Summary
In ascs_cp_rsp_add in /subsys/bluetooth/audio/ascs.c, an unchecked tailroom could lead to a global buffer overflow.
Details
The function ascs_cp_rsp_add is invoked by multiple operations such as ascs_config, ascs_qos, etc.
The maximum number of ASEs can be up to the value of uint8_t, and this is iterated over in a for loop:
...
req = net_buf_simple_pull_mem(buf, sizeof(*req));
LOG_DBG("num_ases %u", req->num_ases);
for (uint8_t i = 0; i < req->num_ases; i++) {
...
As the loop iterates, ascs_cp_rsp_add may be called multiple times.
Within ascs_cp_rsp_add, the function net_buf_simple_add is used to add data to rsp_buf:
ase_rsp = net_buf_simple_add(&rsp_buf, sizeof(*ase_rsp));
ase_rsp->id = id;
ase_rsp->code = code;
ase_rsp->reason = reason;
The buffer rsp_buf is defined statically using a macro with size CONFIG_BT_L2CAP_TX_MTU:
NET_BUF_SIMPLE_DEFINE_STATIC(rsp_buf, CONFIG_BT_L2CAP_TX_MTU);
Each time ascs_cp_rsp_add is called, sizeof(*ase_rsp), which is 3 bytes, is added to the buffer.
However, there is a missing check for available tailroom before adding data to the buffer.
If ascs_cp_rsp_add is called multiple times by a large num_ases, it could lead to a global buffer overflow in subsequent code:
ase_rsp = net_buf_simple_add(&rsp_buf, sizeof(*ase_rsp));
ase_rsp->id = id;
ase_rsp->code = code;
ase_rsp->reason = reason;
PoC
Set the CONFIG_BT_L2CAP_TX_MTU parameter to 253, which is the default value as defined in autoconf.h.
Set the num_ases in the req to a value greater than 85, ensuring that the resulting size exceeds the capacity of rsp_buf, since 85×3>253.
Impact
An out-of-bounds write in a global variable can result in system instability, potentially leading to crashes or denial of service (DoS) attacks.
Patches
main: #74976
v3.6: #77958
For more information
If you have any questions or comments about this advisory:
embargo: 2024-09-22
ekleezg Reporter
Summary
In
ascs_cp_rsp_addin/subsys/bluetooth/audio/ascs.c, an unchecked tailroom could lead to a global buffer overflow.Details
The function
ascs_cp_rsp_addis invoked by multiple operations such asascs_config,ascs_qos, etc.The maximum number of ASEs can be up to the value of
uint8_t, and this is iterated over in a for loop:As the loop iterates,
ascs_cp_rsp_addmay be called multiple times.Within
ascs_cp_rsp_add, the functionnet_buf_simple_addis used to add data torsp_buf:The buffer
rsp_bufis defined statically using a macro with sizeCONFIG_BT_L2CAP_TX_MTU:Each time
ascs_cp_rsp_addis called,sizeof(*ase_rsp), which is 3 bytes, is added to the buffer.However, there is a missing check for available tailroom before adding data to the buffer.
If
ascs_cp_rsp_addis called multiple times by a largenum_ases, it could lead to a global buffer overflow in subsequent code:PoC
Set the
CONFIG_BT_L2CAP_TX_MTUparameter to 253, which is the default value as defined in autoconf.h.Set the
num_asesin thereqto a value greater than 85, ensuring that the resulting size exceeds the capacity ofrsp_buf, since 85×3>253.Impact
An out-of-bounds write in a global variable can result in system instability, potentially leading to crashes or denial of service (DoS) attacks.
Patches
main: #74976
v3.6: #77958
For more information
If you have any questions or comments about this advisory:
embargo: 2024-09-22