bluez5: fix CVE-2020-27153

(From OE-Core rev: 4b0688bb8abb2fb8a620541207d40e90e4bf16f9) Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Chee Yang Lee <chee.yang.lee@intel.com> 2020-11-02 08:44:30 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-11-03 08:29:09 +0000
commit: 27a6fcbd314e7c2fc6be4266ae8a256b5714ef36 (patch)
tree: 700874dd2f2dae922f50cec81636d54034f8e409
parent: fb6eff16afd9b78706dd8a0973b83e152dceef8b (diff)
download: poky-27a6fcbd314e7c2fc6be4266ae8a256b5714ef36.tar.gz
2 files changed, 148 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2020-27153.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2020-27153.patch
new file mode 100644
index 0000000000..7b06dd2071
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2020-27153.patch
@@ -0,0 +1,146 @@
+From 1cd644db8c23a2f530ddb93cebed7dacc5f5721a Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Wed, 15 Jul 2020 18:25:37 -0700
+Subject: [PATCH] shared/att: Fix possible crash on disconnect
+If there are pending request while disconnecting they would be notified
+but clients may endup being freed in the proccess which will then be
+calling bt_att_cancel to cancal its requests causing the following
+trace:
+Invalid read of size 4
+   at 0x1D894C: enable_ccc_callback (gatt-client.c:1627)
+   by 0x1D247B: disc_att_send_op (att.c:417)
+   by 0x1CCC17: queue_remove_all (queue.c:354)
+   by 0x1D47B7: disconnect_cb (att.c:635)
+   by 0x1E0707: watch_callback (io-glib.c:170)
+   by 0x48E963B: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.6400.4)
+   by 0x48E9AC7: ??? (in /usr/lib/libglib-2.0.so.0.6400.4)
+   by 0x48E9ECF: g_main_loop_run (in /usr/lib/libglib-2.0.so.0.6400.4)
+   by 0x1E0E97: mainloop_run (mainloop-glib.c:79)
+   by 0x1E13B3: mainloop_run_with_signal (mainloop-notify.c:201)
+   by 0x12BC3B: main (main.c:770)
+ Address 0x7d40a28 is 24 bytes inside a block of size 32 free'd
+   at 0x484A2E0: free (vg_replace_malloc.c:540)
+   by 0x1CCC17: queue_remove_all (queue.c:354)
+   by 0x1CCC83: queue_destroy (queue.c:73)
+   by 0x1D7DD7: bt_gatt_client_free (gatt-client.c:2209)
+   by 0x16497B: batt_free (battery.c:77)
+   by 0x16497B: batt_remove (battery.c:286)
+   by 0x1A0013: service_remove (service.c:176)
+   by 0x1A9B7B: device_remove_gatt_service (device.c:3691)
+   by 0x1A9B7B: gatt_service_removed (device.c:3805)
+   by 0x1CC90B: queue_foreach (queue.c:220)
+   by 0x1DE27B: notify_service_changed.isra.0.part.0 (gatt-db.c:369)
+   by 0x1DE387: notify_service_changed (gatt-db.c:361)
+   by 0x1DE387: gatt_db_service_destroy (gatt-db.c:385)
+   by 0x1DE3EF: gatt_db_remove_service (gatt-db.c:519)
+   by 0x1D674F: discovery_op_complete (gatt-client.c:388)
+   by 0x1D6877: discover_primary_cb (gatt-client.c:1260)
+   by 0x1E220B: discovery_op_complete (gatt-helpers.c:628)
+   by 0x1E249B: read_by_grp_type_cb (gatt-helpers.c:730)
+   by 0x1D247B: disc_att_send_op (att.c:417)
+   by 0x1CCC17: queue_remove_all (queue.c:354)
+   by 0x1D47B7: disconnect_cb (att.c:635)
+Upstream-Status: Backport
+[https://github.com/bluez/bluez/commit/1cd644db8c23a2f530ddb93cebed7dacc5f5721a]
+CVE: CVE-2020-27153
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ src/shared/att.c | 46 ++++++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 40 insertions(+), 6 deletions(-)
+diff --git a/src/shared/att.c b/src/shared/att.c
+index ed3af2920..58f23dfcb 100644
+--- a/src/shared/att.c
+++ b/src/shared/att.c
+@@ -84,6 +84,7 @@ struct bt_att {
+        struct queue *req_queue;        /* Queued ATT protocol requests */
+        struct queue *ind_queue;        /* Queued ATT protocol indications */
+        struct queue *write_queue;      /* Queue of PDUs ready to send */
+       bool in_disc;                   /* Cleanup queues on disconnect_cb */
+ 
+        bt_att_timeout_func_t timeout_callback;
+        bt_att_destroy_func_t timeout_destroy;
+@@ -222,8 +223,10 @@ static void destroy_att_send_op(void *data)
+        free(op);
+ }
+ 
+-static void cancel_att_send_op(struct att_send_op *op)
+static void cancel_att_send_op(void *data)
+ {
+       struct att_send_op *op = data;
+
+        if (op->destroy)
+                op->destroy(op->user_data);
+ 
+@@ -631,11 +634,6 @@ static bool disconnect_cb(struct io *io, void *user_data)
+        /* Dettach channel */
+        queue_remove(att->chans, chan);
+ 
+-       /* Notify request callbacks */
+-       queue_remove_all(att->req_queue, NULL, NULL, disc_att_send_op);
+-       queue_remove_all(att->ind_queue, NULL, NULL, disc_att_send_op);
+-       queue_remove_all(att->write_queue, NULL, NULL, disc_att_send_op);
+-
+        if (chan->pending_req) {
+                disc_att_send_op(chan->pending_req);
+                chan->pending_req = NULL;
+@@ -654,6 +652,15 @@ static bool disconnect_cb(struct io *io, void *user_data)
+ 
+        bt_att_ref(att);
+ 
+       att->in_disc = true;
+
+       /* Notify request callbacks */
+       queue_remove_all(att->req_queue, NULL, NULL, disc_att_send_op);
+       queue_remove_all(att->ind_queue, NULL, NULL, disc_att_send_op);
+       queue_remove_all(att->write_queue, NULL, NULL, disc_att_send_op);
+
+       att->in_disc = false;
+
+        queue_foreach(att->disconn_list, disconn_handler, INT_TO_PTR(err));
+ 
+        bt_att_unregister_all(att);
+@@ -1574,6 +1581,30 @@ bool bt_att_chan_cancel(struct bt_att_chan *chan, unsigned int id)
+        return true;
+ }
+ 
+static bool bt_att_disc_cancel(struct bt_att *att, unsigned int id)
+{
+       struct att_send_op *op;
+
+       op = queue_find(att->req_queue, match_op_id, UINT_TO_PTR(id));
+       if (op)
+               goto done;
+
+       op = queue_find(att->ind_queue, match_op_id, UINT_TO_PTR(id));
+       if (op)
+               goto done;
+
+       op = queue_find(att->write_queue, match_op_id, UINT_TO_PTR(id));
+
+done:
+       if (!op)
+               return false;
+
+       /* Just cancel since disconnect_cb will be cleaning up */
+       cancel_att_send_op(op);
+
+       return true;
+}
+
+ bool bt_att_cancel(struct bt_att *att, unsigned int id)
+ {
+        const struct queue_entry *entry;
+@@ -1591,6 +1622,9 @@ bool bt_att_cancel(struct bt_att *att, unsigned int id)
+                        return true;
+        }
+ 
+       if (att->in_disc)
+               return bt_att_disc_cancel(att, id);
+
+        op = queue_remove_if(att->req_queue, match_op_id, UINT_TO_PTR(id));
+        if (op)
+                goto done;
diff --git a/meta/recipes-connectivity/bluez5/bluez5_5.54.bb b/meta/recipes-connectivity/bluez5/bluez5_5.54.bb
index 260eee1402..9a21f14fae 100644
--- a/meta/recipes-connectivity/bluez5/bluez5_5.54.bb
+++ b/meta/recipes-connectivity/bluez5/bluez5_5.54.bb
@@ -1,5 +1,7 @@
 require bluez5.inc
+SRC_URI += " file://CVE-2020-27153.patch"
 SRC_URI[md5sum] = "e637feb2dbb7582bbbff1708367a847c"
 SRC_URI[sha256sum] = "68cdab9e63e8832b130d5979dc8c96fdb087b31278f342874d992af3e56656dc"
author	Chee Yang Lee <chee.yang.lee@intel.com>	2020-11-02 08:44:30 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2020-11-03 08:29:09 +0000
commit	27a6fcbd314e7c2fc6be4266ae8a256b5714ef36 (patch)
tree	700874dd2f2dae922f50cec81636d54034f8e409
parent	fb6eff16afd9b78706dd8a0973b83e152dceef8b (diff)
download	poky-27a6fcbd314e7c2fc6be4266ae8a256b5714ef36.tar.gz

diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2020-27153.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2020-27153.patch new file mode 100644 index 0000000000..7b06dd2071 --- /dev/null +++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2020-27153.patch
@@ -0,0 +1,146 @@
		1	From 1cd644db8c23a2f530ddb93cebed7dacc5f5721a Mon Sep 17 00:00:00 2001
		2	From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
		3	Date: Wed, 15 Jul 2020 18:25:37 -0700
		4	Subject: [PATCH] shared/att: Fix possible crash on disconnect
		5
		6	If there are pending request while disconnecting they would be notified
		7	but clients may endup being freed in the proccess which will then be
		8	calling bt_att_cancel to cancal its requests causing the following
		9	trace:
		10
		11	Invalid read of size 4
		12	at 0x1D894C: enable_ccc_callback (gatt-client.c:1627)
		13	by 0x1D247B: disc_att_send_op (att.c:417)
		14	by 0x1CCC17: queue_remove_all (queue.c:354)
		15	by 0x1D47B7: disconnect_cb (att.c:635)
		16	by 0x1E0707: watch_callback (io-glib.c:170)
		17	by 0x48E963B: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.6400.4)
		18	by 0x48E9AC7: ??? (in /usr/lib/libglib-2.0.so.0.6400.4)
		19	by 0x48E9ECF: g_main_loop_run (in /usr/lib/libglib-2.0.so.0.6400.4)
		20	by 0x1E0E97: mainloop_run (mainloop-glib.c:79)
		21	by 0x1E13B3: mainloop_run_with_signal (mainloop-notify.c:201)
		22	by 0x12BC3B: main (main.c:770)
		23	Address 0x7d40a28 is 24 bytes inside a block of size 32 free'd
		24	at 0x484A2E0: free (vg_replace_malloc.c:540)
		25	by 0x1CCC17: queue_remove_all (queue.c:354)
		26	by 0x1CCC83: queue_destroy (queue.c:73)
		27	by 0x1D7DD7: bt_gatt_client_free (gatt-client.c:2209)
		28	by 0x16497B: batt_free (battery.c:77)
		29	by 0x16497B: batt_remove (battery.c:286)
		30	by 0x1A0013: service_remove (service.c:176)
		31	by 0x1A9B7B: device_remove_gatt_service (device.c:3691)
		32	by 0x1A9B7B: gatt_service_removed (device.c:3805)
		33	by 0x1CC90B: queue_foreach (queue.c:220)
		34	by 0x1DE27B: notify_service_changed.isra.0.part.0 (gatt-db.c:369)
		35	by 0x1DE387: notify_service_changed (gatt-db.c:361)
		36	by 0x1DE387: gatt_db_service_destroy (gatt-db.c:385)
		37	by 0x1DE3EF: gatt_db_remove_service (gatt-db.c:519)
		38	by 0x1D674F: discovery_op_complete (gatt-client.c:388)
		39	by 0x1D6877: discover_primary_cb (gatt-client.c:1260)
		40	by 0x1E220B: discovery_op_complete (gatt-helpers.c:628)
		41	by 0x1E249B: read_by_grp_type_cb (gatt-helpers.c:730)
		42	by 0x1D247B: disc_att_send_op (att.c:417)
		43	by 0x1CCC17: queue_remove_all (queue.c:354)
		44	by 0x1D47B7: disconnect_cb (att.c:635)
		45
		46	Upstream-Status: Backport
		47	[https://github.com/bluez/bluez/commit/1cd644db8c23a2f530ddb93cebed7dacc5f5721a]
		48	CVE: CVE-2020-27153
		49	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		50	---
		51	src/shared/att.c \| 46 ++++++++++++++++++++++++++++++++++++++++------
		52	1 file changed, 40 insertions(+), 6 deletions(-)
		53
		54	diff --git a/src/shared/att.c b/src/shared/att.c
		55	index ed3af2920..58f23dfcb 100644
		56	--- a/src/shared/att.c
		57	+++ b/src/shared/att.c
		58	@@ -84,6 +84,7 @@ struct bt_att {
		59	struct queue req_queue; / Queued ATT protocol requests */
		60	struct queue ind_queue; / Queued ATT protocol indications */
		61	struct queue write_queue; / Queue of PDUs ready to send */
		62	+ bool in_disc; /* Cleanup queues on disconnect_cb */
		63
		64	bt_att_timeout_func_t timeout_callback;
		65	bt_att_destroy_func_t timeout_destroy;
		66	@@ -222,8 +223,10 @@ static void destroy_att_send_op(void *data)
		67	free(op);
		68	}
		69
		70	-static void cancel_att_send_op(struct att_send_op *op)
		71	+static void cancel_att_send_op(void *data)
		72	{
		73	+ struct att_send_op *op = data;
		74	+
		75	if (op->destroy)
		76	op->destroy(op->user_data);
		77
		78	@@ -631,11 +634,6 @@ static bool disconnect_cb(struct io io, void user_data)
		79	/* Dettach channel */
		80	queue_remove(att->chans, chan);
		81
		82	- /* Notify request callbacks */
		83	- queue_remove_all(att->req_queue, NULL, NULL, disc_att_send_op);
		84	- queue_remove_all(att->ind_queue, NULL, NULL, disc_att_send_op);
		85	- queue_remove_all(att->write_queue, NULL, NULL, disc_att_send_op);
		86	-
		87	if (chan->pending_req) {
		88	disc_att_send_op(chan->pending_req);
		89	chan->pending_req = NULL;
		90	@@ -654,6 +652,15 @@ static bool disconnect_cb(struct io io, void user_data)
		91
		92	bt_att_ref(att);
		93
		94	+ att->in_disc = true;
		95	+
		96	+ /* Notify request callbacks */
		97	+ queue_remove_all(att->req_queue, NULL, NULL, disc_att_send_op);
		98	+ queue_remove_all(att->ind_queue, NULL, NULL, disc_att_send_op);
		99	+ queue_remove_all(att->write_queue, NULL, NULL, disc_att_send_op);
		100	+
		101	+ att->in_disc = false;
		102	+
		103	queue_foreach(att->disconn_list, disconn_handler, INT_TO_PTR(err));
		104
		105	bt_att_unregister_all(att);
		106	@@ -1574,6 +1581,30 @@ bool bt_att_chan_cancel(struct bt_att_chan *chan, unsigned int id)
		107	return true;
		108	}
		109
		110	+static bool bt_att_disc_cancel(struct bt_att *att, unsigned int id)
		111	+{
		112	+ struct att_send_op *op;
		113	+
		114	+ op = queue_find(att->req_queue, match_op_id, UINT_TO_PTR(id));
		115	+ if (op)
		116	+ goto done;
		117	+
		118	+ op = queue_find(att->ind_queue, match_op_id, UINT_TO_PTR(id));
		119	+ if (op)
		120	+ goto done;
		121	+
		122	+ op = queue_find(att->write_queue, match_op_id, UINT_TO_PTR(id));
		123	+
		124	+done:
		125	+ if (!op)
		126	+ return false;
		127	+
		128	+ /* Just cancel since disconnect_cb will be cleaning up */
		129	+ cancel_att_send_op(op);
		130	+
		131	+ return true;
		132	+}
		133	+
		134	bool bt_att_cancel(struct bt_att *att, unsigned int id)
		135	{
		136	const struct queue_entry *entry;
		137	@@ -1591,6 +1622,9 @@ bool bt_att_cancel(struct bt_att *att, unsigned int id)
		138	return true;
		139	}
		140
		141	+ if (att->in_disc)
		142	+ return bt_att_disc_cancel(att, id);
		143	+
		144	op = queue_remove_if(att->req_queue, match_op_id, UINT_TO_PTR(id));
		145	if (op)
		146	goto done;


diff --git a/meta/recipes-connectivity/bluez5/bluez5_5.54.bb b/meta/recipes-connectivity/bluez5/bluez5_5.54.bb index 260eee1402..9a21f14fae 100644 --- a/meta/recipes-connectivity/bluez5/bluez5_5.54.bb +++ b/meta/recipes-connectivity/bluez5/bluez5_5.54.bb
@@ -1,5 +1,7 @@
1	require bluez5.inc	1	require bluez5.inc
2		2
		3	SRC_URI += " file://CVE-2020-27153.patch"
		4
3	SRC_URI[md5sum] = "e637feb2dbb7582bbbff1708367a847c"	5	SRC_URI[md5sum] = "e637feb2dbb7582bbbff1708367a847c"
4	SRC_URI[sha256sum] = "68cdab9e63e8832b130d5979dc8c96fdb087b31278f342874d992af3e56656dc"	6	SRC_URI[sha256sum] = "68cdab9e63e8832b130d5979dc8c96fdb087b31278f342874d992af3e56656dc"
5		7