- Nov 11, 2022
-
-
Aleksander Morgado authored
For messages that may be composed of multiple fragments, the _mbim_message_validate_type_header() method would validate whether the fragment header can be read or not, because not all fragments contain the additional type-specific header contents. But once the message is complete with all fragments, the message validation must also ensure that the type-specific header contents are readable before attempting to read them, or we will end up with invalid memory reads.

Detected via ASAN+Fuzzing:

==5169==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000bc9ac at pc 0x55a9fc0d536d bp 0x7ffc556bb7b0 sp 0x7ffc556bb7a8
READ of size 4 at 0x6030000bc9ac thread T0
    #0 0x55a9fc0d536c in _mbim_message_validate_complete_fragment libmbim-9999-build/../libmbim-9999/src/libmbim-glib/mbim-message.c:239:28
    #1 0x55a9fc0baf40 in _mbim_message_validate_fragment libmbim-9999-build/../libmbim-9999/src/libmbim-glib/mbim-message.c:279:12
    #2 0x55a9fc0ba7a1 in mbim_message_validate libmbim-9999-build/../libmbim-9999/src/libmbim-glib/mbim-message.c:292:12
    #3 0x55a9fc0b9af1 in LLVMFuzzerTestOneInput libmbim-9999-build/../libmbim-9999/src/libmbim-glib/test/test-message-fuzzer.c:25:5

(cherry picked from commit 37825b4e)
-
- Oct 26, 2022
-
-
Aleksander Morgado authored
-
Aleksander Morgado authored
-
- Oct 19, 2022
-
-
Aleksander Morgado authored
The task completion involves creating a duplicate of the MbimMessage, so a duplicate of the contents of the internal `self->priv->response` buffer. This internal buffer may be cleared e.g. with a forced-close, which users of the MbimDevice may decide to do upon a SIGNAL_ERROR, as the mbim-proxy does. So, avoid this race by making sure the task completion and the message duplication happen before the SIGNAL_ERROR is emitted.

Thread 0(id: 3296) CRASHED [ SIGSEGV /0x00000000@0x0000000000000004 ]
0x00007ce3552f7c32 (libmbim-glib.so.4 - mbim-message.c: 1293) mbim_message_dup
0x00007ce3552fbfd9 (libmbim-glib.so.4 - mbim-device.c: 661) data_available
0x00007ce35525639a (libglib-2.0.so.0 - gmain.c: 3325) g_main_context_dispatch
0x00007ce3552566a7 (libglib-2.0.so.0 - gmain.c: 4119) g_main_context_iterate
0x00007ce355256923 (libglib-2.0.so.0 - gmain.c: 4317) g_main_loop_run
0x00005ae0f48a5524 (mbim-proxy - mbim-proxy.c: 267) main
0x00007ce35501ce04 (libc.so.6) __libc_start_main
0x00005ae0f48a52d9 (mbim-proxy) _start
0x00007ffcca5b6897

Fixes ModemManager#422
- Oct 12, 2022
-
-
Aleksander Morgado authored
-
- Oct 10, 2022
-
- Oct 04, 2022
-
-
Aleksander Morgado authored
-
Aleksander Morgado authored
Fixes #33
-
- Oct 03, 2022
-
-
Aleksander Morgado authored
-
Aleksander Morgado authored
-
Aleksander Morgado authored
-
Aleksander Morgado authored
There is no compat action given with the old name, because the old name already exists in the basic connect service. These Quectel-specific methods should have always been prefixed with --quectel.
-
Aleksander Morgado authored
-
Aleksander Morgado authored
-
This commit provides an option to test the UICC terminal capability using an mbimcli option.
Co-author: Bestha, Lakshminarayana
-
This commit provides an option to test the UICC reset using an mbimcli option.
Co-author: Bestha, Lakshminarayana
-
This commit provides an option to test the UICC APDU using an mbimcli option.
Co-author: Bestha, Lakshminarayana
-
This commit provides an option to test the UICC ATR using an mbimcli option.
Co-author: Bestha, Lakshminarayana
-
Fixes #31
AtrData should be a byte array as per the MBIM spec, but the data type is used as a string in the JSON.
Co-author: Bestha, Lakshminarayana
-
This commit provides an option to test close channel using an mbimcli option.
Co-author: Bestha, Lakshminarayana
-
This commit provides an option to test open channel using an mbimcli option.
Co-author: Bestha, Lakshminarayana
- Sep 27, 2022
-
-
Aleksander Morgado authored
The methods are protected with g_return_() checks. These checks may be disabled on specific builds, so it is still expected that the user has called mbim_message_validate() before using the methods.
-
Aleksander Morgado authored
-
Aleksander Morgado authored
-
Aleksander Morgado authored
-
- Sep 23, 2022
-
-
Aleksander Morgado authored
-
- Sep 16, 2022
-
-
This commit provides an option to test service activation using an mbimcli option.
Co-author: Bestha, Lakshminarayana
-
This commit provides an option to test the emergency mode state using an mbimcli option.
Co-author: Bestha, Lakshminarayana
-
This commit provides an option to test the network idle hint using an mbimcli option.
Co-author: Bestha, Lakshminarayana
-
This commit provides an option to test signal-state using an mbimcli option.
Co-author: Bestha, Lakshminarayana
-
This commit provides an option to test provisioned context using an mbimcli option.
Co-author: Bestha, Lakshminarayana
-
- Sep 15, 2022
-
-
Aleksander Morgado authored
Found during code review, no valgrind backtrace available.
-
Aleksander Morgado authored
==84574== Invalid free() / delete / delete[] / realloc()
==84574==    at 0x484426F: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==84574==    by 0x4CEAB75: g_error_free (gerror.c:853)
==84574==    by 0x49E5903: glib_autoptr_clear_GError (glib-autocleanups.h:52)
==84574==    by 0x49E5903: glib_autoptr_cleanup_GError (glib-autocleanups.h:52)
==84574==    by 0x49E5903: device_services_message_ready (mbim-device.c:1730)
==84574==    by 0x4B24503: g_task_return_now (gtask.c:1230)
==84574==    by 0x4B281BC: UnknownInlinedFun (gtask.c:1299)
==84574==    by 0x4B281BC: g_task_return (gtask.c:1256)
==84574==    by 0x49E23B2: transaction_task_complete_and_free (mbim-device.c:253)
==84574==    by 0x49E2977: transaction_timed_out (mbim-device.c:335)
==84574==    by 0x4CFF336: g_timeout_dispatch (gmain.c:4971)
==84574==    by 0x4CFEB2A: UnknownInlinedFun (gmain.c:3417)
==84574==    by 0x4CFEB2A: g_main_context_dispatch (gmain.c:4135)
==84574==    by 0x4D54E78: g_main_context_iterate.constprop.0 (gmain.c:4211)
==84574==    by 0x4CFE08E: g_main_loop_run (gmain.c:4411)
==84574==    by 0x1422A6: main (in /usr/bin/ModemManager)
==84574==  Address 0x8b0d810 is 0 bytes inside a block of size 22 free'd
==84574==    at 0x484426F: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==84574==    by 0x4CEAB75: g_error_free (gerror.c:853)
==84574==    by 0x4CEAD3A: g_clear_error (gerror.c:1052)
==84574==    by 0x1D8526: mbim_port_open_ready (in /usr/bin/ModemManager)
==84574==    by 0x4B24503: g_task_return_now (gtask.c:1230)
==84574==    by 0x4B281BC: UnknownInlinedFun (gtask.c:1299)
==84574==    by 0x4B281BC: g_task_return (gtask.c:1256)
==84574==    by 0x217BB6: mbim_device_open_ready (in /usr/bin/ModemManager)
==84574==    by 0x4B24503: g_task_return_now (gtask.c:1230)
==84574==    by 0x4B281BC: UnknownInlinedFun (gtask.c:1299)
==84574==    by 0x4B281BC: g_task_return (gtask.c:1256)
==84574==    by 0x49E58DD: device_services_message_ready (mbim-device.c:1748)
==84574==    by 0x4B24503: g_task_return_now (gtask.c:1230)
==84574==    by 0x4B281BC: UnknownInlinedFun (gtask.c:1299)
==84574==    by 0x4B281BC: g_task_return (gtask.c:1256)
==84574==  Block was alloc'd at
==84574==    at 0x4841888: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==84574==    by 0x4D079D9: g_malloc (gmem.c:125)
==84574==    by 0x4D1CB44: g_strdup (gstrfuncs.c:361)
==84574==    by 0x4CEA832: g_error_copy (gerror.c:892)
==84574==    by 0x49E23A7: transaction_task_complete_and_free (mbim-device.c:253)
==84574==    by 0x49E2977: transaction_timed_out (mbim-device.c:335)
==84574==    by 0x4CFF336: g_timeout_dispatch (gmain.c:4971)
==84574==    by 0x4CFEB2A: UnknownInlinedFun (gmain.c:3417)
==84574==    by 0x4CFEB2A: g_main_context_dispatch (gmain.c:4135)
==84574==    by 0x4D54E78: g_main_context_iterate.constprop.0 (gmain.c:4211)
==84574==    by 0x4CFE08E: g_main_loop_run (gmain.c:4411)
==84574==    by 0x1422A6: main (in /usr/bin/ModemManager)
-
- Sep 07, 2022
-
-
Aleksander Morgado authored
-
Aleksander Morgado authored
$ sudo mbimcli -p -d /dev/wwan0mbim0 --ms-query-uicc-read-record="application-id=A0000000871002FF34FF0789312E30FF,file-path=3F002FE2"
[/dev/wwan0mbim0] UICC file record read:
    Status word 1: 144
    Status word 2: 0
             Data: 98:43:70:77:00:10:85:84:36:F8
-
Aleksander Morgado authored
$ sudo mbimcli -p -d /dev/wwan0mbim0 --ms-query-uicc-read-binary="application-id=A0000000871002FF34FF0789312E30FF,file-path=7FFF6F3E"
[/dev/wwan0mbim0] UICC file binary read:
    Status word 1: 144
    Status word 2: 0
             Data: 01
-
Aleksander Morgado authored
$ sudo mbimcli -p -d /dev/wwan0mbim0 --ms-query-uicc-file-status="application-id=A0000000871002FF34FF0789312E30FF,file-path=7FFF6F3E"
[/dev/wwan0mbim0] UICC file status retrieved:
    Status word 1: 144
    Status word 2: 0
    Accessibility: unknown
             Type: unknown
        Structure: transparent
       Item count: 1
        Item size: 1
    Access conditions:
             Read: pin1
           Update: adm
         Activate: adm
       Deactivate: adm

$ sudo mbimcli -p -d /dev/wwan0mbim0 --ms-query-uicc-file-status="application-id=A0000000871002FF34FF0789312E30FF,file-path=3F002FE2"
[/dev/wwan0mbim0] UICC file status retrieved:
    Status word 1: 144
    Status word 2: 0
    Accessibility: unknown
             Type: unknown
        Structure: transparent
       Item count: 1
        Item size: 10
    Access conditions:
             Read: unknown
           Update: unknown
         Activate: adm
       Deactivate: adm
-