diff options
Diffstat (limited to 'meta/recipes-connectivity/bluez5/bluez5/CVE-2021-0129.patch')
-rw-r--r-- | meta/recipes-connectivity/bluez5/bluez5/CVE-2021-0129.patch | 109 |
1 files changed, 109 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-0129.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-0129.patch new file mode 100644 index 0000000000..b39730dc10 --- /dev/null +++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-0129.patch | |||
@@ -0,0 +1,109 @@ | |||
1 | From 00da0fb4972cf59e1c075f313da81ea549cb8738 Mon Sep 17 00:00:00 2001 | ||
2 | From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | ||
3 | Date: Tue, 2 Mar 2021 11:38:33 -0800 | ||
4 | Subject: shared/gatt-server: Fix not properly checking for secure flags | ||
5 | |||
6 | When passing the mask to check_permissions all valid permissions for | ||
7 | the operation must be set including BT_ATT_PERM_SECURE flags. | ||
8 | |||
9 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/patch/?id=00da0fb4972cf59e1c075f313da81ea549cb8738] | ||
10 | Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> | ||
11 | CVE: CVE-2021-0129 | ||
12 | --- | ||
13 | src/shared/att-types.h | 8 ++++++++ | ||
14 | src/shared/gatt-server.c | 25 +++++++------------------ | ||
15 | 2 files changed, 15 insertions(+), 18 deletions(-) | ||
16 | |||
17 | diff --git a/src/shared/att-types.h b/src/shared/att-types.h | ||
18 | index 7108b4e94..3adc05d9e 100644 | ||
19 | --- a/src/shared/att-types.h | ||
20 | +++ b/src/shared/att-types.h | ||
21 | @@ -129,6 +129,14 @@ struct bt_att_pdu_error_rsp { | ||
22 | #define BT_ATT_PERM_WRITE_SECURE 0x0200 | ||
23 | #define BT_ATT_PERM_SECURE (BT_ATT_PERM_READ_SECURE | \ | ||
24 | BT_ATT_PERM_WRITE_SECURE) | ||
25 | +#define BT_ATT_PERM_READ_MASK (BT_ATT_PERM_READ | \ | ||
26 | + BT_ATT_PERM_READ_AUTHEN | \ | ||
27 | + BT_ATT_PERM_READ_ENCRYPT | \ | ||
28 | + BT_ATT_PERM_READ_SECURE) | ||
29 | +#define BT_ATT_PERM_WRITE_MASK (BT_ATT_PERM_WRITE | \ | ||
30 | + BT_ATT_PERM_WRITE_AUTHEN | \ | ||
31 | + BT_ATT_PERM_WRITE_ENCRYPT | \ | ||
32 | + BT_ATT_PERM_WRITE_SECURE) | ||
33 | |||
34 | /* GATT Characteristic Properties Bitfield values */ | ||
35 | #define BT_GATT_CHRC_PROP_BROADCAST 0x01 | ||
36 | diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c | ||
37 | index b5f7de7dc..970c35f94 100644 | ||
38 | --- a/src/shared/gatt-server.c | ||
39 | +++ b/src/shared/gatt-server.c | ||
40 | @@ -444,9 +444,7 @@ static void process_read_by_type(struct async_read_op *op) | ||
41 | return; | ||
42 | } | ||
43 | |||
44 | - ecode = check_permissions(server, attr, BT_ATT_PERM_READ | | ||
45 | - BT_ATT_PERM_READ_AUTHEN | | ||
46 | - BT_ATT_PERM_READ_ENCRYPT); | ||
47 | + ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK); | ||
48 | if (ecode) | ||
49 | goto error; | ||
50 | |||
51 | @@ -811,9 +809,7 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu, | ||
52 | (opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd", | ||
53 | handle); | ||
54 | |||
55 | - ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE | | ||
56 | - BT_ATT_PERM_WRITE_AUTHEN | | ||
57 | - BT_ATT_PERM_WRITE_ENCRYPT); | ||
58 | + ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK); | ||
59 | if (ecode) | ||
60 | goto error; | ||
61 | |||
62 | @@ -913,9 +909,7 @@ static void handle_read_req(struct bt_att_chan *chan, | ||
63 | opcode == BT_ATT_OP_READ_BLOB_REQ ? "Blob " : "", | ||
64 | handle); | ||
65 | |||
66 | - ecode = check_permissions(server, attr, BT_ATT_PERM_READ | | ||
67 | - BT_ATT_PERM_READ_AUTHEN | | ||
68 | - BT_ATT_PERM_READ_ENCRYPT); | ||
69 | + ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK); | ||
70 | if (ecode) | ||
71 | goto error; | ||
72 | |||
73 | @@ -1051,9 +1045,8 @@ static void read_multiple_complete_cb(struct gatt_db_attribute *attr, int err, | ||
74 | goto error; | ||
75 | } | ||
76 | |||
77 | - ecode = check_permissions(data->server, next_attr, BT_ATT_PERM_READ | | ||
78 | - BT_ATT_PERM_READ_AUTHEN | | ||
79 | - BT_ATT_PERM_READ_ENCRYPT); | ||
80 | + ecode = check_permissions(data->server, next_attr, | ||
81 | + BT_ATT_PERM_READ_MASK); | ||
82 | if (ecode) | ||
83 | goto error; | ||
84 | |||
85 | @@ -1129,9 +1122,7 @@ static void read_multiple_cb(struct bt_att_chan *chan, uint8_t opcode, | ||
86 | goto error; | ||
87 | } | ||
88 | |||
89 | - ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ | | ||
90 | - BT_ATT_PERM_READ_AUTHEN | | ||
91 | - BT_ATT_PERM_READ_ENCRYPT); | ||
92 | + ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ_MASK); | ||
93 | if (ecode) | ||
94 | goto error; | ||
95 | |||
96 | @@ -1308,9 +1299,7 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode, | ||
97 | util_debug(server->debug_callback, server->debug_data, | ||
98 | "Prep Write Req - handle: 0x%04x", handle); | ||
99 | |||
100 | - ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE | | ||
101 | - BT_ATT_PERM_WRITE_AUTHEN | | ||
102 | - BT_ATT_PERM_WRITE_ENCRYPT); | ||
103 | + ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK); | ||
104 | if (ecode) | ||
105 | goto error; | ||
106 | |||
107 | -- | ||
108 | cgit 1.2.3-1.el7 | ||
109 | |||