1 files changed, 109 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-0129.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-0129.patch
new file mode 100644
index 0000000000..b39730dc10
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-0129.patch
@@ -0,0 +1,109 @@
+From 00da0fb4972cf59e1c075f313da81ea549cb8738 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Tue, 2 Mar 2021 11:38:33 -0800
+Subject: shared/gatt-server: Fix not properly checking for secure flags
+When passing the mask to check_permissions all valid permissions for
+the operation must be set including BT_ATT_PERM_SECURE flags.
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/patch/?id=00da0fb4972cf59e1c075f313da81ea549cb8738]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+CVE: CVE-2021-0129
+---
+ src/shared/att-types.h   |  8 ++++++++
+ src/shared/gatt-server.c | 25 +++++++------------------
+ 2 files changed, 15 insertions(+), 18 deletions(-)
+diff --git a/src/shared/att-types.h b/src/shared/att-types.h
+index 7108b4e94..3adc05d9e 100644
+--- a/src/shared/att-types.h
+++ b/src/shared/att-types.h
+@@ -129,6 +129,14 @@ struct bt_att_pdu_error_rsp {
+ #define BT_ATT_PERM_WRITE_SECURE       0x0200
+ #define BT_ATT_PERM_SECURE             (BT_ATT_PERM_READ_SECURE | \
+                                        BT_ATT_PERM_WRITE_SECURE)
+#define BT_ATT_PERM_READ_MASK          (BT_ATT_PERM_READ | \
+                                       BT_ATT_PERM_READ_AUTHEN | \
+                                       BT_ATT_PERM_READ_ENCRYPT | \
+                                       BT_ATT_PERM_READ_SECURE)
+#define BT_ATT_PERM_WRITE_MASK         (BT_ATT_PERM_WRITE | \
+                                       BT_ATT_PERM_WRITE_AUTHEN | \
+                                       BT_ATT_PERM_WRITE_ENCRYPT | \
+                                       BT_ATT_PERM_WRITE_SECURE)
+ 
+ /* GATT Characteristic Properties Bitfield values */
+ #define BT_GATT_CHRC_PROP_BROADCAST                    0x01
+diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
+index b5f7de7dc..970c35f94 100644
+--- a/src/shared/gatt-server.c
+++ b/src/shared/gatt-server.c
+@@ -444,9 +444,7 @@ static void process_read_by_type(struct async_read_op *op)
+                return;
+        }
+ 
+-       ecode = check_permissions(server, attr, BT_ATT_PERM_READ |
+-                                               BT_ATT_PERM_READ_AUTHEN |
+-                                               BT_ATT_PERM_READ_ENCRYPT);
+       ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK);
+        if (ecode)
+                goto error;
+ 
+@@ -811,9 +809,7 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
+                                (opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd",
+                                handle);
+ 
+-       ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE |
+-                                               BT_ATT_PERM_WRITE_AUTHEN |
+-                                               BT_ATT_PERM_WRITE_ENCRYPT);
+       ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
+        if (ecode)
+                goto error;
+ 
+@@ -913,9 +909,7 @@ static void handle_read_req(struct bt_att_chan *chan,
+                        opcode == BT_ATT_OP_READ_BLOB_REQ ? "Blob " : "",
+                        handle);
+ 
+-       ecode = check_permissions(server, attr, BT_ATT_PERM_READ |
+-                                               BT_ATT_PERM_READ_AUTHEN |
+-                                               BT_ATT_PERM_READ_ENCRYPT);
+       ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK);
+        if (ecode)
+                goto error;
+ 
+@@ -1051,9 +1045,8 @@ static void read_multiple_complete_cb(struct gatt_db_attribute *attr, int err,
+                goto error;
+        }
+ 
+-       ecode = check_permissions(data->server, next_attr, BT_ATT_PERM_READ |
+-                                               BT_ATT_PERM_READ_AUTHEN |
+-                                               BT_ATT_PERM_READ_ENCRYPT);
+       ecode = check_permissions(data->server, next_attr,
+                                               BT_ATT_PERM_READ_MASK);
+        if (ecode)
+                goto error;
+ 
+@@ -1129,9 +1122,7 @@ static void read_multiple_cb(struct bt_att_chan *chan, uint8_t opcode,
+                goto error;
+        }
+ 
+-       ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ |
+-                                               BT_ATT_PERM_READ_AUTHEN |
+-                                               BT_ATT_PERM_READ_ENCRYPT);
+       ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ_MASK);
+        if (ecode)
+                goto error;
+ 
+@@ -1308,9 +1299,7 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode,
+        util_debug(server->debug_callback, server->debug_data,
+                                "Prep Write Req - handle: 0x%04x", handle);
+ 
+-       ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE |
+-                                               BT_ATT_PERM_WRITE_AUTHEN |
+-                                               BT_ATT_PERM_WRITE_ENCRYPT);
+       ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
+        if (ecode)
+                goto error;
+ 
+-- 
+cgit 1.2.3-1.el7

diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-0129.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-0129.patch new file mode 100644 index 0000000000..b39730dc10 --- /dev/null +++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-0129.patch
@@ -0,0 +1,109 @@
	1	From 00da0fb4972cf59e1c075f313da81ea549cb8738 Mon Sep 17 00:00:00 2001
	2	From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
	3	Date: Tue, 2 Mar 2021 11:38:33 -0800
	4	Subject: shared/gatt-server: Fix not properly checking for secure flags
	5
	6	When passing the mask to check_permissions all valid permissions for
	7	the operation must be set including BT_ATT_PERM_SECURE flags.
	8
	9	Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/patch/?id=00da0fb4972cf59e1c075f313da81ea549cb8738]
	10	Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
	11	CVE: CVE-2021-0129
	12	---
	13	src/shared/att-types.h \| 8 ++++++++
	14	src/shared/gatt-server.c \| 25 +++++++------------------
	15	2 files changed, 15 insertions(+), 18 deletions(-)
	16
	17	diff --git a/src/shared/att-types.h b/src/shared/att-types.h
	18	index 7108b4e94..3adc05d9e 100644
	19	--- a/src/shared/att-types.h
	20	+++ b/src/shared/att-types.h
	21	@@ -129,6 +129,14 @@ struct bt_att_pdu_error_rsp {
	22	#define BT_ATT_PERM_WRITE_SECURE 0x0200
	23	#define BT_ATT_PERM_SECURE (BT_ATT_PERM_READ_SECURE \| \
	24	BT_ATT_PERM_WRITE_SECURE)
	25	+#define BT_ATT_PERM_READ_MASK (BT_ATT_PERM_READ \| \
	26	+ BT_ATT_PERM_READ_AUTHEN \| \
	27	+ BT_ATT_PERM_READ_ENCRYPT \| \
	28	+ BT_ATT_PERM_READ_SECURE)
	29	+#define BT_ATT_PERM_WRITE_MASK (BT_ATT_PERM_WRITE \| \
	30	+ BT_ATT_PERM_WRITE_AUTHEN \| \
	31	+ BT_ATT_PERM_WRITE_ENCRYPT \| \
	32	+ BT_ATT_PERM_WRITE_SECURE)
	33
	34	/* GATT Characteristic Properties Bitfield values */
	35	#define BT_GATT_CHRC_PROP_BROADCAST 0x01
	36	diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
	37	index b5f7de7dc..970c35f94 100644
	38	--- a/src/shared/gatt-server.c
	39	+++ b/src/shared/gatt-server.c
	40	@@ -444,9 +444,7 @@ static void process_read_by_type(struct async_read_op *op)
	41	return;
	42	}
	43
	44	- ecode = check_permissions(server, attr, BT_ATT_PERM_READ \|
	45	- BT_ATT_PERM_READ_AUTHEN \|
	46	- BT_ATT_PERM_READ_ENCRYPT);
	47	+ ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK);
	48	if (ecode)
	49	goto error;
	50
	51	@@ -811,9 +809,7 @@ static void write_cb(struct bt_att_chan chan, uint8_t opcode, const void pdu,
	52	(opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd",
	53	handle);
	54
	55	- ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE \|
	56	- BT_ATT_PERM_WRITE_AUTHEN \|
	57	- BT_ATT_PERM_WRITE_ENCRYPT);
	58	+ ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
	59	if (ecode)
	60	goto error;
	61
	62	@@ -913,9 +909,7 @@ static void handle_read_req(struct bt_att_chan *chan,
	63	opcode == BT_ATT_OP_READ_BLOB_REQ ? "Blob " : "",
	64	handle);
	65
	66	- ecode = check_permissions(server, attr, BT_ATT_PERM_READ \|
	67	- BT_ATT_PERM_READ_AUTHEN \|
	68	- BT_ATT_PERM_READ_ENCRYPT);
	69	+ ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK);
	70	if (ecode)
	71	goto error;
	72
	73	@@ -1051,9 +1045,8 @@ static void read_multiple_complete_cb(struct gatt_db_attribute *attr, int err,
	74	goto error;
	75	}
	76
	77	- ecode = check_permissions(data->server, next_attr, BT_ATT_PERM_READ \|
	78	- BT_ATT_PERM_READ_AUTHEN \|
	79	- BT_ATT_PERM_READ_ENCRYPT);
	80	+ ecode = check_permissions(data->server, next_attr,
	81	+ BT_ATT_PERM_READ_MASK);
	82	if (ecode)
	83	goto error;
	84
	85	@@ -1129,9 +1122,7 @@ static void read_multiple_cb(struct bt_att_chan *chan, uint8_t opcode,
	86	goto error;
	87	}
	88
	89	- ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ \|
	90	- BT_ATT_PERM_READ_AUTHEN \|
	91	- BT_ATT_PERM_READ_ENCRYPT);
	92	+ ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ_MASK);
	93	if (ecode)
	94	goto error;
	95
	96	@@ -1308,9 +1299,7 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode,
	97	util_debug(server->debug_callback, server->debug_data,
	98	"Prep Write Req - handle: 0x%04x", handle);
	99
	100	- ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE \|
	101	- BT_ATT_PERM_WRITE_AUTHEN \|
	102	- BT_ATT_PERM_WRITE_ENCRYPT);
	103	+ ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
	104	if (ecode)
	105	goto error;
	106
	107	--
	108	cgit 1.2.3-1.el7
	109