packages/bluez
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

CVE-2022-0204 and add prefix CVE-2021-0129

Browse Source
This commit is contained in:
weiwei_tiantian 2022-03-18 17:23:42 +08:00
parent db67ae150b
commit ebfa46c191
6 changed files with 540 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

71
backport-0001-CVE-2021-0129.patch Normal file
View File

@ -0,0 +1,71 @@
From d676c4ddcb569234c6ce499732bb5fbe76ba14ac Mon Sep 17 00:00:00 2001
From: Szymon Janc <szymon.janc@codecoup.pl>
Date: Tue, 31 Mar 2020 12:45:32 +0200
Subject: [PATCH] shared/gatt: Fix NULL pointer dereference
bluetoothd[363094]: src/device.c:device_connect_le() Connection attempt to: 00:AA:01:00:00:23
Program received signal SIGSEGV, Segmentation fault.
write_complete_cb (attr=0x55555580aa30, err=-110, user_data=0x55555585f7c0) at src/shared/gatt-server.c:793
793 util_debug(server->debug_callback, server->debug_data,
(gdb) bt
#0 write_complete_cb (attr=0x55555580aa30, err=-110, user_data=0x55555585f7c0) at src/shared/gatt-server.c:793
#1 0x00005555556a5852 in pending_write_result (p=0x555555866030, err=<optimized out>) at src/shared/gatt-db.c:162
#2 0x00005555556a5ac7 in write_timeout (user_data=0x555555866030) at src/shared/gatt-db.c:1879
#3 0x00005555556a9b15 in timeout_callback (user_data=user_data@entry=0x555555864b20) at src/shared/timeout-glib.c:34
#4 0x00007ffff7e1f081 in g_timeout_dispatch (source=source@entry=0x555555864f00, callback=0x5555556a9b00 <timeout_callback>, user_data=0x555555864b20) at ../glib/gmain.c:4705
#5 0x00007ffff7e1e570 in g_main_dispatch (context=0x5555557d9630) at ../glib/gmain.c:3216
#6 g_main_context_dispatch (context=context@entry=0x5555557d9630) at ../glib/gmain.c:3881
#7 0x00007ffff7e1e900 in g_main_context_iterate (context=0x5555557d9630, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:3954
#8 0x00007ffff7e1ebf3 in g_main_loop_run (loop=0x5555557d75d0) at ../glib/gmain.c:4148
#9 0x00005555556a9dbd in mainloop_run () at src/shared/mainloop-glib.c:79
#10 0x00005555556aa36a in mainloop_run_with_signal (func=<optimized out>, user_data=0x0) at src/shared/mainloop-notify.c:201
#11 0x00005555555bb9e3 in main (argc=<optimized out>, argv=<optimized out>) at src/main.c:770
Conflict:NA
Reference:https://github.com/bluez/bluez/commit/d676c4ddcb569234c6ce499732bb5fbe76ba14ac
---
src/shared/gatt-server.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
index 7e5d652e42..4e07398d21 100644
--- a/src/shared/gatt-server.c
+++ b/src/shared/gatt-server.c
@@ -790,14 +790,14 @@ static void write_complete_cb(struct gatt_db_attribute *attr, int err,
struct bt_gatt_server *server = op->server;
uint16_t handle;
- util_debug(server->debug_callback, server->debug_data,
- "Write Complete: err %d", err);
-
if (!server || op->opcode == BT_ATT_OP_WRITE_CMD) {
async_write_op_destroy(op);
return;
}
+ util_debug(server->debug_callback, server->debug_data,
+ "Write Complete: err %d", err);
+
handle = gatt_db_attribute_get_handle(attr);
if (err)
@@ -914,14 +914,14 @@ static void read_complete_cb(struct gatt_db_attribute *attr, int err,
uint16_t mtu;
uint16_t handle;
- util_debug(server->debug_callback, server->debug_data,
- "Read Complete: err %d", err);
-
if (!server) {
async_read_op_destroy(op);
return;
}
+ util_debug(server->debug_callback, server->debug_data,
+ "Read Complete: err %d", err);
+
mtu = bt_att_get_mtu(server->att);
handle = gatt_db_attribute_get_handle(attr);

195
backport-0002-CVE-2021-0129.patch Normal file
View File

@ -0,0 +1,195 @@
From ee49fb1d13617e7d38fbf8f979206b905aa25345 Mon Sep 17 00:00:00 2001
From: Archie Pusaka <apusaka@chromium.org>
Date: Thu, 7 May 2020 14:38:46 +0800
Subject: [PATCH] shared/gatt-server: Fix read multiple charc values
According to bluetooth spec Ver 5.2, Vol 3, Part G, 4.8.4, An
ATT_ERROR_RSP PDU shall be sent by the server in response to the
ATT_READ_MULTIPLE_RSP PDU if insufficient authentication,
insufficient authorization, insufficient encryption key size, or
insufficient encryption is used by the client, or if a read operation
is not permitted on any of the Characteristic Values.
Currently if the size of the response grows larger than the MTU size,
BlueZ does an early return and not check the permission for the rest
of the characteristics. This patch forces BlueZ to check for possible
errors even though we already reach MTU size.
This patch also moves the read permission check for read multiple
characteristics so it is done before actually retrieving the
characteristics.
Conflict:NA
Reference:https://github.com/bluez/bluez/commit/ee49fb1d13617e7d38fbf8f979206b905aa25345
---
src/shared/gatt-server.c | 88 ++++++++++++++++++++--------------------
1 file changed, 45 insertions(+), 43 deletions(-)
diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
index 4e07398d21..28ac2d68de 100644
--- a/src/shared/gatt-server.c
+++ b/src/shared/gatt-server.c
@@ -1057,33 +1057,23 @@ static void read_multiple_complete_cb(struct gatt_db_attribute *attr, int err,
uint16_t length;
if (err != 0) {
- bt_att_chan_send_error_rsp(data->chan, data->opcode, handle,
- err);
- read_mult_data_free(data);
- return;
- }
-
- ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ |
- BT_ATT_PERM_READ_AUTHEN |
- BT_ATT_PERM_READ_ENCRYPT);
- if (ecode) {
- bt_att_chan_send_error_rsp(data->chan, data->opcode, handle,
- ecode);
- read_mult_data_free(data);
- return;
+ ecode = err;
+ goto error;
}
length = data->opcode == BT_ATT_OP_READ_MULT_VL_REQ ?
- MIN(len, data->mtu - data->length - 3) :
+ MIN(len, MAX(data->mtu - data->length, 3) - 3) :
MIN(len, data->mtu - data->length - 1);
if (data->opcode == BT_ATT_OP_READ_MULT_VL_REQ) {
/* The Length Value Tuple List may be truncated within the first
* two octets of a tuple due to the size limits of the current
- * ATT_MTU.
+ * ATT_MTU, but the first two octets cannot be separated.
*/
- put_le16(len, data->rsp_data + data->length);
- data->length += 2;
+ if (data->mtu - data->length >= 3) {
+ put_le16(len, data->rsp_data + data->length);
+ data->length += 2;
+ }
}
memcpy(data->rsp_data + data->length, value, length);
@@ -1091,45 +1081,46 @@ static void read_multiple_complete_cb(struct gatt_db_attribute *attr, int err,
data->cur_handle++;
- len = data->opcode == BT_ATT_OP_READ_MULT_VL_REQ ?
- data->mtu - data->length - 3 : data->mtu - data->length - 1;
-
- if (!len || (data->cur_handle == data->num_handles)) {
+ if (data->cur_handle == data->num_handles) {
bt_att_chan_send_rsp(data->chan, data->opcode + 1,
data->rsp_data, data->length);
read_mult_data_free(data);
return;
}
+ handle = data->handles[data->cur_handle];
+
util_debug(data->server->debug_callback, data->server->debug_data,
"%s Req - #%zu of %zu: 0x%04x",
data->opcode == BT_ATT_OP_READ_MULT_REQ ?
"Read Multiple" :
"Read Multiple Variable Length",
data->cur_handle + 1, data->num_handles,
- data->handles[data->cur_handle]);
+ handle);
- next_attr = gatt_db_get_attribute(data->server->db,
- data->handles[data->cur_handle]);
+ next_attr = gatt_db_get_attribute(data->server->db, handle);
if (!next_attr) {
- bt_att_chan_send_error_rsp(data->chan,
- BT_ATT_OP_READ_MULT_REQ,
- data->handles[data->cur_handle],
- BT_ATT_ERROR_INVALID_HANDLE);
- read_mult_data_free(data);
- return;
+ ecode = BT_ATT_ERROR_INVALID_HANDLE;
+ goto error;
}
- if (!gatt_db_attribute_read(next_attr, 0, BT_ATT_OP_READ_MULT_REQ,
+ ecode = check_permissions(data->server, next_attr, BT_ATT_PERM_READ |
+ BT_ATT_PERM_READ_AUTHEN |
+ BT_ATT_PERM_READ_ENCRYPT);
+ if (ecode)
+ goto error;
+
+ if (gatt_db_attribute_read(next_attr, 0, data->opcode,
data->server->att,
- read_multiple_complete_cb, data)) {
- bt_att_chan_send_error_rsp(data->chan,
- BT_ATT_OP_READ_MULT_REQ,
- data->handles[data->cur_handle],
- BT_ATT_ERROR_UNLIKELY);
- read_mult_data_free(data);
- }
+ read_multiple_complete_cb, data))
+ return;
+
+ ecode = BT_ATT_ERROR_UNLIKELY;
+
+error:
+ bt_att_chan_send_error_rsp(data->chan, data->opcode, handle, ecode);
+ read_mult_data_free(data);
}
static struct read_mult_data *read_mult_data_new(struct bt_gatt_server *server,
@@ -1161,8 +1152,9 @@ static void read_multiple_cb(struct bt_att_chan *chan, uint8_t opcode,
struct bt_gatt_server *server = user_data;
struct gatt_db_attribute *attr;
struct read_mult_data *data = NULL;
- uint8_t ecode = BT_ATT_ERROR_UNLIKELY;
+ uint8_t ecode;
size_t i = 0;
+ uint16_t handle = 0;
if (length < 4) {
ecode = BT_ATT_ERROR_INVALID_PDU;
@@ -1176,28 +1168,38 @@ static void read_multiple_cb(struct bt_att_chan *chan, uint8_t opcode,
for (i = 0; i < data->num_handles; i++)
data->handles[i] = get_le16(pdu + i * 2);
+ handle = data->handles[0];
+
util_debug(server->debug_callback, server->debug_data,
"%s Req - %zu handles, 1st: 0x%04x",
data->opcode == BT_ATT_OP_READ_MULT_REQ ?
"Read Multiple" : "Read Multiple Variable Length",
- data->num_handles, data->handles[0]);
+ data->num_handles, handle);
- attr = gatt_db_get_attribute(server->db, data->handles[0]);
+ attr = gatt_db_get_attribute(server->db, handle);
if (!attr) {
ecode = BT_ATT_ERROR_INVALID_HANDLE;
goto error;
}
+ ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ |
+ BT_ATT_PERM_READ_AUTHEN |
+ BT_ATT_PERM_READ_ENCRYPT);
+ if (ecode)
+ goto error;
+
if (gatt_db_attribute_read(attr, 0, opcode, server->att,
read_multiple_complete_cb, data))
return;
+ ecode = BT_ATT_ERROR_UNLIKELY;
+
error:
if (data)
read_mult_data_free(data);
- bt_att_chan_send_error_rsp(chan, opcode, 0, ecode);
+ bt_att_chan_send_error_rsp(chan, opcode, handle, ecode);
}
static bool append_prep_data(struct prep_write_data *prep_data, uint16_t handle,

159
backport-0003-CVE-2021-0129.patch Normal file
View File

@ -0,0 +1,159 @@
From a23fa59b09bbda8a35596ebccb78d352b6f5561d Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Wed, 6 Jan 2021 15:22:41 -0800
Subject: [PATCH] shared/gatt-server: Fix not accepting multiple requests
With introduction of EATT it is possible to send multiple requests using
different channels therefore bt_gatt_server shall not attempt to check
if there is already an outstanding request.
gh issue: https://github.com/bluez/bluez/issues/75
Conflict:NA
Reference:https://github.com/bluez/bluez/commit/a23fa59b09bbda8a35596ebccb78d352b6f5561d
---
src/shared/gatt-server.c | 53 +++++-----------------------------------
1 file changed, 6 insertions(+), 47 deletions(-)
diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
index 0ce994be3e..b5f7de7dc3 100644
--- a/src/shared/gatt-server.c
+++ b/src/shared/gatt-server.c
@@ -108,9 +108,6 @@ struct bt_gatt_server {
struct queue *prep_queue;
unsigned int max_prep_queue_len;
- struct async_read_op *pending_read_op;
- struct async_write_op *pending_write_op;
-
bt_gatt_server_debug_func_t debug_callback;
bt_gatt_server_destroy_func_t debug_destroy;
void *debug_data;
@@ -140,12 +137,6 @@ static void bt_gatt_server_free(struct bt_gatt_server *server)
bt_att_unregister(server->att, server->prep_write_id);
bt_att_unregister(server->att, server->exec_write_id);
- if (server->pending_read_op)
- server->pending_read_op->server = NULL;
-
- if (server->pending_write_op)
- server->pending_write_op->server = NULL;
-
queue_destroy(server->prep_queue, prep_write_data_destroy);
gatt_db_unref(server->db);
@@ -324,9 +315,7 @@ static void read_by_grp_type_cb(struct bt_att_chan *chan, uint8_t opcode,
static void async_read_op_destroy(struct async_read_op *op)
{
- if (op->server)
- op->server->pending_read_op = NULL;
-
+ bt_gatt_server_unref(op->server);
queue_destroy(op->db_data, NULL);
free(op->pdu);
free(op);
@@ -343,11 +332,6 @@ static void read_by_type_read_complete_cb(struct gatt_db_attribute *attr,
uint16_t mtu;
uint16_t handle;
- if (!server) {
- async_read_op_destroy(op);
- return;
- }
-
mtu = bt_att_get_mtu(server->att);
handle = gatt_db_attribute_get_handle(attr);
@@ -524,11 +508,6 @@ static void read_by_type_cb(struct bt_att_chan *chan, uint8_t opcode,
goto error;
}
- if (server->pending_read_op) {
- ecode = BT_ATT_ERROR_UNLIKELY;
- goto error;
- }
-
op = new0(struct async_read_op, 1);
op->pdu = malloc(bt_att_get_mtu(server->att));
if (!op->pdu) {
@@ -539,9 +518,8 @@ static void read_by_type_cb(struct bt_att_chan *chan, uint8_t opcode,
op->chan = chan;
op->opcode = opcode;
- op->server = server;
+ op->server = bt_gatt_server_ref(server);
op->db_data = q;
- server->pending_read_op = op;
process_read_by_type(op);
@@ -764,9 +742,7 @@ static void find_by_type_val_cb(struct bt_att_chan *chan, uint8_t opcode,
static void async_write_op_destroy(struct async_write_op *op)
{
- if (op->server)
- op->server->pending_write_op = NULL;
-
+ bt_gatt_server_unref(op->server);
free(op);
}
@@ -777,7 +753,7 @@ static void write_complete_cb(struct gatt_db_attribute *attr, int err,
struct bt_gatt_server *server = op->server;
uint16_t handle;
- if (!server || op->opcode == BT_ATT_OP_WRITE_CMD) {
+ if (op->opcode == BT_ATT_OP_WRITE_CMD) {
async_write_op_destroy(op);
return;
}
@@ -841,16 +817,10 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
if (ecode)
goto error;
- if (server->pending_write_op) {
- ecode = BT_ATT_ERROR_UNLIKELY;
- goto error;
- }
-
op = new0(struct async_write_op, 1);
op->chan = chan;
- op->server = server;
+ op->server = bt_gatt_server_ref(server);
op->opcode = opcode;
- server->pending_write_op = op;
if (gatt_db_attribute_write(attr, 0, pdu + 2, length - 2, opcode,
server->att,
@@ -901,11 +871,6 @@ static void read_complete_cb(struct gatt_db_attribute *attr, int err,
uint16_t mtu;
uint16_t handle;
- if (!server) {
- async_read_op_destroy(op);
- return;
- }
-
util_debug(server->debug_callback, server->debug_data,
"Read Complete: err %d", err);
@@ -954,16 +919,10 @@ static void handle_read_req(struct bt_att_chan *chan,
if (ecode)
goto error;
- if (server->pending_read_op) {
- ecode = BT_ATT_ERROR_UNLIKELY;
- goto error;
- }
-
op = new0(struct async_read_op, 1);
op->chan = chan;
op->opcode = opcode;
- op->server = server;
- server->pending_read_op = op;
+ op->server = bt_gatt_server_ref(server);
if (gatt_db_attribute_read(attr, offset, opcode, server->att,
read_complete_cb, op))

57
backport-CVE-2021-0129.patch → backport-0004-CVE-2021-0129.patch
View File

@ -1,18 +1,24 @@
From e15a27eee8d48871089d621ab43a21f2c855df1e Mon Sep 17 00:00:00 2001
From: xingxing <xingxing9@h-partners.com>
Date: Tue, 1 Mar 2022 16:08:57 +0800
Subject: [PATCH] CVE-2021-0129.patch
From 00da0fb4972cf59e1c075f313da81ea549cb8738 Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Tue, 2 Mar 2021 11:38:33 -0800
Subject: [PATCH] shared/gatt-server: Fix not properly checking for secure
flags
When passing the mask to check_permissions all valid permissions for
the operation must be set including BT_ATT_PERM_SECURE flags.
Conflict:NA
Reference:https://github.com/bluez/bluez/commit/00da0fb4972cf59e1c075f313da81ea549cb8738
---
src/shared/att-types.h | 8 ++++++++
src/shared/gatt-server.c | 16 ++++------------
2 files changed, 12 insertions(+), 12 deletions(-)
src/shared/gatt-server.c | 25 +++++++------------------
2 files changed, 15 insertions(+), 18 deletions(-)
diff --git a/src/shared/att-types.h b/src/shared/att-types.h
index 99b1089..f468a98 100644
index 7108b4e94a..3adc05d9e3 100644
--- a/src/shared/att-types.h
+++ b/src/shared/att-types.h
@@ -142,6 +142,14 @@ struct bt_att_pdu_error_rsp {
@@ -129,6 +129,14 @@ struct bt_att_pdu_error_rsp {
#define BT_ATT_PERM_WRITE_SECURE 0x0200
#define BT_ATT_PERM_SECURE (BT_ATT_PERM_READ_SECURE | \
BT_ATT_PERM_WRITE_SECURE)
@ -28,10 +34,10 @@ index 99b1089..f468a98 100644
/* GATT Characteristic Properties Bitfield values */
#define BT_GATT_CHRC_PROP_BROADCAST 0x01
diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
index 7e5d652..a79a786 100644
index b5f7de7dc3..970c35f94e 100644
--- a/src/shared/gatt-server.c
+++ b/src/shared/gatt-server.c
@@ -473,9 +473,7 @@ static void process_read_by_type(struct async_read_op *op)
@@ -444,9 +444,7 @@ static void process_read_by_type(struct async_read_op *op)
return;
}
@ -42,7 +48,7 @@ index 7e5d652..a79a786 100644
if (ecode)
goto error;
@@ -848,9 +846,7 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
@@ -811,9 +809,7 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
(opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd",
handle);
@ -53,7 +59,7 @@ index 7e5d652..a79a786 100644
if (ecode)
goto error;
@@ -961,9 +957,7 @@ static void handle_read_req(struct bt_att_chan *chan,
@@ -913,9 +909,7 @@ static void handle_read_req(struct bt_att_chan *chan,
opcode == BT_ATT_OP_READ_BLOB_REQ ? "Blob " : "",
handle);
@ -64,7 +70,30 @@ index 7e5d652..a79a786 100644
if (ecode)
goto error;
@@ -1360,9 +1354,7 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode,
@@ -1051,9 +1045,8 @@ static void read_multiple_complete_cb(struct gatt_db_attribute *attr, int err,
goto error;
}
- ecode = check_permissions(data->server, next_attr, BT_ATT_PERM_READ |
- BT_ATT_PERM_READ_AUTHEN |
- BT_ATT_PERM_READ_ENCRYPT);
+ ecode = check_permissions(data->server, next_attr,
+ BT_ATT_PERM_READ_MASK);
if (ecode)
goto error;
@@ -1129,9 +1122,7 @@ static void read_multiple_cb(struct bt_att_chan *chan, uint8_t opcode,
goto error;
}
- ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ |
- BT_ATT_PERM_READ_AUTHEN |
- BT_ATT_PERM_READ_ENCRYPT);
+ ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ_MASK);
if (ecode)
goto error;
@@ -1308,9 +1299,7 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode,
util_debug(server->debug_callback, server->debug_data,
"Prep Write Req - handle: 0x%04x", handle);
@ -75,6 +104,4 @@ index 7e5d652..a79a786 100644
if (ecode)
goto error;
--
2.27.0

61
backport-CVE-2022-0204.patch Normal file
View File

@ -0,0 +1,61 @@
From 591c546c536b42bef696d027f64aa22434f8c3f0 Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Tue, 8 Jun 2021 16:46:49 -0700
Subject: [PATCH] shared/gatt-server: Fix heap overflow when appending prepare
writes
The code shall check if the prepare writes would append more the
allowed maximum attribute length.
Fixes https://github.com/bluez/bluez/security/advisories/GHSA-479m-xcq5-9g2q
---
src/shared/gatt-server.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
index dc4e681c9c..9beec44bed 100644
--- a/src/shared/gatt-server.c
+++ b/src/shared/gatt-server.c
@@ -779,6 +779,20 @@ static uint8_t authorize_req(struct bt_gatt_server *server,
server->authorize_data);
}
+static uint8_t check_length(uint16_t length, uint16_t offset)
+{
+ if (length > BT_ATT_MAX_VALUE_LEN)
+ return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN;
+
+ if (offset > BT_ATT_MAX_VALUE_LEN)
+ return BT_ATT_ERROR_INVALID_OFFSET;
+
+ if (length + offset > BT_ATT_MAX_VALUE_LEN)
+ return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN;
+
+ return 0;
+}
+
static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
uint16_t length, void *user_data)
{
@@ -809,6 +823,10 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
(opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd",
handle);
+ ecode = check_length(length, 0);
+ if (ecode)
+ goto error;
+
ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
if (ecode)
goto error;
@@ -1299,6 +1317,10 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode,
util_debug(server->debug_callback, server->debug_data,
"Prep Write Req - handle: 0x%04x", handle);
+ ecode = check_length(length, offset);
+ if (ecode)
+ goto error;
+
ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
if (ecode)
goto error;

14
bluez.spec
View File

@ -1,7 +1,7 @@
Name: bluez
Summary: Bluetooth utilities
Version: 5.54
Release: 12
Release: 13
License: GPLv2+
URL: http://www.bluez.org/
Source0: http://www.kernel.org/pub/linux/bluetooth/bluez-%{version}.tar.xz
@ -25,7 +25,11 @@ Patch6000: backport-CVE-2020-27153.patch
Patch6001: backport-0001-CVE-2021-3658.patch
Patch6002: backport-0002-CVE-2021-3658.patch
Patch6003: backport-CVE-2021-43400.patch
Patch6004: backport-CVE-2021-0129.patch
Patch6004: backport-0001-CVE-2021-0129.patch
Patch6005: backport-0002-CVE-2021-0129.patch
Patch6006: backport-0003-CVE-2021-0129.patch
Patch6007: backport-0004-CVE-2021-0129.patch
Patch6008: backport-CVE-2022-0204.patch
BuildRequires: dbus-devel >= 1.6 libell-devel >= 0.28 autoconf
BuildRequires: glib2-devel libical-devel readline-devel
@ -182,6 +186,12 @@ make check
%{_mandir}/man8/*
%changelog
* Fri Mar 18 2022 xingxing <xingxing9@h-partners.com> - 5.54-9
- Type:CVE
- CVE:CVE-2022-0204
- SUG:NA
- DESC:fix CVE-2022-0204 and add prefix for CVE-2021-0129
* Tue Mar 1 2022 xingxing <xingxing9@h-partners.com> - 5.54-12
- Type:CVE
- CVE:CVE-2021-0129