Re: [PATCH] lib: Browsing services using sdptool can lead to writing to invalid heap locations

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Johan

On 04/04/2013 02:38 PM, Johan Hedberg wrote:
Hi Arek,

On Thu, Apr 04, 2013, Arkadiusz Lichwa wrote:
valgrind's output of exemplary call: sdptool browse local

==2203== HEAP SUMMARY:
==2203==     in use at exit: 0 bytes in 0 blocks
==2203==   total heap usage: 251 allocs, 251 frees, 140,156 bytes allocated
==2203==
==2203== All heap blocks were freed -- no leaks are possible
==2203==
==2203== ERROR SUMMARY: 6 errors from 2 contexts (suppressed: 0 from 0)
==2203==
==2203== 1 errors in context 1 of 2:
==2203== Invalid write of size 2
==2203==    at 0x805B882: bt_put_be16 (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203==    by 0x8062BD0: sdp_service_search_attr_req (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203==    by 0x8052457: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203==    by 0x80525AE: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203==    by 0x805277F: cmd_browse (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203==    by 0x8053199: main (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203==  Address 0x4391359 is 7 bytes before a block of size 2,048 alloc'd
==2203==    at 0x402B6A8: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2203==    by 0x8062B4B: sdp_service_search_attr_req (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203==    by 0x8052457: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203==    by 0x80525AE: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203==    by 0x805277F: cmd_browse (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203==    by 0x8053199: main (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203==
==2203==
==2203== 5 errors in context 2 of 2:
==2203== Invalid write of size 1
==2203==    at 0x402D363: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2203==    by 0x80613E7: gen_dataseq_pdu (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203==    by 0x8061472: gen_attridseq_pdu (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203==    by 0x8062C00: sdp_service_search_attr_req (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203==    by 0x8052457: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203==    by 0x80525AE: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203==    by 0x805277F: cmd_browse (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203==    by 0x8053199: main (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203==  Address 0x439135b is 5 bytes before a block of size 2,048 alloc'd
==2203==    at 0x402B6A8: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2203==    by 0x8062B4B: sdp_service_search_attr_req (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203==    by 0x8052457: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203==    by 0x80525AE: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203==    by 0x805277F: cmd_browse (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203==    by 0x8053199: main (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203==
==2203== ERROR SUMMARY: 6 errors from 2 contexts (suppressed: 0 from 0)
---
  lib/sdp.c | 5 +++++
  1 file changed, 5 insertions(+)

diff --git a/lib/sdp.c b/lib/sdp.c
index 6c73818..cc685b4 100644
--- a/lib/sdp.c
+++ b/lib/sdp.c
@@ -4429,6 +4429,11 @@ int sdp_service_search_attr_req(sdp_session_t *session, const sdp_list_t *search
/* add service class IDs for search */
  	seqlen = gen_searchseq_pdu(pdata, search);
+	if (seqlen < 0) {
+		errno = EINVAL;
+		status = -1;
+		goto end;
+	}
SDPDBG("Data seq added : %d\n", seqlen);
The patch looks correct and I've applied it, but could you explain how
exactly you reproduced the issue? I didn't get any valgrind warnings
when trying your suggested "sdptool browse local".

Johan

Just run latest bluetoothd with -dnC
Then start quering local sdp server using latest sdptool.
The problem is when there's a registered service PnP and contains sdp attribute ID number 0x200, PnP version number. Probably any other service that holds such attribute ID will trigger that as well. The issue is likely related to latest commit from David Herrmann that maybe unveils some "misfunctionality" of sdp lib subsystem. The wrong calculated offsets are related to internal sdp subcalls that "gen_searchseq_pdu" call,
and that they returns sometimes -ENOMEM (12) as result.
That value can cause movement of "current pointer" of allocated "sdprequest buffer" to invalid position before following writings to it.

/Arek
--
To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Bluez Devel]     [Linux Wireless Networking]     [Linux Wireless Personal Area Networking]     [Linux ATH6KL]     [Linux USB Devel]     [Linux Media Drivers]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [Big List of Linux Books]

  Powered by Linux