Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Invalid Opcode Response Detection to prevent Crash #480

Merged
merged 1 commit into from
May 30, 2022
Merged

Invalid Opcode Response Detection to prevent Crash #480

merged 1 commit into from
May 30, 2022

Conversation

dinesharjani
Copy link
Contributor

@dinesharjani dinesharjani commented May 27, 2022
edited by philips77
Loading

The following Stack Trace happens in nRF Connect 2.5.1:

Thread 13 name:
Thread 13 Crashed:
0   nRF-Connect                   	0x0000000100f77410 closure #1 in SecureDFUPeripheral.selectCommandObject() + 384 (SecureDFUPeripheral.swift:0)
1   nRF-Connect                   	0x0000000100f772d8 closure #1 in SecureDFUPeripheral.selectCommandObject() + 72 (SecureDFUPeripheral.swift:187)
2   nRF-Connect                   	0x0000000100f6d500 specialized SecureDFUControlPoint.peripheral(_:didUpdateValueFor:error:) + 1436 (SecureDFUControlPoint.swift:621)
3   nRF-Connect                   	0x0000000100f6bc8c @objc SecureDFUControlPoint.peripheral(_:didUpdateNotificationStateFor:error:) + 108
4   CoreBluetooth                 	0x00000001be97b64c -[CBPeripheral handleAttributeEvent:args:attributeSelector:delegateSelector:delegateFlag:] + 188 (CBPeripheral.m:804)
5   CoreBluetooth                 	0x00000001be97b7f0 -[CBPeripheral handleCharacteristicEvent:characteristicSelector:delegateSelector:delegateFlag:] + 124 (CBPeripheral.m:826)
6   CoreBluetooth                 	0x00000001be977994 -[CBPeripheral handleMsg:args:] + 600 (CBPeripheral.m:233)
7   CoreBluetooth                 	0x00000001be961af0 -[CBCentralManager handleMsg:args:] + 192 (CBCentralManager.m:1451)
8   CoreBluetooth                 	0x00000001be9a22b8 -[CBManager xpcConnectionDidReceiveMsg:args:] + 208 (CBManager.m:428)
9   CoreBluetooth                 	0x00000001be9916c0 __30-[CBXpcConnection _handleMsg:]_block_invoke + 68 (CBXpcConnection.m:370)
10  libdispatch.dylib             	0x000000019fe16e68 _dispatch_call_block_and_release + 32 (init.c:1517)
11  libdispatch.dylib             	0x000000019fe18a2c _dispatch_client_callout + 20 (object.m:560)
12  libdispatch.dylib             	0x000000019fe20124 _dispatch_lane_serial_drain + 668 (inline_internal.h:2622)
13  libdispatch.dylib             	0x000000019fe20cb4 _dispatch_lane_invoke + 444 (queue.c:3944)
14  libdispatch.dylib             	0x000000019fe20000 _dispatch_lane_serial_drain + 376 (inline_internal.h:0)
15  libdispatch.dylib             	0x000000019fe20cb4 _dispatch_lane_invoke + 444 (queue.c:3944)
16  libdispatch.dylib             	0x000000019fe20000 _dispatch_lane_serial_drain + 376 (inline_internal.h:0)
17  libdispatch.dylib             	0x000000019fe20c80 _dispatch_lane_invoke + 392 (queue.c:3944)
18  libdispatch.dylib             	0x000000019fe2b500 _dispatch_workloop_worker_thread + 648 (queue.c:6732)
19  libsystem_pthread.dylib       	0x000000021110a0bc _pthread_wqthread + 288 (pthread.c:2599)
20  libsystem_pthread.dylib       	0x0000000211109e5c start_wqthread + 8

Quick analysis shows we're force-unwrapping SecureDFUResponse's maxSize, offset and crc. The obvious fix would be to just guard those properties and, if they're not there, to report an Error. But the code-path leading to this code getting executed suggests we might be executing the callback for the wrong type of response, so we're going to sacrifice killing the bug in exchange for perhaps learning new information regarding the root cause of the issue.

@dinesharjani
Invalid Opcode Response Detection to prevent Crash
2c58491 
The following Stack Trace happens in nRF Connect 2.5.1:
Thread 13 name:
Thread 13 Crashed:
0   nRF-Connect                   	0x0000000100f77410 closure NordicSemiconductor#1 in SecureDFUPeripheral.selectCommandObject() + 384 (SecureDFUPeripheral.swift:0)
1   nRF-Connect                   	0x0000000100f772d8 closure NordicSemiconductor#1 in SecureDFUPeripheral.selectCommandObject() + 72 (SecureDFUPeripheral.swift:187)
2   nRF-Connect                   	0x0000000100f6d500 specialized SecureDFUControlPoint.peripheral(_:didUpdateValueFor:error:) + 1436 (SecureDFUControlPoint.swift:621)
3   nRF-Connect                   	0x0000000100f6bc8c @objc SecureDFUControlPoint.peripheral(_:didUpdateNotificationStateFor:error:) + 108
4   CoreBluetooth                 	0x00000001be97b64c -[CBPeripheral handleAttributeEvent:args:attributeSelector:delegateSelector:delegateFlag:] + 188 (CBPeripheral.m:804)
5   CoreBluetooth                 	0x00000001be97b7f0 -[CBPeripheral handleCharacteristicEvent:characteristicSelector:delegateSelector:delegateFlag:] + 124 (CBPeripheral.m:826)
6   CoreBluetooth                 	0x00000001be977994 -[CBPeripheral handleMsg:args:] + 600 (CBPeripheral.m:233)
7   CoreBluetooth                 	0x00000001be961af0 -[CBCentralManager handleMsg:args:] + 192 (CBCentralManager.m:1451)
8   CoreBluetooth                 	0x00000001be9a22b8 -[CBManager xpcConnectionDidReceiveMsg:args:] + 208 (CBManager.m:428)
9   CoreBluetooth                 	0x00000001be9916c0 __30-[CBXpcConnection _handleMsg:]_block_invoke + 68 (CBXpcConnection.m:370)
10  libdispatch.dylib             	0x000000019fe16e68 _dispatch_call_block_and_release + 32 (init.c:1517)
11  libdispatch.dylib             	0x000000019fe18a2c _dispatch_client_callout + 20 (object.m:560)
12  libdispatch.dylib             	0x000000019fe20124 _dispatch_lane_serial_drain + 668 (inline_internal.h:2622)
13  libdispatch.dylib             	0x000000019fe20cb4 _dispatch_lane_invoke + 444 (queue.c:3944)
14  libdispatch.dylib             	0x000000019fe20000 _dispatch_lane_serial_drain + 376 (inline_internal.h:0)
15  libdispatch.dylib             	0x000000019fe20cb4 _dispatch_lane_invoke + 444 (queue.c:3944)
16  libdispatch.dylib             	0x000000019fe20000 _dispatch_lane_serial_drain + 376 (inline_internal.h:0)
17  libdispatch.dylib             	0x000000019fe20c80 _dispatch_lane_invoke + 392 (queue.c:3944)
18  libdispatch.dylib             	0x000000019fe2b500 _dispatch_workloop_worker_thread + 648 (queue.c:6732)
19  libsystem_pthread.dylib       	0x000000021110a0bc _pthread_wqthread + 288 (pthread.c:2599)
20  libsystem_pthread.dylib       	0x0000000211109e5c start_wqthread + 8

Quick analysis shows we're force-unwrapping SecureDFUResponse's maxSize, offset and crc. The obvious fix would be to just guard those properties and if they're not there, to report an Error. But the code-path leading to this code getting executed suggests we might be executing the callback for the wrong type of response, so we're going to sacrifice killing the bug in exchange for perhaps learning new information regarding the root cause of the issue.
@dinesharjani dinesharjani self-assigned this May 27, 2022
@dinesharjani dinesharjani merged commit 1f07447 into NordicSemiconductor:master May 30, 2022
@dinesharjani dinesharjani deleted the force-unwrap-crash branch May 30, 2022 08:49
This was referenced Jun 29, 2022
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@philips77 philips77 philips77 approved these changes

Assignees

@dinesharjani dinesharjani

Labels
bug enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@dinesharjani @philips77