Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix Global Buffer Overflow in AudioOutputManager.cpp #36858

Merged
merged 1 commit into from
Dec 17, 2024
Merged

Fix Global Buffer Overflow in AudioOutputManager.cpp #36858

merged 1 commit into from
Dec 17, 2024
+5 −0

Conversation

BoB13-Matter
Copy link
Contributor

@BoB13-Matter BoB13-Matter commented Dec 16, 2024
edited
Loading

Description

This pull request fixes a global-buffer-overflow in the AudioOutputManager::HandleRenameOutput function of the AudioOutput cluster.

Similar to PR #36856 for the MediaInput cluster, this bug arises from an unchecked memcpy operation that allows oversized input to overflow a fixed-size buffer.
The mCharDataBuffer in AudioOutputManager is a statically allocated buffer with a fixed size of 32 for each entry:

char mCharDataBuffer[10][32];

However, the HandleRenameOutput function does not validate the size of the input string (name.size()) before copying it into the buffer. If the input string exceeds 32 bytes, this leads to a buffer overflow, as demonstrated in the reproduction steps.

Reproduce

  1. Run the following commands in separate terminals:

    tv-app:

    ./chip-tv-app

    chip-tool:

    ./chip-tool interactive start

  2. Execute the rename-output command in the AudioOutput cluster with a long string argument:

    audiooutput rename-output 1 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 1 1

  3. Observe the AddressSanitizier Log
    ASAN Log.txt

Changes

The fix applies the same solution introduced in PR #36856. A size check is added before the memcpy operation to ensure the input does not exceed the buffer's capacity.

Updated HandleRenameOutput function:

bool AudioOutputManager::HandleRenameOutput(const uint8_t & index, const chip::CharSpan & name)
{
    // TODO: Insert code here
    bool audioOutputRenamed = false;

    for (OutputInfoType & output : mOutputs)
    {
        if (output.index == index)
        {
            if (sizeof(mCharDataBuffer[index]) < name.size())
            {
                return audioOutputRenamed;
            }
            
            audioOutputRenamed = true;
            memcpy(this->Data(index), name.data(), name.size());
            output.name = chip::CharSpan(this->Data(index), name.size());
        }
    }

    return audioOutputRenamed;
}

@semanticdiff-com SemanticDiff.com
Copy link

Review changes with  SemanticDiff

@github-actions GitHub Actions
Copy link

github-actions bot commented Dec 16, 2024
edited
Loading

PR #36858: Size comparison from cfdaf79 to 7783af2

Full report (69 builds for bl602, bl702, bl702l, cc13x4_26x4, cc32xx, cyw30739, efr32, esp32, linux, nrfconnect, nxp, psoc6, qpg, stm32, telink, tizen)
platform target config section cfdaf79 7783af2 change % change
bl602 lighting-app bl602+mfd+littlefs+rpc FLASH 1353340 1353340 0 0.0
RAM 104112 104112 0 0.0
bl702 lighting-app bl702+eth FLASH 651826 651826 0 0.0
RAM 25353 25353 0 0.0
bl702+wifi FLASH 829154 829154 0 0.0
RAM 14093 14093 0 0.0
bl706+mfd+rpc+littlefs FLASH 1057626 1057626 0 0.0
RAM 23933 23933 0 0.0
bl702l lighting-app bl702l+mfd+littlefs FLASH 979000 979000 0 0.0
RAM 16596 16596 0 0.0
cc13x4_26x4 lighting-app LP_EM_CC1354P10_6 FLASH 839760 839760 0 0.0
RAM 123664 123664 0 0.0
lock-ftd LP_EM_CC1354P10_6 FLASH 825308 825308 0 0.0
RAM 125552 125552 0 0.0
pump-app LP_EM_CC1354P10_6 FLASH 772096 772096 0 0.0
RAM 114020 114020 0 0.0
pump-controller-app LP_EM_CC1354P10_6 FLASH 756300 756300 0 0.0
RAM 114228 114228 0 0.0
cc32xx air-purifier CC3235SF_LAUNCHXL FLASH 539605 539605 0 0.0
RAM 205760 205760 0 0.0
lock CC3235SF_LAUNCHXL FLASH 573885 573885 0 0.0
RAM 205904 205904 0 0.0
cyw30739 light CYW30739B2-P5-EVK-01 unknown 2040 2040 0 0.0
FLASH 681513 681513 0 0.0
RAM 78724 78724 0 0.0
CYW30739B2-P5-EVK-02 unknown 2040 2040 0 0.0
FLASH 701357 701357 0 0.0
RAM 81364 81364 0 0.0
CYW30739B2-P5-EVK-03 unknown 2040 2040 0 0.0
FLASH 701357 701357 0 0.0
RAM 81364 81364 0 0.0
CYW930739M2EVB-02 unknown 2040 2040 0 0.0
FLASH 658301 658301 0 0.0
RAM 73792 73792 0 0.0
light-switch CYW30739B2-P5-EVK-01 unknown 2040 2040 0 0.0
FLASH 618073 618073 0 0.0
RAM 71708 71708 0 0.0
CYW30739B2-P5-EVK-02 unknown 2040 2040 0 0.0
FLASH 637701 637701 0 0.0
RAM 74252 74252 0 0.0
CYW30739B2-P5-EVK-03 unknown 2040 2040 0 0.0
FLASH 637701 637701 0 0.0
RAM 74252 74252 0 0.0
lock CYW30739B2-P5-EVK-01 unknown 2040 2040 0 0.0
FLASH 637473 637473 0 0.0
RAM 74724 74724 0 0.0
CYW30739B2-P5-EVK-02 unknown 2040 2040 0 0.0
FLASH 657181 657181 0 0.0
RAM 77268 77268 0 0.0
CYW30739B2-P5-EVK-03 unknown 2040 2040 0 0.0
FLASH 657181 657181 0 0.0
RAM 77268 77268 0 0.0
thermostat CYW30739B2-P5-EVK-01 unknown 2040 2040 0 0.0
FLASH 613933 613933 0 0.0
RAM 68812 68812 0 0.0
CYW30739B2-P5-EVK-02 unknown 2040 2040 0 0.0
FLASH 633785 633785 0 0.0
RAM 71444 71444 0 0.0
CYW30739B2-P5-EVK-03 unknown 2040 2040 0 0.0
FLASH 633785 633785 0 0.0
RAM 71444 71444 0 0.0
efr32 lock-app BRD4187C FLASH 932340 932340 0 0.0
RAM 160192 160192 0 0.0
BRD4338a FLASH 746256 746248 -8 -0.0
RAM 233320 233320 0 0.0
window-app BRD4187C FLASH 1024912 1024912 0 0.0
RAM 128296 128296 0 0.0
esp32 all-clusters-app c3devkit DRAM 95360 95360 0 0.0
FLASH 1543380 1543380 0 0.0
IRAM 82542 82542 0 0.0
m5stack DRAM 116312 116312 0 0.0
FLASH 1549950 1549950 0 0.0
IRAM 117039 117039 0 0.0
linux air-purifier-app debug unknown 4720 4720 0 0.0
FLASH 2715629 2715629 0 0.0
RAM 129800 129800 0 0.0
all-clusters-app debug unknown 5560 5560 0 0.0
FLASH 6009314 6009314 0 0.0
RAM 523544 523544 0 0.0
all-clusters-minimal-app debug unknown 5456 5456 0 0.0
FLASH 5345370 5345370 0 0.0
RAM 242600 242600 0 0.0
bridge-app debug unknown 5440 5440 0 0.0
FLASH 4684938 4684938 0 0.0
RAM 218416 218416 0 0.0
chip-tool debug unknown 5992 5992 0 0.0
FLASH 12849310 12849310 0 0.0
RAM 582506 582506 0 0.0
chip-tool-ipv6only arm64 unknown 21352 21352 0 0.0
FLASH 10983936 10983936 0 0.0
RAM 633424 633424 0 0.0
fabric-admin debug unknown 5816 5816 0 0.0
FLASH 11255859 11255859 0 0.0
RAM 582850 582850 0 0.0
fabric-bridge-app debug unknown 4696 4696 0 0.0
FLASH 4510514 4510514 0 0.0
RAM 205600 205600 0 0.0
fabric-sync debug unknown 4936 4936 0 0.0
FLASH 5610549 5610549 0 0.0
RAM 472584 472584 0 0.0
lighting-app debug+rpc+ui unknown 6104 6104 0 0.0
FLASH 5621633 5621633 0 0.0
RAM 228792 228792 0 0.0
lock-app debug unknown 5376 5376 0 0.0
FLASH 4734178 4734178 0 0.0
RAM 204776 204776 0 0.0
ota-provider-app debug unknown 4752 4752 0 0.0
FLASH 4359916 4359916 0 0.0
RAM 198448 198448 0 0.0
ota-requestor-app debug unknown 4688 4688 0 0.0
FLASH 4498908 4498908 0 0.0
RAM 203032 203032 0 0.0
shell debug unknown 4248 4248 0 0.0
FLASH 3032765 3032765 0 0.0
RAM 160424 160424 0 0.0
thermostat-no-ble arm64 unknown 9536 9536 0 0.0
FLASH 4104176 4104176 0 0.0
RAM 243040 243040 0 0.0
tv-app debug unknown 5704 5704 0 0.0
FLASH 5959461 5959493 32 0.0
RAM 596016 596016 0 0.0
tv-casting-app debug unknown 5288 5288 0 0.0
FLASH 11055165 11055165 0 0.0
RAM 692184 692184 0 0.0
nrfconnect all-clusters-app nrf52840dk_nrf52840 FLASH 917880 917880 0 0.0
RAM 143292 143292 0 0.0
nrf7002dk_nrf5340_cpuapp FLASH 890360 890360 0 0.0
RAM 141487 141487 0 0.0
all-clusters-minimal-app nrf52840dk_nrf52840 FLASH 851772 851772 0 0.0
RAM 142200 142200 0 0.0
nxp contact k32w0+release FLASH 585440 585440 0 0.0
RAM 71080 71080 0 0.0
mcxw71+release FLASH 600048 600048 0 0.0
RAM 63176 63176 0 0.0
light k32w0+release FLASH 612412 612412 0 0.0
RAM 70472 70472 0 0.0
k32w1+release FLASH 686592 686592 0 0.0
RAM 48808 48808 0 0.0
lock mcxw71+release FLASH 762928 762928 0 0.0
RAM 70844 70844 0 0.0
psoc6 all-clusters cy8ckit_062s2_43012 FLASH 1646812 1646812 0 0.0
RAM 212104 212104 0 0.0
all-clusters-minimal cy8ckit_062s2_43012 FLASH 1554236 1554236 0 0.0
RAM 208904 208904 0 0.0
light cy8ckit_062s2_43012 FLASH 1469564 1469564 0 0.0
RAM 200880 200880 0 0.0
lock cy8ckit_062s2_43012 FLASH 1467292 1467292 0 0.0
RAM 225240 225240 0 0.0
qpg lighting-app qpg6105+debug FLASH 664024 664024 0 0.0
RAM 105424 105424 0 0.0
lock-app qpg6105+debug FLASH 621812 621812 0 0.0
RAM 99868 99868 0 0.0
stm32 light STM32WB5MM-DK FLASH 484728 484728 0 0.0
RAM 144880 144880 0 0.0
telink bridge-app tlsr9258a FLASH 682916 682916 0 0.0
RAM 91208 91208 0 0.0
contact-sensor-app tlsr9528a_retention FLASH 623346 623346 0 0.0
RAM 31440 31440 0 0.0
light-app-ota-compress-lzma-shell-factory-data tl3218x FLASH 772176 772176 0 0.0
RAM 49300 49300 0 0.0
light-switch-app-ota-compress-lzma-shell-factory-data tlsr9528a FLASH 710770 710770 0 0.0
RAM 73504 73504 0 0.0
lighting-app-ota-factory-data tlsr9118bdk40d FLASH 627790 627790 0 0.0
RAM 142140 142140 0 0.0
lighting-app-ota-rpc-factory-data-4mb tlsr9518adk80d FLASH 813804 813804 0 0.0
RAM 99684 99684 0 0.0
tizen all-clusters-app arm unknown 4988 4988 0 0.0
FLASH 1734440 1734440 0 0.0
RAM 90744 90744 0 0.0
chip-tool-ubsan arm unknown 10804 10804 0 0.0
FLASH 17973406 17973406 0 0.0
RAM 7842608 7842608 0 0.0

andy31415
andy31415 reviewed Dec 16, 2024
View reviewed changes
Copy link
Contributor

@andy31415 andy31415 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@BoB13-Matter please add a Testing section to your PR summary:

  • how was this tested
  • since I see no unit tests changes, I assume this was manual. Please explain why automated testing is impossible (clusters are generally not built for unit tests ... but also why can't we have yaml or python tests?)

@andy31415 andy31415 mentioned this pull request Dec 17, 2024
Open
andy31415
andy31415 approved these changes Dec 17, 2024
View reviewed changes
Copy link
Contributor

@andy31415 andy31415 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Created #36875 for testing this. The PR description does describe how to reproduce the issue so assuming manual and the delta is small.

@mergify mergify bot merged commit dbb08f5 into project-chip:master Dec 17, 2024
68 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bzbarsky-apple bzbarsky-apple bzbarsky-apple approved these changes

@andy31415 andy31415 andy31415 approved these changes

Assignees
No one assigned
Labels
examples review - approved
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@BoB13-Matter @andy31415 @bzbarsky-apple