packages/bluez
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!74 fix CVE-2022-39176,CVE-2022-39177

Browse Source 
From: @kerongw 
Reviewed-by: @t_feng, @yanan-rock 
Signed-off-by: @t_feng, @yanan-rock
This commit is contained in:
openeuler-ci-bot 2022-09-08 01:35:54 +00:00 committed by Gitee
commit 2f6c32b310
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
4 changed files with 180 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

103
backport-0001-CVE-2022-39177.patch Normal file
View File

@ -0,0 +1,103 @@
From 7a80d2096f1b7125085e21448112aa02f49f5e9a Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Thu, 29 Apr 2021 17:10:50 -0700
Subject: avdtp: Fix accepting invalid/malformed capabilities
Check if capabilities are valid before attempting to copy them.
---
profiles/audio/avdtp.c | 56 ++++++++++++++++++++++++++++++++------------------
1 file changed, 36 insertions(+), 20 deletions(-)
diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c
index 623fe30d3..c7bf99f42 100644
--- a/profiles/audio/avdtp.c
+++ b/profiles/audio/avdtp.c
@@ -1305,43 +1305,53 @@ struct avdtp_remote_sep *avdtp_find_remote_sep(struct avdtp *session,
return NULL;
}
-static GSList *caps_to_list(uint8_t *data, int size,
+static GSList *caps_to_list(uint8_t *data, size_t size,
struct avdtp_service_capability **codec,
gboolean *delay_reporting)
{
+ struct avdtp_service_capability *cap;
GSList *caps;
- int processed;
if (delay_reporting)
*delay_reporting = FALSE;
- for (processed = 0, caps = NULL; processed + 2 <= size;) {
- struct avdtp_service_capability *cap;
- uint8_t length, category;
+ if (size < sizeof(*cap))
+ return NULL;
+
+ for (caps = NULL; size >= sizeof(*cap);) {
+ struct avdtp_service_capability *cpy;
- category = data[0];
- length = data[1];
+ cap = (struct avdtp_service_capability *)data;
- if (processed + 2 + length > size) {
+ if (sizeof(*cap) + cap->length >= size) {
error("Invalid capability data in getcap resp");
break;
}
- cap = g_malloc(sizeof(struct avdtp_service_capability) +
- length);
- memcpy(cap, data, 2 + length);
+ if (cap->category == AVDTP_MEDIA_CODEC &&
+ cap->length < sizeof(**codec)) {
+ error("Invalid codec data in getcap resp");
+ break;
+ }
+
+ cpy = btd_malloc(sizeof(*cpy) + cap->length);
+ memcpy(cpy, cap, sizeof(*cap) + cap->length);
- processed += 2 + length;
- data += 2 + length;
+ size -= sizeof(*cap) + cap->length;
+ data += sizeof(*cap) + cap->length;
- caps = g_slist_append(caps, cap);
+ caps = g_slist_append(caps, cpy);
- if (category == AVDTP_MEDIA_CODEC &&
- length >=
- sizeof(struct avdtp_media_codec_capability))
- *codec = cap;
- else if (category == AVDTP_DELAY_REPORTING && delay_reporting)
- *delay_reporting = TRUE;
+ switch (cap->category) {
+ case AVDTP_MEDIA_CODEC:
+ if (codec)
+ *codec = cap;
+ break;
+ case AVDTP_DELAY_REPORTING:
+ if (delay_reporting)
+ *delay_reporting = TRUE;
+ break;
+ }
}
return caps;
@@ -1538,6 +1548,12 @@ static gboolean avdtp_setconf_cmd(struct avdtp *session, uint8_t transaction,
&stream->codec,
&stream->delay_reporting);
+ if (!stream->caps || !stream->codec) {
+ err = AVDTP_UNSUPPORTED_CONFIGURATION;
+ category = 0x00;
+ goto failed_stream;
+ }
+
/* Verify that the Media Transport capability's length = 0. Reject otherwise */
for (l = stream->caps; l != NULL; l = g_slist_next(l)) {
struct avdtp_service_capability *cap = l->data;
--
cgit

37
backport-0002-CVE-2022-39177.patch Normal file
View File

@ -0,0 +1,37 @@
From 0388794dc5fdb73a4ea88bcf148de0a12b4364d4 Mon Sep 17 00:00:00 2001
From: Archie Pusaka <apusaka@chromium.org>
Date: Thu, 17 Jun 2021 08:53:34 +0800
Subject: avdtp: Fix parsing capabilities
This patch fixes size comparison and variable misassignment.
Reviewed-by: Alain Michaud <alainm@chromium.org>
Reviewed-by: Michael Sun <michaelfsun@google.com>
---
profiles/audio/avdtp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c
index c7bf99f42..5d13104c1 100644
--- a/profiles/audio/avdtp.c
+++ b/profiles/audio/avdtp.c
@@ -1323,7 +1323,7 @@ static GSList *caps_to_list(uint8_t *data, size_t size,
cap = (struct avdtp_service_capability *)data;
- if (sizeof(*cap) + cap->length >= size) {
+ if (sizeof(*cap) + cap->length > size) {
error("Invalid capability data in getcap resp");
break;
}
@@ -1345,7 +1345,7 @@ static GSList *caps_to_list(uint8_t *data, size_t size,
switch (cap->category) {
case AVDTP_MEDIA_CODEC:
if (codec)
- *codec = cap;
+ *codec = cpy;
break;
case AVDTP_DELAY_REPORTING:
if (delay_reporting)
--
cgit

33
backport-CVE-2022-39176.patch Normal file
View File

@ -0,0 +1,33 @@
From e2b0f0d8d63e1223bb714a9efb37e2257818268b Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Thu, 29 Apr 2021 18:18:57 -0700
Subject: avrcp: Fix not checking if params_len match number of received bytes
This makes sure the number of bytes in the params_len matches the
remaining bytes received so the code don't end up accessing invalid
memory.
---
profiles/audio/avrcp.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
index 05dd791de..c6a342ee3 100644
--- a/profiles/audio/avrcp.c
+++ b/profiles/audio/avrcp.c
@@ -1914,6 +1914,14 @@ static size_t handle_vendordep_pdu(struct avctp *conn, uint8_t transaction,
goto err_metadata;
}
+ operands += sizeof(*pdu);
+ operand_count -= sizeof(*pdu);
+
+ if (pdu->params_len != operand_count) {
+ DBG("AVRCP PDU parameters length don't match");
+ pdu->params_len = operand_count;
+ }
+
for (handler = session->control_handlers; handler->pdu_id; handler++) {
if (handler->pdu_id == pdu->pdu_id)
break;
--
cgit

8
bluez.spec
View File

@ -1,7 +1,7 @@
Name: bluez Name: bluez
Summary: Bluetooth utilities Summary: Bluetooth utilities
Version: 5.54 Version: 5.54
Release: 14 Release: 15
License: GPLv2+ License: GPLv2+
URL: http://www.bluez.org/ URL: http://www.bluez.org/
Source0: http://www.kernel.org/pub/linux/bluetooth/bluez-%{version}.tar.xz Source0: http://www.kernel.org/pub/linux/bluetooth/bluez-%{version}.tar.xz
@ -31,6 +31,9 @@ Patch6006: backport-0003-CVE-2021-0129.patch
Patch6007: backport-0004-CVE-2021-0129.patch Patch6007: backport-0004-CVE-2021-0129.patch
Patch6008: backport-CVE-2022-0204.patch Patch6008: backport-CVE-2022-0204.patch
Patch6009: backport-CVE-2021-41229.patch Patch6009: backport-CVE-2021-41229.patch
Patch6010: backport-CVE-2022-39176.patch
Patch6011: backport-0001-CVE-2022-39177.patch
Patch6012: backport-0002-CVE-2022-39177.patch
BuildRequires: dbus-devel >= 1.6 libell-devel >= 0.28 autoconf BuildRequires: dbus-devel >= 1.6 libell-devel >= 0.28 autoconf
BuildRequires: glib2-devel libical-devel readline-devel BuildRequires: glib2-devel libical-devel readline-devel
@ -187,6 +190,9 @@ make check
%{_mandir}/man8/* %{_mandir}/man8/*
%changelog %changelog
* Wed Sep 07 2022 wangkerong <wangkerong@h-partners.com> - 5.54-15
- DESC:fix CVE-2022-39176,CVE-2022-39177
* Wed Jul 13 2022 wangkerong <wangkerong@h-partners.com> - 5.54-14 * Wed Jul 13 2022 wangkerong <wangkerong@h-partners.com> - 5.54-14
- DESC:fix CVE-2021-41229 - DESC:fix CVE-2021-41229