diff options
author | Steve Sakoman <steve@sakoman.com> | 2021-07-14 05:30:20 -1000 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-07-20 19:05:39 +0100 |
commit | 7dbdfcf51b2aadd08f1fff3b163564f71a3a8997 (patch) | |
tree | c13b2a4fd116a57ba2cf63e37bc9b605fa730891 /meta/recipes-connectivity | |
parent | 12725e44c1f6217f9d1b337e2d7c0094bd96017b (diff) | |
download | poky-7dbdfcf51b2aadd08f1fff3b163564f71a3a8997.tar.gz |
bluez: fix CVE-2021-3588
The cli_feat_read_cb() function in src/gatt-database.c does not perform
bounds checks on the 'offset' variable before using it as an index into
an array for reading
https://nvd.nist.gov/vuln/detail/CVE-2021-3588
(From OE-Core rev: 569362f338736a1c85f090909a9893d019bfce5d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-connectivity')
-rw-r--r-- | meta/recipes-connectivity/bluez5/bluez5.inc | 1 | ||||
-rw-r--r-- | meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch | 34 |
2 files changed, 35 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc index f34ba0dce5..202a14dee0 100644 --- a/meta/recipes-connectivity/bluez5/bluez5.inc +++ b/meta/recipes-connectivity/bluez5/bluez5.inc | |||
@@ -52,6 +52,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \ | |||
52 | ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \ | 52 | ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \ |
53 | file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \ | 53 | file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \ |
54 | file://0001-test-gatt-Fix-hung-issue.patch \ | 54 | file://0001-test-gatt-Fix-hung-issue.patch \ |
55 | file://CVE-2021-3588.patch \ | ||
55 | " | 56 | " |
56 | S = "${WORKDIR}/bluez-${PV}" | 57 | S = "${WORKDIR}/bluez-${PV}" |
57 | 58 | ||
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch new file mode 100644 index 0000000000..f52ff47a06 --- /dev/null +++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch | |||
@@ -0,0 +1,34 @@ | |||
1 | From 3a40bef49305f8327635b81ac8be52a3ca063d5a Mon Sep 17 00:00:00 2001 | ||
2 | From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | ||
3 | Date: Mon, 4 Jan 2021 10:38:31 -0800 | ||
4 | Subject: [PATCH] gatt: Fix potential buffer out-of-bound | ||
5 | |||
6 | When client features is read check if the offset is within the cli_feat | ||
7 | bounds. | ||
8 | |||
9 | Fixes: https://github.com/bluez/bluez/issues/70 | ||
10 | |||
11 | +Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3a40bef49305f8327635b81ac8be52a3ca063d5a] | ||
12 | +Signed-off-by: Steve Sakoman <steve@sakoman.com> | ||
13 | +CVE: CVE-2021-3588 | ||
14 | |||
15 | --- | ||
16 | src/gatt-database.c | 5 +++++ | ||
17 | 1 file changed, 5 insertions(+) | ||
18 | |||
19 | diff --git a/src/gatt-database.c b/src/gatt-database.c | ||
20 | index 90cc4bade..f2d7b5821 100644 | ||
21 | --- a/src/gatt-database.c | ||
22 | +++ b/src/gatt-database.c | ||
23 | @@ -1075,6 +1075,11 @@ static void cli_feat_read_cb(struct gatt_db_attribute *attrib, | ||
24 | goto done; | ||
25 | } | ||
26 | |||
27 | + if (offset >= sizeof(state->cli_feat)) { | ||
28 | + ecode = BT_ATT_ERROR_INVALID_OFFSET; | ||
29 | + goto done; | ||
30 | + } | ||
31 | + | ||
32 | len = sizeof(state->cli_feat) - offset; | ||
33 | value = len ? &state->cli_feat[offset] : NULL; | ||
34 | |||