authorRoss Burton <ross.burton@intel.com>2017-09-13 20:11:52 +0100
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-09-14 11:35:46 +0100
commit9376bbc8a04ced3c0973805e6cb2529b6db03076 (patch)
tree4513d005c0ee69c1f987f6856e8015eecd121e82
parent41c51dc28e881f8a12c62725a4d823db804a5cb1 (diff)
bluez5: fix out-of-bounds access in SDP server (CVE-2017-1000250)
All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an information disclosure vulnerability which allows remote attackers to obtain sensitive information from the bluetoothd process memory. This vulnerability lies in the processing of SDP search attribute requests. (From OE-Core rev: 7351e0b260876b9bbc8660c2bb4173ab4c130f8b) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-connectivity/bluez5/bluez5.inc1
-rw-r--r--meta/recipes-connectivity/bluez5/bluez5/cve-2017-1000250.patch34
2 files changed, 35 insertions, 0 deletions
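--- a/meta/recipes-connectivity/bluez5/bluez5.inc
+++ b/meta/recipes-connectivity/bluez5/bluez5.inc
@@ -50,6 +50,7 @@ SRC_URI = "\
  ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \
  file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \
  file://0001-hciattach-bcm43xx-fix-the-delay-timer-for-firmware-d.patch \
+ file://cve-2017-1000250.patch \
 "
 S = "${WORKDIR}/bluez-${PV}"
 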
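--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/cve-2017-1000250.patch
@@ -0,0 +1,34 @@
+All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an
+information disclosure vulnerability which allows remote attackers to obtain
+sensitive information from the bluetoothd process memory. This vulnerability
+lies in the processing of SDP search attribute requests.
+
+CVE: CVE-2017-1000250
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 9e009647b14e810e06626dde7f1bb9ea3c375d09 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Wed, 13 Sep 2017 10:01:40 +0300
+Subject: sdp: Fix Out-of-bounds heap read in service_search_attr_req function
+
+Check if there is enough data to continue otherwise return an error.
+---
+ src/sdpd-request.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/sdpd-request.c b/src/sdpd-request.c
+index 1eefdce..318d044 100644
+--- a/src/sdpd-request.c
++++ b/src/sdpd-request.c
+@@ -917,7 +917,7 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf)
+ } else {
+ /* continuation State exists -> get from cache */
+ sdp_buf_t *pCache = sdp_get_cached_rsp(cstate);
+- if (pCache) {
++ if (pCache && cstate->cStateValue.maxBytesSent < pCache->data_size) {
+ uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
+ pResponse = pCache->data;
+ memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
+--
+cgit v1.1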
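Review bot: The new guard `if (pCache && cstate->cStateValue.maxBytesSent < pCache->data_size)` has no comment explaining why the offset is compared, so a later cleanup could mistake it for redundant; I would add `/* maxBytesSent comes from the continuation state: reject offsets at or past the cached response so the subtraction and memcpy below stay in bounds */` above it. The condition now sends both a missing cache entry and an out-of-range offset to the same else branch, which lies outside the hunk (service_search_attr_req starts and ends beyond it), so it is worth confirming that branch returns an error as the commit message states. Any other caller of `sdp_get_cached_rsp()` in sdpd-request.c that computes `data_size - maxBytesSent` the same way would presumably need the same check; that cannot be told from this page. On the recipe side, `Upstream-Status: Backport` would be easier to audit with the upstream commit reference beside it, and the trailing `cgit v1.1` line suggests the patch was saved from the web view rather than exported from git.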