This patch fixes the out-of-bounds array access caught by ASAN.
monitor/sdp.c:497:19: runtime error: index 8 out of bounds for type
'cont_data [8]'
=================================================================
==4180==ERROR: AddressSanitizer: global-buffer-overflow on address
0x7fe2d271a542 at pc 0x7fe2d174a57d bp 0x7ffc6dcac1d0 sp 0x7ffc6dcab978
WRITE of size 9 at 0x7fe2d271a542 thread T0
#0 0x7fe2d174a57c (/lib/x86_64-linux-gnu/libasan.so.5+0x9b57c)
#1 0x7fe2d23bae85 in search_attr_rsp monitor/sdp.c:692
#2 0x7fe2d23be3f1 in sdp_packet monitor/sdp.c:771
#3 0x7fe2d23b004c in l2cap_frame monitor/l2cap.c:3247
#4 0x7fe2d23b3d9c in l2cap_packet monitor/l2cap.c:3312
#5 0x7fe2d237d5c3 in packet_hci_acldata monitor/packet.c:11638
#6 0x7fe2d2381876 in packet_monitor monitor/packet.c:3967
#7 0x7fe2d230b285 in data_callback monitor/control.c:973
#8 0x7fe2d2447029 in mainloop_run src/shared/mainloop.c:106
#9 0x7fe2d2449306 in mainloop_run_with_signal src/shared/mainloop-notify.c:188
#10 0x7fe2d230324a in main monitor/main.c:290
#11 0x7fe2d0b440b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#12 0x7fe2d2303b7d in _start (/home/han1/work/dev/bluez/monitor/btmon+0x1dbb7d)
0x7fe2d271a542 is located 30 bytes to the left of global variable 'tid_list'
defined in 'monitor/sdp.c:43:24' (0x7fe2d271a560) of size 384
0x7fe2d271a542 is located 2 bytes to the right of global variable 'cont_list'
defined in 'monitor/sdp.c:424:25' (0x7fe2d271a400) of size 320
SUMMARY: AddressSanitizer: global-buffer-overflow
(/lib/x86_64-linux-gnu/libasan.so.5+0x9b57c)
...
==4180==ABORTING

This adds decoding for the error code in the error response:
> test-sdp: User Data RX
Channel: 0 len 7 [PSM 1 mode 0] {chan 0}
SDP: Error Response (0x01) tid 2 len 2
Error code: Invalid Continuation State (0x0005)

Fix segfault caused by buffer over-read in service_rsp function of
monitor/sdp.c.
This bug can be triggered locally reading malformed btmon capture file
and also over the air by sending specifically crafted SDP Search
Attribute response to device running btmon.
Bug was found by fuzzing btmon with AFL.

Fix segfault caused by integer underflow in decode_data_element function
of monitor/sdp.c.
Fix is to check that elemlen is not bigger than size before subtracting
elemlen from size. Also search_bytes + attr_bytes should not be bigger
than frame->size.
This bug can be triggered locally reading malformed btmon capture file
and also over the air by sending specifically crafted SDP Search
Attribute response to device running btmon.
This bug was found by fuzzing btmon with AFL.
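
The two checks this commit describes (elemlen compared with size before the subtraction, and search_bytes + attr_bytes compared with frame->size), shown as an added C example written for this page. It is not BlueZ's decode_data_element(); the function and struct names, and the sample bytes, are constructed here. The element-header layout it parses (type in the top five bits, size index in the low three, with indices 5 to 7 meaning an explicit 1, 2 or 4 byte length) is the standard SDP data element encoding, so the decoder is a general one rather than only the case the commit fixes:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical decoder written for this page, not BlueZ's
 * decode_data_element(). SDP data element header byte: bits 7..3 are the
 * type, bits 2..0 the size index. Index 0..4 means a fixed payload of
 * 1, 2, 4, 8 or 16 bytes (index 0 of the nil type is 0 bytes); index
 * 5, 6, 7 means the payload length follows in 1, 2 or 4 big-endian bytes. */
struct sdp_element {
	uint8_t type;
	const uint8_t *data;	/* points into the caller's buffer */
	uint32_t len;
};

/* Returns bytes consumed (header + payload), or 0 if the element does not
 * fit in 'size'. Every declared length is compared with what actually
 * remains before it is used, so the caller's "size -= elemlen" cannot
 * underflow. */
static size_t sdp_decode_element(const uint8_t *buf, size_t size,
				 struct sdp_element *out)
{
	size_t hdr = 1;
	uint32_t elemlen = 0;
	uint8_t idx;

	if (size < 1)
		return 0;

	out->type = buf[0] >> 3;
	idx = buf[0] & 0x07;

	if (idx < 5) {
		elemlen = (idx == 0 && out->type == 0) ? 0 : 1u << idx;
	} else {
		hdr = 1 + (1u << (idx - 5));	/* 2, 3 or 5 header bytes */
		if (size < hdr)
			return 0;	/* the length field itself is truncated */
		for (size_t i = 1; i < hdr; i++)
			elemlen = (elemlen << 8) | buf[i];
	}

	/* The check the commit describes: elemlen must not exceed what is left. */
	if (elemlen > size - hdr)
		return 0;

	out->data = buf + hdr;
	out->len = elemlen;
	return hdr + elemlen;
}

/* Walks the top-level elements of a buffer: returns how many were decoded,
 * or -1 when one of them claims more bytes than remain. */
static int sdp_walk(const uint8_t *buf, size_t size)
{
	int count = 0;

	while (size > 0) {
		struct sdp_element el;
		size_t used = sdp_decode_element(buf, size, &el);

		if (used == 0)
			return -1;
		buf += used;
		size -= used;	/* safe: used <= size was verified */
		count++;
	}
	return count;
}

/* Overflow-safe form of "search_bytes + attr_bytes must not exceed
 * frame->size": the sum is never formed, so it cannot wrap around. */
static bool sdp_lengths_fit(size_t search_bytes, size_t attr_bytes,
			    size_t frame_size)
{
	if (search_bytes > frame_size)
		return false;
	return attr_bytes <= frame_size - search_bytes;
}

/* Constructed samples for this example, not captures from the page. */
static const uint8_t sample_ok[] = {
	0x08, 0x12,			/* uint8 0x12 */
	0x35, 0x03, 0x19, 0x11, 0x01	/* sequence of 3 bytes: uuid16 0x1101 */
};
static const uint8_t sample_bad[] = {
	0x35, 0x10, 0x19, 0x11		/* sequence claims 16 bytes, only 2 follow */
};

int main(void)
{
	printf("sample_ok: %d elements\n", sdp_walk(sample_ok, sizeof(sample_ok)));
	printf("sample_bad: %d\n", sdp_walk(sample_bad, sizeof(sample_bad)));
	printf("4 + 5 fits in 8: %d\n", sdp_lengths_fit(4, 5, 8));
	return 0;
}
```

The decoder rejects sample_bad because its length byte promises 16 bytes where only 2 remain; with an unchecked "size -= elemlen" that same input would wrap size to a huge value and the loop would read past the frame. sdp_lengths_fit keeps the two lengths apart instead of adding them, which is the form to prefer when either operand comes from the wire.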

Buffer overflow vulnerability in monitor/sdp.c SDP continuation handling
caused btmon to crash. This happens in global static buffer which makes
it non-trivial to exploit.
This is nasty bug in a way that this can be triggered also over the air
by sending malformed SDP Search Attribute request to device running
btmon.
This crash was found by fuzzing btmon with AFL. Seems to be reproducible
also with Synopsys Defensics SDP Server suite.

Commit e0e7eb08d5 tried to fix this, but
missed most of the files concerned.
Without the fix an out-of-tree build (e.g. make distcheck) will throw
errors like this:
CC monitor/l2cap.o
../monitor/l2cap.c:41:18: fatal error: uuid.h: No such file or directory
#include "uuid.h"

get_tid() may return NULL if a bogus tid is passed.
This fixes the following crash:
Invalid write of size 1
at 0x4A0A643: memcpy@@GLIBC_2.14 (in /usr/lib64/valgrind/
vgpreload_memcheck-amd64-linux.so)
by 0x4218E4: search_attr_req (sdp.c:413)
by 0x42214D: sdp_packet (sdp.c:748)
by 0x41ED09: l2cap_frame (l2cap.c:2632)
by 0x414D51: packet_hci_acldata (packet.c:7713)
by 0x415133: packet_monitor (packet.c:3332)
by 0x404AEC: control_reader (control.c:911)
by 0x40231A: main (main.c:197)
Address 0x6 is not stack'd, malloc'd or (recently) free'd
Process terminating with default action of signal 11 (SIGSEGV)
Access not within mapped region at address 0x6
at 0x4A0A643: memcpy@@GLIBC_2.14 (in /usr/lib64/valgrind/
vgpreload_memcheck-amd64-linux.so)
by 0x4218E4: search_attr_req (sdp.c:413)
by 0x42214D: sdp_packet (sdp.c:748)
by 0x41ED09: l2cap_frame (l2cap.c:2632)
by 0x414D51: packet_hci_acldata (packet.c:7713)
by 0x415133: packet_monitor (packet.c:3332)
by 0x404AEC: control_reader (control.c:911)
by 0x40231A: main (main.c:197)
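
Two of the crashes in this log share a shape: the ASAN report at the top shows a 9-byte write into the 8-byte cont_data buffer during continuation handling, and the Valgrind trace just above shows memcpy called through an unchecked NULL from get_tid(). The following added C example, written for this page and not btmon's own code, shows the defensive form of both: a tid lookup whose NULL result is checked before use, and a continuation-state copy that validates the length byte against both the bytes left in the frame and the fixed buffer before memcpy. CONT_DATA_MAX, TID_SLOTS, the function names and the sample fragments are all assumptions made here:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical tables for this page; sizes and names are assumptions, not
 * btmon's. CONT_DATA_MAX mirrors the 8-byte cont_data that the ASAN report
 * shows being overrun by a 9-byte write. */
#define CONT_DATA_MAX	8
#define TID_SLOTS	4

struct tid_entry {
	bool used;
	uint16_t tid;
	uint8_t cont_len;
	uint8_t cont_data[CONT_DATA_MAX];
};

static struct tid_entry tid_list[TID_SLOTS];

/* Returns NULL for a tid that was never registered. Every caller checks the
 * result; dereferencing it blindly is what produced the memcpy to address
 * 0x6 in the Valgrind trace. */
static struct tid_entry *lookup_tid(uint16_t tid)
{
	for (size_t i = 0; i < TID_SLOTS; i++)
		if (tid_list[i].used && tid_list[i].tid == tid)
			return &tid_list[i];
	return NULL;
}

/* Registers a tid seen in a request; returns the existing entry if it is
 * already known, or NULL when the table is full. */
static struct tid_entry *register_tid(uint16_t tid)
{
	struct tid_entry *e = lookup_tid(tid);

	if (e)
		return e;
	for (size_t i = 0; i < TID_SLOTS; i++) {
		if (!tid_list[i].used) {
			tid_list[i].used = true;
			tid_list[i].tid = tid;
			tid_list[i].cont_len = 0;
			return &tid_list[i];
		}
	}
	return NULL;
}

/* Stores the continuation state at the end of a response PDU: one length
 * byte followed by that many bytes. The length is checked against the bytes
 * left in the frame (over-read) and the fixed buffer (over-write) before
 * anything is copied. Returns the stored length, or -1 on rejected input. */
static int store_cont_state(uint16_t tid, const uint8_t *frame, size_t size)
{
	struct tid_entry *e = lookup_tid(tid);
	uint8_t len;

	if (!e || size < 1)
		return -1;
	len = frame[0];
	if (len > CONT_DATA_MAX || len > size - 1)
		return -1;
	memcpy(e->cont_data, frame + 1, len);
	e->cont_len = len;
	return len;
}

/* Constructed continuation-state fragments, not captures from the page. */
static const uint8_t cont_ok[] = { 0x04, 0xde, 0xad, 0xbe, 0xef };
static const uint8_t cont_too_long[] = { 0x09, 1, 2, 3, 4, 5, 6, 7, 8, 9 };
static const uint8_t cont_truncated[] = { 0x04, 0x01 };

int main(void)
{
	register_tid(2);
	printf("ok: %d\n", store_cont_state(2, cont_ok, sizeof(cont_ok)));
	printf("too long: %d\n",
	       store_cont_state(2, cont_too_long, sizeof(cont_too_long)));
	printf("truncated: %d\n",
	       store_cont_state(2, cont_truncated, sizeof(cont_truncated)));
	printf("unknown tid: %d\n", store_cont_state(7, cont_ok, sizeof(cont_ok)));
	return 0;
}
```

cont_too_long is the shape of the ASAN case: a length byte of 9 against an 8-byte buffer. Whatever capacity the real table has, the check stays the same, and because tid_list and the continuation buffers are global statics (as the commit notes), a missed check corrupts neighbouring globals rather than the stack, which is why the report lands between cont_list and tid_list.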

strndupa is a GNU extension. print_string is simple and open-coding
strndupa is not a big loss.
This fixes a linkage error with the bionic library, which doesn't provide
strndupa.
target Executable: btmon (out/target/product/grouper/obj/EXECUTABLES/
btmon_intermediates/LINKED/btmon)
prebuilts/gcc/linux-x86/arm/arm-linux-androideabi-4.6/bin/../lib/gcc/
arm-linux-androideabi/4.6.x-google/../../../../
arm-linux-androideabi/bin/ld: out/target/product/grouper/obj/
EXECUTABLES/btmon_intermediates/monitor/sdp.o: in function
print_string:external/bluetooth/bluez/monitor/sdp.c:146: error:
undefined reference to 'strndupa'
collect2: ld returned 1 exit status
make: *** [out/target/product/grouper/obj/EXECUTABLES/
btmon_intermediates/LINKED/btmon] Error

This reverts commit 8a03376544.
The patch needs to be split up and the gdbus/ changes were bogus
compared to the original commit message.
Conflicts:
Makefile.am
Makefile.obexd
profiles/cyclingspeed/cyclingspeed.c
profiles/heartrate/heartrate.c
src/error.c

Instead of trying to include config.h in each file over the tree and
possibly forgetting to include it, give a "-include config.h" argument
to the compiler so it's guaranteed that a) it will be included for all
source files and b) it will be the first header included.
gdbus/ directory is left out, since it would break other projects using
it.

Instead of defining _GNU_SOURCE in each source file (and potentially
forgetting in some), tell the build system we use extensions and let it
define _GNU_SOURCE in config.h.