Commit 1754c587 authored by Angus Gratton's avatar Angus Gratton Committed by Damien George

esp32: Fix heap corruption triggered by bluetooth.active(0).

It seems like at some point Espressif NimBLE team changed
nimble_port_init and nimble_port_deinit to manage HCI init
internally:
https://github.com/espressif/esp-nimble/commit/f8a79b04c9743543b8959727d7

This change is included in all the IDF versions that MicroPython supports.

As a result, existing code that called esp_nimble_hci_deinit() explicitly
would trigger a use-after-free bug and heap corruption (specifically this
calls through to ble_transport_deinit() which calls os_mempool_free(). The
second time this writes out to a bunch of memory pools where the backing
buffers have already been freed.)

Symptoms were intermittent random crashes after de-activating Bluetooth
(running multi_bluetooth/ble_gatt_data_transfer.py could sometimes
reproduce). Setting Heap Poisoning to Comprehensive in menuconfig caused
the bug to be detected every time.

This work was funded through GitHub Sponsors.
Signed-off-by: default avatarAngus Gratton <angus@redyak.com.au>
parent 6f27e1c9
...@@ -32,7 +32,6 @@ ...@@ -32,7 +32,6 @@
#define DEBUG_printf(...) // printf("nimble (esp32): " __VA_ARGS__) #define DEBUG_printf(...) // printf("nimble (esp32): " __VA_ARGS__)
#include "esp_nimble_hci.h"
#include "nimble/nimble_port.h" #include "nimble/nimble_port.h"
#include "nimble/nimble_port_freertos.h" #include "nimble/nimble_port_freertos.h"
...@@ -45,14 +44,13 @@ static void ble_host_task(void *param) { ...@@ -45,14 +44,13 @@ static void ble_host_task(void *param) {
} }
void mp_bluetooth_nimble_port_hci_init(void) { void mp_bluetooth_nimble_port_hci_init(void) {
DEBUG_printf("mp_bluetooth_nimble_port_hci_init\n"); // On ESP-IDF the standard nimble_port_init() function calls
esp_nimble_hci_init(); // esp_nimble_init() which initialises the HCI
} }
void mp_bluetooth_nimble_port_hci_deinit(void) { void mp_bluetooth_nimble_port_hci_deinit(void) {
DEBUG_printf("mp_bluetooth_nimble_port_hci_deinit\n"); // As above, this is handled by ESP-IDF nimble_port_deinit()
// (called below)
esp_nimble_hci_deinit();
} }
void mp_bluetooth_nimble_port_start(void) { void mp_bluetooth_nimble_port_start(void) {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment