* [PATCH BlueZ 0/3] shared/util: Add util_iov_append function
@ 2024-03-19 15:19 Vlad Pruteanu
  2024-03-19 15:19 ` [PATCH BlueZ 1/3] " Vlad Pruteanu
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Vlad Pruteanu @ 2024-03-19 15:19 UTC
  To: linux-bluetooth
  Cc: mihai-octavian.urzica, silviu.barbulescu, iulia.tanasescu,
	andrei.istodorescu, luiz.dentz, Vlad Pruteanu

Currently iov_append is defined in 2 places, client/player.c and
src/shared/bap.c. The player.c implementation is faulty as it
does not allocate additional memory for the data that it appends
to the original iovec. This can cause buffer overflows such as
the one attached at the end of this message, which was discovered
while running a Unicast setup. Therefore, the implementation from
src/shared/bap.c was used to create util_iov_append as it allocates
new memory appropriately. The existing calls to iov_append from
src/shared/bap.c and client/player.c were replaced with the new
util_iov_append.

==131878==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000059dda at pc 0x7feee2e70ea3 bp 0x7ffd415773f0 sp 0x7ffd41576b98
WRITE of size 6 at 0x602000059dda thread T0
    #0 0x7feee2e70ea2 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:899
    #1 0x5579661314aa in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
    #2 0x5579661314aa in iov_append client/player.c:2120
    #3 0x557966132169 in endpoint_select_properties_reply client/player.c:2191
    #4 0x557966132a6f in endpoint_select_properties client/player.c:2268
    #5 0x55796616e0b4 in process_message gdbus/object.c:246

Vlad Pruteanu (3):
  shared/util: Add util_iov_append function
  shared/bap: Use util_iov_append instead of iov_append
  client/player: Use util_iov_append instead of iov_append

 client/player.c   | 35 ++++++++++-------------------------
 src/shared/bap.c  | 16 +++++-----------
 src/shared/util.c |  6 ++++++
 src/shared/util.h |  1 +
 4 files changed, 22 insertions(+), 36 deletions(-)

-- 
2.39.2


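The growth strategy the series adopts, as an added example that is not code from the series or from BlueZ: a realloc-based append with the two checks a reviewer would ask for (no size_t wrap on iov_len + len, and a failed realloc() that leaves the iovec intact), plus an LTV helper modelled on the length/type/value sequence that bap.c's extract_ltv appends. The names iov_append_grow and iov_append_ltv are assumptions, not BlueZ identifiers.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/uio.h>

/* Growable append in the style of the series' realloc-based util_iov_append,
 * plus the two checks the posted hunk omits: iov_len + len must not wrap, and
 * a failed realloc must not clobber iov_base (which would leak the old buffer
 * and hand a NULL pointer to memcpy). Returns the appended bytes or NULL. */
void *iov_append_grow(struct iovec *iov, const void *data, size_t len)
{
	uint8_t *p;

	if (!iov || (!data && len))
		return NULL;
	if (!len)
		return (uint8_t *)iov->iov_base + iov->iov_len; /* nothing to copy */
	if (len > SIZE_MAX - iov->iov_len)
		return NULL;
	p = realloc(iov->iov_base, iov->iov_len + len); /* NULL base == malloc */
	if (!p)
		return NULL; /* iov is untouched; the caller still owns iov_base */
	iov->iov_base = p;
	p += iov->iov_len;
	memcpy(p, data, len);
	iov->iov_len += len;
	return p;
}

/* Append one LTV (length, type, value) record as extract_ltv in bap.c does:
 * length byte = value length + 1 for the type byte. Rejects values whose
 * length byte would not fit a uint8_t and rolls back on a failed append. */
void *iov_append_ltv(struct iovec *iov, uint8_t type, const void *value, size_t len)
{
	uint8_t hdr[2];
	size_t old_len;

	if (!iov || len > UINT8_MAX - 1)
		return NULL;
	old_len = iov->iov_len;
	hdr[0] = (uint8_t)(len + 1);
	hdr[1] = type;
	if (!iov_append_grow(iov, hdr, sizeof(hdr)))
		return NULL;
	if (!iov_append_grow(iov, value, len)) {
		iov->iov_len = old_len; /* roll back; the buffer stays valid */
		return NULL;
	}
	return (uint8_t *)iov->iov_base + old_len; /* start of the new record */
}
```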

* [PATCH BlueZ 1/3] shared/util: Add util_iov_append function
  2024-03-19 15:19 [PATCH BlueZ 0/3] shared/util: Add util_iov_append function Vlad Pruteanu
@ 2024-03-19 15:19 ` Vlad Pruteanu
  2024-03-19 15:19 ` [PATCH BlueZ 2/3] shared/bap: Use util_iov_append instead of iov_append Vlad Pruteanu
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: Vlad Pruteanu @ 2024-03-19 15:19 UTC
  To: linux-bluetooth
  Cc: mihai-octavian.urzica, silviu.barbulescu, iulia.tanasescu,
	andrei.istodorescu, luiz.dentz, Vlad Pruteanu

Currently iov_append is defined in 2 places, client/player.c and
src/shared/bap.c. The player.c implementation is faulty as it
does not allocate additional memory for the data that it appends
to the original iovec. This can cause buffer overflows such as
the one attached at the end of this message, which was discovered
while running a Unicast setup. Therefore, the implementation from
src/shared/bap.c was used to create util_iov_append as it allocates
new memory appropriately.

==131878==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000059dda at pc 0x7feee2e70ea3 bp 0x7ffd415773f0 sp 0x7ffd41576b98
WRITE of size 6 at 0x602000059dda thread T0
    #0 0x7feee2e70ea2 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:899
    #1 0x5579661314aa in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
    #2 0x5579661314aa in iov_append client/player.c:2120
    #3 0x557966132169 in endpoint_select_properties_reply client/player.c:2191
    #4 0x557966132a6f in endpoint_select_properties client/player.c:2268
    #5 0x55796616e0b4 in process_message gdbus/object.c:246
---
 src/shared/util.c | 6 ++++++
 src/shared/util.h | 1 +
 2 files changed, 7 insertions(+)

diff --git a/src/shared/util.c b/src/shared/util.c
index 74d43671c..0e71fda02 100644
--- a/src/shared/util.c
+++ b/src/shared/util.c
@@ -536,6 +536,12 @@ void *util_iov_push_u8(struct iovec *iov, uint8_t val)
 	return p;
 }
 
+void *util_iov_append(struct iovec *iov, const void *data, size_t len)
+{
+	iov->iov_base = realloc(iov->iov_base, iov->iov_len + len);
+	return util_iov_push_mem(iov, len, data);
+}
+
 void *util_iov_pull(struct iovec *iov, size_t len)
 {
 	if (!iov)
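Review bot: the realloc() result at `iov->iov_base = realloc(iov->iov_base, iov->iov_len + len);` is assigned back unchecked, so on allocation failure the original buffer is leaked and util_iov_push_mem is then asked to copy into a NULL iov_base; use a temporary, e.g. `void *p = realloc(iov->iov_base, iov->iov_len + len); if (!p) return NULL; iov->iov_base = p;`, and consider a NULL check on iov to match the `if (!iov)` guard util_iov_pull has directly below. The sum iov->iov_len + len is also not checked for wrap-around.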
diff --git a/src/shared/util.h b/src/shared/util.h
index accacc79e..a8ba23499 100644
--- a/src/shared/util.h
+++ b/src/shared/util.h
@@ -175,6 +175,7 @@ void *util_iov_push_be24(struct iovec *iov, uint32_t val);
 void *util_iov_push_le16(struct iovec *iov, uint16_t val);
 void *util_iov_push_be16(struct iovec *iov, uint16_t val);
 void *util_iov_push_u8(struct iovec *iov, uint8_t val);
+void *util_iov_append(struct iovec *iov, const void *data, size_t len);
 void *util_iov_pull(struct iovec *iov, size_t len);
 void *util_iov_pull_mem(struct iovec *iov, size_t len);
 void *util_iov_pull_le64(struct iovec *iov, uint64_t *val);
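Review bot: the new prototype takes (iov, data, len) while util_iov_push_mem, which it wraps (see `util_iov_push_mem(iov, len, data)` in the util.c hunk), takes (iov, len, data); two opposite orders for near-identical helpers in the same header invite call-site mix-ups, so either match util_iov_push_mem's order or add a comment stating that util_iov_append deliberately follows the (data, len) convention of the player.c callers.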
-- 
2.39.2



* [PATCH BlueZ 2/3] shared/bap: Use util_iov_append instead of iov_append
  2024-03-19 15:19 [PATCH BlueZ 0/3] shared/util: Add util_iov_append function Vlad Pruteanu
  2024-03-19 15:19 ` [PATCH BlueZ 1/3] " Vlad Pruteanu
@ 2024-03-19 15:19 ` Vlad Pruteanu
  2024-03-19 15:19 ` [PATCH BlueZ 3/3] client/player: " Vlad Pruteanu
  2024-03-20  9:30 ` [PATCH BlueZ 0/3] shared/util: Add util_iov_append function patchwork-bot+bluetooth
  3 siblings, 0 replies; 5+ messages in thread
From: Vlad Pruteanu @ 2024-03-19 15:19 UTC
  To: linux-bluetooth
  Cc: mihai-octavian.urzica, silviu.barbulescu, iulia.tanasescu,
	andrei.istodorescu, luiz.dentz, Vlad Pruteanu

Use the newly created util_iov_append function from
src/shared/bap.c.
---
 src/shared/bap.c | 16 +++++-----------
 1 file changed, 5 insertions(+), 11 deletions(-)

diff --git a/src/shared/bap.c b/src/shared/bap.c
index fd99cbbca..a1749153b 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -326,12 +326,6 @@ static bool bap_db_match(const void *data, const void *match_data)
 	return (bdb->db == db);
 }
 
-static void *iov_append(struct iovec *iov, size_t len, const void *d)
-{
-	iov->iov_base = realloc(iov->iov_base, iov->iov_len + len);
-	return util_iov_push_mem(iov, len, d);
-}
-
 unsigned int bt_bap_pac_register(struct bt_bap *bap, bt_bap_pac_func_t added,
 				bt_bap_pac_func_t removed, void *user_data,
 				bt_bap_destroy_func_t destroy)
@@ -3049,9 +3043,9 @@ static void *ltv_merge(struct iovec *data, struct iovec *cont)
 	if (!cont || !cont->iov_len || !cont->iov_base)
 		return data->iov_base;
 
-	iov_append(data, sizeof(delimiter), &delimiter);
+	util_iov_append(data, &delimiter, sizeof(delimiter));
 
-	return iov_append(data, cont->iov_len, cont->iov_base);
+	return util_iov_append(data, cont->iov_base, cont->iov_len);
 }
 
 static void bap_pac_foreach_channel(size_t i, uint8_t l, uint8_t t, uint8_t *v,
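Review bot: the return value of the delimiter append, `util_iov_append(data, &delimiter, sizeof(delimiter));`, is dropped, so a failed growth of `data` goes unnoticed and ltv_merge still returns data->iov_base as if the merge succeeded; checking that call (and the final one) before returning would keep the result honest, which matters more now that the helper's realloc() failure path is the one in src/shared/util.c.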
@@ -6081,9 +6075,9 @@ static void extract_ltv(size_t i, uint8_t l, uint8_t t, uint8_t *v,
 
 	if (!ltv_match.found) {
 		ltv_len = l + 1;
-		iov_append(ext_data->result, 1, &ltv_len);
-		iov_append(ext_data->result, 1, &t);
-		iov_append(ext_data->result, l, v);
+		util_iov_append(ext_data->result, &ltv_len, 1);
+		util_iov_append(ext_data->result, &t, 1);
+		util_iov_append(ext_data->result, v, l);
 	}
 }
 
-- 
2.39.2



* [PATCH BlueZ 3/3] client/player: Use util_iov_append instead of iov_append
  2024-03-19 15:19 [PATCH BlueZ 0/3] shared/util: Add util_iov_append function Vlad Pruteanu
  2024-03-19 15:19 ` [PATCH BlueZ 1/3] " Vlad Pruteanu
  2024-03-19 15:19 ` [PATCH BlueZ 2/3] shared/bap: Use util_iov_append instead of iov_append Vlad Pruteanu
@ 2024-03-19 15:19 ` Vlad Pruteanu
  2024-03-20  9:30 ` [PATCH BlueZ 0/3] shared/util: Add util_iov_append function patchwork-bot+bluetooth
  3 siblings, 0 replies; 5+ messages in thread
From: Vlad Pruteanu @ 2024-03-19 15:19 UTC
  To: linux-bluetooth
  Cc: mihai-octavian.urzica, silviu.barbulescu, iulia.tanasescu,
	andrei.istodorescu, luiz.dentz, Vlad Pruteanu

util_iov_append has been recently created. This implementation
allocates new memory for the appended data, while the old
version of iov_append from client/player.c did not. This could
lead to crashes in some scenarios, such as Unicast.
---
 client/player.c | 35 ++++++++++-------------------------
 1 file changed, 10 insertions(+), 25 deletions(-)

diff --git a/client/player.c b/client/player.c
index 8081ddc13..ab33bfc46 100644
--- a/client/player.c
+++ b/client/player.c
@@ -1951,23 +1951,6 @@ static void append_properties(DBusMessageIter *iter,
 	dbus_message_iter_close_container(iter, &dict);
 }
 
-static struct iovec *iov_append(struct iovec **iov, const void *data,
-							size_t len)
-{
-	if (!*iov)
-		*iov = new0(struct iovec, 1);
-
-	if (!((*iov)->iov_base))
-		(*iov)->iov_base = new0(uint8_t, UINT8_MAX);
-
-	if (data && len) {
-		memcpy((*iov)->iov_base + (*iov)->iov_len, data, len);
-		(*iov)->iov_len += len;
-	}
-
-	return *iov;
-}
-
 static int parse_chan_alloc(DBusMessageIter *iter, uint32_t *location,
 						uint8_t *channels)
 {
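Review bot: the removed iov_append is the overflow source from the cover letter: it allocates a fixed `(*iov)->iov_base = new0(uint8_t, UINT8_MAX);` buffer and then does `memcpy((*iov)->iov_base + (*iov)->iov_len, data, len);` with no capacity check, so any run of appends exceeding 255 bytes writes past the heap block, which is the player.c:2120 frame in the ASan trace. Removing it is right; note, though, that it also allocated `*iov` on demand when NULL, which util_iov_append does not, so every former `&cfg->caps` and `&iov` caller now needs its struct iovec allocated before the first append.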
@@ -2033,7 +2016,8 @@ static DBusMessage *endpoint_select_properties_reply(struct endpoint *ep,
 			location >> 8, location >> 16, location >> 24
 		};
 
-		iov_append(&cfg->caps, &chan_alloc_ltv, sizeof(chan_alloc_ltv));
+		util_iov_append(cfg->caps, &chan_alloc_ltv,
+						sizeof(chan_alloc_ltv));
 	}
 
 	/* Copy metadata */
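Review bot: `util_iov_append(cfg->caps, &chan_alloc_ltv, sizeof(chan_alloc_ltv));` dereferences cfg->caps, which the removed helper would have allocated lazily; the only allocation added by this series, `cfg->caps = g_new0(struct iovec, 1);`, is in cmd_config_endpoint, so please confirm cfg->caps is always non-NULL by the time endpoint_select_properties_reply runs (the same question applies to the endpoint_config call site).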
@@ -3540,7 +3524,7 @@ static void endpoint_config(const char *input, void *user_data)
 
 	data = str2bytearray((char *) input, &len);
 
-	iov_append(&cfg->caps, data, len);
+	util_iov_append(cfg->caps, data, len);
 	free(data);
 
 	endpoint_set_config(cfg);
@@ -3662,7 +3646,7 @@ static void config_endpoint_iso_group(const char *input, void *user_data)
 static void endpoint_set_config_bcast(struct endpoint_config *cfg)
 {
 	cfg->ep->bcode = g_new0(struct iovec, 1);
-	iov_append(&cfg->ep->bcode, bcast_code,
+	util_iov_append(cfg->ep->bcode, bcast_code,
 			sizeof(bcast_code));
 
 	if ((strcmp(cfg->ep->uuid, BAA_SERVICE_UUID) == 0)) {
@@ -3707,8 +3691,9 @@ static void cmd_config_endpoint(int argc, char *argv[])
 			goto fail;
 		}
 
+		cfg->caps = g_new0(struct iovec, 1);
 		/* Copy capabilities */
-		iov_append(&cfg->caps, preset->data.iov_base,
+		util_iov_append(cfg->caps, preset->data.iov_base,
 				preset->data.iov_len);
 
 		/* Set QoS parameters */
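Review bot: the added `cfg->caps = g_new0(struct iovec, 1);` is placed directly above the `/* Copy capabilities */` comment, separating the comment from the copy it describes; moving the allocation below the comment (or adding a blank line) reads better, and since cfg->caps is now allocated here rather than inside the helper, the endpoint_config teardown should free both cfg->caps->iov_base and cfg->caps with the matching g_free.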
@@ -3937,7 +3922,7 @@ static void custom_length(const char *input, void *user_data)
 	ltv[2] = len;
 	ltv[3] = len >> 8;
 
-	iov_append(&iov, ltv, sizeof(ltv));
+	util_iov_append(iov, ltv, sizeof(ltv));
 
 	bt_shell_prompt_input("QoS", "Enter Target Latency "
 				"(Low, Balance, High):",
@@ -3963,7 +3948,7 @@ static void custom_location(const char *input, void *user_data)
 
 		location = cpu_to_le32(location);
 		memcpy(&ltv[2], &location, sizeof(location));
-		iov_append(&iov, ltv, sizeof(ltv));
+		util_iov_append(iov, ltv, sizeof(ltv));
 	}
 
 	bt_shell_prompt_input("Codec", "Enter frame length:",
@@ -4006,7 +3991,7 @@ static void custom_duration(const char *input, void *user_data)
 		return bt_shell_noninteractive_quit(EXIT_FAILURE);
 	}
 
-	iov_append(&iov, ltv, sizeof(ltv));
+	util_iov_append(iov, ltv, sizeof(ltv));
 
 	bt_shell_prompt_input("Codec", "Enter channel allocation:",
 					custom_location, user_data);
@@ -4074,7 +4059,7 @@ static void custom_frequency(const char *input, void *user_data)
 	free(iov->iov_base);
 	iov->iov_base = NULL;
 	iov->iov_len = 0;
-	iov_append(&iov, ltv, sizeof(ltv));
+	util_iov_append(iov, ltv, sizeof(ltv));
 
 	bt_shell_prompt_input("Codec", "Enter frame duration (ms):",
 				custom_duration, user_data);
-- 
2.39.2



* Re: [PATCH BlueZ 0/3] shared/util: Add util_iov_append function
  2024-03-19 15:19 [PATCH BlueZ 0/3] shared/util: Add util_iov_append function Vlad Pruteanu
                   ` (2 preceding siblings ...)
  2024-03-19 15:19 ` [PATCH BlueZ 3/3] client/player: " Vlad Pruteanu
@ 2024-03-20  9:30 ` patchwork-bot+bluetooth
  3 siblings, 0 replies; 5+ messages in thread
From: patchwork-bot+bluetooth @ 2024-03-20  9:30 UTC
  To: Vlad Pruteanu
  Cc: linux-bluetooth, mihai-octavian.urzica, silviu.barbulescu,
	iulia.tanasescu, andrei.istodorescu, luiz.dentz

Hello:

This series was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Tue, 19 Mar 2024 17:19:14 +0200 you wrote:
> Currently iov_append is defined in 2 places, client/player.c and
> src/shared/bap.c. The player.c implementation is faulty as it
> does not allocate additional memory for the data that it appends
> to the original iovec. This can cause buffer overflows such as
> the one attached at the end of this message, which was discovered
> while running a Unicast setup. Therefore, the implementation from
> src/shared/bap.c was used to create util_iov_append as it allocates
> new memory appropriately. The existing calls to iov_append from
> src/shared/bap.c and client/player.c were replaced with the new
> util_iov_append.
> 
> [...]

Here is the summary with links:
  - [BlueZ,1/3] shared/util: Add util_iov_append function
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=9fc5f9e05d84
  - [BlueZ,2/3] shared/bap: Use util_iov_append instead of iov_append
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=060e3dd69ed3
  - [BlueZ,3/3] client/player: Use util_iov_append instead of iov_append
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=e96a7fdd697b

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



