bluez5: fix out-of-bounds access in SDP server (CVE-2017-1000250)

All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an information disclosure vulnerability which allows remote attackers to obtain sensitive information from the bluetoothd process memory. This vulnerability lies in the processing of SDP search attribute requests. (From OE-Core rev: d25716ceb3ffcdfcfa54516596bd94bf5c050bac) (From OE-Core rev: c8f4cd337b9cc5c5c3fc40c6a6d8d2394fdc9ea3) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Ross Burton <ross.burton@intel.com> 2017-09-13 16:59:09 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-01-07 17:07:57 +0000
commit: 4992fc465d074ca04552080bf45d4efbfd61958e (patch)
tree: 07f82a368238d7afa12c145cc7954a099c74cc98
parent: 2b3db17bd855eb10bbb25fed8697167494ff575a (diff)
download: poky-4992fc465d074ca04552080bf45d4efbfd61958e.tar.gz
2 files changed, 35 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc
index ccb10aaad9..882873a486 100644
--- a/meta/recipes-connectivity/bluez5/bluez5.inc
+++ b/meta/recipes-connectivity/bluez5/bluez5.inc
@@ -24,6 +24,7 @@ SRC_URI = "\
    file://run-ptest \
    ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \
    file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \
+    file://cve-2017-1000250.patch \
 "
 S = "${WORKDIR}/bluez-${PV}"
diff --git a/meta/recipes-connectivity/bluez5/bluez5/cve-2017-1000250.patch b/meta/recipes-connectivity/bluez5/bluez5/cve-2017-1000250.patch
new file mode 100644
index 0000000000..9fac961bcf
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/cve-2017-1000250.patch
@@ -0,0 +1,34 @@
+All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an
+information disclosure vulnerability which allows remote attackers to obtain
+sensitive information from the bluetoothd process memory. This vulnerability
+lies in the processing of SDP search attribute requests.
+CVE: CVE-2017-1000250
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+From 9e009647b14e810e06626dde7f1bb9ea3c375d09 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Wed, 13 Sep 2017 10:01:40 +0300
+Subject: sdp: Fix Out-of-bounds heap read in service_search_attr_req function
+Check if there is enough data to continue otherwise return an error.
+---
+ src/sdpd-request.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/sdpd-request.c b/src/sdpd-request.c
+index 1eefdce..318d044 100644
+--- a/src/sdpd-request.c
+++ b/src/sdpd-request.c
+@@ -917,7 +917,7 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf)
+        } else {
+                /* continuation State exists -> get from cache */
+                sdp_buf_t *pCache = sdp_get_cached_rsp(cstate);
+-               if (pCache) {
+               if (pCache && cstate->cStateValue.maxBytesSent < pCache->data_size) {
+                        uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
+                        pResponse = pCache->data;
+                        memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
+-- 
+cgit v1.1
author	Ross Burton <ross.burton@intel.com>	2017-09-13 16:59:09 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-01-07 17:07:57 +0000
commit	4992fc465d074ca04552080bf45d4efbfd61958e (patch)
tree	07f82a368238d7afa12c145cc7954a099c74cc98
parent	2b3db17bd855eb10bbb25fed8697167494ff575a (diff)
download	poky-4992fc465d074ca04552080bf45d4efbfd61958e.tar.gz

diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc index ccb10aaad9..882873a486 100644 --- a/meta/recipes-connectivity/bluez5/bluez5.inc +++ b/meta/recipes-connectivity/bluez5/bluez5.inc
@@ -24,6 +24,7 @@ SRC_URI = "\
24	file://run-ptest \	24	file://run-ptest \
25	${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \	25	${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \
26	file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \	26	file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \
		27	file://cve-2017-1000250.patch \
27	"	28	"
28	S = "${WORKDIR}/bluez-${PV}"	29	S = "${WORKDIR}/bluez-${PV}"
29		30


diff --git a/meta/recipes-connectivity/bluez5/bluez5/cve-2017-1000250.patch b/meta/recipes-connectivity/bluez5/bluez5/cve-2017-1000250.patch new file mode 100644 index 0000000000..9fac961bcf --- /dev/null +++ b/meta/recipes-connectivity/bluez5/bluez5/cve-2017-1000250.patch
@@ -0,0 +1,34 @@
		1	All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an
		2	information disclosure vulnerability which allows remote attackers to obtain
		3	sensitive information from the bluetoothd process memory. This vulnerability
		4	lies in the processing of SDP search attribute requests.
		5
		6	CVE: CVE-2017-1000250
		7	Upstream-Status: Backport
		8	Signed-off-by: Ross Burton <ross.burton@intel.com>
		9
		10	From 9e009647b14e810e06626dde7f1bb9ea3c375d09 Mon Sep 17 00:00:00 2001
		11	From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
		12	Date: Wed, 13 Sep 2017 10:01:40 +0300
		13	Subject: sdp: Fix Out-of-bounds heap read in service_search_attr_req function
		14
		15	Check if there is enough data to continue otherwise return an error.
		16	---
		17	src/sdpd-request.c \| 2 +-
		18	1 file changed, 1 insertion(+), 1 deletion(-)
		19
		20	diff --git a/src/sdpd-request.c b/src/sdpd-request.c
		21	index 1eefdce..318d044 100644
		22	--- a/src/sdpd-request.c
		23	+++ b/src/sdpd-request.c
		24	@@ -917,7 +917,7 @@ static int service_search_attr_req(sdp_req_t req, sdp_buf_t buf)
		25	} else {
		26	/* continuation State exists -> get from cache */
		27	sdp_buf_t *pCache = sdp_get_cached_rsp(cstate);
		28	- if (pCache) {
		29	+ if (pCache && cstate->cStateValue.maxBytesSent < pCache->data_size) {
		30	uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
		31	pResponse = pCache->data;
		32	memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
		33	--
		34	cgit v1.1