| author | Hitendra Prajapati <hprajapati@mvista.com> | 2022-09-28 11:33:24 +0530 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-09-30 16:34:52 +0100 |
| commit | e9ad2aab5ce2b0ab4b6306d6fadd93bdfcd63ae2 (patch) | |
| tree | 8f08c5dc60712d28c8853ea9a4bf9fc91501c04c /meta | |
| parent | fb7acc1b214cef0aa5863daeb2fec18759791476 (diff) | |
| download | poky-e9ad2aab5ce2b0ab4b6306d6fadd93bdfcd63ae2.tar.gz | |
bluez: CVE-2022-39176 BlueZ allows physically proximate attackers
Source: https://bugs.launchpad.net/ubuntu/+source/bluez/+bug/1977968
MR: 122140
Type: Security Fix
Disposition: Backport from https://launchpad.net/ubuntu/+source/bluez/5.53-0ubuntu3.6
ChangeID: b989c7670a9b2bd1d11221e981eab0d162f3271c
Description:
CVE-2022-39176 bluez: BlueZ allows physically proximate attackers to obtain sensitive information because profiles/audio/avrcp.c does not validate params_len.
Affects "bluez < 5.59"
(From OE-Core rev: 3750b576035d87633c69c0a5fc6de4854179f9b0)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
| -rw-r--r-- | meta/recipes-connectivity/bluez5/bluez5.inc | 1 | ||||
| -rw-r--r-- | meta/recipes-connectivity/bluez5/bluez5/CVE-2022-39176.patch | 126 |
2 files changed, 127 insertions, 0 deletions
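--- a/meta/recipes-connectivity/bluez5/bluez5.inc
+++ b/meta/recipes-connectivity/bluez5/bluez5.inc
@@ -56,6 +56,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \
 file://CVE-2021-3588.patch \
 file://CVE-2021-3658.patch \
 file://CVE-2022-0204.patch \
+file://CVE-2022-39176.patch \
 "
 S = "${WORKDIR}/bluez-${PV}"
 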
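--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-39176.patch
@@ -0,0 +1,126 @@
+From 752c7f707c3cc1eb12eadc13bc336a5c484d4bdf Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Wed, 28 Sep 2022 10:45:53 +0530
+Subject: [PATCH] CVE-2022-39176
+
+Upstream-Status: Backport [https://launchpad.net/ubuntu/+source/bluez/5.53-0ubuntu3.6]
+CVE: CVE-2022-39176
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+profiles/audio/avdtp.c | 56 +++++++++++++++++++++++++++---------------
+profiles/audio/avrcp.c | 8 ++++++
+2 files changed, 44 insertions(+), 20 deletions(-)
+
+diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c
+index 782268c..0adf413 100644
+--- a/profiles/audio/avdtp.c
++++ b/profiles/audio/avdtp.c
+@@ -1261,43 +1261,53 @@ struct avdtp_remote_sep *avdtp_find_remote_sep(struct avdtp *session,
+return NULL;
+}
+
+-static GSList *caps_to_list(uint8_t *data, int size,
++static GSList *caps_to_list(uint8_t *data, size_t size,
+struct avdtp_service_capability **codec,
+gboolean *delay_reporting)
+{
++ struct avdtp_service_capability *cap;
+GSList *caps;
+- int processed;
+
+if (delay_reporting)
+*delay_reporting = FALSE;
+
+- for (processed = 0, caps = NULL; processed + 2 <= size;) {
+- struct avdtp_service_capability *cap;
+- uint8_t length, category;
++ if (size < sizeof(*cap))
++ return NULL;
++
++ for (caps = NULL; size >= sizeof(*cap);) {
++ struct avdtp_service_capability *cpy;
+
+- category = data[0];
+- length = data[1];
++ cap = (struct avdtp_service_capability *)data;
+
+- if (processed + 2 + length > size) {
++ if (sizeof(*cap) + cap->length > size) {
+error("Invalid capability data in getcap resp");
+break;
+}
+
+- cap = g_malloc(sizeof(struct avdtp_service_capability) +
+- length);
+- memcpy(cap, data, 2 + length);
++ if (cap->category == AVDTP_MEDIA_CODEC &&
++ cap->length < sizeof(**codec)) {
++ error("Invalid codec data in getcap resp");
++ break;
++ }
++
++ cpy = btd_malloc(sizeof(*cpy) + cap->length);
++ memcpy(cpy, cap, sizeof(*cap) + cap->length);
+
+- processed += 2 + length;
+- data += 2 + length;
++ size -= sizeof(*cap) + cap->length;
++ data += sizeof(*cap) + cap->length;
+
+- caps = g_slist_append(caps, cap);
++ caps = g_slist_append(caps, cpy);
+
+- if (category == AVDTP_MEDIA_CODEC &&
+- length >=
+- sizeof(struct avdtp_media_codec_capability))
+- *codec = cap;
+- else if (category == AVDTP_DELAY_REPORTING && delay_reporting)
+- *delay_reporting = TRUE;
++ switch (cap->category) {
++ case AVDTP_MEDIA_CODEC:
++ if (codec)
++ *codec = cpy;
++ break;
++ case AVDTP_DELAY_REPORTING:
++ if (delay_reporting)
++ *delay_reporting = TRUE;
++ break;
++ }
+}
+
+return caps;
+@@ -1494,6 +1504,12 @@ static gboolean avdtp_setconf_cmd(struct avdtp *session, uint8_t transaction,
+&stream->codec,
+&stream->delay_reporting);
+
++ if (!stream->caps || !stream->codec) {
++ err = AVDTP_UNSUPPORTED_CONFIGURATION;
++ category = 0x00;
++ goto failed_stream;
++ }
++
+/* Verify that the Media Transport capability's length = 0. Reject otherwise */
+for (l = stream->caps; l != NULL; l = g_slist_next(l)) {
+struct avdtp_service_capability *cap = l->data;
+diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
+index d9471c0..0233d53 100644
+--- a/profiles/audio/avrcp.c
++++ b/profiles/audio/avrcp.c
+@@ -1916,6 +1916,14 @@ static size_t handle_vendordep_pdu(struct avctp *conn, uint8_t transaction,
+goto err_metadata;
+}
+
++ operands += sizeof(*pdu);
++ operand_count -= sizeof(*pdu);
++
++ if (pdu->params_len != operand_count) {
++ DBG("AVRCP PDU parameters length don't match");
++ pdu->params_len = operand_count;
++ }
++
+for (handler = session->control_handlers; handler->pdu_id; handler++) {
+if (handler->pdu_id == pdu->pdu_id)
+break;
+--
+2.25.1
+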
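Review bot: In the avrcp.c hunk, `if (pdu->params_len != operand_count)` compares the header field directly with a host-order byte count and then writes a host-order count back into it; if params_len is stored in network byte order (AVRCP transmits it big-endian, and the handlers' reads of the field, not visible here, would show how this file treats it), the test fails for every well-formed PDU on little-endian hosts and the handlers then see a byte-swapped length, so the consistent form would be `if (ntohs(pdu->params_len) != operand_count) { DBG("AVRCP PDU parameters length don't match"); pdu->params_len = htons(operand_count); }` — worth confirming against the handlers before merging. The `operand_count -= sizeof(*pdu)` just before it is only safe if the `goto err_metadata` branch above already rejects an operand_count shorter than the header; that check lies outside the hunk. In the avdtp_setconf_cmd hunk, `if (!stream->caps || !stream->codec)` relies on stream->codec being NULL before caps_to_list() runs and on the failed_stream path releasing a non-NULL stream->caps, otherwise a capability list that carries no codec entry leaks; both are outside the hunk. handle_vendordep_pdu and avdtp_setconf_cmd each start and end outside their hunks.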
