[BlueZ,0/3] shared/util: Add util_iov_append function

Message ID 20240319151917.834974-1-vlad.pruteanu@nxp.com (mailing list archive)

Message

Vlad Pruteanu March 19, 2024, 3:19 p.m. UTC
Currently iov_append is defined in 2 places, client/player.c and
src/shared/bap.c. The player.c implementation is faulty as it
does not allocate additional memory for the data that it appends
to the original iovec. This can cause buffer overflows such as
the one attached at the end of this message, which was discovered
while running a Unicast setup. Therefore, the implementation from
src/shared/bap.c was used to create util_iov_append as it allocates
new memory appropriately. The existing calls to iov_append from
src/shared/bap.c and client/player.c were replaced with the new
util_iov_append.

==131878==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000059dda at pc 0x7feee2e70ea3 bp 0x7ffd415773f0 sp 0x7ffd41576b98
WRITE of size 6 at 0x602000059dda thread T0
0 0x7feee2e70ea2 in __interceptor_memcpy ../../../../src/libsanitizer
/sanitizer_common/sanitizer_common_interceptors.inc:899
1 0x5579661314aa in memcpy /usr/include/x86_64-linux-gnu/bits/
string_fortified.h:29
2 0x5579661314aa in iov_append client/player.c:2120
3 0x557966132169 in endpoint_select_properties_reply client/player.c:2191
4 0x557966132a6f in endpoint_select_properties client/player.c:2268
5 0x55796616e0b4 in process_message gdbus/object.c:246

Vlad Pruteanu (3):
  shared/util: Add util_iov_append function
  shared/bap: Use util_iov_append instead of iov_append
  client/player: Use util_iov_append instead of iov_append

 client/player.c   | 35 ++++++++++-------------------------
 src/shared/bap.c  | 16 +++++-----------
 src/shared/util.c |  6 ++++++
 src/shared/util.h |  1 +
 4 files changed, 22 insertions(+), 36 deletions(-)
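As an added example (not BlueZ's own code, and not the util_iov_append the series introduces): an iovec append that grows the buffer before copying, which is the property the cover letter says the player.c iov_append lacked. The name iov_append_safe, the size_t overflow guard and the LTV-style sample bytes are this example's own assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/uio.h>

/* Grow iov->iov_base by len bytes, then copy data into the new tail. On
 * allocation failure or size_t overflow the iovec is left untouched and
 * NULL is returned. */
static struct iovec *iov_append_safe(struct iovec *iov, const void *data,
								size_t len)
{
	unsigned char *base;

	if (len == 0)
		return iov;
	if (len > SIZE_MAX - iov->iov_len)
		return NULL;
	/* Allocate before writing: copying into the existing iov_base without
	 * growing it is the heap-buffer-overflow the sanitizer trace reports. */
	base = realloc(iov->iov_base, iov->iov_len + len);
	if (!base)
		return NULL;
	memcpy(base + iov->iov_len, data, len);
	iov->iov_base = base;
	iov->iov_len += len;
	return iov;
}

/* Accumulate two constructed LTV-style chunks into one iovec and return the
 * final length only if every byte landed where expected and an overflowing
 * append was refused (0 otherwise). */
static size_t build_sample(void)
{
	struct iovec iov = { NULL, 0 };
	const unsigned char a[] = { 0x02, 0x01, 0x03 };       /* constructed */
	const unsigned char b[] = { 0x03, 0x02, 0x01, 0x00 }; /* constructed */
	const unsigned char want[] = { 0x02, 0x01, 0x03, 0x03, 0x02, 0x01, 0x00 };
	size_t len = 0;

	if (iov_append_safe(&iov, a, sizeof(a)) &&
	    iov_append_safe(&iov, b, sizeof(b)) &&
	    iov_append_safe(&iov, "x", SIZE_MAX) == NULL &&
	    iov.iov_len == sizeof(want) &&
	    memcmp(iov.iov_base, want, sizeof(want)) == 0)
		len = iov.iov_len;
	free(iov.iov_base);
	return len;
}
```

Running the same sequence under AddressSanitizer with a copy that skips the realloc reproduces the WRITE-of-size-N report shown above, which is the quickest regression check for this class of bug.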

Comments

patchwork-bot+bluetooth@kernel.org March 20, 2024, 9:30 a.m. UTC | #1
Hello:

This series was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Tue, 19 Mar 2024 17:19:14 +0200 you wrote:
> Currently iov_append is defined in 2 places, client/player.c and
> src/shared/bap.c. The player.c implementation is faulty as it
> does not allocate additional memory for the data that it appends
> to the original iovec. This can cause buffer overflows such as
> the one attached at the end of this message, which was discovered
> while running a Unicast setup. Therefore, the implementation from
> src/shared/bap.c was used to create util_iov_append as it allocates
> new memory appropriately. The existing calls to iov_append from
> src/shared/bap.c and client/player.c were replaced with the new
> util_iov_append.
> 
> [...]

Here is the summary with links:
  - [BlueZ,1/3] shared/util: Add util_iov_append function
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=9fc5f9e05d84
  - [BlueZ,2/3] shared/bap: Use util_iov_append instead of iov_append
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=060e3dd69ed3
  - [BlueZ,3/3] client/player: Use util_iov_append instead of iov_append
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=e96a7fdd697b

You are awesome, thank you!