2 files changed, 114 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc
index 0d30b1a3f5..22e0f33610 100644
--- a/meta/recipes-connectivity/bluez5/bluez5.inc
+++ b/meta/recipes-connectivity/bluez5/bluez5.inc
@@ -53,6 +53,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \
           file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \
           file://0001-test-gatt-Fix-hung-issue.patch \
           file://0001-adapter-Fix-storing-discoverable-setting.patch \
+           file://0001-shared-gatt-server-Fix-not-properly-checking-for-sec.patch \
           "
 S = "${WORKDIR}/bluez-${PV}"
diff --git a/meta/recipes-connectivity/bluez5/bluez5/0001-shared-gatt-server-Fix-not-properly-checking-for-sec.patch b/meta/recipes-connectivity/bluez5/bluez5/0001-shared-gatt-server-Fix-not-properly-checking-for-sec.patch
new file mode 100644
index 0000000000..422fd211ca
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/0001-shared-gatt-server-Fix-not-properly-checking-for-sec.patch
@@ -0,0 +1,113 @@
+From 00da0fb4972cf59e1c075f313da81ea549cb8738 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Tue, 2 Mar 2021 11:38:33 -0800
+Subject: [PATCH] shared/gatt-server: Fix not properly checking for secure
+ flags
+When passing the mask to check_permissions all valid permissions for
+the operation must be set including BT_ATT_PERM_SECURE flags.
+Upstream-Status: Backport
+(https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=00da0fb4972cf59e1c075f313da81ea549cb8738)
+CVE: CVE-2021-0129
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+---
+ src/shared/att-types.h   |  8 ++++++++
+ src/shared/gatt-server.c | 25 +++++++------------------
+ 2 files changed, 15 insertions(+), 18 deletions(-)
+diff --git a/src/shared/att-types.h b/src/shared/att-types.h
+index 7108b4e94..3adc05d9e 100644
+--- a/src/shared/att-types.h
+++ b/src/shared/att-types.h
+@@ -129,6 +129,14 @@ struct bt_att_pdu_error_rsp {
+ #define BT_ATT_PERM_WRITE_SECURE       0x0200
+ #define BT_ATT_PERM_SECURE             (BT_ATT_PERM_READ_SECURE | \
+                                        BT_ATT_PERM_WRITE_SECURE)
+#define BT_ATT_PERM_READ_MASK          (BT_ATT_PERM_READ | \
+                                       BT_ATT_PERM_READ_AUTHEN | \
+                                       BT_ATT_PERM_READ_ENCRYPT | \
+                                       BT_ATT_PERM_READ_SECURE)
+#define BT_ATT_PERM_WRITE_MASK         (BT_ATT_PERM_WRITE | \
+                                       BT_ATT_PERM_WRITE_AUTHEN | \
+                                       BT_ATT_PERM_WRITE_ENCRYPT | \
+                                       BT_ATT_PERM_WRITE_SECURE)
+ 
+ /* GATT Characteristic Properties Bitfield values */
+ #define BT_GATT_CHRC_PROP_BROADCAST                    0x01
+diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
+index b5f7de7dc..970c35f94 100644
+--- a/src/shared/gatt-server.c
+++ b/src/shared/gatt-server.c
+@@ -444,9 +444,7 @@ static void process_read_by_type(struct async_read_op *op)
+                return;
+        }
+ 
+-       ecode = check_permissions(server, attr, BT_ATT_PERM_READ |
+-                                               BT_ATT_PERM_READ_AUTHEN |
+-                                               BT_ATT_PERM_READ_ENCRYPT);
+       ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK);
+        if (ecode)
+                goto error;
+ 
+@@ -811,9 +809,7 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
+                                (opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd",
+                                handle);
+ 
+-       ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE |
+-                                               BT_ATT_PERM_WRITE_AUTHEN |
+-                                               BT_ATT_PERM_WRITE_ENCRYPT);
+       ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
+        if (ecode)
+                goto error;
+ 
+@@ -913,9 +909,7 @@ static void handle_read_req(struct bt_att_chan *chan,
+                        opcode == BT_ATT_OP_READ_BLOB_REQ ? "Blob " : "",
+                        handle);
+ 
+-       ecode = check_permissions(server, attr, BT_ATT_PERM_READ |
+-                                               BT_ATT_PERM_READ_AUTHEN |
+-                                               BT_ATT_PERM_READ_ENCRYPT);
+       ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK);
+        if (ecode)
+                goto error;
+ 
+@@ -1051,9 +1045,8 @@ static void read_multiple_complete_cb(struct gatt_db_attribute *attr, int err,
+                goto error;
+        }
+ 
+-       ecode = check_permissions(data->server, next_attr, BT_ATT_PERM_READ |
+-                                               BT_ATT_PERM_READ_AUTHEN |
+-                                               BT_ATT_PERM_READ_ENCRYPT);
+       ecode = check_permissions(data->server, next_attr,
+                                               BT_ATT_PERM_READ_MASK);
+        if (ecode)
+                goto error;
+ 
+@@ -1129,9 +1122,7 @@ static void read_multiple_cb(struct bt_att_chan *chan, uint8_t opcode,
+                goto error;
+        }
+ 
+-       ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ |
+-                                               BT_ATT_PERM_READ_AUTHEN |
+-                                               BT_ATT_PERM_READ_ENCRYPT);
+       ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ_MASK);
+        if (ecode)
+                goto error;
+ 
+@@ -1308,9 +1299,7 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode,
+        util_debug(server->debug_callback, server->debug_data,
+                                "Prep Write Req - handle: 0x%04x", handle);
+ 
+-       ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE |
+-                                               BT_ATT_PERM_WRITE_AUTHEN |
+-                                               BT_ATT_PERM_WRITE_ENCRYPT);
+       ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
+        if (ecode)
+                goto error;
+ 
+-- 
+2.31.1

diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc index 0d30b1a3f5..22e0f33610 100644 --- a/meta/recipes-connectivity/bluez5/bluez5.inc +++ b/meta/recipes-connectivity/bluez5/bluez5.inc
@@ -53,6 +53,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \
53	file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \	53	file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \
54	file://0001-test-gatt-Fix-hung-issue.patch \	54	file://0001-test-gatt-Fix-hung-issue.patch \
55	file://0001-adapter-Fix-storing-discoverable-setting.patch \	55	file://0001-adapter-Fix-storing-discoverable-setting.patch \
		56	file://0001-shared-gatt-server-Fix-not-properly-checking-for-sec.patch \
56	"	57	"
57	S = "${WORKDIR}/bluez-${PV}"	58	S = "${WORKDIR}/bluez-${PV}"
58		59


diff --git a/meta/recipes-connectivity/bluez5/bluez5/0001-shared-gatt-server-Fix-not-properly-checking-for-sec.patch b/meta/recipes-connectivity/bluez5/bluez5/0001-shared-gatt-server-Fix-not-properly-checking-for-sec.patch new file mode 100644 index 0000000000..422fd211ca --- /dev/null +++ b/meta/recipes-connectivity/bluez5/bluez5/0001-shared-gatt-server-Fix-not-properly-checking-for-sec.patch
@@ -0,0 +1,113 @@
		1	From 00da0fb4972cf59e1c075f313da81ea549cb8738 Mon Sep 17 00:00:00 2001
		2	From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
		3	Date: Tue, 2 Mar 2021 11:38:33 -0800
		4	Subject: [PATCH] shared/gatt-server: Fix not properly checking for secure
		5	flags
		6
		7	When passing the mask to check_permissions all valid permissions for
		8	the operation must be set including BT_ATT_PERM_SECURE flags.
		9
		10	Upstream-Status: Backport
		11	(https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=00da0fb4972cf59e1c075f313da81ea549cb8738)
		12
		13	CVE: CVE-2021-0129
		14
		15	Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
		16	---
		17	src/shared/att-types.h \| 8 ++++++++
		18	src/shared/gatt-server.c \| 25 +++++++------------------
		19	2 files changed, 15 insertions(+), 18 deletions(-)
		20
		21	diff --git a/src/shared/att-types.h b/src/shared/att-types.h
		22	index 7108b4e94..3adc05d9e 100644
		23	--- a/src/shared/att-types.h
		24	+++ b/src/shared/att-types.h
		25	@@ -129,6 +129,14 @@ struct bt_att_pdu_error_rsp {
		26	#define BT_ATT_PERM_WRITE_SECURE 0x0200
		27	#define BT_ATT_PERM_SECURE (BT_ATT_PERM_READ_SECURE \| \
		28	BT_ATT_PERM_WRITE_SECURE)
		29	+#define BT_ATT_PERM_READ_MASK (BT_ATT_PERM_READ \| \
		30	+ BT_ATT_PERM_READ_AUTHEN \| \
		31	+ BT_ATT_PERM_READ_ENCRYPT \| \
		32	+ BT_ATT_PERM_READ_SECURE)
		33	+#define BT_ATT_PERM_WRITE_MASK (BT_ATT_PERM_WRITE \| \
		34	+ BT_ATT_PERM_WRITE_AUTHEN \| \
		35	+ BT_ATT_PERM_WRITE_ENCRYPT \| \
		36	+ BT_ATT_PERM_WRITE_SECURE)
		37
		38	/* GATT Characteristic Properties Bitfield values */
		39	#define BT_GATT_CHRC_PROP_BROADCAST 0x01
		40	diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
		41	index b5f7de7dc..970c35f94 100644
		42	--- a/src/shared/gatt-server.c
		43	+++ b/src/shared/gatt-server.c
		44	@@ -444,9 +444,7 @@ static void process_read_by_type(struct async_read_op *op)
		45	return;
		46	}
		47
		48	- ecode = check_permissions(server, attr, BT_ATT_PERM_READ \|
		49	- BT_ATT_PERM_READ_AUTHEN \|
		50	- BT_ATT_PERM_READ_ENCRYPT);
		51	+ ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK);
		52	if (ecode)
		53	goto error;
		54
		55	@@ -811,9 +809,7 @@ static void write_cb(struct bt_att_chan chan, uint8_t opcode, const void pdu,
		56	(opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd",
		57	handle);
		58
		59	- ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE \|
		60	- BT_ATT_PERM_WRITE_AUTHEN \|
		61	- BT_ATT_PERM_WRITE_ENCRYPT);
		62	+ ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
		63	if (ecode)
		64	goto error;
		65
		66	@@ -913,9 +909,7 @@ static void handle_read_req(struct bt_att_chan *chan,
		67	opcode == BT_ATT_OP_READ_BLOB_REQ ? "Blob " : "",
		68	handle);
		69
		70	- ecode = check_permissions(server, attr, BT_ATT_PERM_READ \|
		71	- BT_ATT_PERM_READ_AUTHEN \|
		72	- BT_ATT_PERM_READ_ENCRYPT);
		73	+ ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK);
		74	if (ecode)
		75	goto error;
		76
		77	@@ -1051,9 +1045,8 @@ static void read_multiple_complete_cb(struct gatt_db_attribute *attr, int err,
		78	goto error;
		79	}
		80
		81	- ecode = check_permissions(data->server, next_attr, BT_ATT_PERM_READ \|
		82	- BT_ATT_PERM_READ_AUTHEN \|
		83	- BT_ATT_PERM_READ_ENCRYPT);
		84	+ ecode = check_permissions(data->server, next_attr,
		85	+ BT_ATT_PERM_READ_MASK);
		86	if (ecode)
		87	goto error;
		88
		89	@@ -1129,9 +1122,7 @@ static void read_multiple_cb(struct bt_att_chan *chan, uint8_t opcode,
		90	goto error;
		91	}
		92
		93	- ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ \|
		94	- BT_ATT_PERM_READ_AUTHEN \|
		95	- BT_ATT_PERM_READ_ENCRYPT);
		96	+ ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ_MASK);
		97	if (ecode)
		98	goto error;
		99
		100	@@ -1308,9 +1299,7 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode,
		101	util_debug(server->debug_callback, server->debug_data,
		102	"Prep Write Req - handle: 0x%04x", handle);
		103
		104	- ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE \|
		105	- BT_ATT_PERM_WRITE_AUTHEN \|
		106	- BT_ATT_PERM_WRITE_ENCRYPT);
		107	+ ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
		108	if (ecode)
		109	goto error;
		110
		111	--
		112	2.31.1
		113