Received-SPF: pass (google.com: domain of linux-bluetooth+bounces-2610-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99;
From: Vlad Pruteanu <vlad.pruteanu@nxp.com>
To: linux-bluetooth@vger.kernel.org
Cc: mihai-octavian.urzica@nxp.com,
	silviu.barbulescu@nxp.com,
	iulia.tanasescu@nxp.com,
	andrei.istodorescu@nxp.com,
	luiz.dentz@gmail.com,
	Vlad Pruteanu <vlad.pruteanu@nxp.com>
Subject: [PATCH BlueZ 1/3] shared/util: Add util_iov_append function
Date: Tue, 19 Mar 2024 17:19:15 +0200
Message-Id: <20240319151917.834974-2-vlad.pruteanu@nxp.com>
In-Reply-To: <20240319151917.834974-1-vlad.pruteanu@nxp.com>
References: <20240319151917.834974-1-vlad.pruteanu@nxp.com>
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
Precedence: bulk
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0:
	=?us-ascii?Q?2bSSmbQKH32/d8vA3TBv7olIkINq6p7zypiLlaLnFJ+szFeYXIHq1/rVWaZD?=
 =?us-ascii?Q?b9WQzeRJdroS+d+LNuBoliPsLdS/NfIYtl8Wo7ofvHgCfI8+vZ59J5r//4m2?=
 =?us-ascii?Q?2VlfDroy7Y49A3d2FoEHDO0SWBJyJH1egU8t72T27xmx1nTDr9UOMZ/4t2Ut?=
 =?us-ascii?Q?Y7ctai6Fh+stoySZgLF+blIXZDmdMcX0Fr69zkA9dbKKfLWg8maoP9V8kU6s?=
 =?us-ascii?Q?Kw07yd+26fRM73RneNhhaNog9ATYlSO28vxiXPNdR8sIEShhrFJFplviK6yj?=
 =?us-ascii?Q?iGHMlneKMQKQGL5TKFd86672ZmwPg/Dx40+U8XDyLm3kuTZuFAtngt1XntyR?=
 =?us-ascii?Q?j79lMW+hzzkaAiDkRJ2giHX/W3bnG6Jbkm0DcfPoj3dc+rSmgkg6Sz2y9WHd?=
 =?us-ascii?Q?m+4swjA8M7WsrTmlYbh5BHQX3+PRg4eY1gEGrM8WzH1OKI3Y0yYMM8KcyyDc?=
 =?us-ascii?Q?WUs0ZfnqKF9dWiw8J0yksuC2xe5Pb53S/N8ot0BARYAF9wqO1YwKFpzBmcIl?=
 =?us-ascii?Q?qdXOI5M++WLzRnAv13B/MsS7/XdHpDsKD7iHKZqWkhH0ZZnN8B4KR7nIiU90?=
 =?us-ascii?Q?O+/NKpfAuDMy4pRu+Ks1PmZrnf67m5p8Um5AuKpdcXG4VgdlleE7oyrHdhnG?=
 =?us-ascii?Q?ymoLx4hGcoTvXu3Nbt9xrnU6F6A91Mn06S7phM9JF06j82VvjrL8RF2xtAgO?=
 =?us-ascii?Q?C5Bd3RNNxC++Vm3HuvOahE9e1zEXZ4WNIgZLkWJAvuN1V7j1aBERyJypwg0G?=
 =?us-ascii?Q?jRNJGdGRJNFuycFVKJAgX46JH2a18SHWii8HkOr0j+ryb8BYmTO14OItmg4l?=
 =?us-ascii?Q?XGvBudzy4sR5hg6TJKYTqwtW0Hd3vFz70KqLKvo7mq/IRs+yor6MLz6D7zZj?=
 =?us-ascii?Q?GQcfR/HW3YXMP0gf/stCNp0+4g7rDbqzYDZVMdLLRxEkY3bpcmf6ZmUpZ5MI?=
 =?us-ascii?Q?lCK3/4rIelxi+9C2iE0BB9LgunB6/4oS1VfAu8i8J/E8bElvLl/Frtsh49UB?=
 =?us-ascii?Q?eBHVKxI3P4r+uIWD9h88MB+SSQf+KLYsgheUWnAIpwP6Z2XDmcjXqfzWemRd?=
 =?us-ascii?Q?0lS2bS1DJWsppBZo0cgcIFJGK15cByTntQNEkXx3GX80sMfY4r/tyKzs/nXM?=
 =?us-ascii?Q?7+PYa9JW//LEAbdnqtNrSXbBZCc72aX8EL7JvzQM31mFqv8F0DzgecjF4YAA?=
 =?us-ascii?Q?z0pj7t02DFdbzHnpN48uJHbXacaYh82k/gLPeq9NcNW6+IhAd2qJPEIOdtT5?=
 =?us-ascii?Q?EMma+toskuW3cKg9gvUXZhFt/KX7SWZbc4Jzn/oCN4oIUJjUvheCUBMyuI2S?=
 =?us-ascii?Q?RT74aHw4lqBfWQa1UdA0N1DnfKivC+vL2wsPibOS+PFOzFeeuUjyfwDqBs+v?=
 =?us-ascii?Q?jQygrwX8UAPICyFOezjBs1mHuFHKj5qLct1tOFvbOqZ301nWxSn4k8C2GgxG?=
 =?us-ascii?Q?ogdOs3F7QRkqb5Ih5tyPTXttjTFiuWZoGyjAgzh1z1V2j3VzS7XB10mG53B1?=
 =?us-ascii?Q?8P3EwsarwFCzG1UOdf7FDlGfMuiIlpS833PzHk6Mf7CCU6VJN40/60SbP2JJ?=
 =?us-ascii?Q?QkC1+pKwTlT+VxJofovUcfZRhuGugKAXpAv/tQRE?=
X-OriginatorOrg: nxp.com
X-MS-Exchange-CrossTenant-Network-Message-Id: d6758697-3305-4520-9f82-08dc4828029a
X-MS-Exchange-CrossTenant-AuthSource: AM6PR04MB5384.eurprd04.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Mar 2024 15:19:46.1076
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 686ea1d3-bc2b-4c6f-a92c-d99c5c301635
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: WqwiFyzipNXoKmn5HXOUA1n1pzKjzhoGy5DUDnSff2WMFlugqSz3JjPLkMtan82a2qwjXC991xiJfYUY9dUeCQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS5PR04MB9924

Currently iov_append is defined in 2 places, client/player.c and
src/shared/bap.c. The player.c implementation is faulty as it
does not allocate additional memory for the data that it appends
to the original iovec. This can cause buffer overflows such as
the one attached at the end of this message, which was discovered
while running an Unicast setup. Therefore, the implementation from
src/shared/bap.c was used to create util_iov_append as it allocates
new memory appropriately.

==131878==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000059dda at pc 0x7feee2e70ea3 bp 0x7ffd415773f0 sp 0x7ffd41576b98
WRITE of size 6 at 0x602000059dda thread T0
0 0x7feee2e70ea2 in __interceptor_memcpy ../../../../src/libsanitizer
/sanitizer_common/sanitizer_common_interceptors.inc:899
1 0x5579661314aa in memcpy /usr/include/x86_64-linux-gnu/bits/
string_fortified.h:29
2 0x5579661314aa in iov_append client/player.c:2120
3 0x557966132169 in endpoint_select_properties_reply client/player.c:2191
4 0x557966132a6f in endpoint_select_properties client/player.c:2268
5 0x55796616e0b4 in process_message gdbus/object.c:246
---
 src/shared/util.c | 6 ++++++
 src/shared/util.h | 1 +
 2 files changed, 7 insertions(+)

diff --git a/src/shared/util.c b/src/shared/util.c
index 74d43671c..0e71fda02 100644
--- a/src/shared/util.c
+++ b/src/shared/util.c
@@ -536,6 +536,12 @@ void *util_iov_push_u8(struct iovec *iov, uint8_t val)
 	return p;
 }
 
+void *util_iov_append(struct iovec *iov, const void *data, size_t len)
+{
+	iov->iov_base = realloc(iov->iov_base, iov->iov_len + len);
+	return util_iov_push_mem(iov, len, data);
+}
+
 void *util_iov_pull(struct iovec *iov, size_t len)
 {
 	if (!iov)
diff --git a/src/shared/util.h b/src/shared/util.h
index accacc79e..a8ba23499 100644
--- a/src/shared/util.h
+++ b/src/shared/util.h
@@ -175,6 +175,7 @@ void *util_iov_push_be24(struct iovec *iov, uint32_t val);
 void *util_iov_push_le16(struct iovec *iov, uint16_t val);
 void *util_iov_push_be16(struct iovec *iov, uint16_t val);
 void *util_iov_push_u8(struct iovec *iov, uint8_t val);
+void *util_iov_append(struct iovec *iov, const void *data, size_t len);
 void *util_iov_pull(struct iovec *iov, size_t len);
 void *util_iov_pull_mem(struct iovec *iov, size_t len);
 void *util_iov_pull_le64(struct iovec *iov, uint64_t *val);
-- 
2.39.2