1 files changed, 66 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-0204.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-0204.patch
new file mode 100644
index 0000000000..646b5ddfc8
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-0204.patch
@@ -0,0 +1,66 @@
+From 0d328fdf6564b67fc2ec3533e3da201ebabcc9e3 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Tue, 8 Jun 2021 16:46:49 -0700
+Subject: [PATCH] shared/gatt-server: Fix heap overflow when appending prepare
+ writes
+The code shall check if the prepare writes would append more the
+allowed maximum attribute length.
+Fixes https://github.com/bluez/bluez/security/advisories/GHSA-479m-xcq5-9g2q
+Upstream-Status: Backport [https://github.com/bluez/bluez/commit/591c546c536b42bef696d027f64aa22434f8c3f0]
+Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
+CVE: CVE-2022-0204
+---
+ src/shared/gatt-server.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
+index 0c25a97..20e14bc 100644
+--- a/src/shared/gatt-server.c
+++ b/src/shared/gatt-server.c
+@@ -816,6 +816,20 @@ static uint8_t authorize_req(struct bt_gatt_server *server,
+                                                server->authorize_data);
+ }
+ 
+static uint8_t check_length(uint16_t length, uint16_t offset)
+{
+       if (length > BT_ATT_MAX_VALUE_LEN)
+               return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN;
+
+       if (offset > BT_ATT_MAX_VALUE_LEN)
+               return BT_ATT_ERROR_INVALID_OFFSET;
+
+       if (length + offset > BT_ATT_MAX_VALUE_LEN)
+               return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN;
+
+       return 0;
+}
+
+ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
+                                        uint16_t length, void *user_data)
+ {
+@@ -846,6 +860,10 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
+                                (opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd",
+                                handle);
+ 
+       ecode = check_length(length, 0);
+       if (ecode)
+               goto error;
+
+        ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
+        if (ecode)
+                goto error;
+@@ -1353,6 +1371,10 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode,
+        util_debug(server->debug_callback, server->debug_data,
+                                "Prep Write Req - handle: 0x%04x", handle);
+ 
+       ecode = check_length(length, offset);
+       if (ecode)
+               goto error;
+
+        ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
+        if (ecode)
+                goto error;

diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-0204.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-0204.patch new file mode 100644 index 0000000000..646b5ddfc8 --- /dev/null +++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-0204.patch
@@ -0,0 +1,66 @@
	1	From 0d328fdf6564b67fc2ec3533e3da201ebabcc9e3 Mon Sep 17 00:00:00 2001
	2	From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
	3	Date: Tue, 8 Jun 2021 16:46:49 -0700
	4	Subject: [PATCH] shared/gatt-server: Fix heap overflow when appending prepare
	5	writes
	6
	7	The code shall check if the prepare writes would append more the
	8	allowed maximum attribute length.
	9
	10	Fixes https://github.com/bluez/bluez/security/advisories/GHSA-479m-xcq5-9g2q
	11
	12	Upstream-Status: Backport [https://github.com/bluez/bluez/commit/591c546c536b42bef696d027f64aa22434f8c3f0]
	13	Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
	14	CVE: CVE-2022-0204
	15
	16	---
	17	src/shared/gatt-server.c \| 22 ++++++++++++++++++++++
	18	1 file changed, 22 insertions(+)
	19
	20	diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
	21	index 0c25a97..20e14bc 100644
	22	--- a/src/shared/gatt-server.c
	23	+++ b/src/shared/gatt-server.c
	24	@@ -816,6 +816,20 @@ static uint8_t authorize_req(struct bt_gatt_server *server,
	25	server->authorize_data);
	26	}
	27
	28	+static uint8_t check_length(uint16_t length, uint16_t offset)
	29	+{
	30	+ if (length > BT_ATT_MAX_VALUE_LEN)
	31	+ return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN;
	32	+
	33	+ if (offset > BT_ATT_MAX_VALUE_LEN)
	34	+ return BT_ATT_ERROR_INVALID_OFFSET;
	35	+
	36	+ if (length + offset > BT_ATT_MAX_VALUE_LEN)
	37	+ return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN;
	38	+
	39	+ return 0;
	40	+}
	41	+
	42	static void write_cb(struct bt_att_chan chan, uint8_t opcode, const void pdu,
	43	uint16_t length, void *user_data)
	44	{
	45	@@ -846,6 +860,10 @@ static void write_cb(struct bt_att_chan chan, uint8_t opcode, const void pdu,
	46	(opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd",
	47	handle);
	48
	49	+ ecode = check_length(length, 0);
	50	+ if (ecode)
	51	+ goto error;
	52	+
	53	ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
	54	if (ecode)
	55	goto error;
	56	@@ -1353,6 +1371,10 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode,
	57	util_debug(server->debug_callback, server->debug_data,
	58	"Prep Write Req - handle: 0x%04x", handle);
	59
	60	+ ecode = check_length(length, offset);
	61	+ if (ecode)
	62	+ goto error;
	63	+
	64	ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
	65	if (ecode)
	66	goto error;