Diffstat (limited to 'meta/recipes-connectivity/bluez5')
9 files changed, 541 insertions, 0 deletions
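--- a/meta/recipes-connectivity/bluez5/bluez5.inc
+++ b/meta/recipes-connectivity/bluez5/bluez5.inc
@@ -7,6 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \
 file://COPYING.LIB;md5=fb504b67c50331fc78734fed90fb0e09 \
 file://src/main.c;beginline=1;endline=24;md5=9bc54b93cd7e17bf03f52513f39f926e"
 DEPENDS = "dbus glib-2.0"
+RDEPENDS:${PN} += "dbus"
 PROVIDES += "bluez-hcidump"
 RPROVIDES_${PN} += "bluez-hcidump"
 
@@ -52,6 +53,13 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \
 ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \
 file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \
 file://0001-test-gatt-Fix-hung-issue.patch \
+file://CVE-2021-0129.patch \
+file://CVE-2021-3588.patch \
+file://CVE-2021-3658.patch \
+file://CVE-2022-0204.patch \
+file://CVE-2022-39176.patch \
+file://CVE-2022-3637.patch \
+file://CVE-2023-45866.patch \
 "
 S = "${WORKDIR}/bluez-${PV}"
 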
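Review bot: The added `RDEPENDS:${PN} += "dbus"` uses the colon override syntax while the neighbouring `RPROVIDES_${PN}` line and the `CVE_CHECK_WHITELIST` variable in bluez5_5.55.bb indicate this branch still uses the underscore syntax; on such a bitbake the colon form is presumably not recognised as an override of RDEPENDS (a parse error or a dead assignment), so the runtime dependency on dbus would not actually be recorded. Write it as `RDEPENDS_${PN} += "dbus"` to match the rest of the file, or confirm that bitbake on this branch accepts the colon form.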
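--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-0129.patch
@@ -0,0 +1,109 @@
+From 00da0fb4972cf59e1c075f313da81ea549cb8738 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Tue, 2 Mar 2021 11:38:33 -0800
+Subject: shared/gatt-server: Fix not properly checking for secure flags
+
+When passing the mask to check_permissions all valid permissions for
+the operation must be set including BT_ATT_PERM_SECURE flags.
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/patch/?id=00da0fb4972cf59e1c075f313da81ea549cb8738]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+CVE: CVE-2021-0129
+---
+src/shared/att-types.h | 8 ++++++++
+src/shared/gatt-server.c | 25 +++++++------------------
+2 files changed, 15 insertions(+), 18 deletions(-)
+
+diff --git a/src/shared/att-types.h b/src/shared/att-types.h
+index 7108b4e94..3adc05d9e 100644
+--- a/src/shared/att-types.h
++++ b/src/shared/att-types.h
+@@ -129,6 +129,14 @@ struct bt_att_pdu_error_rsp {
+#define BT_ATT_PERM_WRITE_SECURE 0x0200
+#define BT_ATT_PERM_SECURE (BT_ATT_PERM_READ_SECURE | \
+BT_ATT_PERM_WRITE_SECURE)
++#define BT_ATT_PERM_READ_MASK (BT_ATT_PERM_READ | \
++ BT_ATT_PERM_READ_AUTHEN | \
++ BT_ATT_PERM_READ_ENCRYPT | \
++ BT_ATT_PERM_READ_SECURE)
++#define BT_ATT_PERM_WRITE_MASK (BT_ATT_PERM_WRITE | \
++ BT_ATT_PERM_WRITE_AUTHEN | \
++ BT_ATT_PERM_WRITE_ENCRYPT | \
++ BT_ATT_PERM_WRITE_SECURE)
+
+/* GATT Characteristic Properties Bitfield values */
+#define BT_GATT_CHRC_PROP_BROADCAST 0x01
+diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
+index b5f7de7dc..970c35f94 100644
+--- a/src/shared/gatt-server.c
++++ b/src/shared/gatt-server.c
+@@ -444,9 +444,7 @@ static void process_read_by_type(struct async_read_op *op)
+return;
+}
+
+- ecode = check_permissions(server, attr, BT_ATT_PERM_READ |
+- BT_ATT_PERM_READ_AUTHEN |
+- BT_ATT_PERM_READ_ENCRYPT);
++ ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK);
+if (ecode)
+goto error;
+
+@@ -811,9 +809,7 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
+(opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd",
+handle);
+
+- ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE |
+- BT_ATT_PERM_WRITE_AUTHEN |
+- BT_ATT_PERM_WRITE_ENCRYPT);
++ ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
+if (ecode)
+goto error;
+
+@@ -913,9 +909,7 @@ static void handle_read_req(struct bt_att_chan *chan,
+opcode == BT_ATT_OP_READ_BLOB_REQ ? "Blob " : "",
+handle);
+
+- ecode = check_permissions(server, attr, BT_ATT_PERM_READ |
+- BT_ATT_PERM_READ_AUTHEN |
+- BT_ATT_PERM_READ_ENCRYPT);
++ ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK);
+if (ecode)
+goto error;
+
+@@ -1051,9 +1045,8 @@ static void read_multiple_complete_cb(struct gatt_db_attribute *attr, int err,
+goto error;
+}
+
+- ecode = check_permissions(data->server, next_attr, BT_ATT_PERM_READ |
+- BT_ATT_PERM_READ_AUTHEN |
+- BT_ATT_PERM_READ_ENCRYPT);
++ ecode = check_permissions(data->server, next_attr,
++ BT_ATT_PERM_READ_MASK);
+if (ecode)
+goto error;
+
+@@ -1129,9 +1122,7 @@ static void read_multiple_cb(struct bt_att_chan *chan, uint8_t opcode,
+goto error;
+}
+
+- ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ |
+- BT_ATT_PERM_READ_AUTHEN |
+- BT_ATT_PERM_READ_ENCRYPT);
++ ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ_MASK);
+if (ecode)
+goto error;
+
+@@ -1308,9 +1299,7 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode,
+util_debug(server->debug_callback, server->debug_data,
+"Prep Write Req - handle: 0x%04x", handle);
+
+- ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE |
+- BT_ATT_PERM_WRITE_AUTHEN |
+- BT_ATT_PERM_WRITE_ENCRYPT);
++ ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
+if (ecode)
+goto error;
+
+--
+cgit 1.2.3-1.el7
+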
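--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch
@@ -0,0 +1,34 @@
+From 3a40bef49305f8327635b81ac8be52a3ca063d5a Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Mon, 4 Jan 2021 10:38:31 -0800
+Subject: [PATCH] gatt: Fix potential buffer out-of-bound
+
+When client features is read check if the offset is within the cli_feat
+bounds.
+
+Fixes: https://github.com/bluez/bluez/issues/70
+
++Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3a40bef49305f8327635b81ac8be52a3ca063d5a]
++Signed-off-by: Steve Sakoman <steve@sakoman.com>
++CVE: CVE-2021-3588
+
+---
+src/gatt-database.c | 5 +++++
+1 file changed, 5 insertions(+)
+
+diff --git a/src/gatt-database.c b/src/gatt-database.c
+index 90cc4bade..f2d7b5821 100644
+--- a/src/gatt-database.c
++++ b/src/gatt-database.c
+@@ -1075,6 +1075,11 @@ static void cli_feat_read_cb(struct gatt_db_attribute *attrib,
+goto done;
+}
+
++ if (offset >= sizeof(state->cli_feat)) {
++ ecode = BT_ATT_ERROR_INVALID_OFFSET;
++ goto done;
++ }
++
+len = sizeof(state->cli_feat) - offset;
+value = len ? &state->cli_feat[offset] : NULL;
+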
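Review bot: The three header lines `+Upstream-Status: Backport [...]`, `+Signed-off-by: Steve Sakoman <steve@sakoman.com>` and `+CVE: CVE-2021-3588` carry a leading `+` that is not part of the commit message; it looks like a diff of the header was pasted instead of the edited header. `git am` will keep those characters in the imported commit message, and any tooling that matches the tags at the start of a line would not see them, so drop the leading `+` from those three lines (the CVE id in the filename still lets cve-check attribute the fix either way). The guard itself is sound: after `if (offset >= sizeof(state->cli_feat))` the subtraction on the next line cannot wrap, which leaves the existing `len ? ... : NULL` as a harmless leftover best left as upstream has it.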
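--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3658.patch
@@ -0,0 +1,95 @@
+From b497b5942a8beb8f89ca1c359c54ad67ec843055 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Thu, 24 Jun 2021 16:32:04 -0700
+Subject: [PATCH] adapter: Fix storing discoverable setting
+
+discoverable setting shall only be store when changed via Discoverable
+property and not when discovery client set it as that be considered
+temporary just for the lifetime of the discovery.
+
+Upstream-Status: Backport [https://github.com/bluez/bluez/commit/b497b5942a8beb8f89ca1c359c54ad67ec843055]
+Signed-off-by:Minjae Kim <flowergom@gmail.com>
+---
+src/adapter.c | 35 ++++++++++++++++++++++------------
+1 file changed, 22 insertions(+), 13 deletions(-)
+
+diff --git a/src/adapter.c b/src/adapter.c
+index 12e4ff5c0..663b778e4 100644
+--- a/src/adapter.c
++++ b/src/adapter.c
+@@ -560,7 +560,11 @@ static void settings_changed(struct btd_adapter *adapter, uint32_t settings)
+if (changed_mask & MGMT_SETTING_DISCOVERABLE) {
+g_dbus_emit_property_changed(dbus_conn, adapter->path,
+ADAPTER_INTERFACE, "Discoverable");
+- store_adapter_info(adapter);
++ /* Only persist discoverable setting if it was not set
++ * temporarily by discovery.
++ */
++ if (!adapter->discovery_discoverable)
++ store_adapter_info(adapter);
+btd_adv_manager_refresh(adapter->adv_manager);
+}
+
+@@ -2162,8 +2166,6 @@ static bool filters_equal(struct mgmt_cp_start_service_discovery *a,
+static int update_discovery_filter(struct btd_adapter *adapter)
+{
+struct mgmt_cp_start_service_discovery *sd_cp;
+- GSList *l;
+-
+
+DBG("");
+
+@@ -2173,17 +2175,24 @@ static int update_discovery_filter(struct btd_adapter *adapter)
+return -ENOMEM;
+}
+
+- for (l = adapter->discovery_list; l; l = g_slist_next(l)) {
+- struct discovery_client *client = l->data;
++ /* Only attempt to overwrite current discoverable setting when not
++ * discoverable.
++ */
++ if (!(adapter->current_settings & MGMT_OP_SET_DISCOVERABLE)) {
++ GSList *l;
+
+- if (!client->discovery_filter)
+- continue;
++ for (l = adapter->discovery_list; l; l = g_slist_next(l)) {
++ struct discovery_client *client = l->data;
+
+- if (client->discovery_filter->discoverable)
+- break;
+- }
++ if (!client->discovery_filter)
++ continue;
+
+- set_discovery_discoverable(adapter, l ? true : false);
++ if (client->discovery_filter->discoverable) {
++ set_discovery_discoverable(adapter, true);
++ break;
++ }
++ }
++ }
+
+/*
+* If filters are equal, then don't update scan, except for when
+@@ -2216,8 +2225,7 @@ static int discovery_stop(struct discovery_client *client)
+return 0;
+}
+
+- if (adapter->discovery_discoverable)
+- set_discovery_discoverable(adapter, false);
++ set_discovery_discoverable(adapter, false);
+
+/*
+* In the idle phase of a discovery, there is no need to stop it
+@@ -6913,6 +6921,7 @@ static void adapter_stop(struct btd_adapter *adapter)
+g_free(adapter->current_discovery_filter);
+adapter->current_discovery_filter = NULL;
+
++ set_discovery_discoverable(adapter, false);
+adapter->discovering = false;
+
+while (adapter->connections) {
+--
+2.25.1
+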
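Review bot: In the update_discovery_filter hunk the guard `if (!(adapter->current_settings & MGMT_OP_SET_DISCOVERABLE))` masks a settings word with an mgmt *opcode* constant, whereas the settings_changed hunk in the same patch masks with `MGMT_SETTING_DISCOVERABLE`; unless the two constants happen to coincide, the condition does not test the discoverable bit and the comment above it ("when not discoverable") does not describe what the code does. This is a verbatim backport, so compare against the current upstream src/adapter.c before diverging, and if upstream still carries the same expression, record that in the header rather than silently changing it. Separately, the header lacks the `CVE: CVE-2021-3658` tag that the sibling patches carry (the CVE id in the filename still lets cve-check attribute it), and `Signed-off-by:Minjae Kim` is missing the space after the colon.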
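--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-0204.patch
@@ -0,0 +1,66 @@
+From 0d328fdf6564b67fc2ec3533e3da201ebabcc9e3 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Tue, 8 Jun 2021 16:46:49 -0700
+Subject: [PATCH] shared/gatt-server: Fix heap overflow when appending prepare
+writes
+
+The code shall check if the prepare writes would append more the
+allowed maximum attribute length.
+
+Fixes https://github.com/bluez/bluez/security/advisories/GHSA-479m-xcq5-9g2q
+
+Upstream-Status: Backport [https://github.com/bluez/bluez/commit/591c546c536b42bef696d027f64aa22434f8c3f0]
+Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
+CVE: CVE-2022-0204
+
+---
+src/shared/gatt-server.c | 22 ++++++++++++++++++++++
+1 file changed, 22 insertions(+)
+
+diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
+index 0c25a97..20e14bc 100644
+--- a/src/shared/gatt-server.c
++++ b/src/shared/gatt-server.c
+@@ -816,6 +816,20 @@ static uint8_t authorize_req(struct bt_gatt_server *server,
+server->authorize_data);
+}
+
++static uint8_t check_length(uint16_t length, uint16_t offset)
++{
++ if (length > BT_ATT_MAX_VALUE_LEN)
++ return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN;
++
++ if (offset > BT_ATT_MAX_VALUE_LEN)
++ return BT_ATT_ERROR_INVALID_OFFSET;
++
++ if (length + offset > BT_ATT_MAX_VALUE_LEN)
++ return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN;
++
++ return 0;
++}
++
+static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
+uint16_t length, void *user_data)
+{
+@@ -846,6 +860,10 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
+(opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd",
+handle);
+
++ ecode = check_length(length, 0);
++ if (ecode)
++ goto error;
++
+ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
+if (ecode)
+goto error;
+@@ -1353,6 +1371,10 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode,
+util_debug(server->debug_callback, server->debug_data,
+"Prep Write Req - handle: 0x%04x", handle);
+
++ ecode = check_length(length, offset);
++ if (ecode)
++ goto error;
++
+ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
+if (ecode)
+goto error;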
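Review bot: The `From 0d328fdf6564b67fc2ec3533e3da201ebabcc9e3` line and the `Upstream-Status: Backport [https://github.com/bluez/bluez/commit/591c546c536b42bef696d027f64aa22434f8c3f0]` reference name two different commit ids for the same change, so a reader cannot tell which upstream commit was actually backported; make the two agree, or say in the header that one is the original commit and the other a later cherry-pick of it. The new check_length helper reads fine as a bound: both operands of `length + offset` are uint16_t and are promoted to int before the addition, so the third comparison cannot wrap, and the two earlier checks give the caller distinct error codes for each operand.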
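--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-3637.patch
@@ -0,0 +1,39 @@
+From b808b2852a0b48c6f9dbb038f932613cea3126c2 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 27 Oct 2022 09:51:27 +0530
+Subject: [PATCH] CVE-2022-3637
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/monitor/jlink.c?id=1d6cfb8e625a944010956714c1802bc1e1fc6c4f]
+CVE: CVE-2022-3637
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+monitor: Fix crash when using RTT backend
+
+This fix regression introduced by "monitor: Fix memory leaks".
+J-Link shared library is in use if jlink_init() returns 0 and thus
+handle shall not be closed.
+---
+monitor/jlink.c | 5 ++++-
+1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/monitor/jlink.c b/monitor/jlink.c
+index afa9d93..5bd4aed 100644
+--- a/monitor/jlink.c
++++ b/monitor/jlink.c
+@@ -120,9 +120,12 @@ int jlink_init(void)
+!jlink.tif_select || !jlink.setspeed ||
+!jlink.connect || !jlink.getsn ||
+!jlink.emu_getproductname ||
+- !jlink.rtterminal_control || !jlink.rtterminal_read)
++ !jlink.rtterminal_control || !jlink.rtterminal_read) {
++ dlclose(so);
+return -EIO;
++ }
+
++ /* don't dlclose(so) here cause symbols from it are in use now */
+return 0;
+}
+
+--
+2.25.1
+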
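--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-39176.patch
@@ -0,0 +1,126 @@
+From 752c7f707c3cc1eb12eadc13bc336a5c484d4bdf Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Wed, 28 Sep 2022 10:45:53 +0530
+Subject: [PATCH] CVE-2022-39176
+
+Upstream-Status: Backport [https://launchpad.net/ubuntu/+source/bluez/5.53-0ubuntu3.6]
+CVE: CVE-2022-39176
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+profiles/audio/avdtp.c | 56 +++++++++++++++++++++++++++---------------
+profiles/audio/avrcp.c | 8 ++++++
+2 files changed, 44 insertions(+), 20 deletions(-)
+
+diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c
+index 782268c..0adf413 100644
+--- a/profiles/audio/avdtp.c
++++ b/profiles/audio/avdtp.c
+@@ -1261,43 +1261,53 @@ struct avdtp_remote_sep *avdtp_find_remote_sep(struct avdtp *session,
+return NULL;
+}
+
+-static GSList *caps_to_list(uint8_t *data, int size,
++static GSList *caps_to_list(uint8_t *data, size_t size,
+struct avdtp_service_capability **codec,
+gboolean *delay_reporting)
+{
++ struct avdtp_service_capability *cap;
+GSList *caps;
+- int processed;
+
+if (delay_reporting)
+*delay_reporting = FALSE;
+
+- for (processed = 0, caps = NULL; processed + 2 <= size;) {
+- struct avdtp_service_capability *cap;
+- uint8_t length, category;
++ if (size < sizeof(*cap))
++ return NULL;
++
++ for (caps = NULL; size >= sizeof(*cap);) {
++ struct avdtp_service_capability *cpy;
+
+- category = data[0];
+- length = data[1];
++ cap = (struct avdtp_service_capability *)data;
+
+- if (processed + 2 + length > size) {
++ if (sizeof(*cap) + cap->length > size) {
+error("Invalid capability data in getcap resp");
+break;
+}
+
+- cap = g_malloc(sizeof(struct avdtp_service_capability) +
+- length);
+- memcpy(cap, data, 2 + length);
++ if (cap->category == AVDTP_MEDIA_CODEC &&
++ cap->length < sizeof(**codec)) {
++ error("Invalid codec data in getcap resp");
++ break;
++ }
++
++ cpy = btd_malloc(sizeof(*cpy) + cap->length);
++ memcpy(cpy, cap, sizeof(*cap) + cap->length);
+
+- processed += 2 + length;
+- data += 2 + length;
++ size -= sizeof(*cap) + cap->length;
++ data += sizeof(*cap) + cap->length;
+
+- caps = g_slist_append(caps, cap);
++ caps = g_slist_append(caps, cpy);
+
+- if (category == AVDTP_MEDIA_CODEC &&
+- length >=
+- sizeof(struct avdtp_media_codec_capability))
+- *codec = cap;
+- else if (category == AVDTP_DELAY_REPORTING && delay_reporting)
+- *delay_reporting = TRUE;
++ switch (cap->category) {
++ case AVDTP_MEDIA_CODEC:
++ if (codec)
++ *codec = cpy;
++ break;
++ case AVDTP_DELAY_REPORTING:
++ if (delay_reporting)
++ *delay_reporting = TRUE;
++ break;
++ }
+}
+
+return caps;
+@@ -1494,6 +1504,12 @@ static gboolean avdtp_setconf_cmd(struct avdtp *session, uint8_t transaction,
+&stream->codec,
+&stream->delay_reporting);
+
++ if (!stream->caps || !stream->codec) {
++ err = AVDTP_UNSUPPORTED_CONFIGURATION;
++ category = 0x00;
++ goto failed_stream;
++ }
++
+/* Verify that the Media Transport capability's length = 0. Reject otherwise */
+for (l = stream->caps; l != NULL; l = g_slist_next(l)) {
+struct avdtp_service_capability *cap = l->data;
+diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
+index d9471c0..0233d53 100644
+--- a/profiles/audio/avrcp.c
++++ b/profiles/audio/avrcp.c
+@@ -1916,6 +1916,14 @@ static size_t handle_vendordep_pdu(struct avctp *conn, uint8_t transaction,
+goto err_metadata;
+}
+
++ operands += sizeof(*pdu);
++ operand_count -= sizeof(*pdu);
++
++ if (pdu->params_len != operand_count) {
++ DBG("AVRCP PDU parameters length don't match");
++ pdu->params_len = operand_count;
++ }
++
+for (handler = session->control_handlers; handler->pdu_id; handler++) {
+if (handler->pdu_id == pdu->pdu_id)
+break;
+--
+2.25.1
+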
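Review bot: `Upstream-Status: Backport [https://launchpad.net/ubuntu/+source/bluez/5.53-0ubuntu3.6]` records a distribution package rather than the upstream commits, and the subject line is only the CVE id, so the provenance of this patch cannot be audited without reading the recipe; the bluez5_5.55.bb comment names the upstream ids 7a80d2096f1b7125085e21448112aa02f49f5e9a, e2b0f0d8d63e1223bb714a9efb37e2257818268b and 0388794dc5fdb73a4ea88bcf148de0a12b4364d4, so list them here and, if they are the fix for CVE-2022-39177 as that comment says, add a second `CVE: CVE-2022-39177` line. In the avrcp.c hunk, `if (pdu->params_len != operand_count)` compares a field of the received PDU directly against a host count; if the handlers in this file read that field through ntohs() (not visible in this hunk), the comparison and the `pdu->params_len = operand_count;` fix-up would mix byte orders on little-endian hosts — worth confirming against the current upstream avrcp.c before shipping. The enclosing handle_vendordep_pdu body continues outside the hunk.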
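--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2023-45866.patch
@@ -0,0 +1,54 @@
+From 25a471a83e02e1effb15d5a488b3f0085eaeb675 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Tue, 10 Oct 2023 13:03:12 -0700
+Subject: input.conf: Change default of ClassicBondedOnly
+
+This changes the default of ClassicBondedOnly since defaulting to false
+is not inline with HID specification which mandates the of Security Mode
+4:
+
+BLUETOOTH SPECIFICATION Page 84 of 123
+Human Interface Device (HID) Profile:
+
+5.4.3.4.2 Security Modes
+Bluetooth HID Hosts shall use Security Mode 4 when interoperating with
+Bluetooth HID devices that are compliant to the Bluetooth Core
+Specification v2.1+EDR[6].
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=25a471a83e02e1effb15d5a488b3f0085eaeb675]
+CVE: CVE-2023-45866
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+profiles/input/device.c | 2 +-
+profiles/input/input.conf | 2 +-
+2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/profiles/input/device.c b/profiles/input/device.c
+index 375314e..0236488 100644
+--- a/profiles/input/device.c
++++ b/profiles/input/device.c
+@@ -93,7 +93,7 @@ struct input_device {
+
+static int idle_timeout = 0;
+static bool uhid_enabled = false;
+-static bool classic_bonded_only = false;
++static bool classic_bonded_only = true;
+
+void input_set_idle_timeout(int timeout)
+{
+diff --git a/profiles/input/input.conf b/profiles/input/input.conf
+index 4c70bc5..d8645f3 100644
+--- a/profiles/input/input.conf
++++ b/profiles/input/input.conf
+@@ -17,7 +17,7 @@
+# platforms may want to make sure that input connections only come from bonded
+# device connections. Several older mice have been known for not supporting
+# pairing/encryption.
+-# Defaults to false to maximize device compatibility.
++# Defaults to true for security.
+#ClassicBondedOnly=true
+
+# LE upgrade security
+--
+2.25.1
+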
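Review bot: The device.c hunk only flips the compiled-in default of classic_bonded_only, and the shipped input.conf still has `#ClassicBondedOnly=true` commented out; any layer that installs its own input.conf with `ClassicBondedOnly=false` presumably reinstates the pre-fix behaviour with no build-time signal, so bbappends that ship input.conf for this recipe should be checked alongside this backport. The updated comment `# Defaults to true for security.` would be more useful to integrators if it named the trade-off the paragraph above already describes, e.g. `# Defaults to true: input connections are accepted only from bonded devices, which older unpaired mice do not support.`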
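--- a/meta/recipes-connectivity/bluez5/bluez5_5.55.bb
+++ b/meta/recipes-connectivity/bluez5/bluez5_5.55.bb
@@ -3,6 +3,16 @@ require bluez5.inc
 SRC_URI[md5sum] = "94972b8bc7ade60c72b0ffa6ccff2c0a"
 SRC_URI[sha256sum] = "8863717113c4897e2ad3271fc808ea245319e6fd95eed2e934fae8e0894e9b88"
 
+# These issues have kernel fixes rather than bluez fixes so exclude here
+CVE_CHECK_WHITELIST += "CVE-2020-12352 CVE-2020-24490"
+
+# Commit 7a80d2096f1b7125085e21448112aa02f49f5e9a, e2b0f0d8d63e1223bb714a9efb37e2257818268b
+# and 0388794dc5fdb73a4ea88bcf148de0a12b4364d4 to fix CVE-2022-39177
+# already backport in CVE-2022-39176.patch
+# https://bugs.launchpad.net/ubuntu/+source/bluez/+bug/1977968
+
+CVE_CHECK_WHITELIST += "CVE-2022-39177"
+
 # noinst programs in Makefile.tools that are conditional on READLINE
 # support
 NOINST_TOOLS_READLINE ?= " \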
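Review bot: `CVE_CHECK_WHITELIST += "CVE-2022-39177"` suppresses the report instead of recording the fix; since the comment above states the fixing commits are already carried in CVE-2022-39176.patch, the more accurate way is to add a `CVE: CVE-2022-39177` line to that patch's header so cve-check attributes the fix to the patch and the whitelist entry becomes unnecessary (this assumes the class on this branch scans `CVE:` tags in the patch body as well as the filename — confirm before dropping the whitelist). The comment's `already backport in` reads as a typo for `already backported in`, and noting the date or release the Ubuntu bug was checked against would help a later reviewer judge whether the two whitelist entries are still justified. The NOINST_TOOLS_READLINE assignment continues past the hunk.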