Re: [OE-core][hardknott][PATCH] bluez5: fix CVE-2021-3658

* Re: [OE-core][hardknott][PATCH] bluez5: fix CVE-2021-3658
       [not found] <16A0C74572815139.29772@lists.openembedded.org>
@ 2021-09-08 14:43 ` Trevor Gamblin
  2021-09-09  1:14   ` Anuj Mittal
  0 siblings, 1 reply; 3+ messages in thread
From: Trevor Gamblin @ 2021-09-08 14:43 UTC (permalink / raw)
  To: openembedded-core

[-- Attachment #1: Type: text/plain, Size: 5273 bytes --]


On 2021-09-01 2:45 p.m., Trevor Gamblin wrote:
> Backporting upstream fix since the uprev from 5.60 -> 5.61 does include
> some minor functionality changes.
>
> Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Ping. Just wanna make sure this is picked up.
> ---
>   meta/recipes-connectivity/bluez5/bluez5.inc   |   1 +
>   ...ter-Fix-storing-discoverable-setting.patch | 100 ++++++++++++++++++
>   2 files changed, 101 insertions(+)
>   create mode 100644 meta/recipes-connectivity/bluez5/bluez5/0001-adapter-Fix-storing-discoverable-setting.patch
>
> diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc
> index a7b628ce1b..0d30b1a3f5 100644
> --- a/meta/recipes-connectivity/bluez5/bluez5.inc
> +++ b/meta/recipes-connectivity/bluez5/bluez5.inc
> @@ -52,6 +52,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \
>              ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \
>              file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \
>              file://0001-test-gatt-Fix-hung-issue.patch \
> +           file://0001-adapter-Fix-storing-discoverable-setting.patch \
>              "
>   S = "${WORKDIR}/bluez-${PV}"
>   
> diff --git a/meta/recipes-connectivity/bluez5/bluez5/0001-adapter-Fix-storing-discoverable-setting.patch b/meta/recipes-connectivity/bluez5/bluez5/0001-adapter-Fix-storing-discoverable-setting.patch
> new file mode 100644
> index 0000000000..c2a5edd226
> --- /dev/null
> +++ b/meta/recipes-connectivity/bluez5/bluez5/0001-adapter-Fix-storing-discoverable-setting.patch
> @@ -0,0 +1,100 @@
> +From b497b5942a8beb8f89ca1c359c54ad67ec843055 Mon Sep 17 00:00:00 2001
> +From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> +Date: Thu, 24 Jun 2021 16:32:04 -0700
> +Subject: [PATCH] adapter: Fix storing discoverable setting
> +
> +discoverable setting shall only be store when changed via Discoverable
> +property and not when discovery client set it as that be considered
> +temporary just for the lifetime of the discovery.
> +
> +Upstream-Status: Backport
> +(https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=b497b5942a8beb8f89ca1c359c54ad67ec843055)
> +
> +CVE: CVE-2021-3658
> +
> +Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
> +
> +---
> + src/adapter.c | 35 ++++++++++++++++++++++-------------
> + 1 file changed, 22 insertions(+), 13 deletions(-)
> +
> +diff --git a/src/adapter.c b/src/adapter.c
> +index 12e4ff5c0..663b778e4 100644
> +--- a/src/adapter.c
> ++++ b/src/adapter.c
> +@@ -560,7 +560,11 @@ static void settings_changed(struct btd_adapter *adapter, uint32_t settings)
> + 	if (changed_mask & MGMT_SETTING_DISCOVERABLE) {
> + 		g_dbus_emit_property_changed(dbus_conn, adapter->path,
> + 					ADAPTER_INTERFACE, "Discoverable");
> +-		store_adapter_info(adapter);
> ++		/* Only persist discoverable setting if it was not set
> ++		 * temporarily by discovery.
> ++		 */
> ++		if (!adapter->discovery_discoverable)
> ++			store_adapter_info(adapter);
> + 		btd_adv_manager_refresh(adapter->adv_manager);
> + 	}
> +
> +@@ -2162,8 +2166,6 @@ static bool filters_equal(struct mgmt_cp_start_service_discovery *a,
> + static int update_discovery_filter(struct btd_adapter *adapter)
> + {
> + 	struct mgmt_cp_start_service_discovery *sd_cp;
> +-	GSList *l;
> +-
> +
> + 	DBG("");
> +
> +@@ -2173,17 +2175,24 @@ static int update_discovery_filter(struct btd_adapter *adapter)
> + 		return -ENOMEM;
> + 	}
> +
> +-	for (l = adapter->discovery_list; l; l = g_slist_next(l)) {
> +-		struct discovery_client *client = l->data;
> ++	/* Only attempt to overwrite current discoverable setting when not
> ++	 * discoverable.
> ++	 */
> ++	if (!(adapter->current_settings & MGMT_OP_SET_DISCOVERABLE)) {
> ++		GSList *l;
> +
> +-		if (!client->discovery_filter)
> +-			continue;
> ++		for (l = adapter->discovery_list; l; l = g_slist_next(l)) {
> ++			struct discovery_client *client = l->data;
> +
> +-		if (client->discovery_filter->discoverable)
> +-			break;
> +-	}
> ++			if (!client->discovery_filter)
> ++				continue;
> +
> +-	set_discovery_discoverable(adapter, l ? true : false);
> ++			if (client->discovery_filter->discoverable) {
> ++				set_discovery_discoverable(adapter, true);
> ++				break;
> ++			}
> ++		}
> ++	}
> +
> + 	/*
> + 	 * If filters are equal, then don't update scan, except for when
> +@@ -2216,8 +2225,7 @@ static int discovery_stop(struct discovery_client *client)
> + 		return 0;
> + 	}
> +
> +-	if (adapter->discovery_discoverable)
> +-		set_discovery_discoverable(adapter, false);
> ++	set_discovery_discoverable(adapter, false);
> +
> + 	/*
> + 	 * In the idle phase of a discovery, there is no need to stop it
> +@@ -6913,6 +6921,7 @@ static void adapter_stop(struct btd_adapter *adapter)
> + 	g_free(adapter->current_discovery_filter);
> + 	adapter->current_discovery_filter = NULL;
> +
> ++	set_discovery_discoverable(adapter, false);
> + 	adapter->discovering = false;
> +
> + 	while (adapter->connections) {
> +--
> +2.33.0
> +
>
> 
>

[-- Attachment #2: Type: text/html, Size: 6585 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread