aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLeo <thinkabit.ukim@gmail.com>2020-12-09 21:34:04 -0300
committerLeo <thinkabit.ukim@gmail.com>2020-12-10 00:57:31 +0000
commit0e1cfdcae4ef86baf530de61d2540c7b6d2da001 (patch)
tree4654b46136a7aa90a459b5a4824f3aa79836e724
parent7dd0dde524f669d691cd1e73e1e21dc0f9f01a7b (diff)
downloadaports-0e1cfdcae4ef86baf530de61d2540c7b6d2da001.tar.gz
aports-0e1cfdcae4ef86baf530de61d2540c7b6d2da001.tar.bz2
aports-0e1cfdcae4ef86baf530de61d2540c7b6d2da001.tar.xz
main/bluez: fix CVE-2020-27153
See: #12053
-rw-r--r--main/bluez/APKBUILD8
-rw-r--r--main/bluez/CVE-2020-27153.patch141
2 files changed, 147 insertions, 2 deletions
diff --git a/main/bluez/APKBUILD b/main/bluez/APKBUILD
index c0e8e61a71..df64ab4199 100644
--- a/main/bluez/APKBUILD
+++ b/main/bluez/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=bluez
pkgver=5.54
-pkgrel=5
+pkgrel=6
pkgdesc="Tools for the Bluetooth protocol stack"
url="http://www.bluez.org/"
arch="all"
@@ -37,6 +37,7 @@ source="https://www.kernel.org/pub/linux/bluetooth/bluez-$pkgver.tar.xz
disable-lock-test.patch
fix-endianness.patch
musl.patch
+ CVE-2020-27153.patch
"
case "$CARCH" in
@@ -45,6 +46,8 @@ mips*) options="!check";;
esac
# secfixes:
+# 5.54-r6:
+# - CVE-2020-27153
# 5.54-r0:
# - CVE-2020-0556
@@ -155,4 +158,5 @@ d5fd1c962bd846eaa6fff879bab85f753eb367d514f82d133b5d3242e1da989af5eddd942c60a87d
42ac04044a8c66e07487598b3a75ef52efc32999ebce4e7c63f6198e2f603f4a1442e74600e43a0938cb4f52d4db0298aa99050b18144b84990cda71748e9de5 004-Move-the-43xx-firmware-into-lib-firmware.patch
04c4889372c8e790bb338dde7ffa76dc32fcf7370025c71b9184fcf17fd01ade4a6613d84d648303af3bbc54043ad489f29fc0cd4679ec8c9029dcb846d7e026 disable-lock-test.patch
118d55183860f395fc4bdc93efffb13902ebf7388cad722b9061cd2860d404333e500af521741c3d92c0f8a161f6810348fbeb6682e49c372383f417aed8c76a fix-endianness.patch
-641e425333d269833eed624edec0e29cba04bb0ff6570f6afda178a164fc2bb77456fa88957fe49f36000d3601ac00bb7ba089400977c1577e9c226e74baa3d6 musl.patch"
+641e425333d269833eed624edec0e29cba04bb0ff6570f6afda178a164fc2bb77456fa88957fe49f36000d3601ac00bb7ba089400977c1577e9c226e74baa3d6 musl.patch
+821cc275cd104b9e20a91d6081c8eb045bd7b78202582f502d1bac2525800d3d52c2d2e058d814c794c265b1143ccce6d6db6c33db013af99165478a38d0a528 CVE-2020-27153.patch"
diff --git a/main/bluez/CVE-2020-27153.patch b/main/bluez/CVE-2020-27153.patch
new file mode 100644
index 0000000000..2caf9aa3e6
--- /dev/null
+++ b/main/bluez/CVE-2020-27153.patch
@@ -0,0 +1,141 @@
+From 1cd644db8c23a2f530ddb93cebed7dacc5f5721a Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Wed, 15 Jul 2020 18:25:37 -0700
+Subject: [PATCH] shared/att: Fix possible crash on disconnect
+
+If there are pending request while disconnecting they would be notified
+but clients may endup being freed in the proccess which will then be
+calling bt_att_cancel to cancal its requests causing the following
+trace:
+
+Invalid read of size 4
+ at 0x1D894C: enable_ccc_callback (gatt-client.c:1627)
+ by 0x1D247B: disc_att_send_op (att.c:417)
+ by 0x1CCC17: queue_remove_all (queue.c:354)
+ by 0x1D47B7: disconnect_cb (att.c:635)
+ by 0x1E0707: watch_callback (io-glib.c:170)
+ by 0x48E963B: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.6400.4)
+ by 0x48E9AC7: ??? (in /usr/lib/libglib-2.0.so.0.6400.4)
+ by 0x48E9ECF: g_main_loop_run (in /usr/lib/libglib-2.0.so.0.6400.4)
+ by 0x1E0E97: mainloop_run (mainloop-glib.c:79)
+ by 0x1E13B3: mainloop_run_with_signal (mainloop-notify.c:201)
+ by 0x12BC3B: main (main.c:770)
+ Address 0x7d40a28 is 24 bytes inside a block of size 32 free'd
+ at 0x484A2E0: free (vg_replace_malloc.c:540)
+ by 0x1CCC17: queue_remove_all (queue.c:354)
+ by 0x1CCC83: queue_destroy (queue.c:73)
+ by 0x1D7DD7: bt_gatt_client_free (gatt-client.c:2209)
+ by 0x16497B: batt_free (battery.c:77)
+ by 0x16497B: batt_remove (battery.c:286)
+ by 0x1A0013: service_remove (service.c:176)
+ by 0x1A9B7B: device_remove_gatt_service (device.c:3691)
+ by 0x1A9B7B: gatt_service_removed (device.c:3805)
+ by 0x1CC90B: queue_foreach (queue.c:220)
+ by 0x1DE27B: notify_service_changed.isra.0.part.0 (gatt-db.c:369)
+ by 0x1DE387: notify_service_changed (gatt-db.c:361)
+ by 0x1DE387: gatt_db_service_destroy (gatt-db.c:385)
+ by 0x1DE3EF: gatt_db_remove_service (gatt-db.c:519)
+ by 0x1D674F: discovery_op_complete (gatt-client.c:388)
+ by 0x1D6877: discover_primary_cb (gatt-client.c:1260)
+ by 0x1E220B: discovery_op_complete (gatt-helpers.c:628)
+ by 0x1E249B: read_by_grp_type_cb (gatt-helpers.c:730)
+ by 0x1D247B: disc_att_send_op (att.c:417)
+ by 0x1CCC17: queue_remove_all (queue.c:354)
+ by 0x1D47B7: disconnect_cb (att.c:635)
+---
+ src/shared/att.c | 46 ++++++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 40 insertions(+), 6 deletions(-)
+
+diff --git a/src/shared/att.c b/src/shared/att.c
+index ed3af2920..58f23dfcb 100644
+--- a/src/shared/att.c
++++ b/src/shared/att.c
+@@ -84,6 +84,7 @@ struct bt_att {
+ struct queue *req_queue; /* Queued ATT protocol requests */
+ struct queue *ind_queue; /* Queued ATT protocol indications */
+ struct queue *write_queue; /* Queue of PDUs ready to send */
++ bool in_disc; /* Cleanup queues on disconnect_cb */
+
+ bt_att_timeout_func_t timeout_callback;
+ bt_att_destroy_func_t timeout_destroy;
+@@ -222,8 +223,10 @@ static void destroy_att_send_op(void *data)
+ free(op);
+ }
+
+-static void cancel_att_send_op(struct att_send_op *op)
++static void cancel_att_send_op(void *data)
+ {
++ struct att_send_op *op = data;
++
+ if (op->destroy)
+ op->destroy(op->user_data);
+
+@@ -631,11 +634,6 @@ static bool disconnect_cb(struct io *io, void *user_data)
+ /* Dettach channel */
+ queue_remove(att->chans, chan);
+
+- /* Notify request callbacks */
+- queue_remove_all(att->req_queue, NULL, NULL, disc_att_send_op);
+- queue_remove_all(att->ind_queue, NULL, NULL, disc_att_send_op);
+- queue_remove_all(att->write_queue, NULL, NULL, disc_att_send_op);
+-
+ if (chan->pending_req) {
+ disc_att_send_op(chan->pending_req);
+ chan->pending_req = NULL;
+@@ -654,6 +652,15 @@ static bool disconnect_cb(struct io *io, void *user_data)
+
+ bt_att_ref(att);
+
++ att->in_disc = true;
++
++ /* Notify request callbacks */
++ queue_remove_all(att->req_queue, NULL, NULL, disc_att_send_op);
++ queue_remove_all(att->ind_queue, NULL, NULL, disc_att_send_op);
++ queue_remove_all(att->write_queue, NULL, NULL, disc_att_send_op);
++
++ att->in_disc = false;
++
+ queue_foreach(att->disconn_list, disconn_handler, INT_TO_PTR(err));
+
+ bt_att_unregister_all(att);
+@@ -1574,6 +1581,30 @@ bool bt_att_chan_cancel(struct bt_att_chan *chan, unsigned int id)
+ return true;
+ }
+
++static bool bt_att_disc_cancel(struct bt_att *att, unsigned int id)
++{
++ struct att_send_op *op;
++
++ op = queue_find(att->req_queue, match_op_id, UINT_TO_PTR(id));
++ if (op)
++ goto done;
++
++ op = queue_find(att->ind_queue, match_op_id, UINT_TO_PTR(id));
++ if (op)
++ goto done;
++
++ op = queue_find(att->write_queue, match_op_id, UINT_TO_PTR(id));
++
++done:
++ if (!op)
++ return false;
++
++ /* Just cancel since disconnect_cb will be cleaning up */
++ cancel_att_send_op(op);
++
++ return true;
++}
++
+ bool bt_att_cancel(struct bt_att *att, unsigned int id)
+ {
+ const struct queue_entry *entry;
+@@ -1591,6 +1622,9 @@ bool bt_att_cancel(struct bt_att *att, unsigned int id)
+ return true;
+ }
+
++ if (att->in_disc)
++ return bt_att_disc_cancel(att, id);
++
+ op = queue_remove_if(att->req_queue, match_op_id, UINT_TO_PTR(id));
+ if (op)
+ goto done;