[bluez/bluez] c04b96: a2dp: fix setup->err use-after-free

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



  Branch: refs/heads/master
  Home:   https://github.com/bluez/bluez
  Commit: c04b96dda5ce1bbb07a72b7ffa5ad1786ccffe47
      https://github.com/bluez/bluez/commit/c04b96dda5ce1bbb07a72b7ffa5ad1786ccffe47
  Author: Pauli Virtanen <pav@xxxxxx>
  Date:   2024-03-20 (Wed, 20 Mar 2024)

  Changed paths:
    M profiles/audio/a2dp.c

  Log Message:
  -----------
  a2dp: fix setup->err use-after-free

setup->err is set to values that either are on stack of avdtp.c
routines, obtained from callbacks, or allocated on heap. This is
inconsistent, and use-after-free in some cases.

Fix by always allocating setup->err ourselves, copying any values
obtained from callbacks.  Add setup_error_set/init and do all setup->err
manipulation via them.

Fixes crash:

==994225==ERROR: AddressSanitizer: stack-use-after-return
READ of size 1 at 0x7f15ee5189c0 thread T0
    #0 0x445724 in avdtp_error_category profiles/audio/avdtp.c:657
    #1 0x41e59e in error_to_errno profiles/audio/a2dp.c:303
    #2 0x42bb23 in a2dp_reconfigure profiles/audio/a2dp.c:1336
    #3 0x7f15f1512798 in g_timeout_dispatch
    ...
Address 0x7f15ee5189c0 is located in stack of thread T0 at offset 64 in frame
    #0 0x466b76 in avdtp_parse_rej profiles/audio/avdtp.c:3056
  This frame has 2 object(s):
    [48, 49) 'acp_seid' (line 3058)
    [64, 72) 'err' (line 3057) <== Memory access at offset 64 is inside this variable


  Commit: 9fc5f9e05d840444868140a4794f42b605fa4046
      https://github.com/bluez/bluez/commit/9fc5f9e05d840444868140a4794f42b605fa4046
  Author: Vlad Pruteanu <vlad.pruteanu@xxxxxxx>
  Date:   2024-03-20 (Wed, 20 Mar 2024)

  Changed paths:
    M src/shared/util.c
    M src/shared/util.h

  Log Message:
  -----------
  shared/util: Add util_iov_append function

Currently iov_append is defined in 2 places, client/player.c and
src/shared/bap.c. The player.c implementation is faulty as it
does not allocate additional memory for the data that it appends
to the original iovec. This can cause buffer overflows such as
the one attached at the end of this message, which was discovered
while running an Unicast setup. Therefore, the implementation from
src/shared/bap.c was used to create util_iov_append as it allocates
new memory appropriately.

==131878==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000059dda at pc 0x7feee2e70ea3 bp 0x7ffd415773f0 sp 0x7ffd41576b98
WRITE of size 6 at 0x602000059dda thread T0
0 0x7feee2e70ea2 in __interceptor_memcpy ../../../../src/libsanitizer
/sanitizer_common/sanitizer_common_interceptors.inc:899
1 0x5579661314aa in memcpy /usr/include/x86_64-linux-gnu/bits/
string_fortified.h:29
2 0x5579661314aa in iov_append client/player.c:2120
3 0x557966132169 in endpoint_select_properties_reply client/player.c:2191
4 0x557966132a6f in endpoint_select_properties client/player.c:2268
5 0x55796616e0b4 in process_message gdbus/object.c:246


  Commit: 060e3dd69ed357bfacbc26ac0d778cfacab1fb94
      https://github.com/bluez/bluez/commit/060e3dd69ed357bfacbc26ac0d778cfacab1fb94
  Author: Vlad Pruteanu <vlad.pruteanu@xxxxxxx>
  Date:   2024-03-20 (Wed, 20 Mar 2024)

  Changed paths:
    M src/shared/bap.c

  Log Message:
  -----------
  shared/bap: Use util_iov_append instead of iov_append

Use the newly created util_iov_append function from
src/shared/bap.c.


  Commit: e96a7fdd697bcba9046fd1afab75fd411c5cbf0d
      https://github.com/bluez/bluez/commit/e96a7fdd697bcba9046fd1afab75fd411c5cbf0d
  Author: Vlad Pruteanu <vlad.pruteanu@xxxxxxx>
  Date:   2024-03-20 (Wed, 20 Mar 2024)

  Changed paths:
    M client/player.c

  Log Message:
  -----------
  client/player: Use util_iov_append instead of iov_append

util_iov_append has been recently created. This implementation
allocates new memory for the appended data, while the old
version of iov_append from client/player.c did not. This could
lead to crashes in some scenarios, such as Unicast.


  Commit: 6c039398fee20165bce0e453a28d49800ff7522c
      https://github.com/bluez/bluez/commit/6c039398fee20165bce0e453a28d49800ff7522c
  Author: Sergey Bobrenok <sibobrenok@xxxxxxxxxxxxxxxxx>
  Date:   2024-03-20 (Wed, 20 Mar 2024)

  Changed paths:
    M src/btd.h
    M src/device.c
    M src/main.c
    M src/main.conf

  Log Message:
  -----------
  main.conf: Introduce GATT.Client option

General.ReverseServiceDiscovery option is responsible for two
different things:
 1. It disables SDP reverse discovering. As a side effect, some BR/EDR
 profiles cannot operate properly. E.g. AVRCP-target profile needs SDP
 results to determine the peer's AVRCP version.
 2. It disables GATT-client creation back to the GATT connection
 initiator. It may be useful for peripheral devices, especially if the
 peer doesn't expect them to connect back (and currently some IOS
 versions don't). This behavior was introduced in
 8de73cd12 ("main.conf: Make ReverseServiceDiscovery work with LE")

For peripheral devices implementing only A2DP-sink, AVRCP-target, and
GATT profiles (e.g. BT loudspeakers), it may be useful to disable
GATT-client functionality, but still have SDP reverse discovering.

Unfortunately, splitting the General.ReverseServiceDiscovery option
into two different options will break backward compatibility on the
configuration file level. So a new configuration option has been
introduced in addition to the old one.


Compare: https://github.com/bluez/bluez/compare/8060d1208673...6c039398fee2

To unsubscribe from these emails, change your notification settings at https://github.com/bluez/bluez/settings/notifications




[Index of Archives]     [Bluez Devel]     [Linux Wireless Networking]     [Linux Wireless Personal Area Networking]     [Linux ATH6KL]     [Linux USB Devel]     [Linux Media Drivers]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [Big List of Linux Books]

  Powered by Linux