CVE-2022-0204 and add prefix CVE-2021-0129

backport-0001-CVE-2021-0129.patch

@@ -0,0 +1,71 @@
+From d676c4ddcb569234c6ce499732bb5fbe76ba14ac Mon Sep 17 00:00:00 2001
+From: Szymon Janc <szymon.janc@codecoup.pl>
+Date: Tue, 31 Mar 2020 12:45:32 +0200
+Subject: [PATCH] shared/gatt: Fix NULL pointer dereference
+
+bluetoothd[363094]: src/device.c:device_connect_le() Connection attempt to: 00:AA:01:00:00:23
+
+Program received signal SIGSEGV, Segmentation fault.
+write_complete_cb (attr=0x55555580aa30, err=-110, user_data=0x55555585f7c0) at src/shared/gatt-server.c:793
+793             util_debug(server->debug_callback, server->debug_data,
+(gdb) bt
+ #0  write_complete_cb (attr=0x55555580aa30, err=-110, user_data=0x55555585f7c0) at src/shared/gatt-server.c:793
+ #1  0x00005555556a5852 in pending_write_result (p=0x555555866030, err=<optimized out>) at src/shared/gatt-db.c:162
+ #2  0x00005555556a5ac7 in write_timeout (user_data=0x555555866030) at src/shared/gatt-db.c:1879
+ #3  0x00005555556a9b15 in timeout_callback (user_data=user_data@entry=0x555555864b20) at src/shared/timeout-glib.c:34
+ #4  0x00007ffff7e1f081 in g_timeout_dispatch (source=source@entry=0x555555864f00, callback=0x5555556a9b00 <timeout_callback>, user_data=0x555555864b20) at ../glib/gmain.c:4705
+ #5  0x00007ffff7e1e570 in g_main_dispatch (context=0x5555557d9630) at ../glib/gmain.c:3216
+ #6  g_main_context_dispatch (context=context@entry=0x5555557d9630) at ../glib/gmain.c:3881
+ #7  0x00007ffff7e1e900 in g_main_context_iterate (context=0x5555557d9630, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:3954
+ #8  0x00007ffff7e1ebf3 in g_main_loop_run (loop=0x5555557d75d0) at ../glib/gmain.c:4148
+ #9  0x00005555556a9dbd in mainloop_run () at src/shared/mainloop-glib.c:79
+ #10 0x00005555556aa36a in mainloop_run_with_signal (func=<optimized out>, user_data=0x0) at src/shared/mainloop-notify.c:201
+ #11 0x00005555555bb9e3 in main (argc=<optimized out>, argv=<optimized out>) at src/main.c:770
+ 
+Conflict:NA
+Reference:https://github.com/bluez/bluez/commit/d676c4ddcb569234c6ce499732bb5fbe76ba14ac
+---
+ src/shared/gatt-server.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
+index 7e5d652e42..4e07398d21 100644
+--- a/src/shared/gatt-server.c
++++ b/src/shared/gatt-server.c
+@@ -790,14 +790,14 @@ static void write_complete_cb(struct gatt_db_attribute *attr, int err,
+ 	struct bt_gatt_server *server = op->server;
+ 	uint16_t handle;
+ 
+-	util_debug(server->debug_callback, server->debug_data,
+-				"Write Complete: err %d", err);
+-
+ 	if (!server || op->opcode == BT_ATT_OP_WRITE_CMD) {
+ 		async_write_op_destroy(op);
+ 		return;
+ 	}
+ 
++	util_debug(server->debug_callback, server->debug_data,
++						"Write Complete: err %d", err);
++
+ 	handle = gatt_db_attribute_get_handle(attr);
+ 
+ 	if (err)
+@@ -914,14 +914,14 @@ static void read_complete_cb(struct gatt_db_attribute *attr, int err,
+ 	uint16_t mtu;
+ 	uint16_t handle;
+ 
+-	util_debug(server->debug_callback, server->debug_data,
+-				"Read Complete: err %d", err);
+-
+ 	if (!server) {
+ 		async_read_op_destroy(op);
+ 		return;
+ 	}
+ 
++	util_debug(server->debug_callback, server->debug_data,
++				"Read Complete: err %d", err);
++
+ 	mtu = bt_att_get_mtu(server->att);
+ 	handle = gatt_db_attribute_get_handle(attr);
+ 
+

backport-0002-CVE-2021-0129.patch

@@ -0,0 +1,195 @@
+From ee49fb1d13617e7d38fbf8f979206b905aa25345 Mon Sep 17 00:00:00 2001
+From: Archie Pusaka <apusaka@chromium.org>
+Date: Thu, 7 May 2020 14:38:46 +0800
+Subject: [PATCH] shared/gatt-server: Fix read multiple charc values
+
+According to bluetooth spec Ver 5.2, Vol 3, Part G, 4.8.4, An
+ATT_ERROR_RSP PDU shall be sent by the server in response to the
+ATT_READ_MULTIPLE_RSP PDU if insufficient authentication,
+insufficient authorization, insufficient encryption key size, or
+insufficient encryption is used by the client, or if a read operation
+is not permitted on any of the Characteristic Values.
+
+Currently if the size of the response grows larger than the MTU size,
+BlueZ does an early return and not check the permission for the rest
+of the characteristics. This patch forces BlueZ to check for possible
+errors even though we already reach MTU size.
+
+This patch also moves the read permission check for read multiple
+characteristics so it is done before actually retrieving the
+characteristics.
+
+Conflict:NA
+Reference:https://github.com/bluez/bluez/commit/ee49fb1d13617e7d38fbf8f979206b905aa25345
+---
+ src/shared/gatt-server.c | 88 ++++++++++++++++++++--------------------
+ 1 file changed, 45 insertions(+), 43 deletions(-)
+
+diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
+index 4e07398d21..28ac2d68de 100644
+--- a/src/shared/gatt-server.c
++++ b/src/shared/gatt-server.c
+@@ -1057,33 +1057,23 @@ static void read_multiple_complete_cb(struct gatt_db_attribute *attr, int err,
+ 	uint16_t length;
+ 
+ 	if (err != 0) {
+-		bt_att_chan_send_error_rsp(data->chan, data->opcode, handle,
+-									err);
+-		read_mult_data_free(data);
+-		return;
+-	}
+-
+-	ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ |
+-						BT_ATT_PERM_READ_AUTHEN |
+-						BT_ATT_PERM_READ_ENCRYPT);
+-	if (ecode) {
+-		bt_att_chan_send_error_rsp(data->chan, data->opcode, handle,
+-									ecode);
+-		read_mult_data_free(data);
+-		return;
++		ecode = err;
++		goto error;
+ 	}
+ 
+ 	length = data->opcode == BT_ATT_OP_READ_MULT_VL_REQ ?
+-			MIN(len, data->mtu - data->length - 3) :
++			MIN(len, MAX(data->mtu - data->length, 3) - 3) :
+ 			MIN(len, data->mtu - data->length - 1);
+ 
+ 	if (data->opcode == BT_ATT_OP_READ_MULT_VL_REQ) {
+ 		/* The Length Value Tuple List may be truncated within the first
+ 		 * two octets of a tuple due to the size limits of the current
+-		 * ATT_MTU.
++		 * ATT_MTU, but the first two octets cannot be separated.
+ 		 */
+-		put_le16(len, data->rsp_data + data->length);
+-		data->length += 2;
++		if (data->mtu - data->length >= 3) {
++			put_le16(len, data->rsp_data + data->length);
++			data->length += 2;
++		}
+ 	}
+ 
+ 	memcpy(data->rsp_data + data->length, value, length);
+@@ -1091,45 +1081,46 @@ static void read_multiple_complete_cb(struct gatt_db_attribute *attr, int err,
+ 
+ 	data->cur_handle++;
+ 
+-	len = data->opcode == BT_ATT_OP_READ_MULT_VL_REQ ?
+-		data->mtu - data->length - 3 : data->mtu - data->length - 1;
+-
+-	if (!len || (data->cur_handle == data->num_handles)) {
++	if (data->cur_handle == data->num_handles) {
+ 		bt_att_chan_send_rsp(data->chan, data->opcode + 1,
+ 						data->rsp_data, data->length);
+ 		read_mult_data_free(data);
+ 		return;
+ 	}
+ 
++	handle = data->handles[data->cur_handle];
++
+ 	util_debug(data->server->debug_callback, data->server->debug_data,
+ 				"%s Req - #%zu of %zu: 0x%04x",
+ 				data->opcode == BT_ATT_OP_READ_MULT_REQ ?
+ 				"Read Multiple" :
+ 				"Read Multiple Variable Length",
+ 				data->cur_handle + 1, data->num_handles,
+-				data->handles[data->cur_handle]);
++				handle);
+ 
+-	next_attr = gatt_db_get_attribute(data->server->db,
+-					data->handles[data->cur_handle]);
++	next_attr = gatt_db_get_attribute(data->server->db, handle);
+ 
+ 	if (!next_attr) {
+-		bt_att_chan_send_error_rsp(data->chan,
+-					BT_ATT_OP_READ_MULT_REQ,
+-					data->handles[data->cur_handle],
+-					BT_ATT_ERROR_INVALID_HANDLE);
+-		read_mult_data_free(data);
+-		return;
++		ecode = BT_ATT_ERROR_INVALID_HANDLE;
++		goto error;
+ 	}
+ 
+-	if (!gatt_db_attribute_read(next_attr, 0, BT_ATT_OP_READ_MULT_REQ,
++	ecode = check_permissions(data->server, next_attr, BT_ATT_PERM_READ |
++						BT_ATT_PERM_READ_AUTHEN |
++						BT_ATT_PERM_READ_ENCRYPT);
++	if (ecode)
++		goto error;
++
++	if (gatt_db_attribute_read(next_attr, 0, data->opcode,
+ 					data->server->att,
+-					read_multiple_complete_cb, data)) {
+-		bt_att_chan_send_error_rsp(data->chan,
+-						BT_ATT_OP_READ_MULT_REQ,
+-						data->handles[data->cur_handle],
+-						BT_ATT_ERROR_UNLIKELY);
+-		read_mult_data_free(data);
+-	}
++					read_multiple_complete_cb, data))
++		return;
++
++	ecode = BT_ATT_ERROR_UNLIKELY;
++
++error:
++	bt_att_chan_send_error_rsp(data->chan, data->opcode, handle, ecode);
++	read_mult_data_free(data);
+ }
+ 
+ static struct read_mult_data *read_mult_data_new(struct bt_gatt_server *server,
+@@ -1161,8 +1152,9 @@ static void read_multiple_cb(struct bt_att_chan *chan, uint8_t opcode,
+ 	struct bt_gatt_server *server = user_data;
+ 	struct gatt_db_attribute *attr;
+ 	struct read_mult_data *data = NULL;
+-	uint8_t ecode = BT_ATT_ERROR_UNLIKELY;
++	uint8_t ecode;
+ 	size_t i = 0;
++	uint16_t handle = 0;
+ 
+ 	if (length < 4) {
+ 		ecode = BT_ATT_ERROR_INVALID_PDU;
+@@ -1176,28 +1168,38 @@ static void read_multiple_cb(struct bt_att_chan *chan, uint8_t opcode,
+ 	for (i = 0; i < data->num_handles; i++)
+ 		data->handles[i] = get_le16(pdu + i * 2);
+ 
++	handle = data->handles[0];
++
+ 	util_debug(server->debug_callback, server->debug_data,
+ 			"%s Req - %zu handles, 1st: 0x%04x",
+ 			data->opcode == BT_ATT_OP_READ_MULT_REQ ?
+ 			"Read Multiple" : "Read Multiple Variable Length",
+-			data->num_handles, data->handles[0]);
++			data->num_handles, handle);
+ 
+-	attr = gatt_db_get_attribute(server->db, data->handles[0]);
++	attr = gatt_db_get_attribute(server->db, handle);
+ 
+ 	if (!attr) {
+ 		ecode = BT_ATT_ERROR_INVALID_HANDLE;
+ 		goto error;
+ 	}
+ 
++	ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ |
++						BT_ATT_PERM_READ_AUTHEN |
++						BT_ATT_PERM_READ_ENCRYPT);
++	if (ecode)
++		goto error;
++
+ 	if (gatt_db_attribute_read(attr, 0, opcode, server->att,
+ 					read_multiple_complete_cb, data))
+ 		return;
+ 
++	ecode = BT_ATT_ERROR_UNLIKELY;
++
+ error:
+ 	if (data)
+ 		read_mult_data_free(data);
+ 
+-	bt_att_chan_send_error_rsp(chan, opcode, 0, ecode);
++	bt_att_chan_send_error_rsp(chan, opcode, handle, ecode);
+ }
+ 
+ static bool append_prep_data(struct prep_write_data *prep_data, uint16_t handle,
+

backport-0003-CVE-2021-0129.patch

@@ -0,0 +1,159 @@
+From a23fa59b09bbda8a35596ebccb78d352b6f5561d Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Wed, 6 Jan 2021 15:22:41 -0800
+Subject: [PATCH] shared/gatt-server: Fix not accepting multiple requests
+
+With introduction of EATT it is possible to send multiple requests using
+different channels therefore bt_gatt_server shall not attempt to check
+if there is already an outstanding request.
+
+gh issue: https://github.com/bluez/bluez/issues/75
+
+Conflict:NA
+Reference:https://github.com/bluez/bluez/commit/a23fa59b09bbda8a35596ebccb78d352b6f5561d
+---
+ src/shared/gatt-server.c | 53 +++++-----------------------------------
+ 1 file changed, 6 insertions(+), 47 deletions(-)
+
+diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
+index 0ce994be3e..b5f7de7dc3 100644
+--- a/src/shared/gatt-server.c
++++ b/src/shared/gatt-server.c
+@@ -108,9 +108,6 @@ struct bt_gatt_server {
+ 	struct queue *prep_queue;
+ 	unsigned int max_prep_queue_len;
+ 
+-	struct async_read_op *pending_read_op;
+-	struct async_write_op *pending_write_op;
+-
+ 	bt_gatt_server_debug_func_t debug_callback;
+ 	bt_gatt_server_destroy_func_t debug_destroy;
+ 	void *debug_data;
+@@ -140,12 +137,6 @@ static void bt_gatt_server_free(struct bt_gatt_server *server)
+ 	bt_att_unregister(server->att, server->prep_write_id);
+ 	bt_att_unregister(server->att, server->exec_write_id);
+ 
+-	if (server->pending_read_op)
+-		server->pending_read_op->server = NULL;
+-
+-	if (server->pending_write_op)
+-		server->pending_write_op->server = NULL;
+-
+ 	queue_destroy(server->prep_queue, prep_write_data_destroy);
+ 
+ 	gatt_db_unref(server->db);
+@@ -324,9 +315,7 @@ static void read_by_grp_type_cb(struct bt_att_chan *chan, uint8_t opcode,
+ 
+ static void async_read_op_destroy(struct async_read_op *op)
+ {
+-	if (op->server)
+-		op->server->pending_read_op = NULL;
+-
++	bt_gatt_server_unref(op->server);
+ 	queue_destroy(op->db_data, NULL);
+ 	free(op->pdu);
+ 	free(op);
+@@ -343,11 +332,6 @@ static void read_by_type_read_complete_cb(struct gatt_db_attribute *attr,
+ 	uint16_t mtu;
+ 	uint16_t handle;
+ 
+-	if (!server) {
+-		async_read_op_destroy(op);
+-		return;
+-	}
+-
+ 	mtu = bt_att_get_mtu(server->att);
+ 	handle = gatt_db_attribute_get_handle(attr);
+ 
+@@ -524,11 +508,6 @@ static void read_by_type_cb(struct bt_att_chan *chan, uint8_t opcode,
+ 		goto error;
+ 	}
+ 
+-	if (server->pending_read_op) {
+-		ecode = BT_ATT_ERROR_UNLIKELY;
+-		goto error;
+-	}
+-
+ 	op = new0(struct async_read_op, 1);
+ 	op->pdu = malloc(bt_att_get_mtu(server->att));
+ 	if (!op->pdu) {
+@@ -539,9 +518,8 @@ static void read_by_type_cb(struct bt_att_chan *chan, uint8_t opcode,
+ 
+ 	op->chan = chan;
+ 	op->opcode = opcode;
+-	op->server = server;
++	op->server = bt_gatt_server_ref(server);
+ 	op->db_data = q;
+-	server->pending_read_op = op;
+ 
+ 	process_read_by_type(op);
+ 
+@@ -764,9 +742,7 @@ static void find_by_type_val_cb(struct bt_att_chan *chan, uint8_t opcode,
+ 
+ static void async_write_op_destroy(struct async_write_op *op)
+ {
+-	if (op->server)
+-		op->server->pending_write_op = NULL;
+-
++	bt_gatt_server_unref(op->server);
+ 	free(op);
+ }
+ 
+@@ -777,7 +753,7 @@ static void write_complete_cb(struct gatt_db_attribute *attr, int err,
+ 	struct bt_gatt_server *server = op->server;
+ 	uint16_t handle;
+ 
+-	if (!server || op->opcode == BT_ATT_OP_WRITE_CMD) {
++	if (op->opcode == BT_ATT_OP_WRITE_CMD) {
+ 		async_write_op_destroy(op);
+ 		return;
+ 	}
+@@ -841,16 +817,10 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
+ 	if (ecode)
+ 		goto error;
+ 
+-	if (server->pending_write_op) {
+-		ecode = BT_ATT_ERROR_UNLIKELY;
+-		goto error;
+-	}
+-
+ 	op = new0(struct async_write_op, 1);
+ 	op->chan = chan;
+-	op->server = server;
++	op->server = bt_gatt_server_ref(server);
+ 	op->opcode = opcode;
+-	server->pending_write_op = op;
+ 
+ 	if (gatt_db_attribute_write(attr, 0, pdu + 2, length - 2, opcode,
+ 							server->att,
+@@ -901,11 +871,6 @@ static void read_complete_cb(struct gatt_db_attribute *attr, int err,
+ 	uint16_t mtu;
+ 	uint16_t handle;
+ 
+-	if (!server) {
+-		async_read_op_destroy(op);
+-		return;
+-	}
+-
+ 	util_debug(server->debug_callback, server->debug_data,
+ 				"Read Complete: err %d", err);
+ 
+@@ -954,16 +919,10 @@ static void handle_read_req(struct bt_att_chan *chan,
+ 	if (ecode)
+ 		goto error;
+ 
+-	if (server->pending_read_op) {
+-		ecode = BT_ATT_ERROR_UNLIKELY;
+-		goto error;
+-	}
+-
+ 	op = new0(struct async_read_op, 1);
+ 	op->chan = chan;
+ 	op->opcode = opcode;
+-	op->server = server;
+-	server->pending_read_op = op;
++	op->server = bt_gatt_server_ref(server);
+ 
+ 	if (gatt_db_attribute_read(attr, offset, opcode, server->att,
+ 							read_complete_cb, op))
+

backport-0004-CVE-2021-0129.patch

@@ -1,18 +1,24 @@
-From e15a27eee8d48871089d621ab43a21f2c855df1e Mon Sep 17 00:00:00 2001
+From 00da0fb4972cf59e1c075f313da81ea549cb8738 Mon Sep 17 00:00:00 2001
-From: xingxing <xingxing9@h-partners.com>
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
-Date: Tue, 1 Mar 2022 16:08:57 +0800
+Date: Tue, 2 Mar 2021 11:38:33 -0800
-Subject: [PATCH] CVE-2021-0129.patch
+Subject: [PATCH] shared/gatt-server: Fix not properly checking for secure
+ flags
 
+When passing the mask to check_permissions all valid permissions for
+the operation must be set including BT_ATT_PERM_SECURE flags.
+
+Conflict:NA
+Reference:https://github.com/bluez/bluez/commit/00da0fb4972cf59e1c075f313da81ea549cb8738
 ---
  src/shared/att-types.h   |  8 ++++++++
- src/shared/gatt-server.c | 16 ++++------------
+ src/shared/gatt-server.c | 25 +++++++------------------
- 2 files changed, 12 insertions(+), 12 deletions(-)
+ 2 files changed, 15 insertions(+), 18 deletions(-)
 
 diff --git a/src/shared/att-types.h b/src/shared/att-types.h
-index 99b1089..f468a98 100644
+index 7108b4e94a..3adc05d9e3 100644
 --- a/src/shared/att-types.h
 +++ b/src/shared/att-types.h
-@@ -142,6 +142,14 @@ struct bt_att_pdu_error_rsp {
+@@ -129,6 +129,14 @@ struct bt_att_pdu_error_rsp {
  #define BT_ATT_PERM_WRITE_SECURE	0x0200
  #define BT_ATT_PERM_SECURE		(BT_ATT_PERM_READ_SECURE | \
  					BT_ATT_PERM_WRITE_SECURE)
@@ -28,10 +34,10 @@ index 99b1089..f468a98 100644
  /* GATT Characteristic Properties Bitfield values */
  #define BT_GATT_CHRC_PROP_BROADCAST			0x01
 diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
-index 7e5d652..a79a786 100644
+index b5f7de7dc3..970c35f94e 100644
 --- a/src/shared/gatt-server.c
 +++ b/src/shared/gatt-server.c
-@@ -473,9 +473,7 @@ static void process_read_by_type(struct async_read_op *op)
+@@ -444,9 +444,7 @@ static void process_read_by_type(struct async_read_op *op)
  		return;
  	}
  
@@ -42,7 +48,7 @@ index 7e5d652..a79a786 100644
  	if (ecode)
  		goto error;
  
-@@ -848,9 +846,7 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
+@@ -811,9 +809,7 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
  				(opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd",
  				handle);
  
@@ -53,7 +59,7 @@ index 7e5d652..a79a786 100644
  	if (ecode)
  		goto error;
  
-@@ -961,9 +957,7 @@ static void handle_read_req(struct bt_att_chan *chan,
+@@ -913,9 +909,7 @@ static void handle_read_req(struct bt_att_chan *chan,
  			opcode == BT_ATT_OP_READ_BLOB_REQ ? "Blob " : "",
  			handle);
  
@@ -64,7 +70,30 @@ index 7e5d652..a79a786 100644
  	if (ecode)
  		goto error;
  
-@@ -1360,9 +1354,7 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode,
+@@ -1051,9 +1045,8 @@ static void read_multiple_complete_cb(struct gatt_db_attribute *attr, int err,
+ 		goto error;
+ 	}
+ 
+-	ecode = check_permissions(data->server, next_attr, BT_ATT_PERM_READ |
+-						BT_ATT_PERM_READ_AUTHEN |
+-						BT_ATT_PERM_READ_ENCRYPT);
++	ecode = check_permissions(data->server, next_attr,
++						BT_ATT_PERM_READ_MASK);
+ 	if (ecode)
+ 		goto error;
+ 
+@@ -1129,9 +1122,7 @@ static void read_multiple_cb(struct bt_att_chan *chan, uint8_t opcode,
+ 		goto error;
+ 	}
+ 
+-	ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ |
+-						BT_ATT_PERM_READ_AUTHEN |
+-						BT_ATT_PERM_READ_ENCRYPT);
++	ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ_MASK);
+ 	if (ecode)
+ 		goto error;
+ 
+@@ -1308,9 +1299,7 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode,
  	util_debug(server->debug_callback, server->debug_data,
  				"Prep Write Req - handle: 0x%04x", handle);
  
@@ -75,6 +104,4 @@ index 7e5d652..a79a786 100644
  	if (ecode)
  		goto error;
  
--- 
-2.27.0
 

backport-CVE-2022-0204.patch

@@ -0,0 +1,61 @@
+From 591c546c536b42bef696d027f64aa22434f8c3f0 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Tue, 8 Jun 2021 16:46:49 -0700
+Subject: [PATCH] shared/gatt-server: Fix heap overflow when appending prepare
+ writes
+
+The code shall check if the prepare writes would append more the
+allowed maximum attribute length.
+
+Fixes https://github.com/bluez/bluez/security/advisories/GHSA-479m-xcq5-9g2q
+---
+ src/shared/gatt-server.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
+index dc4e681c9c..9beec44bed 100644
+--- a/src/shared/gatt-server.c
++++ b/src/shared/gatt-server.c
+@@ -779,6 +779,20 @@ static uint8_t authorize_req(struct bt_gatt_server *server,
+ 						server->authorize_data);
+ }
+ 
++static uint8_t check_length(uint16_t length, uint16_t offset)
++{
++	if (length > BT_ATT_MAX_VALUE_LEN)
++		return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN;
++
++	if (offset > BT_ATT_MAX_VALUE_LEN)
++		return BT_ATT_ERROR_INVALID_OFFSET;
++
++	if (length + offset > BT_ATT_MAX_VALUE_LEN)
++		return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN;
++
++	return 0;
++}
++
+ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
+ 					uint16_t length, void *user_data)
+ {
+@@ -809,6 +823,10 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
+ 				(opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd",
+ 				handle);
+ 
++	ecode = check_length(length, 0);
++	if (ecode)
++		goto error;
++
+ 	ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
+ 	if (ecode)
+ 		goto error;
+@@ -1299,6 +1317,10 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode,
+ 	util_debug(server->debug_callback, server->debug_data,
+ 				"Prep Write Req - handle: 0x%04x", handle);
+ 
++	ecode = check_length(length, offset);
++	if (ecode)
++		goto error;
++
+ 	ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
+ 	if (ecode)
+ 		goto error;

bluez.spec

@@ -1,7 +1,7 @@
 Name:             bluez
 Summary:          Bluetooth utilities
 Version:          5.54
-Release:          12
+Release:          13
 License:          GPLv2+
 URL:              http://www.bluez.org/
 Source0:          http://www.kernel.org/pub/linux/bluetooth/bluez-%{version}.tar.xz
@@ -25,7 +25,11 @@ Patch6000:        backport-CVE-2020-27153.patch
 Patch6001:        backport-0001-CVE-2021-3658.patch
 Patch6002:        backport-0002-CVE-2021-3658.patch
 Patch6003:        backport-CVE-2021-43400.patch
-Patch6004:        backport-CVE-2021-0129.patch
+Patch6004:        backport-0001-CVE-2021-0129.patch
+Patch6005:        backport-0002-CVE-2021-0129.patch
+Patch6006:        backport-0003-CVE-2021-0129.patch
+Patch6007:        backport-0004-CVE-2021-0129.patch
+Patch6008:        backport-CVE-2022-0204.patch
 
 BuildRequires:    dbus-devel >= 1.6 libell-devel >= 0.28 autoconf
 BuildRequires:    glib2-devel libical-devel readline-devel 
@@ -182,6 +186,12 @@ make check
 %{_mandir}/man8/*
 
 %changelog
+* Fri Mar 18 2022 xingxing <xingxing9@h-partners.com> - 5.54-9
+- Type:CVE
+- CVE:CVE-2022-0204
+- SUG:NA
+- DESC:fix CVE-2022-0204 and add prefix for CVE-2021-0129
+
 * Tue Mar 1 2022 xingxing <xingxing9@h-partners.com> - 5.54-12
 - Type:CVE
 - CVE:CVE-2021-0129