Guru Meditation Error and rebooting when using ESP32 bluetooth

u_ding
Posts: 6
Joined: Tue Apr 16, 2024 6:11 am

Postby u_ding » Sun Apr 21, 2024 12:36 pm

With ESP-IDF 5.1, modifying the AVDT layer message and sending it out triggers a Guru Meditation Error and a reboot. According to the backtrace, there should be a problem with the HCI layer.

Example used: a2dp_source
Modified code: esp-idf/components/bt/host/bluedroid/stack/avdt/avdt_ad.c

```c
UINT8 avdt_ad_write_req(UINT8 type, tAVDT_CCB *p_ccb, tAVDT_SCB *p_scb, BT_HDR *p_buf)
{
    UINT8   tcid;

    /* get tcid from type, scb */
    tcid = avdt_ad_type_to_tcid(type, p_scb);

    /* Reseed and randomise the outgoing media packet (needs <stdlib.h>,
     * <time.h> and <inttypes.h> for srand/time/PRIu16). */
    srand(time(NULL));
    // p_buf[0].event = (uint16_t)rand();

    if(type == AVDT_CHAN_MEDIA){
        /* Overwrite every BT_HDR field with random values. Nothing here
         * checks that offset + len still fits inside the buffer that was
         * allocated for the original packet, so the HCI transmit path that
         * later consumes and frees this buffer sees bounds it cannot trust. */
        p_buf->event = (uint16_t)rand();
        p_buf->len = (uint16_t)rand() % 255;
        p_buf->offset = (uint16_t)rand();
        p_buf->layer_specific = (uint16_t)rand();
        /* Writes up to 254 bytes from data[0] regardless of the original
         * allocation size; data[] is UINT8, so the random value truncates. */
        for(int i = 0; i < p_buf->len; ++i) p_buf->data[i] = (uint16_t)rand();
    }

    /* Dump the header and payload of every 1000th packet to the console. */
    static int dk_cnt = 0;
    if(++dk_cnt % 1000 == 0){
        dk_cnt = 0, printf("\n\n avdt_ad_write_req \n");
        printf("%" PRIu16 " ", p_buf->event);
        printf("%" PRIu16 " ", p_buf->len);
        printf("%" PRIu16 " ", p_buf->offset);
        printf("%" PRIu16 " \n", p_buf->layer_specific);
        for(int i = 0; i < p_buf->len; ++i) printf("%" PRIu16 " ", p_buf->data[i]);
        printf("\n\n");
    }

    return L2CA_DataWrite(avdt_cb.ad.rt_tbl[avdt_ccb_to_idx(p_ccb)][tcid].lcid, p_buf);
}
```
```
Guru Meditation Error: Core  0 panic'ed (StoreProhibited). Exception was unhandled.

Core  0 register dump:
PC      : 0x40093232  PS      : 0x00060333  A0      : 0x80092e87  A1      : 0x3ffd0350
0x40093232: remove_free_block at /root/esp/esp-idf/components/heap/tlsf/tlsf.c:332
(inlined by) block_remove at /root/esp/esp-idf/components/heap/tlsf/tlsf.c:380
(inlined by) block_merge_next at /root/esp/esp-idf/components/heap/tlsf/tlsf.c:486
(inlined by) tlsf_free at /root/esp/esp-idf/components/heap/tlsf/tlsf.c:1123

A2      : 0x3ffcc144  A3      : 0x3ffd7838  A4      : 0x3ffd7830  A5      : 0x3ffc0042
A6      : 0x00000028  A7      : 0x00000058  A8      : 0x00000018  A9      : 0x3ffd8844
A10     : 0x3ffd8844  A11     : 0x00000000  A12     : 0x0099009d  A13     : 0x00000004
A14     : 0xb33fffff  A15     : 0xb33fffff  SAR     : 0x0000001c  EXCCAUSE: 0x0000001d
EXCVADDR: 0x009900a9  LBEG    : 0x4000c2e0  LEND    : 0x4000c2f6  LCOUNT  : 0xffffffff
0x4000c2e0: memcpy in ROM
0x4000c2f6: memcpy in ROM

Backtrace: 0x4009322f:0x3ffd0350 0x40092e84:0x3ffd0370 0x40082362:0x3ffd0390 0x4009406d:0x3ffd03b0 0x400de242:0x3ffd03d0 0x400df122:0x3ffd03f0 0x400de459:0x3ffd0410 0x4010c2fa:0x3ffd0430 0x400de4b5:0x3ffd0450 0x4010d2ce:0x3ffd0470 0x4010d19a:0x3ffd0490 0x40090ad5:0x3ffd04c0
0x4009322f: remove_free_block at /root/esp/esp-idf/components/heap/tlsf/tlsf.c:331
(inlined by) block_remove at /root/esp/esp-idf/components/heap/tlsf/tlsf.c:380
(inlined by) block_merge_next at /root/esp/esp-idf/components/heap/tlsf/tlsf.c:486
(inlined by) tlsf_free at /root/esp/esp-idf/components/heap/tlsf/tlsf.c:1123
0x40092e84: multi_heap_free_impl at /root/esp/esp-idf/components/heap/multi_heap.c:231
0x40082362: heap_caps_free at /root/esp/esp-idf/components/heap/heap_caps.c:388
0x4009406d: free at /root/esp/esp-idf/components/newlib/heap.c:39
0x400de242: transmit_fragment at /root/esp/esp-idf/components/bt/host/bluedroid/hci/hci_layer.c:350
0x400df122: fragment_and_dispatch at /root/esp/esp-idf/components/bt/host/bluedroid/hci/packet_fragmenter.c:132
0x400de459: event_packet_ready at /root/esp/esp-idf/components/bt/host/bluedroid/hci/hci_layer.c:338
0x4010c2fa: fixed_queue_process at /root/esp/esp-idf/components/bt/common/osi/fixed_queue.c:254
0x400de4b5: hci_downstream_data_handler at /root/esp/esp-idf/components/bt/host/bluedroid/hci/hci_layer.c:238
0x4010d2ce: osi_thread_generic_event_handler at /root/esp/esp-idf/components/bt/common/osi/thread.c:425
0x4010d19a: osi_thread_run at /root/esp/esp-idf/components/bt/common/osi/thread.c:165 (discriminator 1)
0x40090ad5: vPortTaskWrapper at /root/esp/esp-idf/components/freertos/FreeRTOS-Kernel/portable/xtensa/port.c:162

ELF file SHA256: fb53a7e2e55ccb03

Rebooting...
ets Jul 29 2019 12:21:46
```
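As an added example (not the poster's code and not ESP-IDF's), this is the kind of bounds check a transmit path would need before trusting the offset and len fields of a BT_HDR: the header is redeclared stand-alone as bt_hdr_t, and the allocated payload size is passed in as an assumed `capacity` argument because the real BT_HDR does not record it.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Stand-alone mirror of the BT_HDR fields the poster mutates. */
typedef struct {
    uint16_t event;
    uint16_t len;
    uint16_t offset;
    uint16_t layer_specific;
    uint8_t  data[];
} bt_hdr_t;

/* True when the payload described by (offset, len) lies entirely inside the
 * `capacity` bytes that follow the header. The sum is formed in 32 bits so
 * two random 16-bit fields cannot wrap past the check. */
bool bt_hdr_payload_fits(const bt_hdr_t *h, size_t capacity)
{
    if (h == NULL) return false;
    uint32_t end = (uint32_t)h->offset + (uint32_t)h->len;
    return end <= capacity;
}

/* Model of the copy a fragmenter performs (len bytes from data + offset).
 * Returns bytes copied, or -1 when the header fails validation. */
int safe_emit_fragment(const bt_hdr_t *h, size_t capacity, uint8_t *out, size_t out_cap)
{
    if (!bt_hdr_payload_fits(h, capacity) || h->len > out_cap) return -1;
    memcpy(out, h->data + h->offset, h->len);
    return (int)h->len;
}

/* Constructed sample: a zeroed header with `capacity` payload bytes. */
bt_hdr_t *bt_hdr_alloc(size_t capacity)
{
    return calloc(1, sizeof(bt_hdr_t) + capacity);
}

int main(void)
{
    bt_hdr_t *h = bt_hdr_alloc(64);
    h->offset = 0xFFFF; h->len = 254;   /* random-looking values as on the page */
    printf("mutated header accepted: %s\n", bt_hdr_payload_fits(h, 64) ? "yes" : "no");
    free(h);
    return 0;
}
```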

ESP_Sprite
Posts: 9766
Joined: Thu Nov 26, 2015 4:08 am

Re: Guru Meditation Error and rebooting when using ESP32 bluetooth

Postby ESP_Sprite » Mon Apr 22, 2024 6:39 am

Looks like memory corruption, and unfortunately that's not trivial to backtrace. I'd suggest taking a long hard look at your code, see if you're overflowing a buffer somewhere.

u_ding
Posts: 6
Joined: Tue Apr 16, 2024 6:11 am

Re: Guru Meditation Error and rebooting when using ESP32 bluetooth

Postby u_ding » Wed May 08, 2024 11:29 pm

CVE-2024-33454 is assigned to this problem.
