From: Ralph Siemsen <ralph.siemsen@linaro.org>
To: openembedded-core@lists.openembedded.org
Subject: [dunfell][PATCH v2] bluez5: fix CVE-2022-0204
Date: Thu, 31 Mar 2022 21:13:33 -0400
Message-ID: <20220401011333.1770802-1-ralph.siemsen@linaro.org>
In-Reply-To: <20220331193819.1623580-1-ralph.siemsen@linaro.org>

Fix heap overflow when appending prepare writes

The code shall check if the prepare writes would append more than the
allowed maximum attribute length.

Upstream-Status: Backport [https://github.com/bluez/bluez/commit/591c546c536b42bef696d027f64aa22434f8c3f0]
CVE: CVE-2022-0204

Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
---
v2: fix accidental patch damage

Status on other branches:
- master/kirkstone 5.64 includes the fix
- honister         5.61 needs patch
- hardknott        5.56 needs patch

 meta/recipes-connectivity/bluez5/bluez5.inc   |  1 +
 .../bluez5/bluez5/CVE-2022-0204.patch         | 66 +++++++++++++++++++
 2 files changed, 67 insertions(+)
 create mode 100644 meta/recipes-connectivity/bluez5/bluez5/CVE-2022-0204.patch

diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc
index 7cf061dcf6..4d4348898a 100644
--- a/meta/recipes-connectivity/bluez5/bluez5.inc
+++ b/meta/recipes-connectivity/bluez5/bluez5.inc
@@ -55,6 +55,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \
            file://CVE-2021-0129.patch \
            file://CVE-2021-3588.patch \
           file://CVE-2021-3658.patch \
+           file://CVE-2022-0204.patch \
            "
 S = "${WORKDIR}/bluez-${PV}"
 
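Review bot: the new `file://CVE-2022-0204.patch` entry is indented to match the CVE-2021-0129 and CVE-2021-3588 lines above it; the CVE-2021-3658 context line is one space short, a pre-existing inconsistency that is better fixed in a separate cleanup than folded into a CVE backport. With the CVE id in the patch file name and the `CVE: CVE-2022-0204` tag in the patch header, cve-check will record this CVE as patched for the recipe.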
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-0204.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-0204.patch
new file mode 100644
index 0000000000..646b5ddfc8
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-0204.patch
@@ -0,0 +1,66 @@
+From 0d328fdf6564b67fc2ec3533e3da201ebabcc9e3 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Tue, 8 Jun 2021 16:46:49 -0700
+Subject: [PATCH] shared/gatt-server: Fix heap overflow when appending prepare
+ writes
+
+The code shall check if the prepare writes would append more the
+allowed maximum attribute length.
+
+Fixes https://github.com/bluez/bluez/security/advisories/GHSA-479m-xcq5-9g2q
+
+Upstream-Status: Backport [https://github.com/bluez/bluez/commit/591c546c536b42bef696d027f64aa22434f8c3f0]
+Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
+CVE: CVE-2022-0204
+
+---
+ src/shared/gatt-server.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
+index 0c25a97..20e14bc 100644
+--- a/src/shared/gatt-server.c
++++ b/src/shared/gatt-server.c
+@@ -816,6 +816,20 @@ static uint8_t authorize_req(struct bt_gatt_server *server,
+ 						server->authorize_data);
+ }
+ 
++static uint8_t check_length(uint16_t length, uint16_t offset)
++{
++	if (length > BT_ATT_MAX_VALUE_LEN)
++		return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN;
++
++	if (offset > BT_ATT_MAX_VALUE_LEN)
++		return BT_ATT_ERROR_INVALID_OFFSET;
++
++	if (length + offset > BT_ATT_MAX_VALUE_LEN)
++		return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN;
++
++	return 0;
++}
++
+ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
+ 					uint16_t length, void *user_data)
+ {
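Review bot: in `check_length`, the comparison `length + offset > BT_ATT_MAX_VALUE_LEN` cannot wrap, because both `uint16_t` operands are promoted to `int` before the addition, so the sum is exact; on its own it would already catch every case the first two checks catch, and those two exist only to return the spec-appropriate code (`BT_ATT_ERROR_INVALID_OFFSET` for an out-of-range offset rather than `BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN`), which is worth a one-line comment in the function so nobody "simplifies" them away later. Separately, the `From 0d328fdf...` id at the top of the patch file is not the commit named in `Upstream-Status: Backport [.../591c546c...]`; that is expected when the patch is formatted from a locally cherry-picked commit, but stating it in the header (or regenerating from the upstream id) would make the provenance easier to audit.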
+@@ -846,6 +860,10 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
+ 				(opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd",
+ 				handle);
+ 
++	ecode = check_length(length, 0);
++	if (ecode)
++		goto error;
++
+ 	ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
+ 	if (ecode)
+ 		goto error;
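Review bot: `check_length(length, 0)` runs before `check_permissions`, so a peer sending an oversized value gets Invalid Attribute Value Length rather than a permission error when both apply; this matches the upstream commit the header points to, so the ordering is at least consistent with upstream. Note also that the `"Cmd"` case in the debug line (`BT_ATT_OP_WRITE_CMD`) has no response PDU in ATT, so the shared `error:` label must already suppress the error response for that opcode; since `check_permissions` takes the same path, this is existing behaviour rather than something this hunk introduces.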
+@@ -1353,6 +1371,10 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode,
+ 	util_debug(server->debug_callback, server->debug_data,
+ 				"Prep Write Req - handle: 0x%04x", handle);
+ 
++	ecode = check_length(length, offset);
++	if (ecode)
++		goto error;
++
+ 	ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
+ 	if (ecode)
+ 		goto error;
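Review bot: in `prep_write_cb` the check bounds each queued fragment individually, `offset + length <= BT_ATT_MAX_VALUE_LEN`, which is what keeps the later Execute Write from appending past the maximum attribute length as the commit message describes; the reassembly code itself is not part of this diff, so the guarantee rests on every queued prepare write having gone through this check. The `goto error` reuses the `ecode` variable and `error:` label that the unchanged `check_permissions` lines below already rely on, so no further declarations are needed.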
-- 
2.25.1



Thread overview: 5+ messages
2022-03-31 19:38 [dunfell][PATCH] bluez5: fix CVE-2022-0204 Ralph Siemsen
2022-03-31 20:25 ` [OE-core] " Khem Raj
2022-03-31 20:31   ` Ralph Siemsen
2022-03-31 20:57     ` Steve Sakoman
2022-04-01  1:13 ` Ralph Siemsen [this message]