@suse.com
         QAContact: qa-bugs@suse.de
          Found By: L3
           Blocker: ---

When trying to use a bluetooth headset with the pulseaudio bluetooth module, pulseaudio crashes as soon as the bluetooth device is paired (or at startup if the device is already present before starting pulseaudio).

I have tracked this down to an overflow issue. In short, when endpoint_set_configuration() reads the D-Bus arguments, it reads the "NREC" boolean argument into a variable of type "pa_bool_t", which is only 1 byte long. However, the D-Bus boolean type (as seen on the wire, and as used by libdbus) is always 32 bits long, so this overwrites the following variable on the stack. In my case it happened to be the least significant 24 bits of the path variable, effectively turning it into an invalid pointer and crashing when a strdup is attempted on that string.

Upstream seems to have the same issue:
http://cgit.freedesktop.org/pulseaudio/pulseaudio/tree/src/modules/bluetooth...
But I haven't tested with their version.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=794331#c1

Takashi Iwai <tiwai@suse.com> changed:

           What    |Removed         |Added
----------------------------------------------------------------------------
                CC|                |tiwai@suse.com
        AssignedTo|tiwai@suse.com  |acho@suse.com

--- Comment #1 from Takashi Iwai <tiwai@suse.com> 2012-12-13 16:06:35 UTC ---
Al, could you check it? If you aren't interested, feel free to assign others :)
https://bugzilla.novell.com/show_bug.cgi?id=794331#c2

--- Comment #2 from Petr Tesařík <ptesarik@suse.com> 2012-12-13 16:14:19 UTC ---
Created an attachment (id=516942)
 --> (http://bugzilla.novell.com/attachment.cgi?id=516942)
pulseaudio-bt-dbus_bool_t.patch

This patch fixes the segfault for me.

I'm still getting a connection error with the patch, but that's most likely unrelated:

    bt_audio_service_open: connect() failed: Connection refused (111)
    W: [pulseaudio] module-bluetooth-device.c: Bluetooth audio service not available
https://bugzilla.novell.com/show_bug.cgi?id=794331#c3

Al Cho <acho@suse.com> changed:

           What    |Removed         |Added
----------------------------------------------------------------------------
                CC|                |acho@suse.com

--- Comment #3 from Al Cho <acho@suse.com> 2012-12-14 04:17:33 UTC ---
Hi Petr,

Would you please give us the hardware information? (bluetooth info, BT headset info, systemconfig, lsusb, etc., and more hardware info)

Thanks,
AL
https://bugzilla.novell.com/show_bug.cgi?id=794331#c4

Petr Tesařík <ptesarik@suse.com> changed:

           What    |Removed         |Added
----------------------------------------------------------------------------
            Status|NEW             |NEEDINFO
      InfoProvider|                |acho@suse.com

--- Comment #4 from Petr Tesařík <ptesarik@suse.com> 2012-12-14 14:15:50 UTC ---
Hi Al,

I'm not sure it's relevant, because after applying the patch from comment #2 and a fresh restart of the Bluetooth stack, all works fine for me now. Do you still want to have the hardware details, anyway?
https://bugzilla.novell.com/show_bug.cgi?id=794331#c5

Al Cho <acho@suse.com> changed:

           What    |Removed         |Added
----------------------------------------------------------------------------
            Status|NEEDINFO        |NEW
      InfoProvider|acho@suse.com   |

--- Comment #5 from Al Cho <acho@suse.com> 2012-12-17 06:57:04 UTC ---
(In reply to comment #4)
> Hi Al,
>
> I'm not sure it's relevant, because after applying the patch from comment #2 and a fresh restart of the Bluetooth stack, all works fine for me now. Do you still want to have the hardware details, anyway?

Yes, I would like to check the patch with the hardware to make sure that it fixes your problem. Please help us get your hardware information.

Thanks,
AL
https://bugzilla.novell.com/show_bug.cgi?id=794331#c6

--- Comment #6 from Petr Tesařík <ptesarik@suse.com> 2012-12-17 12:18:08 UTC ---
Output of hwinfo --bluetooth:

    04: USB 00.0: 11500 Bluetooth Device
      [Created at usb.122]
      Unique ID: PYMB.nQKjiuCfL84
      Parent ID: zPk0.7gZT0a5zLs5
      SysFS ID: /devices/pci0000:00/0000:00:1a.1/usb4/4-1/4-1:1.0
      SysFS BusID: 4-1:1.0
      Hardware Class: bluetooth
      Model: "Cambridge Silicon Radio Bluetooth Dongle (HCI mode)"
      Hotplug: USB
      Vendor: usb 0x0a12 "Cambridge Silicon Radio, Ltd"
      Device: usb 0x0001 "Bluetooth Dongle (HCI mode)"
      Revision: "19.58"
      Driver: "btusb"
      Driver Modules: "btusb"
      Speed: 12 Mbps
      Module Alias: "usb:v0A12p0001d1958dcE0dsc01dp01icE0isc01ip01"
      Driver Info #0:
        Driver Status: btusb is active
        Driver Activation Cmd: "modprobe btusb"
      Config Status: cfg=new, avail=yes, need=no, active=unknown
      Attached to: #3 (Hub)

Output of hciconfig -a:

    hci0:   Type: BR/EDR  Bus: USB
            BD Address: 00:15:83:3D:0A:57  ACL MTU: 384:8  SCO MTU: 64:8
            UP RUNNING PSCAN
            RX bytes:60691936 acl:82 sco:1186838 events:263 errors:0
            TX bytes:60265716 acl:112 sco:1181803 commands:66 errors:185
            Features: 0xff 0xff 0x8f 0xfe 0x9b 0xf9 0x00 0x80
            Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
            Link policy: RSWITCH HOLD SNIFF PARK
            Link mode: SLAVE ACCEPT
            Name: 'Azariah'
            Class: 0x580100
            Service Classes: Capturing, Object Transfer, Telephony
            Device Class: Computer, Uncategorized
            HCI Version: 2.0 (0x3)  Revision: 0x7a6
            LMP Version: 2.0 (0x3)  Subversion: 0x7a6
            Manufacturer: Cambridge Silicon Radio (10)

Output of hciconfig hci0 voice:

    hci0:   Type: BR/EDR  Bus: USB
            BD Address: 00:15:83:3D:0A:57  ACL MTU: 384:8  SCO MTU: 64:8
            Voice setting: 0x0060 (Default Condition)
            Input Coding: Linear
            Input Data Format: 2's complement
            Input Sample Size: 16 bit
            # of bits padding at MSB: 0
            Air Coding Format: CVSD

Output of hcitool con:

    Connections:
            > ACL EE:42:0E:44:11:24 handle 42 state 1 lm MASTER AUTH ENCRYPT

Output of hcitool info EE:42:0E:44:11:24:

            BD Address:  EE:42:0E:44:11:24
            Device Name: Eurobird EBH-420
            LMP Version: 2.1 (0x4) LMP Subversion: 0x422
            Manufacturer: Integrated System Solution Corp. (57)
            Features page 0: 0xbf 0xff 0xff 0xfe 0x88 0x3d 0x19 0x82
                    <3-slot packets> <5-slot packets> <encryption> <slot offset>
                    <timing accuracy> <role switch> <sniff mode> <park state> <RSSI>
                    <channel quality> <SCO link> <HV2 packets> <HV3 packets>
                    <u-law log> <A-law log> <CVSD> <paging scheme> <power control>
                    <transparent SCO> <broadcast encrypt> <EDR ACL 2 Mbps>
                    <EDR ACL 3 Mbps> <enhanced iscan> <interlaced iscan>
                    <interlaced pscan> <inquiry with RSSI> <extended SCO>
                    <AFH cap. slave> <3-slot EDR ACL> <5-slot EDR ACL>
                    <pause encryption> <AFH cap. master> <AFH class. master>
                    <EDR eSCO 2 Mbps> <extended inquiry> <simple pairing>
                    <encapsulated PDU> <inquiry TX power> <extended features>
            Features page 1: 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00

And most importantly, output of dbus-send --system --dest=org.bluez --print-reply /org/bluez/27561/hci0/dev_EE_42_0E_44_11_24/fd3 org.bluez.MediaTransport.GetProperties:

    method return sender=:1.193 -> dest=:1.274 reply_serial=2
       array [
          dict entry(
             string "Device"
             variant             object path "/org/bluez/27561/hci0/dev_EE_42_0E_44_11_24"
          )
          dict entry(
             string "UUID"
             variant             string "0000111f-0000-1000-8000-00805f9b34fb"
          )
          dict entry(
             string "Codec"
             variant             byte 0
          )
          dict entry(
             string "Configuration"
             variant             array [
                ]
          )
          dict entry(
             string "NREC"
             variant             boolean true
          )
          dict entry(
             string "InbandRingtone"
             variant             boolean false
          )
          dict entry(
             string "Routing"
             variant             string "HCI"
          )
       ]

I know that the noise-reduction/echo cancellation (NREC) property is optional, but if the pulseaudio bluetooth module decided to implement it, then it must be implemented properly, because dbus_message_iter_get_basic() will overwrite 4 bytes starting at the given address, so if you only reserve 1 byte (type pa_bool_t), the call will overwrite the following variable.

I fail to see how this depends on my hardware configuration, sorry.

BTW upstream is already fixed (just with a slightly different patch), see
http://cgit.freedesktop.org/pulseaudio/pulseaudio/commit/src/modules/bluetoo...

Would you mind backporting that fix to openSUSE?
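The mechanism Petr describes in the report and again in comment #6 (a 32-bit D-Bus BOOLEAN written by dbus_message_iter_get_basic() into 1-byte pa_bool_t storage, clobbering whatever sits next to it on the stack) can be reproduced without libdbus. The C program below is an added example, not code from the bug, from the attached patch, or from pulseaudio. model_iter_get_basic_boolean() is a constructed stand-in for what libdbus does for a BOOLEAN argument (copy sizeof(dbus_bool_t), i.e. 4 bytes, to the caller's pointer); struct locals is an assumed layout with the 1-byte flag directly followed by the first bytes of the path variable, and PATH_SENTINEL is a constructed marker so the clobber can be counted. read_nrec_buggy() follows the pre-fix pattern; read_nrec_fixed() gives libdbus full-width storage and converts afterwards.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* libdbus represents a D-Bus BOOLEAN as a 32-bit integer (dbus_bool_t);
 * pulseaudio's pa_bool_t of that era was a one-byte C bool. */
typedef uint32_t dbus_bool_t;
typedef bool     pa_bool_t;

/* Constructed stand-in for dbus_message_iter_get_basic() on a BOOLEAN
 * argument: libdbus copies the full 32-bit value to *value and trusts the
 * caller to have provided dbus_bool_t-sized storage. Not libdbus code. */
static void model_iter_get_basic_boolean(const uint8_t wire[4], void *value)
{
    memcpy(value, wire, sizeof(dbus_bool_t));
}

/* Assumed stack layout from the report: the 1-byte NREC flag directly
 * followed by the path variable (only its first four bytes are modelled).
 * Both members have alignment 1, so there is no padding between them and
 * the layout is the same on every compiler. */
struct locals {
    pa_bool_t nrec;
    uint8_t   path[4];
};

/* Constructed marker bytes standing in for the original path pointer. */
static const uint8_t PATH_SENTINEL[4] = { 0xCA, 0xFE, 0xBA, 0xBE };

struct result {
    bool nrec;             /* value the caller ends up with */
    int  clobbered_bytes;  /* bytes of 'path' that no longer match the sentinel */
};

/* Encode a host integer as a little-endian D-Bus BOOLEAN (as on i586). */
static void encode_boolean(uint32_t v, uint8_t wire[4])
{
    for (int i = 0; i < 4; i++)
        wire[i] = (uint8_t)(v >> (8 * i));
}

static int count_clobbered(const struct locals *l)
{
    int n = 0;
    for (int i = 0; i < 4; i++)
        n += (l->path[i] != PATH_SENTINEL[i]);
    return n;
}

/* Pre-fix pattern: hand libdbus the address of a 1-byte pa_bool_t.
 * The 4-byte store is issued through a byte pointer into the whole
 * struct so the write past the member stays well-defined in this model. */
struct result read_nrec_buggy(uint32_t wire_value)
{
    uint8_t wire[4];
    struct locals l = { .nrec = false };
    memcpy(l.path, PATH_SENTINEL, sizeof l.path);
    encode_boolean(wire_value, wire);

    model_iter_get_basic_boolean(wire, (uint8_t *)&l + offsetof(struct locals, nrec));

    /* nrec now holds the low byte; the next three bytes landed in path */
    return (struct result){ .nrec = l.nrec, .clobbered_bytes = count_clobbered(&l) };
}

/* Fixed pattern: receive into a dbus_bool_t, then narrow to pa_bool_t. */
struct result read_nrec_fixed(uint32_t wire_value)
{
    uint8_t wire[4];
    struct locals l = { .nrec = false };
    dbus_bool_t tmp = 0;
    memcpy(l.path, PATH_SENTINEL, sizeof l.path);
    encode_boolean(wire_value, wire);

    model_iter_get_basic_boolean(wire, &tmp);
    l.nrec = (tmp != 0);

    return (struct result){ .nrec = l.nrec, .clobbered_bytes = count_clobbered(&l) };
}

int main(void)
{
    struct result b = read_nrec_buggy(1);   /* "NREC" boolean true, as in the reply above */
    struct result f = read_nrec_fixed(1);
    printf("buggy: nrec=%d, path bytes clobbered=%d\n", b.nrec, b.clobbered_bytes);
    printf("fixed: nrec=%d, path bytes clobbered=%d\n", f.nrec, f.clobbered_bytes);
    return 0;
}
```

Note that the value of the boolean is irrelevant to the damage: with NREC false the wire bytes are all zero, and the buggy reader still overwrites three bytes of the neighbour with zeros. The safe pattern is the one the attachment's name suggests, give libdbus storage of exactly the type it documents for the argument and convert afterwards.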
https://bugzilla.novell.com/show_bug.cgi?id=794331#c7

--- Comment #7 from Petr Tesařík <ptesarik@suse.com> 2013-01-18 18:40:13 UTC ---
Ping! My setup has just broken again with the last update of pulseaudio-module-bluetooth. Needless to say, the above patch fixes the issue.
https://bugzilla.novell.com/show_bug.cgi?id=794331#c8

Jeffrey Cheung <jcheung@suse.com> changed:

           What    |Removed         |Added
----------------------------------------------------------------------------
            Status|NEW             |NEEDINFO
                CC|                |jcheung@suse.com
      InfoProvider|                |ptesarik@suse.com

--- Comment #8 from Jeffrey Cheung <jcheung@suse.com> 2013-06-04 03:01:27 UTC ---
Hi Petr,

Can you try openSUSE 12.3, in which the kernel and packages are updated? I wonder if that fixed your problem.
https://bugzilla.novell.com/show_bug.cgi?id=794331#c9

Petr Tesařík <ptesarik@suse.com> changed:

           What    |Removed         |Added
----------------------------------------------------------------------------
            Status|NEEDINFO        |RESOLVED
      InfoProvider|ptesarik@suse.com|
        Resolution|                |WONTFIX

--- Comment #9 from Petr Tesařík <ptesarik@suse.com> 2013-06-06 05:36:50 UTC ---
Hi Jeffrey,

of course the bug is fixed in openSUSE 12.3, because it is based on upstream version 3.0, which includes the fix from my comment #6. FWIW you could have checked it yourself...

So, basically, I translate it into a "WONTFIX in openSUSE 12.2". Why didn't you tell me when I asked if you would mind backporting the fix?

*disappointed user*