diff options
| author | Anuj Mittal <anuj.mittal@intel.com> | 2020-03-13 09:09:38 +0800 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-03-13 23:00:26 +0000 |
| commit | bed169a07b04a7dc003958fa309e6ff761f85a72 (patch) | |
| tree | 12e6c38a7eabf2513f1dfac55e51db47a567308d /meta/recipes-connectivity/bluez5/bluez5/CVE-2020-0556-1.patch | |
| parent | 901a93885fccd2640b1205d84959a4e894f8f224 (diff) | |
| download | poky-bed169a07b04a7dc003958fa309e6ff761f85a72.tar.gz | |
bluez: fix CVE-2020-0556
It was discovered that BlueZ's HID and HOGP profiles implementations
don't specifically require bonding between the device and the host.
This creates an opportunity for an malicious device to connect to a
target host to either impersonate an existing HID device without
security or to cause an SDP or GATT service discovery to take place
which would allow HID reports to be injected to the input subsystem from
a non-bonded source.
(From OE-Core rev: d598f8eee0741148416e8660e10c716654205cb5)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-connectivity/bluez5/bluez5/CVE-2020-0556-1.patch')
| -rw-r--r-- | meta/recipes-connectivity/bluez5/bluez5/CVE-2020-0556-1.patch | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2020-0556-1.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2020-0556-1.patch new file mode 100644 index 0000000000..a6bf31e14b --- /dev/null +++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2020-0556-1.patch | |||
| @@ -0,0 +1,35 @@ | |||
| 1 | From 8cdbd3b09f29da29374e2f83369df24228da0ad1 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Alain Michaud <alainm@chromium.org> | ||
| 3 | Date: Tue, 10 Mar 2020 02:35:16 +0000 | ||
| 4 | Subject: [PATCH 1/2] HOGP must only accept data from bonded devices. | ||
| 5 | |||
| 6 | HOGP 1.0 Section 6.1 establishes that the HOGP must require bonding. | ||
| 7 | |||
| 8 | Reference: | ||
| 9 | https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.htm | ||
| 10 | |||
| 11 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=8cdbd3b09f29da29374e2f83369df24228da0ad1] | ||
| 12 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
| 13 | CVE: CVE-2020-0556 | ||
| 14 | --- | ||
| 15 | profiles/input/hog.c | 4 ++++ | ||
| 16 | 1 file changed, 4 insertions(+) | ||
| 17 | |||
| 18 | diff --git a/profiles/input/hog.c b/profiles/input/hog.c | ||
| 19 | index 83c017dcb..dfac68921 100644 | ||
| 20 | --- a/profiles/input/hog.c | ||
| 21 | +++ b/profiles/input/hog.c | ||
| 22 | @@ -186,6 +186,10 @@ static int hog_accept(struct btd_service *service) | ||
| 23 | return -EINVAL; | ||
| 24 | } | ||
| 25 | |||
| 26 | + /* HOGP 1.0 Section 6.1 requires bonding */ | ||
| 27 | + if (!device_is_bonded(device, btd_device_get_bdaddr_type(device))) | ||
| 28 | + return -ECONNREFUSED; | ||
| 29 | + | ||
| 30 | /* TODO: Replace GAttrib with bt_gatt_client */ | ||
| 31 | bt_hog_attach(dev->hog, attrib); | ||
| 32 | |||
| 33 | -- | ||
| 34 | 2.24.1 | ||
| 35 | |||