mirror of
https://git.yoctoproject.org/poky
synced 2026-02-20 08:29:42 +01:00
bluez5: fix CVE-2022-0204
Fix heap overflow when appending prepare writes
The code shall check if the prepare writes would append more the
allowed maximum attribute length.
Upstream-Status: Backport [591c546c53]
CVE: CVE-2022-0204
(From OE-Core rev: 058dec11cc6580212c6d4560d0f0e5b704d501dc)
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Ralph Siemsen
committed by
Richard Purdie
Richard Purdie
parent
048094bcf9
commit
64205bf3ec
@@ -55,6 +55,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \
|
||||
file://CVE-2021-0129.patch \
|
||||
file://CVE-2021-3588.patch \
|
||||
file://CVE-2021-3658.patch \
|
||||
file://CVE-2022-0204.patch \
|
||||
"
|
||||
S = "${WORKDIR}/bluez-${PV}"
|
||||
|
||||
|
||||
66
meta/recipes-connectivity/bluez5/bluez5/CVE-2022-0204.patch
Normal file
66
meta/recipes-connectivity/bluez5/bluez5/CVE-2022-0204.patch
Normal file
@@ -0,0 +1,66 @@
|
||||
From 0d328fdf6564b67fc2ec3533e3da201ebabcc9e3 Mon Sep 17 00:00:00 2001
|
||||
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
|
||||
Date: Tue, 8 Jun 2021 16:46:49 -0700
|
||||
Subject: [PATCH] shared/gatt-server: Fix heap overflow when appending prepare
|
||||
writes
|
||||
|
||||
The code shall check if the prepare writes would append more the
|
||||
allowed maximum attribute length.
|
||||
|
||||
Fixes https://github.com/bluez/bluez/security/advisories/GHSA-479m-xcq5-9g2q
|
||||
|
||||
Upstream-Status: Backport [https://github.com/bluez/bluez/commit/591c546c536b42bef696d027f64aa22434f8c3f0]
|
||||
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
|
||||
CVE: CVE-2022-0204
|
||||
|
||||
---
|
||||
src/shared/gatt-server.c | 22 ++++++++++++++++++++++
|
||||
1 file changed, 22 insertions(+)
|
||||
|
||||
diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
|
||||
index 0c25a97..20e14bc 100644
|
||||
--- a/src/shared/gatt-server.c
|
||||
+++ b/src/shared/gatt-server.c
|
||||
@@ -816,6 +816,20 @@ static uint8_t authorize_req(struct bt_gatt_server *server,
|
||||
server->authorize_data);
|
||||
}
|
||||
|
||||
+static uint8_t check_length(uint16_t length, uint16_t offset)
|
||||
+{
|
||||
+ if (length > BT_ATT_MAX_VALUE_LEN)
|
||||
+ return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN;
|
||||
+
|
||||
+ if (offset > BT_ATT_MAX_VALUE_LEN)
|
||||
+ return BT_ATT_ERROR_INVALID_OFFSET;
|
||||
+
|
||||
+ if (length + offset > BT_ATT_MAX_VALUE_LEN)
|
||||
+ return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN;
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
|
||||
uint16_t length, void *user_data)
|
||||
{
|
||||
@@ -846,6 +860,10 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
|
||||
(opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd",
|
||||
handle);
|
||||
|
||||
+ ecode = check_length(length, 0);
|
||||
+ if (ecode)
|
||||
+ goto error;
|
||||
+
|
||||
ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
|
||||
if (ecode)
|
||||
goto error;
|
||||
@@ -1353,6 +1371,10 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode,
|
||||
util_debug(server->debug_callback, server->debug_data,
|
||||
"Prep Write Req - handle: 0x%04x", handle);
|
||||
|
||||
+ ecode = check_length(length, offset);
|
||||
+ if (ecode)
|
||||
+ goto error;
|
||||
+
|
||||
ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
|
||||
if (ecode)
|
||||
goto error;
|
||||
Reference in New Issue
Block a user