!74 fix CVE-2022-39176,CVE-2022-39177
From: @kerongw Reviewed-by: @t_feng, @yanan-rock Signed-off-by: @t_feng, @yanan-rock
This commit is contained in:
openeuler-ci-bot
Gitee
commit
2f6c32b310
103
backport-0001-CVE-2022-39177.patch
Normal file
103
backport-0001-CVE-2022-39177.patch
Normal file
@ -0,0 +1,103 @@
|
||||
From 7a80d2096f1b7125085e21448112aa02f49f5e9a Mon Sep 17 00:00:00 2001
|
||||
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
|
||||
Date: Thu, 29 Apr 2021 17:10:50 -0700
|
||||
Subject: avdtp: Fix accepting invalid/malformed capabilities
|
||||
|
||||
Check if capabilities are valid before attempting to copy them.
|
||||
---
|
||||
profiles/audio/avdtp.c | 56 ++++++++++++++++++++++++++++++++------------------
|
||||
1 file changed, 36 insertions(+), 20 deletions(-)
|
||||
|
||||
diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c
|
||||
index 623fe30d3..c7bf99f42 100644
|
||||
--- a/profiles/audio/avdtp.c
|
||||
+++ b/profiles/audio/avdtp.c
|
||||
@@ -1305,43 +1305,53 @@ struct avdtp_remote_sep *avdtp_find_remote_sep(struct avdtp *session,
|
||||
return NULL;
|
||||
}
|
||||
|
||||
-static GSList *caps_to_list(uint8_t *data, int size,
|
||||
+static GSList *caps_to_list(uint8_t *data, size_t size,
|
||||
struct avdtp_service_capability **codec,
|
||||
gboolean *delay_reporting)
|
||||
{
|
||||
+ struct avdtp_service_capability *cap;
|
||||
GSList *caps;
|
||||
- int processed;
|
||||
|
||||
if (delay_reporting)
|
||||
*delay_reporting = FALSE;
|
||||
|
||||
- for (processed = 0, caps = NULL; processed + 2 <= size;) {
|
||||
- struct avdtp_service_capability *cap;
|
||||
- uint8_t length, category;
|
||||
+ if (size < sizeof(*cap))
|
||||
+ return NULL;
|
||||
+
|
||||
+ for (caps = NULL; size >= sizeof(*cap);) {
|
||||
+ struct avdtp_service_capability *cpy;
|
||||
|
||||
- category = data[0];
|
||||
- length = data[1];
|
||||
+ cap = (struct avdtp_service_capability *)data;
|
||||
|
||||
- if (processed + 2 + length > size) {
|
||||
+ if (sizeof(*cap) + cap->length >= size) {
|
||||
error("Invalid capability data in getcap resp");
|
||||
break;
|
||||
}
|
||||
|
||||
- cap = g_malloc(sizeof(struct avdtp_service_capability) +
|
||||
- length);
|
||||
- memcpy(cap, data, 2 + length);
|
||||
+ if (cap->category == AVDTP_MEDIA_CODEC &&
|
||||
+ cap->length < sizeof(**codec)) {
|
||||
+ error("Invalid codec data in getcap resp");
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ cpy = btd_malloc(sizeof(*cpy) + cap->length);
|
||||
+ memcpy(cpy, cap, sizeof(*cap) + cap->length);
|
||||
|
||||
- processed += 2 + length;
|
||||
- data += 2 + length;
|
||||
+ size -= sizeof(*cap) + cap->length;
|
||||
+ data += sizeof(*cap) + cap->length;
|
||||
|
||||
- caps = g_slist_append(caps, cap);
|
||||
+ caps = g_slist_append(caps, cpy);
|
||||
|
||||
- if (category == AVDTP_MEDIA_CODEC &&
|
||||
- length >=
|
||||
- sizeof(struct avdtp_media_codec_capability))
|
||||
- *codec = cap;
|
||||
- else if (category == AVDTP_DELAY_REPORTING && delay_reporting)
|
||||
- *delay_reporting = TRUE;
|
||||
+ switch (cap->category) {
|
||||
+ case AVDTP_MEDIA_CODEC:
|
||||
+ if (codec)
|
||||
+ *codec = cap;
|
||||
+ break;
|
||||
+ case AVDTP_DELAY_REPORTING:
|
||||
+ if (delay_reporting)
|
||||
+ *delay_reporting = TRUE;
|
||||
+ break;
|
||||
+ }
|
||||
}
|
||||
|
||||
return caps;
|
||||
@@ -1538,6 +1548,12 @@ static gboolean avdtp_setconf_cmd(struct avdtp *session, uint8_t transaction,
|
||||
&stream->codec,
|
||||
&stream->delay_reporting);
|
||||
|
||||
+ if (!stream->caps || !stream->codec) {
|
||||
+ err = AVDTP_UNSUPPORTED_CONFIGURATION;
|
||||
+ category = 0x00;
|
||||
+ goto failed_stream;
|
||||
+ }
|
||||
+
|
||||
/* Verify that the Media Transport capability's length = 0. Reject otherwise */
|
||||
for (l = stream->caps; l != NULL; l = g_slist_next(l)) {
|
||||
struct avdtp_service_capability *cap = l->data;
|
||||
--
|
||||
cgit
|
||||
37
backport-0002-CVE-2022-39177.patch
Normal file
37
backport-0002-CVE-2022-39177.patch
Normal file
@ -0,0 +1,37 @@
|
||||
From 0388794dc5fdb73a4ea88bcf148de0a12b4364d4 Mon Sep 17 00:00:00 2001
|
||||
From: Archie Pusaka <apusaka@chromium.org>
|
||||
Date: Thu, 17 Jun 2021 08:53:34 +0800
|
||||
Subject: avdtp: Fix parsing capabilities
|
||||
|
||||
This patch fixes size comparison and variable misassignment.
|
||||
|
||||
Reviewed-by: Alain Michaud <alainm@chromium.org>
|
||||
Reviewed-by: Michael Sun <michaelfsun@google.com>
|
||||
---
|
||||
profiles/audio/avdtp.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c
|
||||
index c7bf99f42..5d13104c1 100644
|
||||
--- a/profiles/audio/avdtp.c
|
||||
+++ b/profiles/audio/avdtp.c
|
||||
@@ -1323,7 +1323,7 @@ static GSList *caps_to_list(uint8_t *data, size_t size,
|
||||
|
||||
cap = (struct avdtp_service_capability *)data;
|
||||
|
||||
- if (sizeof(*cap) + cap->length >= size) {
|
||||
+ if (sizeof(*cap) + cap->length > size) {
|
||||
error("Invalid capability data in getcap resp");
|
||||
break;
|
||||
}
|
||||
@@ -1345,7 +1345,7 @@ static GSList *caps_to_list(uint8_t *data, size_t size,
|
||||
switch (cap->category) {
|
||||
case AVDTP_MEDIA_CODEC:
|
||||
if (codec)
|
||||
- *codec = cap;
|
||||
+ *codec = cpy;
|
||||
break;
|
||||
case AVDTP_DELAY_REPORTING:
|
||||
if (delay_reporting)
|
||||
--
|
||||
cgit
|
||||
33
backport-CVE-2022-39176.patch
Normal file
33
backport-CVE-2022-39176.patch
Normal file
@ -0,0 +1,33 @@
|
||||
From e2b0f0d8d63e1223bb714a9efb37e2257818268b Mon Sep 17 00:00:00 2001
|
||||
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
|
||||
Date: Thu, 29 Apr 2021 18:18:57 -0700
|
||||
Subject: avrcp: Fix not checking if params_len match number of received bytes
|
||||
|
||||
This makes sure the number of bytes in the params_len matches the
|
||||
remaining bytes received so the code don't end up accessing invalid
|
||||
memory.
|
||||
---
|
||||
profiles/audio/avrcp.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
|
||||
index 05dd791de..c6a342ee3 100644
|
||||
--- a/profiles/audio/avrcp.c
|
||||
+++ b/profiles/audio/avrcp.c
|
||||
@@ -1914,6 +1914,14 @@ static size_t handle_vendordep_pdu(struct avctp *conn, uint8_t transaction,
|
||||
goto err_metadata;
|
||||
}
|
||||
|
||||
+ operands += sizeof(*pdu);
|
||||
+ operand_count -= sizeof(*pdu);
|
||||
+
|
||||
+ if (pdu->params_len != operand_count) {
|
||||
+ DBG("AVRCP PDU parameters length don't match");
|
||||
+ pdu->params_len = operand_count;
|
||||
+ }
|
||||
+
|
||||
for (handler = session->control_handlers; handler->pdu_id; handler++) {
|
||||
if (handler->pdu_id == pdu->pdu_id)
|
||||
break;
|
||||
--
|
||||
cgit
|
||||
@ -1,7 +1,7 @@
|
||||
Name: bluez
|
||||
Summary: Bluetooth utilities
|
||||
Version: 5.54
|
||||
Release: 14
|
||||
Release: 15
|
||||
License: GPLv2+
|
||||
URL: http://www.bluez.org/
|
||||
Source0: http://www.kernel.org/pub/linux/bluetooth/bluez-%{version}.tar.xz
|
||||
@ -31,6 +31,9 @@ Patch6006: backport-0003-CVE-2021-0129.patch
|
||||
Patch6007: backport-0004-CVE-2021-0129.patch
|
||||
Patch6008: backport-CVE-2022-0204.patch
|
||||
Patch6009: backport-CVE-2021-41229.patch
|
||||
Patch6010: backport-CVE-2022-39176.patch
|
||||
Patch6011: backport-0001-CVE-2022-39177.patch
|
||||
Patch6012: backport-0002-CVE-2022-39177.patch
|
||||
|
||||
BuildRequires: dbus-devel >= 1.6 libell-devel >= 0.28 autoconf
|
||||
BuildRequires: glib2-devel libical-devel readline-devel
|
||||
@ -187,6 +190,9 @@ make check
|
||||
%{_mandir}/man8/*
|
||||
|
||||
%changelog
|
||||
* Wed Sep 07 2022 wangkerong <wangkerong@h-partners.com> - 5.54-15
|
||||
- DESC:fix CVE-2022-39176,CVE-2022-39177
|
||||
|
||||
* Wed Jul 13 2022 wangkerong <wangkerong@h-partners.com> - 5.54-14
|
||||
- DESC:fix CVE-2021-41229
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user