diff --git a/backport-CVE-2020-27153.patch b/backport-CVE-2020-27153.patch new file mode 100644 index 0000000000000000000000000000000000000000..c319d2686cce353378dee09b8e3e5f14333701df --- /dev/null +++ b/backport-CVE-2020-27153.patch @@ -0,0 +1,145 @@ +From 1cd644db8c23a2f530ddb93cebed7dacc5f5721a Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz +Date: Wed, 15 Jul 2020 18:25:37 -0700 +Subject: [PATCH] shared/att: Fix possible crash on disconnect + +If there are pending request while disconnecting they would be notified +but clients may endup being freed in the proccess which will then be +calling bt_att_cancel to cancal its requests causing the following +trace: + +Invalid read of size 4 + at 0x1D894C: enable_ccc_callback (gatt-client.c:1627) + by 0x1D247B: disc_att_send_op (att.c:417) + by 0x1CCC17: queue_remove_all (queue.c:354) + by 0x1D47B7: disconnect_cb (att.c:635) + by 0x1E0707: watch_callback (io-glib.c:170) + by 0x48E963B: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.6400.4) + by 0x48E9AC7: ??? (in /usr/lib/libglib-2.0.so.0.6400.4) + by 0x48E9ECF: g_main_loop_run (in /usr/lib/libglib-2.0.so.0.6400.4) + by 0x1E0E97: mainloop_run (mainloop-glib.c:79) + by 0x1E13B3: mainloop_run_with_signal (mainloop-notify.c:201) + by 0x12BC3B: main (main.c:770) + Address 0x7d40a28 is 24 bytes inside a block of size 32 free'd + at 0x484A2E0: free (vg_replace_malloc.c:540) + by 0x1CCC17: queue_remove_all (queue.c:354) + by 0x1CCC83: queue_destroy (queue.c:73) + by 0x1D7DD7: bt_gatt_client_free (gatt-client.c:2209) + by 0x16497B: batt_free (battery.c:77) + by 0x16497B: batt_remove (battery.c:286) + by 0x1A0013: service_remove (service.c:176) + by 0x1A9B7B: device_remove_gatt_service (device.c:3691) + by 0x1A9B7B: gatt_service_removed (device.c:3805) + by 0x1CC90B: queue_foreach (queue.c:220) + by 0x1DE27B: notify_service_changed.isra.0.part.0 (gatt-db.c:369) + by 0x1DE387: notify_service_changed (gatt-db.c:361) + by 0x1DE387: gatt_db_service_destroy (gatt-db.c:385) + by 0x1DE3EF: gatt_db_remove_service (gatt-db.c:519) + by 0x1D674F: discovery_op_complete (gatt-client.c:388) + by 0x1D6877: discover_primary_cb (gatt-client.c:1260) + by 0x1E220B: discovery_op_complete (gatt-helpers.c:628) + by 0x1E249B: read_by_grp_type_cb (gatt-helpers.c:730) + by 0x1D247B: disc_att_send_op (att.c:417) + by 0x1CCC17: queue_remove_all (queue.c:354) + by 0x1D47B7: disconnect_cb (att.c:635) + +--- + src/shared/att.c | 46 ++++++++++++++++++++++++++++++++++++++++------ + 1 file changed, 40 insertions(+), 6 deletions(-) + +diff --git a/src/shared/att.c b/src/shared/att.c +index 948a554..8c3df91 100644 +--- a/src/shared/att.c ++++ b/src/shared/att.c +@@ -84,6 +84,7 @@ struct bt_att { + struct queue *req_queue; /* Queued ATT protocol requests */ + struct queue *ind_queue; /* Queued ATT protocol indications */ + struct queue *write_queue; /* Queue of PDUs ready to send */ ++ bool in_disc; /* Cleanup queues on disconnect_cb */ + + bt_att_timeout_func_t timeout_callback; + bt_att_destroy_func_t timeout_destroy; +@@ -222,8 +223,10 @@ static void destroy_att_send_op(void *data) + free(op); + } + +-static void cancel_att_send_op(struct att_send_op *op) ++static void cancel_att_send_op(void *data) + { ++ struct att_send_op *op = data; ++ + if (op->destroy) + op->destroy(op->user_data); + +@@ -631,11 +634,6 @@ static bool disconnect_cb(struct io *io, void *user_data) + /* Dettach channel */ + queue_remove(att->chans, chan); + +- /* Notify request callbacks */ +- queue_remove_all(att->req_queue, NULL, NULL, disc_att_send_op); +- queue_remove_all(att->ind_queue, NULL, NULL, disc_att_send_op); +- queue_remove_all(att->write_queue, NULL, NULL, disc_att_send_op); +- + if (chan->pending_req) { + disc_att_send_op(chan->pending_req); + chan->pending_req = NULL; +@@ -654,6 +652,15 @@ static bool disconnect_cb(struct io *io, void *user_data) + + bt_att_ref(att); + ++ att->in_disc = true; ++ ++ /* Notify request callbacks */ ++ queue_remove_all(att->req_queue, NULL, NULL, disc_att_send_op); ++ queue_remove_all(att->ind_queue, NULL, NULL, disc_att_send_op); ++ queue_remove_all(att->write_queue, NULL, NULL, disc_att_send_op); ++ ++ att->in_disc = false; ++ + queue_foreach(att->disconn_list, disconn_handler, INT_TO_PTR(err)); + + bt_att_unregister_all(att); +@@ -1575,6 +1582,30 @@ bool bt_att_chan_cancel(struct bt_att_chan *chan, unsigned int id) + return true; + } + ++static bool bt_att_disc_cancel(struct bt_att *att, unsigned int id) ++{ ++ struct att_send_op *op; ++ ++ op = queue_find(att->req_queue, match_op_id, UINT_TO_PTR(id)); ++ if (op) ++ goto done; ++ ++ op = queue_find(att->ind_queue, match_op_id, UINT_TO_PTR(id)); ++ if (op) ++ goto done; ++ ++ op = queue_find(att->write_queue, match_op_id, UINT_TO_PTR(id)); ++ ++done: ++ if (!op) ++ return false; ++ ++ /* Just cancel since disconnect_cb will be cleaning up */ ++ cancel_att_send_op(op); ++ ++ return true; ++} ++ + bool bt_att_cancel(struct bt_att *att, unsigned int id) + { + const struct queue_entry *entry; +@@ -1592,6 +1623,9 @@ bool bt_att_cancel(struct bt_att *att, unsigned int id) + return true; + } + ++ if (att->in_disc) ++ return bt_att_disc_cancel(att, id); ++ + op = queue_remove_if(att->req_queue, match_op_id, UINT_TO_PTR(id)); + if (op) + goto done; +-- +2.27.0 + diff --git a/bluez.spec b/bluez.spec index 8df9c7fc5397070e5359242fa0f689e8f24071ec..3604b08ce3714c9497923fbfd4b54bcc07999620 100644 --- a/bluez.spec +++ b/bluez.spec @@ -1,7 +1,7 @@ Name: bluez Summary: Bluetooth utilities Version: 5.54 -Release: 3 +Release: 4 License: GPLv2+ URL: http://www.bluez.org/ Source0: http://www.kernel.org/pub/linux/bluetooth/bluez-%{version}.tar.xz @@ -20,6 +20,7 @@ Patch0006: backport-CVE-2021-3588.patch # workaround for broken tests (reported upstream but not yet fixed) # upstream:https://github.com/bluez/bluez/commit/5fc60b2ce7c4370ff8d9bc3d3c3434b212465f40 Patch0007: backport-bluez-disable-test-mesh-crypto.patch +Patch6000: backport-CVE-2020-27153.patch BuildRequires: dbus-devel >= 1.6 libell-devel >= 0.28 autoconf BuildRequires: git-core glib2-devel libical-devel readline-devel @@ -176,6 +177,12 @@ make check %{_mandir}/man8/* %changelog +* Tue Aug 10 2021 zhanzhimin - 5.54-4 +- Type:CVE +- ID:CVE-2020-27153 +- SUG:NA +- DESC:fix CVE-2020-27153 + * Mon Jun 28 2021 hanhui - 5.54-3 - DESC:disable test-mesh-crypto