HCI_EVT Packet 'Flush Occurred' Misalignment

Hi All,

Our fuzzing tool found a possible bug when testing a Bluetooth RFCOMM connection:

(1) A 'Flush Occurred' HCI_EVT packet with an incorrect 'parameter_total_length' field and parameters was maliciously sent to the host (hexadecimal content: '11 3D C4 02 62 D1').

(2) Because 'hci_ev_table' (/net/bluetooth/hci_event.c: 7514) does not include the 'Flush Occurred' event, the function 'hci_event_func' (/net/bluetooth/hci_event.c: 7644) doesn't check the 'parameter_total_length' field of this packet.

(3) When the controller transmits additional HCI packets to the host, these packets are concatenated to the previously mentioned Flush Occurred packet. This results in the packets being disregarded by the host.

Attachment 1 is the kernel log, which includes the printed HCI packet interactions between the host and controller. All HCI packets following the line mentioned below are ignored by the host:

'''
[ 1555.520646] <- [EVT] 11 3D C4 02 62 D1
'''
Attachment 2 contains packet captures from tshark.

It remains unclear whether this behavior constitutes a bug or a feature. We apologize if this inquiry causes any offense.
Thank you very much for taking the time to read.

Best regards,
Yuxuan Hu.

Attachment 1 (kernel log):
[QServer] begin connect_bt()
[ 1555.339622] -> [CMD] 05 04 0D A8 25 D1 EB 27 B8 18 CC 02 00 00 00 01 
[ 1555.340174] <- [EVT] 0F 04 00 01 05 04 
[ 1555.342970] <- [EVT] 12 08 00 A8 25 D1 EB 27 B8 01 
[ 1555.346455] <- [EVT] 03 0B 00 0B 00 A8 25 D1 EB 27 B8 01 00 
[ 1555.347006] -> [CMD] 1B 04 02 0B 00 
[ 1555.348244] <- [EVT] 1B 03 0B 00 05 
[ 1555.366018] <- [ACL] 0B 20 0A 00 06 00 01 00 0A 01 02 00 02 00 
[ 1555.366732] <- [EVT] 0F 04 00 01 1B 04 
[ 1555.367217] -> [CMD] 1A 0C 01 00 
[ 1555.368936] <- [EVT] 0B 0B 00 0B 00 BF FE CF FE DB FF 7B 87 
[ 1555.369797] <- [EVT] 0E 04 01 1A 0C 00 
[ 1555.370167] -> [CMD] 1C 04 03 0B 00 01 
[ 1555.370636] <- [EVT] 0E 04 01 1A 0C 00 
[ 1555.420106] <- [EVT] 0F 04 00 01 1C 04 
[ 1555.422120] <- [EVT] 23 0D 00 0B 00 01 02 0B 00 00 00 00 00 00 00 
[ 1555.422621] -> [CMD] 19 04 0A A8 25 D1 EB 27 B8 02 00 00 00 
[ 1555.423364] <- [EVT] 0F 04 00 01 19 04 
[ 1555.461405] <- [EVT] 07 FF 00 A8 25 D1 EB 27 B8 72 61 73 70 62 65 72 72 79 70 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1555.467514] -> [CMD] 11 04 02 0B 00 
[ 1555.468315] <- [EVT] 0F 04 00 01 11 04 
[ 1555.485182] <- [EVT] 17 06 A8 25 D1 EB 27 B8 
[ 1555.485709] -> [CMD] 0B 04 16 A8 25 D1 EB 27 B8 E9 B7 A0 53 44 FD 0C B8 97 8C BD BA 32 8F 86 B3 
[ 1555.486957] <- [EVT] 0E 0A 01 0B 04 00 A8 25 D1 EB 27 B8 
[ 1555.520133] <- [EVT] 06 03 00 0B 00 
[ 1555.520380] -> [CMD] 13 04 03 0B 00 01 
[ 1555.520646] <- [EVT] 11 3D C4 02 62 D1 
[ 1555.551894] <- [EVT] 08 04 00 0B 00 02 
[ 1555.600941] <- [EVT] ED BA 47 91 D0 26 0A 9F B7 
[ 1555.631916] <- [ACL] 0B 20 10 00 0C 00 01 00 0B 01 08 00 02 00 00 00 B8 02 00 00 
[ 1555.633901] <- [EVT] 13 05 01 0B 00 02 00 
[ 1555.683037] <- [ACL] 0B 20 0A 00 06 00 01 00 0A 02 02 00 03 00 
[ 1555.731917] <- [ACL] F4 07 82 F1 3A 9F 14 4B 2C 26 5C 72 AE AC AE F3 5A E9 80 39 12 D4 4C 6A 
[ 1555.733884] <- [EVT] 13 05 01 0B 00 02 00 
[ 1555.782932] <- [ACL] 0B 20 10 00 0C 00 01 00 03 03 08 00 40 00 40 00 00 00 00 00 
[ 1555.831901] <- [ACL] 0B 20 1B 00 17 00 01 00 04 03 13 00 40 00 00 00 01 02 FD 03 04 09 00 00 00 00 00 00 00 00 00
[ 1555.863917] <- [EVT] 13 05 01 0B 00 02 00 
[ 1555.912959] <- [ACL] 0B 20 12 00 0E 00 01 00 05 04 0A 00 40 00 00 00 00 00 01 02 FD 03 
[ 1555.946899] <- [EVT] 13 05 01 0B 00 02 00 
[ 1555.995923] <- [ACL] 0B 20 08 00 04 00 40 00 03 73 01 D7 
[ 1556.044926] <- [ACL] 0B 20 12 00 0E 00 40 00 01 EF 15 81 11 02 E0 07 00 F8 03 00 07 AA 
[ 1556.061899] <- [EVT] 13 05 01 0B 00 02 00 
[ 1556.110907] <- [ACL] 0B 20 08 00 04 00 40 00 0B 73 01 92 
[ 1556.159907] <- [ACL] 0B 20 0C 00 08 00 40 00 01 EF 09 E3 05 0B 8D AA 
[ 1556.208912] <- [ACL] 0B 20 0C 00 08 00 40 00 01 EF 09 E1 05 0B 8D AA 
[ 1556.210888] <- [EVT] 13 05 01 0B 00 02 00 
[ 1556.212892] <- [ACL] 0B 20 09 00 05 00 40 00 09 FF 01 21 5C 
[ 1556.245903] <- [ACL] 0B 20 1A 00 16 00 40 00 09 EF 25 48 65 6C 6C 6F 20 66 72 6F 6D 20 51 53 65 72 76 65 72 40
[ 1556.247881] <- [EVT] 13 05 01 0B 00 02 00 
[ 1556.296901] <- [ACL] 0B 20 08 00 04 00 40 00 09 53 01 D9 
[ 1556.327897] <- [EVT] 13 05 01 0B 00 02 00 
[ 1556.376905] <- [ACL] 0B 20 08 00 04 00 40 00 0B 73 01 92 
[ 1556.425915] <- [ACL] 0B 20 08 00 04 00 40 00 0B 1F 01 73 
[ 1556.635936] <- [EVT] 13 05 01 0B 00 01 00 
[ 1556.684891] <- [ACL] 0B 20 08 00 04 00 40 00 01 53 01 9C 
[ 1556.733904] <- [ACL] 0B 20 08 00 04 00 40 00 03 73 01 D7 
[ 1556.782907] <- [ACL] 0B 20 0C 00 08 00 01 00 06 04 04 00 40 00 40 00 
[ 1556.815897] <- [EVT] 13 05 01 0B 00 02 00 
[ 1556.864906] <- [ACL] 0B 20 0C 00 08 00 01 00 07 05 04 00 40 00 40 00 
[ 1556.866887] <- [EVT] 13 05 01 0B 00 02 00 
[ 1556.915912] <- [EVT] 0F 04 00 01 06 04 
[ 1556.917887] <- [EVT] 05 04 00 0B 00 16 
[ 1556.966928] <- [EVT] 0E 04 01 1A 0C 00 
[ 1557.579983] Bluetooth: hci0: command 0x0413 tx timeout
[QServer] Child terminated by signal Killed

Attachment: Flush_Occurred_Misalignment.pcap
Description: Binary data
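As an added example (not code from the report or from the kernel), the kind of table-driven length check whose absence the report describes for this event code: each event's parameter_total_length is compared with the spec-defined length before it is used, and a stream of back-to-back events is walked so that a bad length stops at the offending packet instead of absorbing the ones that follow. The constant and function names are assumptions made here; the sample bytes are the two events from the kernel log above.

```c
#include <stddef.h>
#include <stdint.h>
/* Event codes and parameter lengths follow the Core spec HCI event format
 * (1-byte Event_Code, 1-byte Parameter_Total_Length); the names are this
 * example's own, not the kernel's identifiers. */
#define EVT_FLUSH_OCCURRED    0x11  /* params: Connection_Handle (2 bytes) */
#define EVT_ENCRYPTION_CHANGE 0x08  /* params: Status, Handle, Enabled (4) */
#define HCI_EVT_HDR_LEN       2
enum hci_rc { HCI_OK = 0, HCI_TRUNCATED = -1, HCI_BAD_PLEN = -2 };

/* Spec length for known events; -1 = no table entry (the report's case for 0x11). */
static int expected_plen(uint8_t evt)
{
    switch (evt) {
    case EVT_FLUSH_OCCURRED:    return 2;
    case EVT_ENCRYPTION_CHANGE: return 4;
    default:                    return -1;
    }
}

/* Validate the event at buf[0]; on success *consumed is its size. A plen that
 * contradicts the spec or overruns the bytes present is rejected up front. */
int hci_event_check(const uint8_t *buf, size_t len, size_t *consumed)
{
    if (len < HCI_EVT_HDR_LEN)
        return HCI_TRUNCATED;
    int want = expected_plen(buf[0]);
    uint8_t plen = buf[1];
    if (want >= 0 && plen != want)
        return HCI_BAD_PLEN;     /* "11 3D ...": 0x3D where 2 is required */
    if ((size_t)HCI_EVT_HDR_LEN + plen > len)
        return HCI_TRUNCATED;    /* would need bytes from the next packet */
    *consumed = HCI_EVT_HDR_LEN + plen;
    return HCI_OK;
}

/* Walk back-to-back events; returns how many were accepted before the
 * first rejection, whose code is left in *rc (HCI_OK if all passed). */
size_t hci_event_stream_accept(const uint8_t *buf, size_t len, int *rc)
{
    size_t off = 0, n = 0, used = 0;
    for (*rc = HCI_OK; off < len; off += used, n++)
        if ((*rc = hci_event_check(buf + off, len - off, &used)) != HCI_OK)
            break;
    return n;
}

/* Constructed sample: the log's malformed event (1555.520646) then the next event (1555.551894). */
const uint8_t sample_stream[] = { 0x11, 0x3D, 0xC4, 0x02, 0x62, 0xD1,
                                  0x08, 0x04, 0x00, 0x0B, 0x00, 0x02 };
```

Run against sample_stream, the walk accepts zero events and reports HCI_BAD_PLEN at the first one, whereas a reader that trusts 0x3D would wait for 61 parameter bytes and swallow the Encryption Change event behind it.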