Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Potential buffer out-of-bound read in gatt-database.c:cli_feat_read_cb #70

Closed
zxtwonder opened this issue Jan 4, 2021 · 7 comments
Closed

Potential buffer out-of-bound read in gatt-database.c:cli_feat_read_cb #70

zxtwonder opened this issue Jan 4, 2021 · 7 comments

Comments

@zxtwonder
Copy link

zxtwonder commented Jan 4, 2021
edited

bluez/src/gatt-database.c

Lines 1078 to 1079 in 35a2c50

len = sizeof(state->cli_feat) - offset;
value = len ? &state->cli_feat[offset] : NULL; 

static void cli_feat_read_cb(struct gatt_db_attribute *attrib,
					unsigned int id, uint16_t offset,
					uint8_t opcode, struct bt_att *att,
					void *user_data)
{
...
	size_t len = 0;
...
	len = sizeof(state->cli_feat) - offset;
	value = len ? &state->cli_feat[offset] : NULL;

Both len and sizeof() are unsigned and offset is an external input without validation. It seems like a malicious GATT client can cause out-of-bound read on memory locations after the given device_state::cli_feat pointer.

Similar validation like below should be sufficient:

bluez/src/gatt-database.c

Line 691 in 35a2c50

if (offset > 2) {

github-actions bot pushed a commit to BluezTestBot/bluez that referenced this issue Jan 4, 2021
@Vudentz @BluezTestBot
gatt: Fix potential buffer out-of-bound
9e6889d 
When client features is read check if the offset is within the cli_feat
bounds.

Fixes: bluez#70
@BluezTestBot BluezTestBot mentioned this issue Jan 4, 2021
Closed
github-actions bot pushed a commit to tedd-an/bluez that referenced this issue Jan 4, 2021
@Vudentz @tedd-an
gatt: Fix potential buffer out-of-bound
61ed28e 
When client features is read check if the offset is within the cli_feat
bounds.

Fixes: bluez#70
@tedd-an tedd-an mentioned this issue Jan 4, 2021
Closed
@zxtwonder
Copy link
Author

@Vudentz Thanks for the super quick update. One question on the change though - I only have a practical understanding on the BT spec, but should we only return BT_ATT_ERROR_INVALID_OFFSET when offset is strictly larger than sizeof(state->cli_feat) - to give the server a chance to indicate the end of the data?

	if (offset >= sizeof(state->cli_feat)) {
		ecode = BT_ATT_ERROR_INVALID_OFFSET;
		goto done;
	}

@Vudentz
Copy link
Contributor

Vudentz commented Jan 4, 2021

@Vudentz Thanks for the super quick update. One question on the change though - I only have a practical understanding on the BT spec, but should we only return BT_ATT_ERROR_INVALID_OFFSET when offset is strictly larger than sizeof(state->cli_feat) - to give the server a chance to indicate the end of the data?

	if (offset >= sizeof(state->cli_feat)) {
		ecode = BT_ATT_ERROR_INVALID_OFFSET;
		goto done;
	}

If the offset is == sizeof(state->cli_feat) it would be already past the end as the offset start at index 0 so valid offsets are in a range of 0 to size of attribute - 1.

@zxtwonder
Copy link
Author

Based on the previous code, I was under the impression that the client needs a return of 0 length to be sure the read is complete.

	len = sizeof(state->cli_feat) - offset;
	value = len ? &state->cli_feat[offset] : NULL;

But after a further look, it seems that gatt-database does not handle offset consistently.

Sometimes, it allows for empty read:

static void gap_appearance_read_cb(struct gatt_db_attribute *attrib,
...
	uint8_t appearance[2];
...
	if (offset > 2) {

But other times not:

static void gatt_ccc_read_cb(struct gatt_db_attribute *attrib,
...
	const uint8_t *value = NULL;
...
	if (offset) {

I guess it is all corner case now since these are all short values. I will have to read the spec to see what the client should expect then.

@setharnold
Copy link

Hello, please use CVE-2021-3588 for this issue. Thanks.

@jefferyto
Copy link

This issue appears to have been closed by a test commit and was never actually fixed.

@Vudentz
Copy link
Contributor

Vudentz commented May 17, 2022

@jefferyto it has been pushed: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3a40bef49305f8327635b81ac8be52a3ca063d5a

@jefferyto
Copy link

Apologies for the noise (the fix was also replaced in 6a50b6a).

@Haotian-Shi-cyber Haotian-Shi-cyber mentioned this issue Jun 1, 2022
Closed
@marvix97 marvix97 mentioned this issue Jul 3, 2023
Open
@sanchipsync sanchipsync mentioned this issue Jan 22, 2024
Closed
@jason77-wang jason77-wang mentioned this issue Mar 27, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
4 participants
@jefferyto @Vudentz @setharnold @zxtwonder