diff options
| author | Marta Rybczynska <rybczynska@gmail.com> | 2021-12-14 10:50:27 +0100 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-12-30 16:59:16 +0000 |
| commit | 30231b235487973f4e6b1921b428d938ec20bec8 (patch) | |
| tree | 8bd2fcf0e342aa3780cae168f56203c56686e14b /meta | |
| parent | 795339092f87672e4f68e4d3bc4cfd0e252d1831 (diff) | |
| download | poky-30231b235487973f4e6b1921b428d938ec20bec8.tar.gz | |
bluez: fix CVE-2021-0129
Improper access control in BlueZ may allow an authenticated user to
potentially enable information disclosure via adjacent access.
This issue can be fixed in the kernel, in BlueZ or both. This patch
fixes it on the BlueZ side, so that the configuration no longer
depends on the kernel fix.
https://nvd.nist.gov/vuln/detail/CVE-2021-012
(From OE-Core rev: 573ff24c5ba7836b4dd7f95b6e7c7244b80f9d00)
Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
| -rw-r--r-- | meta/recipes-connectivity/bluez5/bluez5.inc | 1 | ||||
| -rw-r--r-- | meta/recipes-connectivity/bluez5/bluez5/CVE-2021-0129.patch | 109 |
2 files changed, 110 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc index 202a14dee0..34796fdd20 100644 --- a/meta/recipes-connectivity/bluez5/bluez5.inc +++ b/meta/recipes-connectivity/bluez5/bluez5.inc | |||
| @@ -52,6 +52,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \ | |||
| 52 | ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \ | 52 | ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \ |
| 53 | file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \ | 53 | file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \ |
| 54 | file://0001-test-gatt-Fix-hung-issue.patch \ | 54 | file://0001-test-gatt-Fix-hung-issue.patch \ |
| 55 | file://CVE-2021-0129.patch \ | ||
| 55 | file://CVE-2021-3588.patch \ | 56 | file://CVE-2021-3588.patch \ |
| 56 | " | 57 | " |
| 57 | S = "${WORKDIR}/bluez-${PV}" | 58 | S = "${WORKDIR}/bluez-${PV}" |
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-0129.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-0129.patch new file mode 100644 index 0000000000..b39730dc10 --- /dev/null +++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-0129.patch | |||
| @@ -0,0 +1,109 @@ | |||
| 1 | From 00da0fb4972cf59e1c075f313da81ea549cb8738 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | ||
| 3 | Date: Tue, 2 Mar 2021 11:38:33 -0800 | ||
| 4 | Subject: shared/gatt-server: Fix not properly checking for secure flags | ||
| 5 | |||
| 6 | When passing the mask to check_permissions all valid permissions for | ||
| 7 | the operation must be set including BT_ATT_PERM_SECURE flags. | ||
| 8 | |||
| 9 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/patch/?id=00da0fb4972cf59e1c075f313da81ea549cb8738] | ||
| 10 | Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> | ||
| 11 | CVE: CVE-2021-0129 | ||
| 12 | --- | ||
| 13 | src/shared/att-types.h | 8 ++++++++ | ||
| 14 | src/shared/gatt-server.c | 25 +++++++------------------ | ||
| 15 | 2 files changed, 15 insertions(+), 18 deletions(-) | ||
| 16 | |||
| 17 | diff --git a/src/shared/att-types.h b/src/shared/att-types.h | ||
| 18 | index 7108b4e94..3adc05d9e 100644 | ||
| 19 | --- a/src/shared/att-types.h | ||
| 20 | +++ b/src/shared/att-types.h | ||
| 21 | @@ -129,6 +129,14 @@ struct bt_att_pdu_error_rsp { | ||
| 22 | #define BT_ATT_PERM_WRITE_SECURE 0x0200 | ||
| 23 | #define BT_ATT_PERM_SECURE (BT_ATT_PERM_READ_SECURE | \ | ||
| 24 | BT_ATT_PERM_WRITE_SECURE) | ||
| 25 | +#define BT_ATT_PERM_READ_MASK (BT_ATT_PERM_READ | \ | ||
| 26 | + BT_ATT_PERM_READ_AUTHEN | \ | ||
| 27 | + BT_ATT_PERM_READ_ENCRYPT | \ | ||
| 28 | + BT_ATT_PERM_READ_SECURE) | ||
| 29 | +#define BT_ATT_PERM_WRITE_MASK (BT_ATT_PERM_WRITE | \ | ||
| 30 | + BT_ATT_PERM_WRITE_AUTHEN | \ | ||
| 31 | + BT_ATT_PERM_WRITE_ENCRYPT | \ | ||
| 32 | + BT_ATT_PERM_WRITE_SECURE) | ||
| 33 | |||
| 34 | /* GATT Characteristic Properties Bitfield values */ | ||
| 35 | #define BT_GATT_CHRC_PROP_BROADCAST 0x01 | ||
| 36 | diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c | ||
| 37 | index b5f7de7dc..970c35f94 100644 | ||
| 38 | --- a/src/shared/gatt-server.c | ||
| 39 | +++ b/src/shared/gatt-server.c | ||
| 40 | @@ -444,9 +444,7 @@ static void process_read_by_type(struct async_read_op *op) | ||
| 41 | return; | ||
| 42 | } | ||
| 43 | |||
| 44 | - ecode = check_permissions(server, attr, BT_ATT_PERM_READ | | ||
| 45 | - BT_ATT_PERM_READ_AUTHEN | | ||
| 46 | - BT_ATT_PERM_READ_ENCRYPT); | ||
| 47 | + ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK); | ||
| 48 | if (ecode) | ||
| 49 | goto error; | ||
| 50 | |||
| 51 | @@ -811,9 +809,7 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu, | ||
| 52 | (opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd", | ||
| 53 | handle); | ||
| 54 | |||
| 55 | - ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE | | ||
| 56 | - BT_ATT_PERM_WRITE_AUTHEN | | ||
| 57 | - BT_ATT_PERM_WRITE_ENCRYPT); | ||
| 58 | + ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK); | ||
| 59 | if (ecode) | ||
| 60 | goto error; | ||
| 61 | |||
| 62 | @@ -913,9 +909,7 @@ static void handle_read_req(struct bt_att_chan *chan, | ||
| 63 | opcode == BT_ATT_OP_READ_BLOB_REQ ? "Blob " : "", | ||
| 64 | handle); | ||
| 65 | |||
| 66 | - ecode = check_permissions(server, attr, BT_ATT_PERM_READ | | ||
| 67 | - BT_ATT_PERM_READ_AUTHEN | | ||
| 68 | - BT_ATT_PERM_READ_ENCRYPT); | ||
| 69 | + ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK); | ||
| 70 | if (ecode) | ||
| 71 | goto error; | ||
| 72 | |||
| 73 | @@ -1051,9 +1045,8 @@ static void read_multiple_complete_cb(struct gatt_db_attribute *attr, int err, | ||
| 74 | goto error; | ||
| 75 | } | ||
| 76 | |||
| 77 | - ecode = check_permissions(data->server, next_attr, BT_ATT_PERM_READ | | ||
| 78 | - BT_ATT_PERM_READ_AUTHEN | | ||
| 79 | - BT_ATT_PERM_READ_ENCRYPT); | ||
| 80 | + ecode = check_permissions(data->server, next_attr, | ||
| 81 | + BT_ATT_PERM_READ_MASK); | ||
| 82 | if (ecode) | ||
| 83 | goto error; | ||
| 84 | |||
| 85 | @@ -1129,9 +1122,7 @@ static void read_multiple_cb(struct bt_att_chan *chan, uint8_t opcode, | ||
| 86 | goto error; | ||
| 87 | } | ||
| 88 | |||
| 89 | - ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ | | ||
| 90 | - BT_ATT_PERM_READ_AUTHEN | | ||
| 91 | - BT_ATT_PERM_READ_ENCRYPT); | ||
| 92 | + ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ_MASK); | ||
| 93 | if (ecode) | ||
| 94 | goto error; | ||
| 95 | |||
| 96 | @@ -1308,9 +1299,7 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode, | ||
| 97 | util_debug(server->debug_callback, server->debug_data, | ||
| 98 | "Prep Write Req - handle: 0x%04x", handle); | ||
| 99 | |||
| 100 | - ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE | | ||
| 101 | - BT_ATT_PERM_WRITE_AUTHEN | | ||
| 102 | - BT_ATT_PERM_WRITE_ENCRYPT); | ||
| 103 | + ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK); | ||
| 104 | if (ecode) | ||
| 105 | goto error; | ||
| 106 | |||
| 107 | -- | ||
| 108 | cgit 1.2.3-1.el7 | ||
| 109 | |||