authorLeo <thinkabit.ukim@gmail.com>2020-12-09 21:41:28 -0300
committerLeo <thinkabit.ukim@gmail.com>2020-12-10 00:57:47 +0000
commit3658872660c49542a14697c5b9d8c844b7b8ed77 (patch)
tree002daad776f04516e845acb564bd6c44067d3270
parent801680ad17f63d253e67728a07662db31c288134 (diff)
main/bluez: fix CVE-2020-27153
See: #12053
-rw-r--r--main/bluez/APKBUILD2
-rw-r--r--main/bluez/CVE-2020-27153.patch84
2 files changed, 20 insertions, 66 deletions
diff --git a/main/bluez/APKBUILD b/main/bluez/APKBUILD
index 413426f059..97b0017111 100644
--- a/main/bluez/APKBUILD
+++ b/main/bluez/APKBUILD
@@ -156,4 +156,4 @@ d5fd1c962bd846eaa6fff879bab85f753eb367d514f82d133b5d3242e1da989af5eddd942c60a87d
118d55183860f395fc4bdc93efffb13902ebf7388cad722b9061cd2860d404333e500af521741c3d92c0f8a161f6810348fbeb6682e49c372383f417aed8c76a fix-endianness.patch
641e425333d269833eed624edec0e29cba04bb0ff6570f6afda178a164fc2bb77456fa88957fe49f36000d3601ac00bb7ba089400977c1577e9c226e74baa3d6 musl.patch
1f7c41399e746942e091db22c1b42a0bd87dafd83c5074a34c24f51efd88ed4d2957308f9b4da0fdcd6cd99ea5b9e1885d628ae01ddde56cf31140ccc895be61 CVE-2020-0556.patch
-821cc275cd104b9e20a91d6081c8eb045bd7b78202582f502d1bac2525800d3d52c2d2e058d814c794c265b1143ccce6d6db6c33db013af99165478a38d0a528 CVE-2020-27153.patch"
+c8e65bdfb5edc8edd0d1f9a153a7d5b953f0c5700aa61645af251cd857117990090a27c0ee133056fc045d0f6b6a3c1aad60ff0dfd3707c2c5ba29c518fccca8 CVE-2020-27153.patch"
diff --git a/main/bluez/CVE-2020-27153.patch b/main/bluez/CVE-2020-27153.patch
index 2caf9aa3e6..48a346fe2c 100644
--- a/main/bluez/CVE-2020-27153.patch
+++ b/main/bluez/CVE-2020-27153.patch
@@ -1,64 +1,18 @@
-From 1cd644db8c23a2f530ddb93cebed7dacc5f5721a Mon Sep 17 00:00:00 2001
-From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
-Date: Wed, 15 Jul 2020 18:25:37 -0700
-Subject: [PATCH] shared/att: Fix possible crash on disconnect
-
-If there are pending request while disconnecting they would be notified
-but clients may endup being freed in the proccess which will then be
-calling bt_att_cancel to cancal its requests causing the following
-trace:
-
-Invalid read of size 4
- at 0x1D894C: enable_ccc_callback (gatt-client.c:1627)
- by 0x1D247B: disc_att_send_op (att.c:417)
- by 0x1CCC17: queue_remove_all (queue.c:354)
- by 0x1D47B7: disconnect_cb (att.c:635)
- by 0x1E0707: watch_callback (io-glib.c:170)
- by 0x48E963B: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.6400.4)
- by 0x48E9AC7: ??? (in /usr/lib/libglib-2.0.so.0.6400.4)
- by 0x48E9ECF: g_main_loop_run (in /usr/lib/libglib-2.0.so.0.6400.4)
- by 0x1E0E97: mainloop_run (mainloop-glib.c:79)
- by 0x1E13B3: mainloop_run_with_signal (mainloop-notify.c:201)
- by 0x12BC3B: main (main.c:770)
- Address 0x7d40a28 is 24 bytes inside a block of size 32 free'd
- at 0x484A2E0: free (vg_replace_malloc.c:540)
- by 0x1CCC17: queue_remove_all (queue.c:354)
- by 0x1CCC83: queue_destroy (queue.c:73)
- by 0x1D7DD7: bt_gatt_client_free (gatt-client.c:2209)
- by 0x16497B: batt_free (battery.c:77)
- by 0x16497B: batt_remove (battery.c:286)
- by 0x1A0013: service_remove (service.c:176)
- by 0x1A9B7B: device_remove_gatt_service (device.c:3691)
- by 0x1A9B7B: gatt_service_removed (device.c:3805)
- by 0x1CC90B: queue_foreach (queue.c:220)
- by 0x1DE27B: notify_service_changed.isra.0.part.0 (gatt-db.c:369)
- by 0x1DE387: notify_service_changed (gatt-db.c:361)
- by 0x1DE387: gatt_db_service_destroy (gatt-db.c:385)
- by 0x1DE3EF: gatt_db_remove_service (gatt-db.c:519)
- by 0x1D674F: discovery_op_complete (gatt-client.c:388)
- by 0x1D6877: discover_primary_cb (gatt-client.c:1260)
- by 0x1E220B: discovery_op_complete (gatt-helpers.c:628)
- by 0x1E249B: read_by_grp_type_cb (gatt-helpers.c:730)
- by 0x1D247B: disc_att_send_op (att.c:417)
- by 0x1CCC17: queue_remove_all (queue.c:354)
- by 0x1D47B7: disconnect_cb (att.c:635)
----
- src/shared/att.c | 46 ++++++++++++++++++++++++++++++++++++++++------
- 1 file changed, 40 insertions(+), 6 deletions(-)
+Adapted from https://github.com/bluez/bluez/commit/1cd644db8c23a2f530ddb93cebed7dacc5f5721a
diff --git a/src/shared/att.c b/src/shared/att.c
-index ed3af2920..58f23dfcb 100644
+index 0ea6d55..b0fdb8e 100644
--- a/src/shared/att.c
+++ b/src/shared/att.c
-@@ -84,6 +84,7 @@ struct bt_att {
- struct queue *req_queue; /* Queued ATT protocol requests */
+@@ -62,6 +62,7 @@ struct bt_att {
struct queue *ind_queue; /* Queued ATT protocol indications */
+ struct att_send_op *pending_ind;
struct queue *write_queue; /* Queue of PDUs ready to send */
+ bool in_disc; /* Cleanup queues on disconnect_cb */
+ bool writer_active;
- bt_att_timeout_func_t timeout_callback;
- bt_att_destroy_func_t timeout_destroy;
-@@ -222,8 +223,10 @@ static void destroy_att_send_op(void *data)
+ struct queue *notify_list; /* List of registered callbacks */
+@@ -211,8 +212,10 @@ static void destroy_att_send_op(void *data)
free(op);
}
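Review bot: The rewritten patch header, now only `+Adapted from https://github.com/bluez/bluez/commit/1cd644db8c23a2f530ddb93cebed7dacc5f5721a`, drops the upstream Subject and the rationale together with the valgrind trace, so the file no longer states what it fixes unless the URL is resolved. Keeping the upstream one-line title with the CVE id above the link, e.g. `shared/att: Fix possible crash on disconnect (CVE-2020-27153)`, followed by `Clients notified of pending requests during disconnect may be freed and then call bt_att_cancel while the queues are still being flushed.`, would make the backport self-describing at the next rebase. The trace itself can stay out since the link covers it. The struct hunk that follows, adding `bool in_disc; /* Cleanup queues on disconnect_cb */` after `write_queue`, matches the upstream field name, which keeps later upstream hunks easy to carry over.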
@@ -70,19 +24,19 @@ index ed3af2920..58f23dfcb 100644
if (op->destroy)
op->destroy(op->user_data);
-@@ -631,11 +634,6 @@ static bool disconnect_cb(struct io *io, void *user_data)
- /* Dettach channel */
- queue_remove(att->chans, chan);
+@@ -572,11 +575,6 @@ static bool disconnect_cb(struct io *io, void *user_data)
+ att->io = NULL;
+ att->fd = -1;
- /* Notify request callbacks */
- queue_remove_all(att->req_queue, NULL, NULL, disc_att_send_op);
- queue_remove_all(att->ind_queue, NULL, NULL, disc_att_send_op);
- queue_remove_all(att->write_queue, NULL, NULL, disc_att_send_op);
-
- if (chan->pending_req) {
- disc_att_send_op(chan->pending_req);
- chan->pending_req = NULL;
-@@ -654,6 +652,15 @@ static bool disconnect_cb(struct io *io, void *user_data)
+ if (att->pending_req) {
+ disc_att_send_op(att->pending_req);
+ att->pending_req = NULL;
+@@ -589,6 +587,15 @@ static bool disconnect_cb(struct io *io, void *user_data)
bt_att_ref(att);
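Review bot: The pending request is still notified through `disc_att_send_op(att->pending_req);` before the nine lines added at `@@ -589,6 +587,15 @@`, which are outside this view; if that later hunk is where `att->in_disc` is set around the queue flush, a callback fired from the pending request still goes through the ordinary bt_att_cancel path rather than the `if (att->in_disc)` branch seen at the end of the file. This mirrors the upstream ordering, so it is presumably deliberate, but a short comment above the `if (att->pending_req)` block, e.g. `/* Notified before in_disc is set: its callback takes the normal cancel path */`, would keep a future backporter from rearranging it. disconnect_cb itself starts and ends outside the hunk.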
@@ -98,8 +52,8 @@ index ed3af2920..58f23dfcb 100644
queue_foreach(att->disconn_list, disconn_handler, INT_TO_PTR(err));
bt_att_unregister_all(att);
-@@ -1574,6 +1581,30 @@ bool bt_att_chan_cancel(struct bt_att_chan *chan, unsigned int id)
- return true;
+@@ -1306,6 +1313,30 @@ static bool match_op_id(const void *a, const void *b)
+ return op->id == id;
}
+static bool bt_att_disc_cancel(struct bt_att *att, unsigned int id)
@@ -128,9 +82,9 @@ index ed3af2920..58f23dfcb 100644
+
bool bt_att_cancel(struct bt_att *att, unsigned int id)
{
- const struct queue_entry *entry;
-@@ -1591,6 +1622,9 @@ bool bt_att_cancel(struct bt_att *att, unsigned int id)
- return true;
+ struct att_send_op *op;
+@@ -1325,6 +1356,9 @@ bool bt_att_cancel(struct bt_att *att, unsigned int id)
+ return true;
}
+ if (att->in_disc)