Subject: [PATCH BlueZ 0/1] Fix crash in iov_append_ltv function

Fix function iov_append_ltv crashes because it is not reallocating memory
Use util_ltv_push from util.c

[bluetooth]# [NEW] Endpoint /org/bluez/hci0/pac_bcast0
[bluetooth]# Endpoint /local/endpoint/ep0 registered
endpoint.config /org/bluez/hci0/pac_bcast0 /local/endpoint/ep0 48_4_1
[/local/endpoint/ep0] BIG (auto/value): 0
[/local/endpoint/ep0] Enter channel location (value/no): 3
==80806==ERROR: AddressSanitizer: heap-buffer-overflow on
address 0x60200000a8ba at pc 0x561971611e0e bp 0x7ffd45ab1f00
sp 0x7ffd45ab1ef0 WRITE of size 1 at 0x60200000a8ba thread T0
0x561971611e0d in put_u8 src/shared/util.h:254
0x561971611e0d in util_iov_push_u8 src/shared/util.c:534
0x5619715c28f0 in iov_append_ltv client/player.c:3565
0x5619715c28f0 in config_endpoint_channel_location client/player.c:3593
0x5619716226ce in bt_shell_release_prompt src/shared/shell.c:744
0x561971623087 in rl_handler src/shared/shell.c:769

Silviu Florian Barbulescu (1):
Fix crash in iov_append_ltv function

client/player.c | 18 +-----------------
1 file changed, 1 insertion(+), 17 deletions(-)


base-commit: b8ad3490a3507476844d6c6a87b2cb336f7d4eb9
--
2.39.2



Subject: [PATCH BlueZ 1/1] Fix crash in iov_append_ltv function

Fix function iov_append_ltv crashes because it is not reallocating memory
Use util_ltv_push from util.c

[bluetooth]# [NEW] Endpoint /org/bluez/hci0/pac_bcast0
[bluetooth]# Endpoint /local/endpoint/ep0 registered
endpoint.config /org/bluez/hci0/pac_bcast0 /local/endpoint/ep0 48_4_1
[/local/endpoint/ep0] BIG (auto/value): 0
[/local/endpoint/ep0] Enter channel location (value/no): 3
=================================================================
==80806==ERROR: AddressSanitizer: heap-buffer-overflow on
address 0x60200000a8ba at pc 0x561971611e0e bp 0x7ffd45ab1f00
sp 0x7ffd45ab1ef0 WRITE of size 1 at 0x60200000a8ba thread T0
0x561971611e0d in put_u8 src/shared/util.h:254
0x561971611e0d in util_iov_push_u8 src/shared/util.c:534
0x5619715c28f0 in iov_append_ltv client/player.c:3565
0x5619715c28f0 in config_endpoint_channel_location client/player.c:3593
0x5619716226ce in bt_shell_release_prompt src/shared/shell.c:744
0x561971623087 in rl_handler src/shared/shell.c:769
---
client/player.c | 18 +-----------------
1 file changed, 1 insertion(+), 17 deletions(-)

diff --git a/client/player.c b/client/player.c
index ab33bfc46..d3ff15adb 100644
--- a/client/player.c
+++ b/client/player.c
@@ -3553,22 +3553,6 @@ done:
endpoint_set_config(cfg);
}

-static struct iovec *iov_append_ltv(struct iovec **iov, uint8_t l,
- uint8_t t, void *v)
-{
- if (!*iov)
- *iov = new0(struct iovec, 1);
-
- if (!((*iov)->iov_base))
- (*iov)->iov_base = new0(uint8_t, l + 1);
-
- util_iov_push_u8(*iov, l);
- util_iov_push_u8(*iov, t);
- util_iov_push_mem(*iov, l - 1, v);
-
- return *iov;
-}
-
static void config_endpoint_channel_location(const char *input, void *user_data)
{
struct endpoint_config *cfg = user_data;
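Review bot: Deleting iov_append_ltv also deletes the only code that allocated cfg->caps when it was still NULL (`if (!*iov) *iov = new0(struct iovec, 1);`), so the replacement `util_ltv_push(cfg->caps, ...)` call now depends on caps having been set up earlier; please confirm config_endpoint_channel_location can never run with cfg->caps == NULL, or make util_ltv_push tolerate it. The removed helper's actual defect is visible in `(*iov)->iov_base = new0(uint8_t, l + 1);`: the buffer is sized exactly once, on the first call, so appending into an iovec that already holds data pushes past that fixed allocation, which is the one-byte heap write ASan reports from util_iov_push_u8.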
@@ -3587,7 +3571,7 @@ static void config_endpoint_channel_location(const char *input, void *user_data)

/* Add Channel Allocation LTV in capabilities */
location = cpu_to_le32(location);
- iov_append_ltv(&cfg->caps, LC3_CONFIG_CHAN_ALLOC_LEN,
+ util_ltv_push(cfg->caps, LC3_CONFIG_CHAN_ALLOC_LEN - 1,
LC3_CONFIG_CHAN_ALLOC, &location);

add_meta:
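Review bot: The length argument changes meaning in this hunk: the old helper used LC3_CONFIG_CHAN_ALLOC_LEN as the L byte and copied `l - 1` value bytes, whereas the new call passes `LC3_CONFIG_CHAN_ALLOC_LEN - 1`, so util_ltv_push must be taking the value length and deriving L itself. A short comment next to the call (or a sentence in the commit message) saying that the macro counts the type byte would spare the next reader from re-deriving the `- 1`. The return value of util_ltv_push is also dropped here; if it can report an allocation failure, checking it would keep a failed push from silently leaving caps incomplete.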
--
2.39.2
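To make the failure mode concrete, here is an added C example (not BlueZ code and not the author's patch) of an LTV append that grows the iovec with realloc on every call instead of sizing it once; the LC3_CONFIG_CHAN_ALLOC values are assumed to match BlueZ's lc3.h, and the earlier LTV in caps_byte is constructed for the demonstration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/uio.h>

/* Assumed to match BlueZ's lc3.h: Audio_Channel_Allocation LTV, whose L byte
 * counts the type byte plus the 4-byte value. */
#define LC3_CONFIG_CHAN_ALLOC     0x03
#define LC3_CONFIG_CHAN_ALLOC_LEN 5

/* Append one LTV (L = 1 + vlen, T, then vlen value bytes) to iov. Unlike the
 * removed iov_append_ltv, which allocated iov_base once (l + 1 bytes) and then
 * wrote past it on any later push, this grows iov_base on every call.
 * Returns -1 if realloc fails, leaving iov untouched. */
static int ltv_push(struct iovec *iov, uint8_t t, const void *v, uint8_t vlen)
{
	size_t need = iov->iov_len + 2u + vlen;
	uint8_t *p = realloc(iov->iov_base, need);	/* NULL base acts as malloc */

	if (!p)
		return -1;
	p[iov->iov_len] = (uint8_t)(vlen + 1);
	p[iov->iov_len + 1] = t;
	memcpy(p + iov->iov_len + 2, v, vlen);
	iov->iov_base = p;
	iov->iov_len = need;
	return 0;
}

/* Mirror config_endpoint_channel_location: caps already holds one LTV when the
 * little-endian channel allocation is appended. Returns byte idx of the result,
 * or -1 when idx is past the end or a push failed. */
static int caps_byte(uint32_t location, size_t idx)
{
	struct iovec caps = { NULL, 0 };
	uint8_t freq = 0x08;	/* constructed earlier LTV, type 0x01 */
	uint8_t le[4] = { (uint8_t)location, (uint8_t)(location >> 8),
			  (uint8_t)(location >> 16), (uint8_t)(location >> 24) };
	int r = -1;

	if (!ltv_push(&caps, 0x01, &freq, 1) &&
	    !ltv_push(&caps, LC3_CONFIG_CHAN_ALLOC, le,
		      LC3_CONFIG_CHAN_ALLOC_LEN - 1) &&
	    idx < caps.iov_len)
		r = ((uint8_t *)caps.iov_base)[idx];
	free(caps.iov_base);
	return r;
}
```

With location 3 the second push lands at offset 3, past the 3 bytes the first LTV occupied, which is exactly where a once-sized buffer would have been overrun.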


2024-03-20 22:38:14

by bluez.test.bot

Subject: RE: Fix crash in iov_append_ltv function

This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=836840

---Test result---

Test Summary:
CheckPatch PASS 0.56 seconds
GitLint PASS 0.40 seconds
BuildEll PASS 24.46 seconds
BluezMake PASS 1649.90 seconds
MakeCheck PASS 13.13 seconds
MakeDistcheck PASS 176.79 seconds
CheckValgrind PASS 246.92 seconds
CheckSmatch PASS 349.41 seconds
bluezmakeextell PASS 119.45 seconds
IncrementalBuild PASS 1431.16 seconds
ScanBuild PASS 1008.29 seconds



---
Regards,
Linux Bluetooth

2024-03-22 10:10:44

by patchwork-bot+bluetooth

Subject: Re: [PATCH BlueZ 0/1] Fix crash in iov_append_ltv function

Hello:

This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <[email protected]>:

On Wed, 20 Mar 2024 23:03:49 +0200 you wrote:
> Fix function iov_append_ltv crashes because it is not reallocating memory
> Use util_ltv_push from util.c
>
> [bluetooth]# [NEW] Endpoint /org/bluez/hci0/pac_bcast0
> [bluetooth]# Endpoint /local/endpoint/ep0 registered
> endpoint.config /org/bluez/hci0/pac_bcast0 /local/endpoint/ep0 48_4_1
> [/local/endpoint/ep0] BIG (auto/value): 0
> [/local/endpoint/ep0] Enter channel location (value/no): 3
> ==80806==ERROR: AddressSanitizer: heap-buffer-overflow on
> address 0x60200000a8ba at pc 0x561971611e0e bp 0x7ffd45ab1f00
> sp 0x7ffd45ab1ef0 WRITE of size 1 at 0x60200000a8ba thread T0
> 0x561971611e0d in put_u8 src/shared/util.h:254
> 0x561971611e0d in util_iov_push_u8 src/shared/util.c:534
> 0x5619715c28f0 in iov_append_ltv client/player.c:3565
> 0x5619715c28f0 in config_endpoint_channel_location client/player.c:3593
> 0x5619716226ce in bt_shell_release_prompt src/shared/shell.c:744
> 0x561971623087 in rl_handler src/shared/shell.c:769
>
> [...]

Here is the summary with links:
- [BlueZ,1/1] Fix crash in iov_append_ltv function
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=bbf198280e70

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html