mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-04-18 03:32:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

bluez: fix CVE-2021-3588

Browse Source 
The cli_feat_read_cb() function in src/gatt-database.c does not perform
bounds checks on the 'offset' variable before using it as an index into
an array for reading

https://nvd.nist.gov/vuln/detail/CVE-2021-3588

(From OE-Core rev: 569362f338736a1c85f090909a9893d019bfce5d)

Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Steve Sakoman
2021-07-14 05:30:20 -10:00
committed by Richard Purdie
parent 12725e44c1
commit 7dbdfcf51b
2 changed files with 35 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
meta/recipes-connectivity/bluez5/bluez5.inc
View File

@@ -52,6 +52,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \
${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \
file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \
file://0001-test-gatt-Fix-hung-issue.patch \
file://CVE-2021-3588.patch \
"
S = "${WORKDIR}/bluez-${PV}"

34
meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch Normal file
View File

@@ -0,0 +1,34 @@
From 3a40bef49305f8327635b81ac8be52a3ca063d5a Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Mon, 4 Jan 2021 10:38:31 -0800
Subject: [PATCH] gatt: Fix potential buffer out-of-bound
When client features is read check if the offset is within the cli_feat
bounds.
Fixes: https://github.com/bluez/bluez/issues/70
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3a40bef49305f8327635b81ac8be52a3ca063d5a]
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+CVE: CVE-2021-3588
---
src/gatt-database.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/gatt-database.c b/src/gatt-database.c
index 90cc4bade..f2d7b5821 100644
--- a/src/gatt-database.c
+++ b/src/gatt-database.c
@@ -1075,6 +1075,11 @@ static void cli_feat_read_cb(struct gatt_db_attribute *attrib,
goto done;
}
+ if (offset >= sizeof(state->cli_feat)) {
+ ecode = BT_ATT_ERROR_INVALID_OFFSET;
+ goto done;
+ }
+
len = sizeof(state->cli_feat) - offset;
value = len ? &state->cli_feat[offset] : NULL;