bluez: fix CVE-2021-3588

The cli_feat_read_cb() function in src/gatt-database.c does not perform bounds checks on the 'offset' variable before using it as an index into an array for reading https://nvd.nist.gov/vuln/detail/CVE-2021-3588 (From OE-Core rev: 569362f338736a1c85f090909a9893d019bfce5d) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Steve Sakoman <steve@sakoman.com> 2021-07-14 05:30:20 -1000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-07-20 19:05:39 +0100
commit: 7dbdfcf51b2aadd08f1fff3b163564f71a3a8997 (patch)
tree: c13b2a4fd116a57ba2cf63e37bc9b605fa730891 /meta
parent: 12725e44c1f6217f9d1b337e2d7c0094bd96017b (diff)
download: poky-7dbdfcf51b2aadd08f1fff3b163564f71a3a8997.tar.gz
2 files changed, 35 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc
index f34ba0dce5..202a14dee0 100644
--- a/meta/recipes-connectivity/bluez5/bluez5.inc
+++ b/meta/recipes-connectivity/bluez5/bluez5.inc
@@ -52,6 +52,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \
           ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \
           file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \
           file://0001-test-gatt-Fix-hung-issue.patch \
+           file://CVE-2021-3588.patch \
           "
 S = "${WORKDIR}/bluez-${PV}"
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch
new file mode 100644
index 0000000000..f52ff47a06
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch
@@ -0,0 +1,34 @@
+From 3a40bef49305f8327635b81ac8be52a3ca063d5a Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Mon, 4 Jan 2021 10:38:31 -0800
+Subject: [PATCH] gatt: Fix potential buffer out-of-bound
+When client features is read check if the offset is within the cli_feat
+bounds.
+Fixes: https://github.com/bluez/bluez/issues/70
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3a40bef49305f8327635b81ac8be52a3ca063d5a]
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+CVE: CVE-2021-3588
+---
+ src/gatt-database.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+diff --git a/src/gatt-database.c b/src/gatt-database.c
+index 90cc4bade..f2d7b5821 100644
+--- a/src/gatt-database.c
+++ b/src/gatt-database.c
+@@ -1075,6 +1075,11 @@ static void cli_feat_read_cb(struct gatt_db_attribute *attrib,
+                goto done;
+        }
+ 
+       if (offset >= sizeof(state->cli_feat)) {
+               ecode = BT_ATT_ERROR_INVALID_OFFSET;
+               goto done;
+       }
+
+        len = sizeof(state->cli_feat) - offset;
+        value = len ? &state->cli_feat[offset] : NULL;
+
author	Steve Sakoman <steve@sakoman.com>	2021-07-14 05:30:20 -1000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-07-20 19:05:39 +0100
commit	7dbdfcf51b2aadd08f1fff3b163564f71a3a8997 (patch)
tree	c13b2a4fd116a57ba2cf63e37bc9b605fa730891 /meta
parent	12725e44c1f6217f9d1b337e2d7c0094bd96017b (diff)
download	poky-7dbdfcf51b2aadd08f1fff3b163564f71a3a8997.tar.gz

diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc index f34ba0dce5..202a14dee0 100644 --- a/meta/recipes-connectivity/bluez5/bluez5.inc +++ b/meta/recipes-connectivity/bluez5/bluez5.inc
@@ -52,6 +52,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \
52	${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \	52	${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \
53	file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \	53	file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \
54	file://0001-test-gatt-Fix-hung-issue.patch \	54	file://0001-test-gatt-Fix-hung-issue.patch \
		55	file://CVE-2021-3588.patch \
55	"	56	"
56	S = "${WORKDIR}/bluez-${PV}"	57	S = "${WORKDIR}/bluez-${PV}"
57		58


diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch new file mode 100644 index 0000000000..f52ff47a06 --- /dev/null +++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch
@@ -0,0 +1,34 @@
		1	From 3a40bef49305f8327635b81ac8be52a3ca063d5a Mon Sep 17 00:00:00 2001
		2	From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
		3	Date: Mon, 4 Jan 2021 10:38:31 -0800
		4	Subject: [PATCH] gatt: Fix potential buffer out-of-bound
		5
		6	When client features is read check if the offset is within the cli_feat
		7	bounds.
		8
		9	Fixes: https://github.com/bluez/bluez/issues/70
		10
		11	+Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3a40bef49305f8327635b81ac8be52a3ca063d5a]
		12	+Signed-off-by: Steve Sakoman <steve@sakoman.com>
		13	+CVE: CVE-2021-3588
		14
		15	---
		16	src/gatt-database.c \| 5 +++++
		17	1 file changed, 5 insertions(+)
		18
		19	diff --git a/src/gatt-database.c b/src/gatt-database.c
		20	index 90cc4bade..f2d7b5821 100644
		21	--- a/src/gatt-database.c
		22	+++ b/src/gatt-database.c
		23	@@ -1075,6 +1075,11 @@ static void cli_feat_read_cb(struct gatt_db_attribute *attrib,
		24	goto done;
		25	}
		26
		27	+ if (offset >= sizeof(state->cli_feat)) {
		28	+ ecode = BT_ATT_ERROR_INVALID_OFFSET;
		29	+ goto done;
		30	+ }
		31	+
		32	len = sizeof(state->cli_feat) - offset;
		33	value = len ? &state->cli_feat[offset] : NULL;
		34