From: Luiz Augusto von Dentz <[email protected]>
Primary/Secundary Counters are supposed to be 16 bytes values, if the
server has implemented them incorrectly it may lead to the following
crash:
=================================================================
==31860==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x607000001878 at pc 0x7f95a1575638 bp 0x7fff58c6bb80 sp 0x7fff58c6b328
READ of size 48 at 0x607000001878 thread T0
#0 0x7f95a1575637 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:860
#1 0x7f95a1575ba6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:892
#2 0x7f95a1575ba6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:887
#3 0x564df69c77a0 in read_version obexd/client/pbap.c:288
#4 0x564df69c77a0 in read_return_apparam obexd/client/pbap.c:352
#5 0x564df69c77a0 in phonebook_size_callback obexd/client/pbap.c:374
#6 0x564df69bea3c in session_terminate_transfer obexd/client/session.c:921
#7 0x564df69d56b0 in get_xfer_progress_first obexd/client/transfer.c:729
#8 0x564df698b9ee in handle_response gobex/gobex.c:1140
#9 0x564df698cdea in incoming_data gobex/gobex.c:1385
#10 0x7f95a12fdc43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43)
#11 0x7f95a13526c7 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xaa6c7)
#12 0x7f95a12fd2b2 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2)
#13 0x564df6977d41 in main obexd/src/main.c:307
#14 0x7f95a10a7d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#15 0x7f95a10a7e3f in __libc_start_main_impl ../csu/libc-start.c:392
#16 0x564df6978704 in _start (/usr/local/libexec/bluetooth/obexd+0x8b704)
0x607000001878 is located 0 bytes to the right of 72-byte region [0x607000001830,0x607000001878)
allocated by thread T0 here:
#0 0x7f95a1595a37 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
#1 0x564df69c8b6a in pbap_probe obexd/client/pbap.c:1259
---
obexd/client/pbap.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/obexd/client/pbap.c b/obexd/client/pbap.c
index 1ed8c68eccd0..2d2aa950898c 100644
--- a/obexd/client/pbap.c
+++ b/obexd/client/pbap.c
@@ -285,7 +285,7 @@ static void read_version(struct pbap_data *pbap, GObexApparam *apparam)
data = value;
}
- if (memcmp(pbap->primary, data, len)) {
+ if (len == sizeof(pbap->primary) && memcmp(pbap->primary, data, len)) {
memcpy(pbap->primary, data, len);
g_dbus_emit_property_changed(conn,
obc_session_get_path(pbap->session),
@@ -299,7 +299,8 @@ static void read_version(struct pbap_data *pbap, GObexApparam *apparam)
data = value;
}
- if (memcmp(pbap->secondary, data, len)) {
+ if (len == sizeof(pbap->secondary) &&
+ memcmp(pbap->secondary, data, len)) {
memcpy(pbap->secondary, data, len);
g_dbus_emit_property_changed(conn,
obc_session_get_path(pbap->session),
--
2.41.0
Hello:
This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <[email protected]>:
On Tue, 19 Sep 2023 12:14:01 -0700 you wrote:
> From: Luiz Augusto von Dentz <[email protected]>
>
> Primary/Secundary Counters are supposed to be 16 bytes values, if the
> server has implemented them incorrectly it may lead to the following
> crash:
>
> =================================================================
> ==31860==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x607000001878 at pc 0x7f95a1575638 bp 0x7fff58c6bb80 sp 0x7fff58c6b328
>
> [...]
Here is the summary with links:
- [BlueZ] pbap: Fix not checking Primary/Secundary Counter length
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=5ab5352531a9
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html