Guru Meditation Error and rebooting when using ESP32 bluetooth

u_ding
Posts: 6
Joined: Tue Apr 16, 2024 6:11 am

Guru Meditation Error and rebooting when using ESP32 bluetooth

Postby u_ding » Sun Apr 21, 2024 12:36 pm

ESP-IDF 5.1: when the AVDT layer message is modified and sent out, a Guru Meditation Error and reboot are triggered. According to the backtrace, there should be a problem in the HCI layer.

Example used: a2dp_source
Modified code: esp-idf/components/bt/host/bluedroid/stack/avdt/avdt_ad.c

Code:

    /* headers needed by the additions below (srand/time, printf, PRIu16) */
    #include <inttypes.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <time.h>

    UINT8 avdt_ad_write_req(UINT8 type, tAVDT_CCB *p_ccb, tAVDT_SCB *p_scb, BT_HDR *p_buf)
    {
        UINT8 tcid;

        /* get tcid from type, scb */
        tcid = avdt_ad_type_to_tcid(type, p_scb);

        srand(time(NULL));
        // p_buf[0].event = (uint16_t)rand();

        /* the modification described in the post: overwrite every BT_HDR field
         * of a media-channel packet with random values before it goes downstream */
        if (type == AVDT_CHAN_MEDIA) {
            p_buf->event = (uint16_t)rand();
            p_buf->len = (uint16_t)rand() % 255;
            p_buf->offset = (uint16_t)rand();
            p_buf->layer_specific = (uint16_t)rand();
            for (int i = 0; i < p_buf->len; ++i) p_buf->data[i] = (uint16_t)rand();
        }

        /* dump every 1000th header so the values in play can be matched to a crash */
        static int dk_cnt = 0;
        if (++dk_cnt % 1000 == 0) {
            dk_cnt = 0, printf("\n\n avdt_ad_write_req \n");
            printf("%" PRIu16 " ", p_buf->event);
            printf("%" PRIu16 " ", p_buf->len);
            printf("%" PRIu16 " ", p_buf->offset);
            printf("%" PRIu16 " \n", p_buf->layer_specific);
            for (int i = 0; i < p_buf->len; ++i) printf("%" PRIu16 " ", p_buf->data[i]);
            printf("\n\n");
        }

        return L2CA_DataWrite(avdt_cb.ad.rt_tbl[avdt_ccb_to_idx(p_ccb)][tcid].lcid, p_buf);
    }

Code:

Guru Meditation Error: Core  0 panic'ed (StoreProhibited). Exception was unhandled.

Core 0 register dump:
PC : 0x40093232 PS : 0x00060333 A0 : 0x80092e87 A1 : 0x3ffd0350
0x40093232: remove_free_block at /root/esp/esp-idf/components/heap/tlsf/tlsf.c:332
(inlined by) block_remove at /root/esp/esp-idf/components/heap/tlsf/tlsf.c:380
(inlined by) block_merge_next at /root/esp/esp-idf/components/heap/tlsf/tlsf.c:486
(inlined by) tlsf_free at /root/esp/esp-idf/components/heap/tlsf/tlsf.c:1123

A2 : 0x3ffcc144 A3 : 0x3ffd7838 A4 : 0x3ffd7830 A5 : 0x3ffc0042
A6 : 0x00000028 A7 : 0x00000058 A8 : 0x00000018 A9 : 0x3ffd8844
A10 : 0x3ffd8844 A11 : 0x00000000 A12 : 0x0099009d A13 : 0x00000004
A14 : 0xb33fffff A15 : 0xb33fffff SAR : 0x0000001c EXCCAUSE: 0x0000001d
EXCVADDR: 0x009900a9 LBEG : 0x4000c2e0 LEND : 0x4000c2f6 LCOUNT : 0xffffffff
0x4000c2e0: memcpy in ROM
0x4000c2f6: memcpy in ROM

Backtrace: 0x4009322f:0x3ffd0350 0x40092e84:0x3ffd0370 0x40082362:0x3ffd0390 0x4009406d:0x3ffd03b0 0x400de242:0x3ffd03d0 0x400df122:0x3ffd03f0 0x400de459:0x3ffd0410 0x4010c2fa:0x3ffd0430 0x400de4b5:0x3ffd0450 0x4010d2ce:0x3ffd0470 0x4010d19a:0x3ffd0490 0x40090ad5:0x3ffd04c0
0x4009322f: remove_free_block at /root/esp/esp-idf/components/heap/tlsf/tlsf.c:331
(inlined by) block_remove at /root/esp/esp-idf/components/heap/tlsf/tlsf.c:380
(inlined by) block_merge_next at /root/esp/esp-idf/components/heap/tlsf/tlsf.c:486
(inlined by) tlsf_free at /root/esp/esp-idf/components/heap/tlsf/tlsf.c:1123
0x40092e84: multi_heap_free_impl at /root/esp/esp-idf/components/heap/multi_heap.c:231
0x40082362: heap_caps_free at /root/esp/esp-idf/components/heap/heap_caps.c:388
0x4009406d: free at /root/esp/esp-idf/components/newlib/heap.c:39
0x400de242: transmit_fragment at /root/esp/esp-idf/components/bt/host/bluedroid/hci/hci_layer.c:350
0x400df122: fragment_and_dispatch at /root/esp/esp-idf/components/bt/host/bluedroid/hci/packet_fragmenter.c:132
0x400de459: event_packet_ready at /root/esp/esp-idf/components/bt/host/bluedroid/hci/hci_layer.c:338
0x4010c2fa: fixed_queue_process at /root/esp/esp-idf/components/bt/common/osi/fixed_queue.c:254
0x400de4b5: hci_downstream_data_handler at /root/esp/esp-idf/components/bt/host/bluedroid/hci/hci_layer.c:238
0x4010d2ce: osi_thread_generic_event_handler at /root/esp/esp-idf/components/bt/common/osi/thread.c:425
0x4010d19a: osi_thread_run at /root/esp/esp-idf/components/bt/common/osi/thread.c:165 (discriminator 1)
0x40090ad5: vPortTaskWrapper at /root/esp/esp-idf/components/freertos/FreeRTOS-Kernel/portable/xtensa/port.c:162

ELF file SHA256: fb53a7e2e55ccb03

Rebooting...
ets Jul 29 2019 12:21:46

Sprite
Espressif staff
Posts: 10593
Joined: Thu Nov 26, 2015 4:08 am

Re: Guru Meditation Error and rebooting when using ESP32 bluetooth

Postby Sprite » Mon Apr 22, 2024 6:39 am

Looks like memory corruption, and unfortunately that's not trivial to backtrace. I'd suggest taking a long hard look at your code, see if you're overflowing a buffer somewhere.
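
A bounds check of the kind Sprite's reply points at, added here as an example that is not code from this thread or from ESP-IDF: it reproduces the BT_HDR field layout from Bluedroid and rejects a header whose offset/len, like the random values written in the first post, would make the HCI layer's memcpy run outside the heap block. The alloc_size parameter, check_header and copy_demo are assumptions for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for Bluedroid's BT_HDR (field order as in bt_types.h), constructed here so it builds without ESP-IDF */
typedef struct {
    uint16_t event, len, offset, layer_specific;
    uint8_t  data[];
} BT_HDR;

/* True only if [offset, offset+len) lies inside the payload area of a block
 * allocated with alloc_size bytes. alloc_size is an assumed input: the HCI
 * code in the backtrace has no such parameter and trusts the header as-is. */
bool bt_hdr_bounds_ok(const BT_HDR *p, size_t alloc_size)
{
    if (p == NULL || alloc_size < sizeof(BT_HDR)) return false;
    /* both fields are uint16_t, so the sum cannot overflow size_t */
    return (size_t)p->offset + (size_t)p->len <= alloc_size - sizeof(BT_HDR);
}

/* Copy the bytes the fragmenter would transmit into out (capacity out_cap).
 * Returns the count, or -1 if the header disagrees with the allocation. */
int bt_hdr_copy_payload(const BT_HDR *p, size_t alloc_size,
                        uint8_t *out, size_t out_cap)
{
    if (!bt_hdr_bounds_ok(p, alloc_size) || p->len > out_cap) return -1;
    memcpy(out, p->data + p->offset, p->len);
    return (int)p->len;
}

/* Constructed: put len/offset into a 64-byte block (8-byte header, 56
 * payload bytes), as the post's loop does, and return the verdict. */
bool check_header(uint16_t len, uint16_t offset)
{
    static _Alignas(BT_HDR) uint8_t block[64];
    BT_HDR *p = (BT_HDR *)block;
    p->len = len; p->offset = offset;
    return bt_hdr_bounds_ok(p, sizeof block);
}

/* Constructed: 4 payload bytes at offset 2 in a 16-byte block; returns 4 */
int copy_demo(void)
{
    static _Alignas(BT_HDR) uint8_t block[16]; uint8_t out[8];
    BT_HDR *p = (BT_HDR *)block;
    p->len = 4; p->offset = 2; memcpy(p->data + 2, "abcd", 4);
    int n = bt_hdr_copy_payload(p, sizeof block, out, sizeof out);
    return (n == 4 && memcmp(out, "abcd", 4) == 0) ? n : -1;
}
```

A header that fails the check is dropped before L2CA_DataWrite, which turns the silent heap corruption seen in tlsf_free into an explicit error at the point where the bad values are introduced.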

u_ding
Posts: 6
Joined: Tue Apr 16, 2024 6:11 am

Re: Guru Meditation Error and rebooting when using ESP32 bluetooth

Postby u_ding » Wed May 08, 2024 11:29 pm

CVE-2024-33454 is assigned to this problem.
