The cli_feat_read_cb() function in src/gatt-database.c does not perform bounds checks on the 'offset' variable before using it as an index into an array for reading
https://nvd.nist.gov/vuln/detail/CVE-2021-3588 Signed-off-by: Steve Sakoman <st...@sakoman.com> --- meta/recipes-connectivity/bluez5/bluez5.inc | 1 + .../bluez5/bluez5/CVE-2021-3588.patch | 34 +++++++++++++++++++ 2 files changed, 35 insertions(+) create mode 100644 meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc index f34ba0dce5..202a14dee0 100644 --- a/meta/recipes-connectivity/bluez5/bluez5.inc +++ b/meta/recipes-connectivity/bluez5/bluez5.inc @@ -52,6 +52,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \ ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \ file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \ file://0001-test-gatt-Fix-hung-issue.patch \ + file://CVE-2021-3588.patch \ " S = "${WORKDIR}/bluez-${PV}" diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch new file mode 100644 index 0000000000..f52ff47a06 --- /dev/null +++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch @@ -0,0 +1,34 @@ +From 3a40bef49305f8327635b81ac8be52a3ca063d5a Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz <luiz.von.de...@intel.com> +Date: Mon, 4 Jan 2021 10:38:31 -0800 +Subject: [PATCH] gatt: Fix potential buffer out-of-bound + +When client features is read check if the offset is within the cli_feat +bounds. + +Fixes: https://github.com/bluez/bluez/issues/70 + ++Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3a40bef49305f8327635b81ac8be52a3ca063d5a] ++Signed-off-by: Steve Sakoman <st...@sakoman.com> ++CVE: CVE-2021-3588 + +--- + src/gatt-database.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/gatt-database.c b/src/gatt-database.c +index 90cc4bade..f2d7b5821 100644 +--- a/src/gatt-database.c ++++ b/src/gatt-database.c +@@ -1075,6 +1075,11 @@ static void cli_feat_read_cb(struct gatt_db_attribute *attrib, + goto done; + } + ++ if (offset >= sizeof(state->cli_feat)) { ++ ecode = BT_ATT_ERROR_INVALID_OFFSET; ++ goto done; ++ } ++ + len = sizeof(state->cli_feat) - offset; + value = len ? &state->cli_feat[offset] : NULL; + -- 2.25.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#153865): https://lists.openembedded.org/g/openembedded-core/message/153865 Mute This Topic: https://lists.openembedded.org/mt/84225951/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
