Message ID | 20220325234625.24642-1-inga.stotland@intel.com (mailing list archive) |
---|---|
State | Accepted |
Commit | 2a2b027176d5ed98483bf08ff335995502918d74 |
Series | [BlueZ,v2] mesh: Fix address overrun error in rx filter | expand |
This is an automated email; please do not reply to it! Dear submitter, Thank you for submitting the patches to the linux bluetooth mailing list. These are the CI test results for your patch series: PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=626461 ---Test result--- Test Summary: CheckPatch PASS 0.74 seconds GitLint PASS 0.45 seconds Prep - Setup ELL PASS 51.63 seconds Build - Prep PASS 0.68 seconds Build - Configure PASS 10.01 seconds Build - Make PASS 1755.44 seconds Make Check PASS 12.14 seconds Make Check w/Valgrind PASS 531.49 seconds Make Distcheck PASS 279.33 seconds Build w/ext ELL - Configure PASS 10.12 seconds Build w/ext ELL - Make PASS 1723.72 seconds Incremental Build with patches PASS 0.00 seconds --- Regards, Linux Bluetooth
Hello: This patch was applied to bluetooth/bluez.git (master) by Brian Gix <brian.gix@intel.com>: On Fri, 25 Mar 2022 16:46:25 -0700 you wrote: > This fixes the following error for invalid read access when registering > filter for incoming messages: > > 140632==ERROR: AddressSanitizer: stack-buffer-overflow on address... > #0 0x7f60c185741d in MemcmpInterceptorCommon(... > #1 0x7f60c1857af8 in __interceptor_memcmp (/lib64/libasan.so... > #2 0x55a10101536e in find_by_filter mesh/mesh-io-unit.c:494 > #3 0x55a1010d8c46 in l_queue_remove_if ell/queue.c:517 > #4 0x55a101014ebd in recv_register mesh/mesh-io-unit.c:506 > #5 0x55a10102946f in mesh_net_attach mesh/net.c:2885 > #6 0x55a101086f64 in send_reply mesh/dbus.c:153 > #7 0x55a101124c3d in handle_method_return ell/dbus.c:216 > #8 0x55a10112c8ef in message_read_handler ell/dbus.c:276 > #9 0x55a1010dae20 in io_callback ell/io.c:120 > #10 0x55a1010dff7e in l_main_iterate ell/main.c:478 > #11 0x55a1010e06e3 in l_main_run ell/main.c:525 > #12 0x55a1010e06e3 in l_main_run ell/main.c:507 > #13 0x55a1010e0bfc in l_main_run_with_signal ell/main.c:647 > #14 0x55a10100316e in main mesh/main.c:292 > #15 0x7f60c0c6855f in __libc_start_call_main (/lib64/libc.so.6+... > #16 0x7f60c0c6860b in __libc_start_main_alias_1 (/lib64/libc.so.6+... > #17 0x55a101003ce4 in _start (/home/istotlan/bluez/mesh/bluetooth-m... > > [...] Here is the summary with links: - [BlueZ,v2] mesh: Fix address overrun error in rx filter https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=2a2b027176d5 You are awesome, thank you!
diff --git a/mesh/mesh-io-generic.c b/mesh/mesh-io-generic.c
index 6c0b8f0fd..50a2a6a86 100644
--- a/mesh/mesh-io-generic.c
+++ b/mesh/mesh-io-generic.c
@@ -810,10 +810,13 @@ static bool tx_cancel(struct mesh_io *io, const uint8_t *data, uint8_t len)
 
 static bool find_by_filter(const void *a, const void *b)
 {
-	const struct pvt_rx_reg *rx_reg = a;
-	const uint8_t *filter = b;
+	const struct pvt_rx_reg *rx_reg_old = a;
+	const struct pvt_rx_reg *rx_reg = b;
+
+	if (rx_reg_old->len != rx_reg->len)
+		return false;
 
-	return !memcmp(rx_reg->filter, filter, rx_reg->len);
+	return !memcmp(rx_reg_old->filter, rx_reg->filter, rx_reg->len);
 }
 
 static bool recv_register(struct mesh_io *io, const uint8_t *filter,
@@ -821,16 +824,13 @@ static bool recv_register(struct mesh_io *io, const uint8_t *filter,
 {
 	struct bt_hci_cmd_le_set_scan_enable cmd;
 	struct mesh_io_private *pvt = io->pvt;
-	struct pvt_rx_reg *rx_reg;
+	struct pvt_rx_reg *rx_reg, *rx_reg_old;
 	bool already_scanning;
 	bool active = false;
 
 	if (!cb || !filter || !len)
 		return false;
 
-	rx_reg = l_queue_remove_if(pvt->rx_regs, find_by_filter, filter);
-
-	l_free(rx_reg);
 
 	rx_reg = l_malloc(sizeof(*rx_reg) + len);
 	memcpy(rx_reg->filter, filter, len);
@@ -838,6 +838,10 @@ static bool recv_register(struct mesh_io *io, const uint8_t *filter,
 	rx_reg->cb = cb;
 	rx_reg->user_data = user_data;
 
+	rx_reg_old = l_queue_remove_if(pvt->rx_regs, find_by_filter, rx_reg);
+
+	l_free(rx_reg_old);
+
 	already_scanning = !l_queue_isempty(pvt->rx_regs);
 	l_queue_push_head(pvt->rx_regs, rx_reg);
 
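Review bot: find_by_filter now expects `b` to be a `struct pvt_rx_reg` rather than the raw filter bytes it took before, but because l_queue_remove_if hands the key through as `const void *`, a caller that still passes `filter` directly (as both call sites did before this patch) compiles cleanly and reproduces the original overrun. Pinning that contract in a comment above the casts would help the next maintainer, e.g. `/* b must be a struct pvt_rx_reg key (len + filter bytes), never raw filter bytes */`. The same applies to the matching find_by_filter hunk in mesh/mesh-io-unit.c.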
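Review bot: The new lookup `rx_reg_old = l_queue_remove_if(pvt->rx_regs, find_by_filter, rx_reg);` uses the freshly built entry as the key, so find_by_filter reads `rx_reg->len` and the filter bytes before the entry is queued; the `len` assignment is not inside this hunk (presumably the single line between this hunk and the previous one), so the match silently depends on statement order that a later edit could break. A short comment would make the dependency explicit, e.g. `/* rx_reg doubles as the lookup key: len and filter must already be set */`. The same ordering dependency exists in the mesh/mesh-io-unit.c recv_register hunk at line 513. recv_register continues outside this hunk.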
@@ -863,14 +867,20 @@ static bool recv_deregister(struct mesh_io *io, const uint8_t *filter,
 {
 	struct bt_hci_cmd_le_set_scan_enable cmd = {0, 0};
 	struct mesh_io_private *pvt = io->pvt;
-	struct pvt_rx_reg *rx_reg;
+	struct pvt_rx_reg *rx_reg, *rx_reg_tmp;
 	bool active = false;
 
-	rx_reg = l_queue_remove_if(pvt->rx_regs, find_by_filter, filter);
+	rx_reg_tmp = l_malloc(sizeof(*rx_reg_tmp) + len);
+	memcpy(&rx_reg_tmp->filter, filter, len);
+	rx_reg_tmp->len = len;
+
+	rx_reg = l_queue_remove_if(pvt->rx_regs, find_by_filter, rx_reg_tmp);
 
 	if (rx_reg)
 		l_free(rx_reg);
 
+	l_free(rx_reg_tmp);
+
 	/* Look for any AD types requiring Active Scanning */
 	if (l_queue_find(pvt->rx_regs, find_active, NULL))
 		active = true;
diff --git a/mesh/mesh-io-unit.c b/mesh/mesh-io-unit.c
index f4b615ac8..bf3f808e4 100644
--- a/mesh/mesh-io-unit.c
+++ b/mesh/mesh-io-unit.c
@@ -488,24 +488,24 @@ static bool tx_cancel(struct mesh_io *io, const uint8_t *data, uint8_t len)
 
 static bool find_by_filter(const void *a, const void *b)
 {
-	const struct pvt_rx_reg *rx_reg = a;
-	const uint8_t *filter = b;
+	const struct pvt_rx_reg *rx_reg_old = a;
+	const struct pvt_rx_reg *rx_reg = b;
 
-	return !memcmp(rx_reg->filter, filter, rx_reg->len);
+	if (rx_reg_old->len != rx_reg->len)
+		return false;
+
+	return !memcmp(rx_reg_old->filter, rx_reg->filter, rx_reg->len);
 }
 
 static bool recv_register(struct mesh_io *io, const uint8_t *filter,
 				uint8_t len, mesh_io_recv_func_t cb, void *user_data)
 {
 	struct mesh_io_private *pvt = io->pvt;
-	struct pvt_rx_reg *rx_reg;
+	struct pvt_rx_reg *rx_reg, *rx_reg_old;
 
 	if (!cb || !filter || !len)
 		return false;
 
-	rx_reg = l_queue_remove_if(pvt->rx_regs, find_by_filter, filter);
-
-	l_free(rx_reg);
 
 	rx_reg = l_malloc(sizeof(*rx_reg) + len);
 	memcpy(rx_reg->filter, filter, len);
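Review bot: recv_deregister copies `len` bytes from `filter` into the freshly allocated key without the `!filter || !len` guard that recv_register applies, so a NULL `filter` reaches memcpy, which is undefined behaviour even when len is 0; a leading `if (!filter || !len) return false;` before the l_malloc would keep the two paths consistent, assuming false is the right result for a bad argument here. Separately, `memcpy(&rx_reg_tmp->filter, filter, len);` takes the address of the flexible array member while recv_register writes `memcpy(rx_reg->filter, filter, len);` — the same address, but the two spellings read as different things and the `&` is better dropped. recv_deregister's signature and the rest of its body lie outside the hunk.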
@@ -513,6 +513,10 @@ static bool recv_register(struct mesh_io *io, const uint8_t *filter,
 	rx_reg->cb = cb;
 	rx_reg->user_data = user_data;
 
+	rx_reg_old = l_queue_remove_if(pvt->rx_regs, find_by_filter, rx_reg);
+
+	l_free(rx_reg_old);
+
 	l_queue_push_head(pvt->rx_regs, rx_reg);
 
 	return true;