diff options
author | Ralph Siemsen <ralph.siemsen@linaro.org> | 2022-03-31 21:13:33 -0400 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-04-09 08:27:11 +0100 |
commit | 64205bf3ec07a6b6249dae1f5b9ad9e190b3101e (patch) | |
tree | 61c01ffd491e13445e734c171aeb1ccdb6b5dc53 | |
parent | 048094bcf91ba71f875fff7a8c725f998d2e3f28 (diff) | |
download | poky-64205bf3ec07a6b6249dae1f5b9ad9e190b3101e.tar.gz |
bluez5: fix CVE-2022-0204
Fix heap overflow when appending prepare writes
The code shall check if the prepare writes would append more the
allowed maximum attribute length.
Upstream-Status: Backport [https://github.com/bluez/bluez/commit/591c546c536b42bef696d027f64aa22434f8c3f0]
CVE: CVE-2022-0204
(From OE-Core rev: 058dec11cc6580212c6d4560d0f0e5b704d501dc)
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-connectivity/bluez5/bluez5.inc | 1 | ||||
-rw-r--r-- | meta/recipes-connectivity/bluez5/bluez5/CVE-2022-0204.patch | 66 |
2 files changed, 67 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc index 7cf061dcf6..4d4348898a 100644 --- a/meta/recipes-connectivity/bluez5/bluez5.inc +++ b/meta/recipes-connectivity/bluez5/bluez5.inc | |||
@@ -55,6 +55,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \ | |||
55 | file://CVE-2021-0129.patch \ | 55 | file://CVE-2021-0129.patch \ |
56 | file://CVE-2021-3588.patch \ | 56 | file://CVE-2021-3588.patch \ |
57 | file://CVE-2021-3658.patch \ | 57 | file://CVE-2021-3658.patch \ |
58 | file://CVE-2022-0204.patch \ | ||
58 | " | 59 | " |
59 | S = "${WORKDIR}/bluez-${PV}" | 60 | S = "${WORKDIR}/bluez-${PV}" |
60 | 61 | ||
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-0204.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-0204.patch new file mode 100644 index 0000000000..646b5ddfc8 --- /dev/null +++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-0204.patch | |||
@@ -0,0 +1,66 @@ | |||
1 | From 0d328fdf6564b67fc2ec3533e3da201ebabcc9e3 Mon Sep 17 00:00:00 2001 | ||
2 | From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | ||
3 | Date: Tue, 8 Jun 2021 16:46:49 -0700 | ||
4 | Subject: [PATCH] shared/gatt-server: Fix heap overflow when appending prepare | ||
5 | writes | ||
6 | |||
7 | The code shall check if the prepare writes would append more the | ||
8 | allowed maximum attribute length. | ||
9 | |||
10 | Fixes https://github.com/bluez/bluez/security/advisories/GHSA-479m-xcq5-9g2q | ||
11 | |||
12 | Upstream-Status: Backport [https://github.com/bluez/bluez/commit/591c546c536b42bef696d027f64aa22434f8c3f0] | ||
13 | Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org> | ||
14 | CVE: CVE-2022-0204 | ||
15 | |||
16 | --- | ||
17 | src/shared/gatt-server.c | 22 ++++++++++++++++++++++ | ||
18 | 1 file changed, 22 insertions(+) | ||
19 | |||
20 | diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c | ||
21 | index 0c25a97..20e14bc 100644 | ||
22 | --- a/src/shared/gatt-server.c | ||
23 | +++ b/src/shared/gatt-server.c | ||
24 | @@ -816,6 +816,20 @@ static uint8_t authorize_req(struct bt_gatt_server *server, | ||
25 | server->authorize_data); | ||
26 | } | ||
27 | |||
28 | +static uint8_t check_length(uint16_t length, uint16_t offset) | ||
29 | +{ | ||
30 | + if (length > BT_ATT_MAX_VALUE_LEN) | ||
31 | + return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN; | ||
32 | + | ||
33 | + if (offset > BT_ATT_MAX_VALUE_LEN) | ||
34 | + return BT_ATT_ERROR_INVALID_OFFSET; | ||
35 | + | ||
36 | + if (length + offset > BT_ATT_MAX_VALUE_LEN) | ||
37 | + return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN; | ||
38 | + | ||
39 | + return 0; | ||
40 | +} | ||
41 | + | ||
42 | static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu, | ||
43 | uint16_t length, void *user_data) | ||
44 | { | ||
45 | @@ -846,6 +860,10 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu, | ||
46 | (opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd", | ||
47 | handle); | ||
48 | |||
49 | + ecode = check_length(length, 0); | ||
50 | + if (ecode) | ||
51 | + goto error; | ||
52 | + | ||
53 | ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK); | ||
54 | if (ecode) | ||
55 | goto error; | ||
56 | @@ -1353,6 +1371,10 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode, | ||
57 | util_debug(server->debug_callback, server->debug_data, | ||
58 | "Prep Write Req - handle: 0x%04x", handle); | ||
59 | |||
60 | + ecode = check_length(length, offset); | ||
61 | + if (ecode) | ||
62 | + goto error; | ||
63 | + | ||
64 | ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK); | ||
65 | if (ecode) | ||
66 | goto error; | ||