diff --git a/backport-0001-CVE-2021-0129.patch b/backport-0001-CVE-2021-0129.patch new file mode 100644 index 0000000000000000000000000000000000000000..83a306b31b0e5bdc7b3f1db7484b95facc46bd1e --- /dev/null +++ b/backport-0001-CVE-2021-0129.patch @@ -0,0 +1,71 @@ +From d676c4ddcb569234c6ce499732bb5fbe76ba14ac Mon Sep 17 00:00:00 2001 +From: Szymon Janc +Date: Tue, 31 Mar 2020 12:45:32 +0200 +Subject: [PATCH] shared/gatt: Fix NULL pointer dereference + +bluetoothd[363094]: src/device.c:device_connect_le() Connection attempt to: 00:AA:01:00:00:23 + +Program received signal SIGSEGV, Segmentation fault. +write_complete_cb (attr=0x55555580aa30, err=-110, user_data=0x55555585f7c0) at src/shared/gatt-server.c:793 +793 util_debug(server->debug_callback, server->debug_data, +(gdb) bt + #0 write_complete_cb (attr=0x55555580aa30, err=-110, user_data=0x55555585f7c0) at src/shared/gatt-server.c:793 + #1 0x00005555556a5852 in pending_write_result (p=0x555555866030, err=) at src/shared/gatt-db.c:162 + #2 0x00005555556a5ac7 in write_timeout (user_data=0x555555866030) at src/shared/gatt-db.c:1879 + #3 0x00005555556a9b15 in timeout_callback (user_data=user_data@entry=0x555555864b20) at src/shared/timeout-glib.c:34 + #4 0x00007ffff7e1f081 in g_timeout_dispatch (source=source@entry=0x555555864f00, callback=0x5555556a9b00 , user_data=0x555555864b20) at ../glib/gmain.c:4705 + #5 0x00007ffff7e1e570 in g_main_dispatch (context=0x5555557d9630) at ../glib/gmain.c:3216 + #6 g_main_context_dispatch (context=context@entry=0x5555557d9630) at ../glib/gmain.c:3881 + #7 0x00007ffff7e1e900 in g_main_context_iterate (context=0x5555557d9630, block=block@entry=1, dispatch=dispatch@entry=1, self=) at ../glib/gmain.c:3954 + #8 0x00007ffff7e1ebf3 in g_main_loop_run (loop=0x5555557d75d0) at ../glib/gmain.c:4148 + #9 0x00005555556a9dbd in mainloop_run () at src/shared/mainloop-glib.c:79 + #10 0x00005555556aa36a in mainloop_run_with_signal (func=, user_data=0x0) at src/shared/mainloop-notify.c:201 + #11 0x00005555555bb9e3 in main (argc=, argv=) at src/main.c:770 + +Conflict:NA +Reference:https://github.com/bluez/bluez/commit/d676c4ddcb569234c6ce499732bb5fbe76ba14ac +--- + src/shared/gatt-server.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c +index 7e5d652e42..4e07398d21 100644 +--- a/src/shared/gatt-server.c ++++ b/src/shared/gatt-server.c +@@ -790,14 +790,14 @@ static void write_complete_cb(struct gatt_db_attribute *attr, int err, + struct bt_gatt_server *server = op->server; + uint16_t handle; + +- util_debug(server->debug_callback, server->debug_data, +- "Write Complete: err %d", err); +- + if (!server || op->opcode == BT_ATT_OP_WRITE_CMD) { + async_write_op_destroy(op); + return; + } + ++ util_debug(server->debug_callback, server->debug_data, ++ "Write Complete: err %d", err); ++ + handle = gatt_db_attribute_get_handle(attr); + + if (err) +@@ -914,14 +914,14 @@ static void read_complete_cb(struct gatt_db_attribute *attr, int err, + uint16_t mtu; + uint16_t handle; + +- util_debug(server->debug_callback, server->debug_data, +- "Read Complete: err %d", err); +- + if (!server) { + async_read_op_destroy(op); + return; + } + ++ util_debug(server->debug_callback, server->debug_data, ++ "Read Complete: err %d", err); ++ + mtu = bt_att_get_mtu(server->att); + handle = gatt_db_attribute_get_handle(attr); + + diff --git a/backport-0002-CVE-2021-0129.patch b/backport-0002-CVE-2021-0129.patch new file mode 100644 index 0000000000000000000000000000000000000000..59c1d75a79c21f00112e3700fd49b6b2f7ff0d7b --- /dev/null +++ b/backport-0002-CVE-2021-0129.patch @@ -0,0 +1,195 @@ +From ee49fb1d13617e7d38fbf8f979206b905aa25345 Mon Sep 17 00:00:00 2001 +From: Archie Pusaka +Date: Thu, 7 May 2020 14:38:46 +0800 +Subject: [PATCH] shared/gatt-server: Fix read multiple charc values + +According to bluetooth spec Ver 5.2, Vol 3, Part G, 4.8.4, An +ATT_ERROR_RSP PDU shall be sent by the server in response to the +ATT_READ_MULTIPLE_RSP PDU if insufficient authentication, +insufficient authorization, insufficient encryption key size, or +insufficient encryption is used by the client, or if a read operation +is not permitted on any of the Characteristic Values. + +Currently if the size of the response grows larger than the MTU size, +BlueZ does an early return and not check the permission for the rest +of the characteristics. This patch forces BlueZ to check for possible +errors even though we already reach MTU size. + +This patch also moves the read permission check for read multiple +characteristics so it is done before actually retrieving the +characteristics. + +Conflict:NA +Reference:https://github.com/bluez/bluez/commit/ee49fb1d13617e7d38fbf8f979206b905aa25345 +--- + src/shared/gatt-server.c | 88 ++++++++++++++++++++-------------------- + 1 file changed, 45 insertions(+), 43 deletions(-) + +diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c +index 4e07398d21..28ac2d68de 100644 +--- a/src/shared/gatt-server.c ++++ b/src/shared/gatt-server.c +@@ -1057,33 +1057,23 @@ static void read_multiple_complete_cb(struct gatt_db_attribute *attr, int err, + uint16_t length; + + if (err != 0) { +- bt_att_chan_send_error_rsp(data->chan, data->opcode, handle, +- err); +- read_mult_data_free(data); +- return; +- } +- +- ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ | +- BT_ATT_PERM_READ_AUTHEN | +- BT_ATT_PERM_READ_ENCRYPT); +- if (ecode) { +- bt_att_chan_send_error_rsp(data->chan, data->opcode, handle, +- ecode); +- read_mult_data_free(data); +- return; ++ ecode = err; ++ goto error; + } + + length = data->opcode == BT_ATT_OP_READ_MULT_VL_REQ ? +- MIN(len, data->mtu - data->length - 3) : ++ MIN(len, MAX(data->mtu - data->length, 3) - 3) : + MIN(len, data->mtu - data->length - 1); + + if (data->opcode == BT_ATT_OP_READ_MULT_VL_REQ) { + /* The Length Value Tuple List may be truncated within the first + * two octets of a tuple due to the size limits of the current +- * ATT_MTU. ++ * ATT_MTU, but the first two octets cannot be separated. + */ +- put_le16(len, data->rsp_data + data->length); +- data->length += 2; ++ if (data->mtu - data->length >= 3) { ++ put_le16(len, data->rsp_data + data->length); ++ data->length += 2; ++ } + } + + memcpy(data->rsp_data + data->length, value, length); +@@ -1091,45 +1081,46 @@ static void read_multiple_complete_cb(struct gatt_db_attribute *attr, int err, + + data->cur_handle++; + +- len = data->opcode == BT_ATT_OP_READ_MULT_VL_REQ ? +- data->mtu - data->length - 3 : data->mtu - data->length - 1; +- +- if (!len || (data->cur_handle == data->num_handles)) { ++ if (data->cur_handle == data->num_handles) { + bt_att_chan_send_rsp(data->chan, data->opcode + 1, + data->rsp_data, data->length); + read_mult_data_free(data); + return; + } + ++ handle = data->handles[data->cur_handle]; ++ + util_debug(data->server->debug_callback, data->server->debug_data, + "%s Req - #%zu of %zu: 0x%04x", + data->opcode == BT_ATT_OP_READ_MULT_REQ ? + "Read Multiple" : + "Read Multiple Variable Length", + data->cur_handle + 1, data->num_handles, +- data->handles[data->cur_handle]); ++ handle); + +- next_attr = gatt_db_get_attribute(data->server->db, +- data->handles[data->cur_handle]); ++ next_attr = gatt_db_get_attribute(data->server->db, handle); + + if (!next_attr) { +- bt_att_chan_send_error_rsp(data->chan, +- BT_ATT_OP_READ_MULT_REQ, +- data->handles[data->cur_handle], +- BT_ATT_ERROR_INVALID_HANDLE); +- read_mult_data_free(data); +- return; ++ ecode = BT_ATT_ERROR_INVALID_HANDLE; ++ goto error; + } + +- if (!gatt_db_attribute_read(next_attr, 0, BT_ATT_OP_READ_MULT_REQ, ++ ecode = check_permissions(data->server, next_attr, BT_ATT_PERM_READ | ++ BT_ATT_PERM_READ_AUTHEN | ++ BT_ATT_PERM_READ_ENCRYPT); ++ if (ecode) ++ goto error; ++ ++ if (gatt_db_attribute_read(next_attr, 0, data->opcode, + data->server->att, +- read_multiple_complete_cb, data)) { +- bt_att_chan_send_error_rsp(data->chan, +- BT_ATT_OP_READ_MULT_REQ, +- data->handles[data->cur_handle], +- BT_ATT_ERROR_UNLIKELY); +- read_mult_data_free(data); +- } ++ read_multiple_complete_cb, data)) ++ return; ++ ++ ecode = BT_ATT_ERROR_UNLIKELY; ++ ++error: ++ bt_att_chan_send_error_rsp(data->chan, data->opcode, handle, ecode); ++ read_mult_data_free(data); + } + + static struct read_mult_data *read_mult_data_new(struct bt_gatt_server *server, +@@ -1161,8 +1152,9 @@ static void read_multiple_cb(struct bt_att_chan *chan, uint8_t opcode, + struct bt_gatt_server *server = user_data; + struct gatt_db_attribute *attr; + struct read_mult_data *data = NULL; +- uint8_t ecode = BT_ATT_ERROR_UNLIKELY; ++ uint8_t ecode; + size_t i = 0; ++ uint16_t handle = 0; + + if (length < 4) { + ecode = BT_ATT_ERROR_INVALID_PDU; +@@ -1176,28 +1168,38 @@ static void read_multiple_cb(struct bt_att_chan *chan, uint8_t opcode, + for (i = 0; i < data->num_handles; i++) + data->handles[i] = get_le16(pdu + i * 2); + ++ handle = data->handles[0]; ++ + util_debug(server->debug_callback, server->debug_data, + "%s Req - %zu handles, 1st: 0x%04x", + data->opcode == BT_ATT_OP_READ_MULT_REQ ? + "Read Multiple" : "Read Multiple Variable Length", +- data->num_handles, data->handles[0]); ++ data->num_handles, handle); + +- attr = gatt_db_get_attribute(server->db, data->handles[0]); ++ attr = gatt_db_get_attribute(server->db, handle); + + if (!attr) { + ecode = BT_ATT_ERROR_INVALID_HANDLE; + goto error; + } + ++ ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ | ++ BT_ATT_PERM_READ_AUTHEN | ++ BT_ATT_PERM_READ_ENCRYPT); ++ if (ecode) ++ goto error; ++ + if (gatt_db_attribute_read(attr, 0, opcode, server->att, + read_multiple_complete_cb, data)) + return; + ++ ecode = BT_ATT_ERROR_UNLIKELY; ++ + error: + if (data) + read_mult_data_free(data); + +- bt_att_chan_send_error_rsp(chan, opcode, 0, ecode); ++ bt_att_chan_send_error_rsp(chan, opcode, handle, ecode); + } + + static bool append_prep_data(struct prep_write_data *prep_data, uint16_t handle, + diff --git a/backport-0003-CVE-2021-0129.patch b/backport-0003-CVE-2021-0129.patch new file mode 100644 index 0000000000000000000000000000000000000000..fe1d0153266c46d01a998c4201eaa88d56cc29db --- /dev/null +++ b/backport-0003-CVE-2021-0129.patch @@ -0,0 +1,159 @@ +From a23fa59b09bbda8a35596ebccb78d352b6f5561d Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz +Date: Wed, 6 Jan 2021 15:22:41 -0800 +Subject: [PATCH] shared/gatt-server: Fix not accepting multiple requests + +With introduction of EATT it is possible to send multiple requests using +different channels therefore bt_gatt_server shall not attempt to check +if there is already an outstanding request. + +gh issue: https://github.com/bluez/bluez/issues/75 + +Conflict:NA +Reference:https://github.com/bluez/bluez/commit/a23fa59b09bbda8a35596ebccb78d352b6f5561d +--- + src/shared/gatt-server.c | 53 +++++----------------------------------- + 1 file changed, 6 insertions(+), 47 deletions(-) + +diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c +index 0ce994be3e..b5f7de7dc3 100644 +--- a/src/shared/gatt-server.c ++++ b/src/shared/gatt-server.c +@@ -108,9 +108,6 @@ struct bt_gatt_server { + struct queue *prep_queue; + unsigned int max_prep_queue_len; + +- struct async_read_op *pending_read_op; +- struct async_write_op *pending_write_op; +- + bt_gatt_server_debug_func_t debug_callback; + bt_gatt_server_destroy_func_t debug_destroy; + void *debug_data; +@@ -140,12 +137,6 @@ static void bt_gatt_server_free(struct bt_gatt_server *server) + bt_att_unregister(server->att, server->prep_write_id); + bt_att_unregister(server->att, server->exec_write_id); + +- if (server->pending_read_op) +- server->pending_read_op->server = NULL; +- +- if (server->pending_write_op) +- server->pending_write_op->server = NULL; +- + queue_destroy(server->prep_queue, prep_write_data_destroy); + + gatt_db_unref(server->db); +@@ -324,9 +315,7 @@ static void read_by_grp_type_cb(struct bt_att_chan *chan, uint8_t opcode, + + static void async_read_op_destroy(struct async_read_op *op) + { +- if (op->server) +- op->server->pending_read_op = NULL; +- ++ bt_gatt_server_unref(op->server); + queue_destroy(op->db_data, NULL); + free(op->pdu); + free(op); +@@ -343,11 +332,6 @@ static void read_by_type_read_complete_cb(struct gatt_db_attribute *attr, + uint16_t mtu; + uint16_t handle; + +- if (!server) { +- async_read_op_destroy(op); +- return; +- } +- + mtu = bt_att_get_mtu(server->att); + handle = gatt_db_attribute_get_handle(attr); + +@@ -524,11 +508,6 @@ static void read_by_type_cb(struct bt_att_chan *chan, uint8_t opcode, + goto error; + } + +- if (server->pending_read_op) { +- ecode = BT_ATT_ERROR_UNLIKELY; +- goto error; +- } +- + op = new0(struct async_read_op, 1); + op->pdu = malloc(bt_att_get_mtu(server->att)); + if (!op->pdu) { +@@ -539,9 +518,8 @@ static void read_by_type_cb(struct bt_att_chan *chan, uint8_t opcode, + + op->chan = chan; + op->opcode = opcode; +- op->server = server; ++ op->server = bt_gatt_server_ref(server); + op->db_data = q; +- server->pending_read_op = op; + + process_read_by_type(op); + +@@ -764,9 +742,7 @@ static void find_by_type_val_cb(struct bt_att_chan *chan, uint8_t opcode, + + static void async_write_op_destroy(struct async_write_op *op) + { +- if (op->server) +- op->server->pending_write_op = NULL; +- ++ bt_gatt_server_unref(op->server); + free(op); + } + +@@ -777,7 +753,7 @@ static void write_complete_cb(struct gatt_db_attribute *attr, int err, + struct bt_gatt_server *server = op->server; + uint16_t handle; + +- if (!server || op->opcode == BT_ATT_OP_WRITE_CMD) { ++ if (op->opcode == BT_ATT_OP_WRITE_CMD) { + async_write_op_destroy(op); + return; + } +@@ -841,16 +817,10 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu, + if (ecode) + goto error; + +- if (server->pending_write_op) { +- ecode = BT_ATT_ERROR_UNLIKELY; +- goto error; +- } +- + op = new0(struct async_write_op, 1); + op->chan = chan; +- op->server = server; ++ op->server = bt_gatt_server_ref(server); + op->opcode = opcode; +- server->pending_write_op = op; + + if (gatt_db_attribute_write(attr, 0, pdu + 2, length - 2, opcode, + server->att, +@@ -901,11 +871,6 @@ static void read_complete_cb(struct gatt_db_attribute *attr, int err, + uint16_t mtu; + uint16_t handle; + +- if (!server) { +- async_read_op_destroy(op); +- return; +- } +- + util_debug(server->debug_callback, server->debug_data, + "Read Complete: err %d", err); + +@@ -954,16 +919,10 @@ static void handle_read_req(struct bt_att_chan *chan, + if (ecode) + goto error; + +- if (server->pending_read_op) { +- ecode = BT_ATT_ERROR_UNLIKELY; +- goto error; +- } +- + op = new0(struct async_read_op, 1); + op->chan = chan; + op->opcode = opcode; +- op->server = server; +- server->pending_read_op = op; ++ op->server = bt_gatt_server_ref(server); + + if (gatt_db_attribute_read(attr, offset, opcode, server->att, + read_complete_cb, op)) + diff --git a/backport-CVE-2021-0129.patch b/backport-0004-CVE-2021-0129.patch similarity index 55% rename from backport-CVE-2021-0129.patch rename to backport-0004-CVE-2021-0129.patch index f17cb93cdddbdf247786fdd29beae9b83982f5ac..c00d39723ed7c3d5b941dd27bf271f3548c9c33c 100644 --- a/backport-CVE-2021-0129.patch +++ b/backport-0004-CVE-2021-0129.patch @@ -1,18 +1,24 @@ -From e15a27eee8d48871089d621ab43a21f2c855df1e Mon Sep 17 00:00:00 2001 -From: xingxing -Date: Tue, 1 Mar 2022 16:08:57 +0800 -Subject: [PATCH] CVE-2021-0129.patch +From 00da0fb4972cf59e1c075f313da81ea549cb8738 Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz +Date: Tue, 2 Mar 2021 11:38:33 -0800 +Subject: [PATCH] shared/gatt-server: Fix not properly checking for secure + flags +When passing the mask to check_permissions all valid permissions for +the operation must be set including BT_ATT_PERM_SECURE flags. + +Conflict:NA +Reference:https://github.com/bluez/bluez/commit/00da0fb4972cf59e1c075f313da81ea549cb8738 --- src/shared/att-types.h | 8 ++++++++ - src/shared/gatt-server.c | 16 ++++------------ - 2 files changed, 12 insertions(+), 12 deletions(-) + src/shared/gatt-server.c | 25 +++++++------------------ + 2 files changed, 15 insertions(+), 18 deletions(-) diff --git a/src/shared/att-types.h b/src/shared/att-types.h -index 99b1089..f468a98 100644 +index 7108b4e94a..3adc05d9e3 100644 --- a/src/shared/att-types.h +++ b/src/shared/att-types.h -@@ -142,6 +142,14 @@ struct bt_att_pdu_error_rsp { +@@ -129,6 +129,14 @@ struct bt_att_pdu_error_rsp { #define BT_ATT_PERM_WRITE_SECURE 0x0200 #define BT_ATT_PERM_SECURE (BT_ATT_PERM_READ_SECURE | \ BT_ATT_PERM_WRITE_SECURE) @@ -28,10 +34,10 @@ index 99b1089..f468a98 100644 /* GATT Characteristic Properties Bitfield values */ #define BT_GATT_CHRC_PROP_BROADCAST 0x01 diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c -index 7e5d652..a79a786 100644 +index b5f7de7dc3..970c35f94e 100644 --- a/src/shared/gatt-server.c +++ b/src/shared/gatt-server.c -@@ -473,9 +473,7 @@ static void process_read_by_type(struct async_read_op *op) +@@ -444,9 +444,7 @@ static void process_read_by_type(struct async_read_op *op) return; } @@ -42,7 +48,7 @@ index 7e5d652..a79a786 100644 if (ecode) goto error; -@@ -848,9 +846,7 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu, +@@ -811,9 +809,7 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu, (opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd", handle); @@ -53,7 +59,7 @@ index 7e5d652..a79a786 100644 if (ecode) goto error; -@@ -961,9 +957,7 @@ static void handle_read_req(struct bt_att_chan *chan, +@@ -913,9 +909,7 @@ static void handle_read_req(struct bt_att_chan *chan, opcode == BT_ATT_OP_READ_BLOB_REQ ? "Blob " : "", handle); @@ -64,7 +70,30 @@ index 7e5d652..a79a786 100644 if (ecode) goto error; -@@ -1360,9 +1354,7 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode, +@@ -1051,9 +1045,8 @@ static void read_multiple_complete_cb(struct gatt_db_attribute *attr, int err, + goto error; + } + +- ecode = check_permissions(data->server, next_attr, BT_ATT_PERM_READ | +- BT_ATT_PERM_READ_AUTHEN | +- BT_ATT_PERM_READ_ENCRYPT); ++ ecode = check_permissions(data->server, next_attr, ++ BT_ATT_PERM_READ_MASK); + if (ecode) + goto error; + +@@ -1129,9 +1122,7 @@ static void read_multiple_cb(struct bt_att_chan *chan, uint8_t opcode, + goto error; + } + +- ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ | +- BT_ATT_PERM_READ_AUTHEN | +- BT_ATT_PERM_READ_ENCRYPT); ++ ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ_MASK); + if (ecode) + goto error; + +@@ -1308,9 +1299,7 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode, util_debug(server->debug_callback, server->debug_data, "Prep Write Req - handle: 0x%04x", handle); @@ -75,6 +104,4 @@ index 7e5d652..a79a786 100644 if (ecode) goto error; --- -2.27.0 diff --git a/backport-CVE-2022-0204.patch b/backport-CVE-2022-0204.patch new file mode 100644 index 0000000000000000000000000000000000000000..a0c6d26d4e171f6b662b115eab0099bc56a0a285 --- /dev/null +++ b/backport-CVE-2022-0204.patch @@ -0,0 +1,61 @@ +From 591c546c536b42bef696d027f64aa22434f8c3f0 Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz +Date: Tue, 8 Jun 2021 16:46:49 -0700 +Subject: [PATCH] shared/gatt-server: Fix heap overflow when appending prepare + writes + +The code shall check if the prepare writes would append more the +allowed maximum attribute length. + +Fixes https://github.com/bluez/bluez/security/advisories/GHSA-479m-xcq5-9g2q +--- + src/shared/gatt-server.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c +index dc4e681c9c..9beec44bed 100644 +--- a/src/shared/gatt-server.c ++++ b/src/shared/gatt-server.c +@@ -779,6 +779,20 @@ static uint8_t authorize_req(struct bt_gatt_server *server, + server->authorize_data); + } + ++static uint8_t check_length(uint16_t length, uint16_t offset) ++{ ++ if (length > BT_ATT_MAX_VALUE_LEN) ++ return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN; ++ ++ if (offset > BT_ATT_MAX_VALUE_LEN) ++ return BT_ATT_ERROR_INVALID_OFFSET; ++ ++ if (length + offset > BT_ATT_MAX_VALUE_LEN) ++ return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN; ++ ++ return 0; ++} ++ + static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu, + uint16_t length, void *user_data) + { +@@ -809,6 +823,10 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu, + (opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd", + handle); + ++ ecode = check_length(length, 0); ++ if (ecode) ++ goto error; ++ + ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK); + if (ecode) + goto error; +@@ -1299,6 +1317,10 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode, + util_debug(server->debug_callback, server->debug_data, + "Prep Write Req - handle: 0x%04x", handle); + ++ ecode = check_length(length, offset); ++ if (ecode) ++ goto error; ++ + ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK); + if (ecode) + goto error; diff --git a/bluez.spec b/bluez.spec index ae77a4291450ec6c032ccef6711d9960eaa56640..1625a06cff6a6f026c13fcd626f3f586ba177f26 100644 --- a/bluez.spec +++ b/bluez.spec @@ -1,7 +1,7 @@ Name: bluez Summary: Bluetooth utilities Version: 5.54 -Release: 12 +Release: 13 License: GPLv2+ URL: http://www.bluez.org/ Source0: http://www.kernel.org/pub/linux/bluetooth/bluez-%{version}.tar.xz @@ -25,7 +25,11 @@ Patch6000: backport-CVE-2020-27153.patch Patch6001: backport-0001-CVE-2021-3658.patch Patch6002: backport-0002-CVE-2021-3658.patch Patch6003: backport-CVE-2021-43400.patch -Patch6004: backport-CVE-2021-0129.patch +Patch6004: backport-0001-CVE-2021-0129.patch +Patch6005: backport-0002-CVE-2021-0129.patch +Patch6006: backport-0003-CVE-2021-0129.patch +Patch6007: backport-0004-CVE-2021-0129.patch +Patch6008: backport-CVE-2022-0204.patch BuildRequires: dbus-devel >= 1.6 libell-devel >= 0.28 autoconf BuildRequires: glib2-devel libical-devel readline-devel @@ -182,6 +186,12 @@ make check %{_mandir}/man8/* %changelog +* Fri Mar 18 2022 xingxing - 5.54-13 +- Type:CVE +- CVE:CVE-2022-0204 +- SUG:NA +- DESC:fix CVE-2022-0204 and add prefix for CVE-2021-0129 + * Tue Mar 01 2022 xingxing - 5.54-12 - Type:CVE - CVE:CVE-2021-0129