From: "Steve Sakoman"
Date: Fri, 6 Nov 2020 05:12:55 -1000
Subject: Re: [OE-core] [gatesgarth][PATCH 13/22] bluez5: fix CVE-2020-27153
To: Anuj Mittal
Cc: Patches and discussions about the oe-core layer
In-Reply-To: <4b50d20e15bb0fb9ff83730931ee35cf772f93d7.1604643684.git.anuj.mittal@intel.com>

This morning I also submitted a patch to fix CVE-2020-27153 in dunfell (bluez5: update to 5.55 to fix CVE-2020-27153):

https://lists.openembedded.org/g/openembedded-core/message/144343

5.55 seems to be a security/bug fix release so it seemed appropriate:

https://github.com/bluez/bluez/commit/5a180f2ec9edfacafd95e5fed20d36fe8e077f07

We should do the same fix in dunfell/gatesgarth, so I'd love to get some feedback from the community on the preferred approach.

Steve

On Thu, Nov 5, 2020 at 8:28 PM Anuj Mittal wrote:
> > From: Chee Yang Lee > > (From OE-Core rev: 4b0688bb8abb2fb8a620541207d40e90e4bf16f9) > > Signed-off-by: Chee Yang Lee > Signed-off-by: Richard Purdie > --- > .../bluez5/bluez5/CVE-2020-27153.patch | 146 ++++++++++++++++++ > .../bluez5/bluez5_5.54.bb | 2 + > 2 files changed, 148 insertions(+) > create mode 100644 meta/recipes-connectivity/bluez5/bluez5/CVE-2020-27153.patch > > diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2020-27153.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2020-27153.patch > new file mode 100644 > index 0000000000..7b06dd2071 > --- /dev/null > +++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2020-27153.patch
> @@ -0,0 +1,146 @@ > +From 1cd644db8c23a2f530ddb93cebed7dacc5f5721a Mon Sep 17 00:00:00 2001 > +From: Luiz Augusto von Dentz > +Date: Wed, 15 Jul 2020 18:25:37 -0700 > +Subject: [PATCH] shared/att: Fix possible crash on disconnect > + > +If there are pending request while disconnecting they would be notified > +but clients may endup being freed in the proccess which will then be > +calling bt_att_cancel to cancal its requests causing the following > +trace: > + > +Invalid read of size 4 > + at 0x1D894C: enable_ccc_callback (gatt-client.c:1627) > + by 0x1D247B: disc_att_send_op (att.c:417) > + by 0x1CCC17: queue_remove_all (queue.c:354) > + by 0x1D47B7: disconnect_cb (att.c:635) > + by 0x1E0707: watch_callback (io-glib.c:170) > + by 0x48E963B: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.6400.4) > + by 0x48E9AC7: ??? (in /usr/lib/libglib-2.0.so.0.6400.4) > + by 0x48E9ECF: g_main_loop_run (in /usr/lib/libglib-2.0.so.0.6400.4) > + by 0x1E0E97: mainloop_run (mainloop-glib.c:79) > + by 0x1E13B3: mainloop_run_with_signal (mainloop-notify.c:201) > + by 0x12BC3B: main (main.c:770) > + Address 0x7d40a28 is 24 bytes inside a block of size 32 free'd > + at 0x484A2E0: free (vg_replace_malloc.c:540) > + by 0x1CCC17: queue_remove_all (queue.c:354) > + by 0x1CCC83: queue_destroy (queue.c:73) > + by 0x1D7DD7: bt_gatt_client_free (gatt-client.c:2209) > + by 0x16497B: batt_free (battery.c:77) > + by 0x16497B: batt_remove (battery.c:286) > + by 0x1A0013: service_remove (service.c:176) > + by 0x1A9B7B: device_remove_gatt_service (device.c:3691) > + by 0x1A9B7B: gatt_service_removed (device.c:3805) > + by 0x1CC90B: queue_foreach (queue.c:220) > + by 0x1DE27B: notify_service_changed.isra.0.part.0 (gatt-db.c:369) > + by 0x1DE387: notify_service_changed (gatt-db.c:361) > + by 0x1DE387: gatt_db_service_destroy (gatt-db.c:385) > + by 0x1DE3EF: gatt_db_remove_service (gatt-db.c:519) > + by 0x1D674F: discovery_op_complete (gatt-client.c:388) > + by 0x1D6877: discover_primary_cb 
(gatt-client.c:1260) > + by 0x1E220B: discovery_op_complete (gatt-helpers.c:628) > + by 0x1E249B: read_by_grp_type_cb (gatt-helpers.c:730) > + by 0x1D247B: disc_att_send_op (att.c:417) > + by 0x1CCC17: queue_remove_all (queue.c:354) > + by 0x1D47B7: disconnect_cb (att.c:635) > + > +Upstream-Status: Backport > +[https://github.com/bluez/bluez/commit/1cd644db8c23a2f530ddb93cebed7dacc5f5721a] > +CVE: CVE-2020-27153 > +Signed-off-by: Chee Yang Lee > +--- > + src/shared/att.c | 46 ++++++++++++++++++++++++++++++++++++++++------ > + 1 file changed, 40 insertions(+), 6 deletions(-) > + > +diff --git a/src/shared/att.c b/src/shared/att.c > +index ed3af2920..58f23dfcb 100644 > +--- a/src/shared/att.c > ++++ b/src/shared/att.c > +@@ -84,6 +84,7 @@ struct bt_att { > + struct queue *req_queue; /* Queued ATT protocol requests */ > + struct queue *ind_queue; /* Queued ATT protocol indications */ > + struct queue *write_queue; /* Queue of PDUs ready to send */ > ++ bool in_disc; /* Cleanup queues on disconnect_cb */ > + > + bt_att_timeout_func_t timeout_callback; > + bt_att_destroy_func_t timeout_destroy; > +@@ -222,8 +223,10 @@ static void destroy_att_send_op(void *data) > + free(op); > + } > + > +-static void cancel_att_send_op(struct att_send_op *op) > ++static void cancel_att_send_op(void *data) > + { > ++ struct att_send_op *op = data; > ++ > + if (op->destroy) > + op->destroy(op->user_data); > + > +@@ -631,11 +634,6 @@ static bool disconnect_cb(struct io *io, void *user_data) > + /* Dettach channel */ > + queue_remove(att->chans, chan); > + > +- /* Notify request callbacks */ > +- queue_remove_all(att->req_queue, NULL, NULL, disc_att_send_op); > +- queue_remove_all(att->ind_queue, NULL, NULL, disc_att_send_op); > +- queue_remove_all(att->write_queue, NULL, NULL, disc_att_send_op); > +- > + if (chan->pending_req) { > + disc_att_send_op(chan->pending_req); > + chan->pending_req = NULL; > +@@ -654,6 +652,15 @@ static bool disconnect_cb(struct io *io, void *user_data) > + > + 
bt_att_ref(att); > + > ++ att->in_disc = true; > ++ > ++ /* Notify request callbacks */ > ++ queue_remove_all(att->req_queue, NULL, NULL, disc_att_send_op); > ++ queue_remove_all(att->ind_queue, NULL, NULL, disc_att_send_op); > ++ queue_remove_all(att->write_queue, NULL, NULL, disc_att_send_op); > ++ > ++ att->in_disc = false; > ++ > + queue_foreach(att->disconn_list, disconn_handler, INT_TO_PTR(err)); > + > + bt_att_unregister_all(att); > +@@ -1574,6 +1581,30 @@ bool bt_att_chan_cancel(struct bt_att_chan *chan, unsigned int id) > + return true; > + } > + > ++static bool bt_att_disc_cancel(struct bt_att *att, unsigned int id) > ++{ > ++ struct att_send_op *op; > ++ > ++ op = queue_find(att->req_queue, match_op_id, UINT_TO_PTR(id)); > ++ if (op) > ++ goto done; > ++ > ++ op = queue_find(att->ind_queue, match_op_id, UINT_TO_PTR(id)); > ++ if (op) > ++ goto done; > ++ > ++ op = queue_find(att->write_queue, match_op_id, UINT_TO_PTR(id)); > ++ > ++done: > ++ if (!op) > ++ return false; > ++ > ++ /* Just cancel since disconnect_cb will be cleaning up */ > ++ cancel_att_send_op(op); > ++ > ++ return true; > ++} > ++ > + bool bt_att_cancel(struct bt_att *att, unsigned int id) > + { > + const struct queue_entry *entry; > +@@ -1591,6 +1622,9 @@ bool bt_att_cancel(struct bt_att *att, unsigned int id) > + return true; > + } > + > ++ if (att->in_disc) > ++ return bt_att_disc_cancel(att, id); > ++ > + op = queue_remove_if(att->req_queue, match_op_id, UINT_TO_PTR(id)); > + if (op) > + goto done; > diff --git a/meta/recipes-connectivity/bluez5/bluez5_5.54.bb b/meta/recipes-connectivity/bluez5/bluez5_5.54.bb > index 260eee1402..9a21f14fae 100644 > --- a/meta/recipes-connectivity/bluez5/bluez5_5.54.bb > +++ b/meta/recipes-connectivity/bluez5/bluez5_5.54.bb 
> @@ -1,5 +1,7 @@ > require bluez5.inc > > +SRC_URI += " file://CVE-2020-27153.patch" > + > SRC_URI[md5sum] = "e637feb2dbb7582bbbff1708367a847c" > SRC_URI[sha256sum] = "68cdab9e63e8832b130d5979dc8c96fdb087b31278f342874d992af3e56656dc" > > -- > 2.28.0 > > > >
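Review bot: in the @@ -84,6 +84,7 @@ hunk the new `bool in_disc` member has no initialiser anywhere in this patch, so its starting value depends on bt_att_new zero-filling the struct; that allocation is outside the diff, so it is worth confirming (and a one-line note in the commit message would settle it), because an uninitialised true would send every bt_att_cancel through the new bt_att_disc_cancel path, which leaves the op queued instead of removing it.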
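Review bot: in the @@ -222,8 +223,10 @@ hunk, changing cancel_att_send_op to take `void *data` and adding the `struct att_send_op *op = data;` local is not exercised by anything visible in this patch: the only caller added here, bt_att_disc_cancel, passes a `struct att_send_op *` directly. If the void * form is intended so the function can later be handed to a queue callback, say so in the commit message; otherwise keep the typed parameter and drop the extra local.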
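Review bot: the three queue_remove_all calls in the @@ -654,6 +652,15 @@ hunk are the same drain deleted in the @@ -631,11 +634,6 @@ hunk, now placed after `bt_att_ref(att);` and bracketed by `att->in_disc = true;` / `att->in_disc = false;`. The commit message shows only the valgrind trace and explains neither change: the extra reference keeps att alive while the notified callbacks free their clients, and the flag makes a bt_att_cancel issued from inside those callbacks (the situation the message describes) take the new bt_att_disc_cancel path instead of queue_remove_if on a queue that queue_remove_all is still walking. A sentence to that effect would stop the reorder being read as cosmetic. Note also that in_disc is cleared unconditionally after the drain, which is fine today because nothing between the two assignments can return early; any future early return there would leave the flag stuck at true.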
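Review bot: in the @@ -1574,6 +1581,30 @@ hunk, bt_att_disc_cancel repeats the req/ind/write lookup that bt_att_cancel already performs, differing only in queue_find versus queue_remove_if. The comment "Just cancel since disconnect_cb will be cleaning up" explains why the op is left queued, but that is only safe if cancel_att_send_op leaves the op in a state that the later disc_att_send_op call can process without invoking the cancelled callback; that part of cancel_att_send_op is outside the visible hunk, so please confirm it and extend the comment to say the callback and destroy are cleared rather than the op freed.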