Fix not checking Primary/Secundary Counter length.

Resolves: RHEL-35501 Resolves: RHEL-35504 Fixes CVE-2023-50230 Fixes CVE-2023-50229 commit 5ab5352531a9cc7058cce569607f3a6831464443 Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Date: Tue Sep 19 12:14:01 2023 -0700 pbap: Fix not checking Primary/Secundary Counter length Signed-off-by: David Marlin <dmarlin@redhat.com>
2024-08-09 11:24:11 -05:00 · 2024-08-09 11:24:11 -05:00 · d8bce530a3
commit d8bce530a3
parent b8d0f7d8d5
2 changed files with 83 additions and 1 deletions
--- a/0001-pbap-Fix-not-checking-Primary_Secundary-Counter-lengt.patch
+++ b/0001-pbap-Fix-not-checking-Primary_Secundary-Counter-lengt.patch
@ -0,0 +1,73 @@
+From: David Marlin <dmarlin@redhat.com>
+
+Subject: pbap: Fix not checking Primary/Secundary Counter length
+
+Resolves: RHEL-35501
+Resolves: RHEL-35504
+
+CVE: CVE-2023-50230
+CVE: CVE-2023-50229
+
+commit 5ab5352531a9cc7058cce569607f3a6831464443
+Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date:   Tue Sep 19 12:14:01 2023 -0700
+
+    pbap: Fix not checking Primary/Secundary Counter length
+    
+    Primary/Secundary Counters are supposed to be 16 bytes values, if the
+    server has implemented them incorrectly it may lead to the following
+    crash:
+    
+    =================================================================
+    ==31860==ERROR: AddressSanitizer: heap-buffer-overflow on address
+    0x607000001878 at pc 0x7f95a1575638 bp 0x7fff58c6bb80 sp 0x7fff58c6b328
+    
+     READ of size 48 at 0x607000001878 thread T0
+         #0 0x7f95a1575637 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:860
+         #1 0x7f95a1575ba6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:892
+         #2 0x7f95a1575ba6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:887
+         #3 0x564df69c77a0 in read_version obexd/client/pbap.c:288
+         #4 0x564df69c77a0 in read_return_apparam obexd/client/pbap.c:352
+         #5 0x564df69c77a0 in phonebook_size_callback obexd/client/pbap.c:374
+         #6 0x564df69bea3c in session_terminate_transfer obexd/client/session.c:921
+         #7 0x564df69d56b0 in get_xfer_progress_first obexd/client/transfer.c:729
+         #8 0x564df698b9ee in handle_response gobex/gobex.c:1140
+         #9 0x564df698cdea in incoming_data gobex/gobex.c:1385
+         #10 0x7f95a12fdc43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43)
+         #11 0x7f95a13526c7  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xaa6c7)
+         #12 0x7f95a12fd2b2 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2)
+         #13 0x564df6977d41 in main obexd/src/main.c:307
+         #14 0x7f95a10a7d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
+         #15 0x7f95a10a7e3f in __libc_start_main_impl ../csu/libc-start.c:392
+         #16 0x564df6978704 in _start (/usr/local/libexec/bluetooth/obexd+0x8b704)
+     0x607000001878 is located 0 bytes to the right of 72-byte region [0x607000001830,0x607000001878)
+    
+     allocated by thread T0 here:
+         #0 0x7f95a1595a37 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
+         #1 0x564df69c8b6a in pbap_probe obexd/client/pbap.c:1259
+
+Signed-off-by: David Marlin <dmarlin@redhat.com>
+
+diff --git a/obexd/client/pbap.c b/obexd/client/pbap.c
+index 1ed8c68eccd00097a8539aaa9ede9feed9b6d060..2d2aa950898c38984d544e7708610d4c2af43b59 100644
+--- a/obexd/client/pbap.c
+++ b/obexd/client/pbap.c
+@@ -285,7 +285,7 @@ static void read_version(struct pbap_data *pbap, GObexApparam *apparam)
+ 		data = value;
+ 	}
+ 
+-	if (memcmp(pbap->primary, data, len)) {
+	if (len == sizeof(pbap->primary) && memcmp(pbap->primary, data, len)) {
+ 		memcpy(pbap->primary, data, len);
+ 		g_dbus_emit_property_changed(conn,
+ 					obc_session_get_path(pbap->session),
+@@ -299,7 +299,8 @@ static void read_version(struct pbap_data *pbap, GObexApparam *apparam)
+ 		data = value;
+ 	}
+ 
+-	if (memcmp(pbap->secondary, data, len)) {
+	if (len == sizeof(pbap->secondary) &&
+			memcmp(pbap->secondary, data, len)) {
+ 		memcpy(pbap->secondary, data, len);
+ 		g_dbus_emit_property_changed(conn,
+ 					obc_session_get_path(pbap->session),
--- a/bluez.spec
+++ b/bluez.spec
@ -1,7 +1,7 @@
 Name:    bluez
 Summary: Bluetooth utilities
 Version: 5.63
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2+
 URL:     http://www.bluez.org/

@ -51,6 +51,8 @@ Patch25: 0001-gdbus-Emit-InterfacesAdded-of-parents-objects-first.patch

 Patch40: 0001-Change-default-of-ClassicBondedOnly.patch

+Patch50: 0001-pbap-Fix-not-checking-Primary_Secundary-Counter-lengt.patch
+
 BuildRequires: git-core
 BuildRequires: dbus-devel >= 1.6
 BuildRequires: glib2-devel
@ -285,6 +287,13 @@ make check
 %{_userunitdir}/obex.service

 %changelog
+* Mon Aug 05 2024 David Marlin <dmarlin@redhat.com> - 5.63-4
+ bluez-5.63-4
+- Resolves: RHEL-35501
+- Fixing CVE-2023-50230
+- Resolves: RHEL-35504
+- Fixing CVE-2023-50229
+
 * Thu Jun 06 2024 David Marlin <dmarlin@redhat.com> - 5.63-3
 + bluez-5.63-3
 - Add back the tests for OSCI.