aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTrevor Gamblin <trevor.gamblin@windriver.com>2021-09-08 16:08:33 -0400
committerAnuj Mittal <anuj.mittal@intel.com>2021-09-15 10:09:06 +0800
commitbe18e566413efef12dc2488ab186f397d1dacda9 (patch)
tree0ecc6a6f7bae01bf4c0c9df5c43186cda6532886
parentcbb7b8cfbd4cfe6115e858e14f415d89d182f550 (diff)
downloadopenembedded-core-contrib-be18e566413efef12dc2488ab186f397d1dacda9.tar.gz
openembedded-core-contrib-be18e566413efef12dc2488ab186f397d1dacda9.tar.bz2
openembedded-core-contrib-be18e566413efef12dc2488ab186f397d1dacda9.zip
bluez5: fix CVE-2021-0129
Backport a fix from version 5.57 rather than doing an uprev, since there appear to be some minor functional changes between our current version and that version, despite the changelog only listing fixes. Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
-rw-r--r--meta/recipes-connectivity/bluez5/bluez5.inc1
-rw-r--r--meta/recipes-connectivity/bluez5/bluez5/0001-shared-gatt-server-Fix-not-properly-checking-for-sec.patch113
2 files changed, 114 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc
index 0d30b1a3f5..22e0f33610 100644
--- a/meta/recipes-connectivity/bluez5/bluez5.inc
+++ b/meta/recipes-connectivity/bluez5/bluez5.inc
@@ -53,6 +53,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \
file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \
file://0001-test-gatt-Fix-hung-issue.patch \
file://0001-adapter-Fix-storing-discoverable-setting.patch \
+ file://0001-shared-gatt-server-Fix-not-properly-checking-for-sec.patch \
"
S = "${WORKDIR}/bluez-${PV}"
diff --git a/meta/recipes-connectivity/bluez5/bluez5/0001-shared-gatt-server-Fix-not-properly-checking-for-sec.patch b/meta/recipes-connectivity/bluez5/bluez5/0001-shared-gatt-server-Fix-not-properly-checking-for-sec.patch
new file mode 100644
index 0000000000..422fd211ca
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/0001-shared-gatt-server-Fix-not-properly-checking-for-sec.patch
@@ -0,0 +1,113 @@
+From 00da0fb4972cf59e1c075f313da81ea549cb8738 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Tue, 2 Mar 2021 11:38:33 -0800
+Subject: [PATCH] shared/gatt-server: Fix not properly checking for secure
+ flags
+
+When passing the mask to check_permissions all valid permissions for
+the operation must be set including BT_ATT_PERM_SECURE flags.
+
+Upstream-Status: Backport
+(https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=00da0fb4972cf59e1c075f313da81ea549cb8738)
+
+CVE: CVE-2021-0129
+
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+---
+ src/shared/att-types.h | 8 ++++++++
+ src/shared/gatt-server.c | 25 +++++++------------------
+ 2 files changed, 15 insertions(+), 18 deletions(-)
+
+diff --git a/src/shared/att-types.h b/src/shared/att-types.h
+index 7108b4e94..3adc05d9e 100644
+--- a/src/shared/att-types.h
++++ b/src/shared/att-types.h
+@@ -129,6 +129,14 @@ struct bt_att_pdu_error_rsp {
+ #define BT_ATT_PERM_WRITE_SECURE 0x0200
+ #define BT_ATT_PERM_SECURE (BT_ATT_PERM_READ_SECURE | \
+ BT_ATT_PERM_WRITE_SECURE)
++#define BT_ATT_PERM_READ_MASK (BT_ATT_PERM_READ | \
++ BT_ATT_PERM_READ_AUTHEN | \
++ BT_ATT_PERM_READ_ENCRYPT | \
++ BT_ATT_PERM_READ_SECURE)
++#define BT_ATT_PERM_WRITE_MASK (BT_ATT_PERM_WRITE | \
++ BT_ATT_PERM_WRITE_AUTHEN | \
++ BT_ATT_PERM_WRITE_ENCRYPT | \
++ BT_ATT_PERM_WRITE_SECURE)
+
+ /* GATT Characteristic Properties Bitfield values */
+ #define BT_GATT_CHRC_PROP_BROADCAST 0x01
+diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
+index b5f7de7dc..970c35f94 100644
+--- a/src/shared/gatt-server.c
++++ b/src/shared/gatt-server.c
+@@ -444,9 +444,7 @@ static void process_read_by_type(struct async_read_op *op)
+ return;
+ }
+
+- ecode = check_permissions(server, attr, BT_ATT_PERM_READ |
+- BT_ATT_PERM_READ_AUTHEN |
+- BT_ATT_PERM_READ_ENCRYPT);
++ ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK);
+ if (ecode)
+ goto error;
+
+@@ -811,9 +809,7 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
+ (opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd",
+ handle);
+
+- ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE |
+- BT_ATT_PERM_WRITE_AUTHEN |
+- BT_ATT_PERM_WRITE_ENCRYPT);
++ ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
+ if (ecode)
+ goto error;
+
+@@ -913,9 +909,7 @@ static void handle_read_req(struct bt_att_chan *chan,
+ opcode == BT_ATT_OP_READ_BLOB_REQ ? "Blob " : "",
+ handle);
+
+- ecode = check_permissions(server, attr, BT_ATT_PERM_READ |
+- BT_ATT_PERM_READ_AUTHEN |
+- BT_ATT_PERM_READ_ENCRYPT);
++ ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK);
+ if (ecode)
+ goto error;
+
+@@ -1051,9 +1045,8 @@ static void read_multiple_complete_cb(struct gatt_db_attribute *attr, int err,
+ goto error;
+ }
+
+- ecode = check_permissions(data->server, next_attr, BT_ATT_PERM_READ |
+- BT_ATT_PERM_READ_AUTHEN |
+- BT_ATT_PERM_READ_ENCRYPT);
++ ecode = check_permissions(data->server, next_attr,
++ BT_ATT_PERM_READ_MASK);
+ if (ecode)
+ goto error;
+
+@@ -1129,9 +1122,7 @@ static void read_multiple_cb(struct bt_att_chan *chan, uint8_t opcode,
+ goto error;
+ }
+
+- ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ |
+- BT_ATT_PERM_READ_AUTHEN |
+- BT_ATT_PERM_READ_ENCRYPT);
++ ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ_MASK);
+ if (ecode)
+ goto error;
+
+@@ -1308,9 +1299,7 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode,
+ util_debug(server->debug_callback, server->debug_data,
+ "Prep Write Req - handle: 0x%04x", handle);
+
+- ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE |
+- BT_ATT_PERM_WRITE_AUTHEN |
+- BT_ATT_PERM_WRITE_ENCRYPT);
++ ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
+ if (ecode)
+ goto error;
+
+--
+2.31.1
+