Import from CS git
This commit is contained in:
parent
345324ac6b
commit
9c5db9946b
@ -0,0 +1,54 @@
|
||||
From: David Marlin <dmarlin@redhat.com>
|
||||
|
||||
Subject: avrcp: Fix crash while handling unsupported events
|
||||
|
||||
Resolves: RHEL-35371
|
||||
Resolves: RHEL-35492
|
||||
|
||||
Fixes CVE-2023-27349
|
||||
Fixes CVE-2023-51589
|
||||
|
||||
commit f54299a850676d92c3dafd83e9174fcfe420ccc9
|
||||
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
|
||||
Date: Wed Mar 22 11:34:24 2023 -0700
|
||||
|
||||
avrcp: Fix crash while handling unsupported events
|
||||
|
||||
The following crash can be observed if the remote peer send and
|
||||
unsupported event:
|
||||
|
||||
ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000148f11
|
||||
at pc 0x559644552088 bp 0x7ffe28b3c7b0 sp 0x7ffe28b3c7a0
|
||||
WRITE of size 1 at 0x60b000148f11 thread T0
|
||||
#0 0x559644552087 in avrcp_handle_event profiles/audio/avrcp.c:3907
|
||||
#1 0x559644536c22 in control_response profiles/audio/avctp.c:939
|
||||
#2 0x5596445379ab in session_cb profiles/audio/avctp.c:1108
|
||||
#3 0x7fbcb3e51c43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43)
|
||||
#4 0x7fbcb3ea66c7 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xaa6c7)
|
||||
#5 0x7fbcb3e512b2 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2)
|
||||
#6 0x559644754ab6 in mainloop_run src/shared/mainloop-glib.c:66
|
||||
#7 0x559644755606 in mainloop_run_with_signal src/shared/mainloop-notify.c:188
|
||||
#8 0x5596445bb963 in main src/main.c:1289
|
||||
#9 0x7fbcb3bafd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
||||
#10 0x7fbcb3bafe3f in __libc_start_main_impl ../csu/libc-start.c:392
|
||||
#11 0x5596444e8224 in _start (/usr/local/libexec/bluetooth/bluetoothd+0xf0224)
|
||||
|
||||
Signed-off-by: David Marlin <dmarlin@redhat.com>
|
||||
|
||||
diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
|
||||
index 80f34c7a77a17ddad89abe62e8a7a028c6fecf3c..dda9a303fb711ca009258ba671dc47b7fdd15f94 100644
|
||||
--- a/profiles/audio/avrcp.c
|
||||
+++ b/profiles/audio/avrcp.c
|
||||
@@ -3901,6 +3901,12 @@ static gboolean avrcp_handle_event(struct avctp *conn, uint8_t code,
|
||||
case AVRCP_EVENT_UIDS_CHANGED:
|
||||
avrcp_uids_changed(session, pdu);
|
||||
break;
|
||||
+ default:
|
||||
+ if (event > AVRCP_EVENT_LAST) {
|
||||
+ warn("Unsupported event: %u", event);
|
||||
+ return FALSE;
|
||||
+ }
|
||||
+ break;
|
||||
}
|
||||
|
||||
session->registered_events |= (1 << event);
|
||||
@ -0,0 +1,73 @@
|
||||
From: David Marlin <dmarlin@redhat.com>
|
||||
|
||||
Subject: pbap: Fix not checking Primary/Secundary Counter length
|
||||
|
||||
Resolves: RHEL-35501
|
||||
Resolves: RHEL-35504
|
||||
|
||||
CVE: CVE-2023-50230
|
||||
CVE: CVE-2023-50229
|
||||
|
||||
commit 5ab5352531a9cc7058cce569607f3a6831464443
|
||||
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
|
||||
Date: Tue Sep 19 12:14:01 2023 -0700
|
||||
|
||||
pbap: Fix not checking Primary/Secundary Counter length
|
||||
|
||||
Primary/Secundary Counters are supposed to be 16 bytes values, if the
|
||||
server has implemented them incorrectly it may lead to the following
|
||||
crash:
|
||||
|
||||
=================================================================
|
||||
==31860==ERROR: AddressSanitizer: heap-buffer-overflow on address
|
||||
0x607000001878 at pc 0x7f95a1575638 bp 0x7fff58c6bb80 sp 0x7fff58c6b328
|
||||
|
||||
READ of size 48 at 0x607000001878 thread T0
|
||||
#0 0x7f95a1575637 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:860
|
||||
#1 0x7f95a1575ba6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:892
|
||||
#2 0x7f95a1575ba6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:887
|
||||
#3 0x564df69c77a0 in read_version obexd/client/pbap.c:288
|
||||
#4 0x564df69c77a0 in read_return_apparam obexd/client/pbap.c:352
|
||||
#5 0x564df69c77a0 in phonebook_size_callback obexd/client/pbap.c:374
|
||||
#6 0x564df69bea3c in session_terminate_transfer obexd/client/session.c:921
|
||||
#7 0x564df69d56b0 in get_xfer_progress_first obexd/client/transfer.c:729
|
||||
#8 0x564df698b9ee in handle_response gobex/gobex.c:1140
|
||||
#9 0x564df698cdea in incoming_data gobex/gobex.c:1385
|
||||
#10 0x7f95a12fdc43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43)
|
||||
#11 0x7f95a13526c7 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xaa6c7)
|
||||
#12 0x7f95a12fd2b2 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2)
|
||||
#13 0x564df6977d41 in main obexd/src/main.c:307
|
||||
#14 0x7f95a10a7d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
||||
#15 0x7f95a10a7e3f in __libc_start_main_impl ../csu/libc-start.c:392
|
||||
#16 0x564df6978704 in _start (/usr/local/libexec/bluetooth/obexd+0x8b704)
|
||||
0x607000001878 is located 0 bytes to the right of 72-byte region [0x607000001830,0x607000001878)
|
||||
|
||||
allocated by thread T0 here:
|
||||
#0 0x7f95a1595a37 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
|
||||
#1 0x564df69c8b6a in pbap_probe obexd/client/pbap.c:1259
|
||||
|
||||
Signed-off-by: David Marlin <dmarlin@redhat.com>
|
||||
|
||||
diff --git a/obexd/client/pbap.c b/obexd/client/pbap.c
|
||||
index 1ed8c68eccd00097a8539aaa9ede9feed9b6d060..2d2aa950898c38984d544e7708610d4c2af43b59 100644
|
||||
--- a/obexd/client/pbap.c
|
||||
+++ b/obexd/client/pbap.c
|
||||
@@ -285,7 +285,7 @@ static void read_version(struct pbap_data *pbap, GObexApparam *apparam)
|
||||
data = value;
|
||||
}
|
||||
|
||||
- if (memcmp(pbap->primary, data, len)) {
|
||||
+ if (len == sizeof(pbap->primary) && memcmp(pbap->primary, data, len)) {
|
||||
memcpy(pbap->primary, data, len);
|
||||
g_dbus_emit_property_changed(conn,
|
||||
obc_session_get_path(pbap->session),
|
||||
@@ -299,7 +299,8 @@ static void read_version(struct pbap_data *pbap, GObexApparam *apparam)
|
||||
data = value;
|
||||
}
|
||||
|
||||
- if (memcmp(pbap->secondary, data, len)) {
|
||||
+ if (len == sizeof(pbap->secondary) &&
|
||||
+ memcmp(pbap->secondary, data, len)) {
|
||||
memcpy(pbap->secondary, data, len);
|
||||
g_dbus_emit_property_changed(conn,
|
||||
obc_session_get_path(pbap->session),
|
||||
@ -1,7 +1,7 @@
|
||||
Name: bluez
|
||||
Summary: Bluetooth utilities
|
||||
Version: 5.63
|
||||
Release: 3%{?dist}
|
||||
Release: 5%{?dist}
|
||||
License: GPLv2+
|
||||
URL: http://www.bluez.org/
|
||||
|
||||
@ -51,6 +51,9 @@ Patch25: 0001-gdbus-Emit-InterfacesAdded-of-parents-objects-first.patch
|
||||
|
||||
Patch40: 0001-Change-default-of-ClassicBondedOnly.patch
|
||||
|
||||
Patch50: 0001-pbap-Fix-not-checking-Primary_Secundary-Counter-lengt.patch
|
||||
Patch51: 0001-avrcp-Fix-crash-while-handling-unsupported-events.patch
|
||||
|
||||
BuildRequires: git-core
|
||||
BuildRequires: dbus-devel >= 1.6
|
||||
BuildRequires: glib2-devel
|
||||
@ -285,6 +288,20 @@ make check
|
||||
%{_userunitdir}/obex.service
|
||||
|
||||
%changelog
|
||||
* Mon Dec 09 2024 David Marlin <dmarlin@redhat.com> - 5.63-5
|
||||
+ bluez-5.63-5
|
||||
- Resolves: RHEL-35371
|
||||
- Fixing CVE-2023-27349
|
||||
- Resolves: RHEL-35492
|
||||
- Fixing CVE-2023-51589
|
||||
|
||||
* Mon Aug 05 2024 David Marlin <dmarlin@redhat.com> - 5.63-4
|
||||
+ bluez-5.63-4
|
||||
- Resolves: RHEL-35501
|
||||
- Fixing CVE-2023-50230
|
||||
- Resolves: RHEL-35504
|
||||
- Fixing CVE-2023-50229
|
||||
|
||||
* Thu Jun 06 2024 David Marlin <dmarlin@redhat.com> - 5.63-3
|
||||
+ bluez-5.63-3
|
||||
- Add back the tests for OSCI.
|
||||
|
||||
Loading…
Reference in New Issue
Block a user