LinuxLists.cc - [bluez/bluez] c04b96: a2dp: fix setup->err use-after-free

2024-03-20 09:32:11

Subject: [bluez/bluez] c04b96: a2dp: fix setup->err use-after-free

Branch: refs/heads/master
Home: https://github.com/bluez/bluez
Commit: c04b96dda5ce1bbb07a72b7ffa5ad1786ccffe47
https://github.com/bluez/bluez/commit/c04b96dda5ce1bbb07a72b7ffa5ad1786ccffe47
Author: Pauli Virtanen <[email protected]>
Date: 2024-03-20 (Wed, 20 Mar 2024)

Changed paths:
M profiles/audio/a2dp.c

Log Message:
-----------
a2dp: fix setup->err use-after-free

setup->err is set to values that either are on stack of avdtp.c
routines, obtained from callbacks, or allocated on heap. This is
inconsistent, and use-after-free in some cases.

Fix by always allocating setup->err ourselves, copying any values
obtained from callbacks. Add setup_error_set/init and do all setup->err
manipulation via them.

Fixes crash:

==994225==ERROR: AddressSanitizer: stack-use-after-return
READ of size 1 at 0x7f15ee5189c0 thread T0
#0 0x445724 in avdtp_error_category profiles/audio/avdtp.c:657
#1 0x41e59e in error_to_errno profiles/audio/a2dp.c:303
#2 0x42bb23 in a2dp_reconfigure profiles/audio/a2dp.c:1336
#3 0x7f15f1512798 in g_timeout_dispatch
...
Address 0x7f15ee5189c0 is located in stack of thread T0 at offset 64 in frame
#0 0x466b76 in avdtp_parse_rej profiles/audio/avdtp.c:3056
This frame has 2 object(s):
[48, 49) 'acp_seid' (line 3058)
[64, 72) 'err' (line 3057) <== Memory access at offset 64 is inside this variable

Commit: 9fc5f9e05d840444868140a4794f42b605fa4046
https://github.com/bluez/bluez/commit/9fc5f9e05d840444868140a4794f42b605fa4046
Author: Vlad Pruteanu <[email protected]>
Date: 2024-03-20 (Wed, 20 Mar 2024)

Changed paths:
M src/shared/util.c
M src/shared/util.h

Log Message:
-----------
shared/util: Add util_iov_append function

Currently iov_append is defined in 2 places, client/player.c and
src/shared/bap.c. The player.c implementation is faulty as it
does not allocate additional memory for the data that it appends
to the original iovec. This can cause buffer overflows such as
the one attached at the end of this message, which was discovered
while running an Unicast setup. Therefore, the implementation from
src/shared/bap.c was used to create util_iov_append as it allocates
new memory appropriately.

==131878==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000059dda at pc 0x7feee2e70ea3 bp 0x7ffd415773f0 sp 0x7ffd41576b98
WRITE of size 6 at 0x602000059dda thread T0
0 0x7feee2e70ea2 in __interceptor_memcpy ../../../../src/libsanitizer
/sanitizer_common/sanitizer_common_interceptors.inc:899
1 0x5579661314aa in memcpy /usr/include/x86_64-linux-gnu/bits/
string_fortified.h:29
2 0x5579661314aa in iov_append client/player.c:2120
3 0x557966132169 in endpoint_select_properties_reply client/player.c:2191
4 0x557966132a6f in endpoint_select_properties client/player.c:2268
5 0x55796616e0b4 in process_message gdbus/object.c:246

Commit: 060e3dd69ed357bfacbc26ac0d778cfacab1fb94
https://github.com/bluez/bluez/commit/060e3dd69ed357bfacbc26ac0d778cfacab1fb94
Author: Vlad Pruteanu <[email protected]>
Date: 2024-03-20 (Wed, 20 Mar 2024)

Changed paths:
M src/shared/bap.c

Log Message:
-----------
shared/bap: Use util_iov_append instead of iov_append

Use the newly created util_iov_append function from
src/shared/bap.c.

Commit: e96a7fdd697bcba9046fd1afab75fd411c5cbf0d
https://github.com/bluez/bluez/commit/e96a7fdd697bcba9046fd1afab75fd411c5cbf0d
Author: Vlad Pruteanu <[email protected]>
Date: 2024-03-20 (Wed, 20 Mar 2024)

Changed paths:
M client/player.c

Log Message:
-----------
client/player: Use util_iov_append instead of iov_append

util_iov_append has been recently created. This implementation
allocates new memory for the appended data, while the old
version of iov_append from client/player.c did not. This could
lead to crashes in some scenarios, such as Unicast.

Commit: 6c039398fee20165bce0e453a28d49800ff7522c
https://github.com/bluez/bluez/commit/6c039398fee20165bce0e453a28d49800ff7522c
Author: Sergey Bobrenok <[email protected]>
Date: 2024-03-20 (Wed, 20 Mar 2024)

Changed paths:
M src/btd.h
M src/device.c
M src/main.c
M src/main.conf

Log Message:
-----------
main.conf: Introduce GATT.Client option

General.ReverseServiceDiscovery option is responsible for two
different things:
1. It disables SDP reverse discovering. As a side effect, some BR/EDR
profiles cannot operate properly. E.g. AVRCP-target profile needs SDP
results to determine the peer's AVRCP version.
2. It disables GATT-client creation back to the GATT connection
initiator. It may be useful for peripheral devices, especially if the
peer doesn't expect them to connect back (and currently some IOS
versions don't). This behavior was introduced in
8de73cd12 ("main.conf: Make ReverseServiceDiscovery work with LE")

For peripheral devices implementing only A2DP-sink, AVRCP-target, and
GATT profiles (e.g. BT loudspeakers), it may be useful to disable
GATT-client functionality, but still have SDP reverse discovering.

Unfortunately, splitting the General.ReverseServiceDiscovery option
into two different options will break backward compatibility on the
configuration file level. So a new configuration option has been
introduced in addition to the old one.

Compare: https://github.com/bluez/bluez/compare/8060d1208673...6c039398fee2

To unsubscribe from these emails, change your notification settings at https://github.com/bluez/bluez/settings/notifications