fix CVE-2021-3685

Signed-off-by: yanan-rock <yanan@huawei.com>
2021-04-18 09:11:33 -04:00 · 2021-04-18 09:11:33 -04:00 · d98bcb1849
commit d98bcb1849
parent 637357662d
3 changed files with 293 additions and 1 deletions
--- a/backport-0001-CVE-2021-3658.patch
+++ b/backport-0001-CVE-2021-3658.patch
@ -0,0 +1,193 @@
+From 0ce535ecb2bb58079513ccbd1fe086409c77beb8 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Thu, 11 Jun 2020 13:23:06 -0700
+Subject: [PATCH] adapter: Rename watch_client to discovery_client
+
+watch term is quite vague so this replace it with discovery which is
+what is used for the filter as well.
+
+Conflict:NA
+Reference:https://github.com/bluez/bluez/commit/0ce535ecb2bb58079513ccbd1fe086409c77beb8
+---
+ src/adapter.c | 38 +++++++++++++++++++-------------------
+ 1 file changed, 19 insertions(+), 19 deletions(-)
+
+diff --git a/src/adapter.c b/src/adapter.c
+index 972d887..160f199 100644
+--- a/src/adapter.c
+++ b/src/adapter.c
+@@ -182,7 +182,7 @@ struct discovery_filter {
+ 	bool discoverable;
+ };
+ 
+-struct watch_client {
+struct discovery_client {
+ 	struct btd_adapter *adapter;
+ 	DBusMessage *msg;
+ 	char *owner;
+@@ -1474,7 +1474,7 @@ static void start_discovery_complete(uint8_t status, uint16_t length,
+ 					const void *param, void *user_data)
+ {
+ 	struct btd_adapter *adapter = user_data;
+-	struct watch_client *client;
+	struct discovery_client *client;
+ 	const struct mgmt_cp_start_discovery *rp = param;
+ 	DBusMessage *reply;
+ 
+@@ -1851,8 +1851,8 @@ static void discovery_cleanup(struct btd_adapter *adapter)
+ 
+ static void discovery_free(void *user_data)
+ {
+-	struct watch_client *client = user_data;
+ 
+	struct discovery_client *client = user_data;
+ 	if (client->watch)
+ 		g_dbus_remove_watch(dbus_conn, client->watch);
+ 
+@@ -1882,7 +1882,7 @@ static bool set_discovery_discoverable(struct btd_adapter *adapter, bool enable)
+ 	return set_discoverable(adapter, enable, 0);
+ }
+ 
+-static void discovery_remove(struct watch_client *client, bool exit)
+static void discovery_remove(struct discovery_client *client, bool exit)
+ {
+ 	struct btd_adapter *adapter = client->adapter;
+ 
+@@ -1913,7 +1913,7 @@ static void discovery_remove(struct watch_client *client, bool exit)
+ static void stop_discovery_complete(uint8_t status, uint16_t length,
+ 					const void *param, void *user_data)
+ {
+-	struct watch_client *client = user_data;
+	struct discovery_client *client = user_data;
+ 	struct btd_adapter *adapter = client->adapter;
+ 	DBusMessage *reply;
+ 
+@@ -1949,7 +1949,7 @@ done:
+ 
+ static int compare_sender(gconstpointer a, gconstpointer b)
+ {
+-	const struct watch_client *client = a;
+	const struct discovery_client *client = a;
+ 	const char *sender = b;
+ 
+ 	return g_strcmp0(client->owner, sender);
+@@ -1982,7 +1982,7 @@ static int merge_discovery_filters(struct btd_adapter *adapter, int *rssi,
+ 	bool has_filtered_discovery = false;
+ 
+ 	for (l = adapter->discovery_list; l != NULL; l = g_slist_next(l)) {
+-		struct watch_client *client = l->data;
+		struct discovery_client *client = l->data;
+ 		struct discovery_filter *item = client->discovery_filter;
+ 
+ 		if (!item) {
+@@ -2149,7 +2149,7 @@ static int update_discovery_filter(struct btd_adapter *adapter)
+ 	}
+ 
+ 	for (l = adapter->discovery_list; l; l = g_slist_next(l)) {
+-		struct watch_client *client = l->data;
+		struct discovery_client *client = l->data;
+ 
+ 		if (!client->discovery_filter)
+ 			continue;
+@@ -2179,7 +2179,7 @@ static int update_discovery_filter(struct btd_adapter *adapter)
+ 	return -EINPROGRESS;
+ }
+ 
+-static int discovery_stop(struct watch_client *client, bool exit)
+static int discovery_stop(struct discovery_client *client, bool exit)
+ {
+ 	struct btd_adapter *adapter = client->adapter;
+ 	struct mgmt_cp_stop_discovery cp;
+@@ -2220,7 +2220,7 @@ static int discovery_stop(struct watch_client *client, bool exit)
+ 
+ static void discovery_disconnect(DBusConnection *conn, void *user_data)
+ {
+-	struct watch_client *client = user_data;
+	struct discovery_client *client = user_data;
+ 
+ 	DBG("owner %s", client->owner);
+ 
+@@ -2233,7 +2233,7 @@ static void discovery_disconnect(DBusConnection *conn, void *user_data)
+  */
+ static bool get_discovery_client(struct btd_adapter *adapter,
+ 						const char *owner,
+-						struct watch_client **client)
+						struct discovery_client **client)
+ {
+ 	GSList *list = g_slist_find_custom(adapter->discovery_list, owner,
+ 								compare_sender);
+@@ -2258,7 +2258,7 @@ static DBusMessage *start_discovery(DBusConnection *conn,
+ {
+ 	struct btd_adapter *adapter = user_data;
+ 	const char *sender = dbus_message_get_sender(msg);
+-	struct watch_client *client;
+	struct discovery_client *client;
+ 	bool is_discovering;
+ 	int err;
+ 
+@@ -2292,7 +2292,7 @@ static DBusMessage *start_discovery(DBusConnection *conn,
+ 		goto done;
+ 	}
+ 
+-	client = g_new0(struct watch_client, 1);
+	client = g_new0(struct discovery_client, 1);
+ 
+ 	client->adapter = adapter;
+ 	client->owner = g_strdup(sender);
+@@ -2556,7 +2556,7 @@ static DBusMessage *set_discovery_filter(DBusConnection *conn,
+ 					DBusMessage *msg, void *user_data)
+ {
+ 	struct btd_adapter *adapter = user_data;
+-	struct watch_client *client;
+	struct discovery_client *client;
+ 	struct discovery_filter *discovery_filter;
+ 	const char *sender = dbus_message_get_sender(msg);
+ 	bool is_discovering;
+@@ -2593,7 +2593,7 @@ static DBusMessage *set_discovery_filter(DBusConnection *conn,
+ 		DBG("successfully cleared pre-set filter");
+ 	} else if (discovery_filter) {
+ 		/* Client pre-setting his filter for first time */
+-		client = g_new0(struct watch_client, 1);
+		client = g_new0(struct discovery_client, 1);
+ 		client->adapter = adapter;
+ 		client->owner = g_strdup(sender);
+ 		client->discovery_filter = discovery_filter;
+@@ -2614,7 +2614,7 @@ static DBusMessage *stop_discovery(DBusConnection *conn,
+ {
+ 	struct btd_adapter *adapter = user_data;
+ 	const char *sender = dbus_message_get_sender(msg);
+-	struct watch_client *client;
+	struct discovery_client *client;
+ 	GSList *list;
+ 	int err;
+ 
+@@ -6109,7 +6109,7 @@ static bool is_filter_match(GSList *discovery_filter, struct eir_data *eir_data,
+ 
+ 	for (l = discovery_filter; l != NULL && got_match != true;
+ 							l = g_slist_next(l)) {
+-		struct watch_client *client = l->data;
+		struct discovery_client *client = l->data;
+ 		struct discovery_filter *item = client->discovery_filter;
+ 
+ 		/*
+@@ -6157,7 +6157,7 @@ static bool is_filter_match(GSList *discovery_filter, struct eir_data *eir_data,
+ 
+ static void filter_duplicate_data(void *data, void *user_data)
+ {
+-	struct watch_client *client = data;
+	struct discovery_client *client = data;
+ 	bool *duplicate = user_data;
+ 
+ 	if (*duplicate || !client->discovery_filter)
+@@ -6187,7 +6187,7 @@ static bool device_is_discoverable(struct btd_adapter *adapter,
+ 
+ 	/* Do a prefix match for both address and name if pattern is set */
+ 	for (l = adapter->discovery_list; l; l = g_slist_next(l)) {
+-		struct watch_client *client = l->data;
+		struct discovery_client *client = l->data;
+ 		struct discovery_filter *filter = client->discovery_filter;
+ 		size_t pattern_len;
+ 
+-- 
+2.27.0
+
--- a/backport-0002-CVE-2021-3658.patch
+++ b/backport-0002-CVE-2021-3658.patch
@ -0,0 +1,94 @@
+From b497b5942a8beb8f89ca1c359c54ad67ec843055 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Thu, 24 Jun 2021 16:32:04 -0700
+Subject: adapter: Fix storing discoverable setting
+
+discoverable setting shall only be store when changed via Discoverable
+property and not when discovery client set it as that be considered
+temporary just for the lifetime of the discovery.
+
+Conflict:NA
+Reference:https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=b497b5942a8
+---
+ src/adapter.c | 35 ++++++++++++++++++++++-------------
+ 1 file changed, 22 insertions(+), 13 deletions(-)
+
+diff --git a/src/adapter.c b/src/adapter.c
+index 12e4ff5c0..663b778e4 100644
+--- a/src/adapter.c
+++ b/src/adapter.c
+@@ -560,7 +560,11 @@ static void settings_changed(struct btd_adapter *adapter, uint32_t settings)
+ 	if (changed_mask & MGMT_SETTING_DISCOVERABLE) {
+ 		g_dbus_emit_property_changed(dbus_conn, adapter->path,
+ 					ADAPTER_INTERFACE, "Discoverable");
+-		store_adapter_info(adapter);
+		/* Only persist discoverable setting if it was not set
+		 * temporarily by discovery.
+		 */
+		if (!adapter->discovery_discoverable)
+			store_adapter_info(adapter);
+ 		btd_adv_manager_refresh(adapter->adv_manager);
+ 	}
+ 
+@@ -2162,8 +2166,6 @@ static bool filters_equal(struct mgmt_cp_start_service_discovery *a,
+ static int update_discovery_filter(struct btd_adapter *adapter)
+ {
+ 	struct mgmt_cp_start_service_discovery *sd_cp;
+-	GSList *l;
+-
+ 
+ 	DBG("");
+ 
+@@ -2173,17 +2175,24 @@ static int update_discovery_filter(struct btd_adapter *adapter)
+ 		return -ENOMEM;
+ 	}
+ 
+-	for (l = adapter->discovery_list; l; l = g_slist_next(l)) {
+-		struct discovery_client *client = l->data;
+	/* Only attempt to overwrite current discoverable setting when not
+	 * discoverable.
+	 */
+	if (!(adapter->current_settings & MGMT_OP_SET_DISCOVERABLE)) {
+		GSList *l;
+ 
+-		if (!client->discovery_filter)
+-			continue;
+		for (l = adapter->discovery_list; l; l = g_slist_next(l)) {
+			struct discovery_client *client = l->data;
+ 
+-		if (client->discovery_filter->discoverable)
+-			break;
+-	}
+			if (!client->discovery_filter)
+				continue;
+ 
+-	set_discovery_discoverable(adapter, l ? true : false);
+			if (client->discovery_filter->discoverable) {
+				set_discovery_discoverable(adapter, true);
+				break;
+			}
+		}
+	}
+ 
+ 	/*
+ 	 * If filters are equal, then don't update scan, except for when
+@@ -2216,8 +2225,7 @@ static int discovery_stop(struct discovery_client *client, bool exit)
+ 		return 0;
+ 	}
+ 
+-	if (adapter->discovery_discoverable)
+-		set_discovery_discoverable(adapter, false);
+	set_discovery_discoverable(adapter, false);
+ 
+ 	/*
+ 	 * In the idle phase of a discovery, there is no need to stop it
+@@ -6913,6 +6921,7 @@ static void adapter_stop(struct btd_adapter *adapter)
+ 	g_free(adapter->current_discovery_filter);
+ 	adapter->current_discovery_filter = NULL;
+ 
+	set_discovery_discoverable(adapter, false);
+ 	adapter->discovering = false;
+ 
+ 	while (adapter->connections) {
+-- 
+cgit 1.2.3-1.el7
--- a/bluez.spec
+++ b/bluez.spec
@ -1,7 +1,7 @@
 Name:             bluez
 Summary:          Bluetooth utilities
 Version:          5.54
-Release:          8
+Release:          9
 License:          GPLv2+
 URL:              http://www.bluez.org/
 Source0:          http://www.kernel.org/pub/linux/bluetooth/bluez-%{version}.tar.xz
@ -22,6 +22,8 @@ Patch0006:        backport-CVE-2021-3588.patch
 Patch0007:        backport-bluez-disable-test-mesh-crypto.patch
 Patch0008:        backport-media-rename-local-function-conflicting-with-pause-2.patch
 Patch6000:        backport-CVE-2020-27153.patch
+Patch6001:        backport-0001-CVE-2021-3658.patch
+Patch6002:        backport-0002-CVE-2021-3658.patch

 BuildRequires:    dbus-devel >= 1.6 libell-devel >= 0.28 autoconf
 BuildRequires:    glib2-devel libical-devel readline-devel 
@ -178,6 +180,9 @@ make check
 %{_mandir}/man8/*

 %changelog
+* Fri Sep 24 2021 yanan <yanan@huawei.com> - 5.54-9
+- DESC:fix CVE-2021-3658
+
 * Tue Aug 10 2021 zhanzhimin <zhanzhimin@huawei.com> - 5.54-8
 - Type:CVE
 - ID:CVE-2020-27153