From e3d62ae80a600a45a1fcb0933c92d1c17202c5de Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 27 Sep 2022 16:03:31 -0400 Subject: [PATCH] import bluez-5.63-1.el8 --- .bluez.metadata | 2 +- .gitignore | 2 +- ...fresh-adv_manager-for-non-LE-devices.patch | 51 -- ...d-Always-define-confdir-and-statedir.patch | 24 +- ...rfacesAdded-of-parents-objects-first.patch | 36 ++ ...king-buffers-stored-in-cstates-cache.patch | 468 ------------------ ...er-Fix-not-properly-checking-for-sec.patch | 115 ----- ...systemd-Add-more-filesystem-lockdown.patch | 23 +- SPECS/bluez.spec | 18 +- 9 files changed, 68 insertions(+), 671 deletions(-) delete mode 100644 SOURCES/0001-adapter-Don-t-refresh-adv_manager-for-non-LE-devices.patch create mode 100644 SOURCES/0001-gdbus-Emit-InterfacesAdded-of-parents-objects-first.patch delete mode 100644 SOURCES/0001-sdpd-Fix-leaking-buffers-stored-in-cstates-cache.patch delete mode 100644 SOURCES/0001-shared-gatt-server-Fix-not-properly-checking-for-sec.patch diff --git a/.bluez.metadata b/.bluez.metadata index ef5e331..11bca33 100644 --- a/.bluez.metadata +++ b/.bluez.metadata @@ -1 +1 @@ -a862b9ddc039f34f7135bbee3c3e80040e82e046 SOURCES/bluez-5.56.tar.xz +c5137186e7cc60652eed44cff0067ef749e49eff SOURCES/bluez-5.63.tar.xz diff --git a/.gitignore b/.gitignore index f035c34..0ba7c30 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/bluez-5.56.tar.xz +SOURCES/bluez-5.63.tar.xz diff --git a/SOURCES/0001-adapter-Don-t-refresh-adv_manager-for-non-LE-devices.patch b/SOURCES/0001-adapter-Don-t-refresh-adv_manager-for-non-LE-devices.patch deleted file mode 100644 index 46842c8..0000000 --- a/SOURCES/0001-adapter-Don-t-refresh-adv_manager-for-non-LE-devices.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 2c3bba7b38be03834162e34069156f1fd49f0528 Mon Sep 17 00:00:00 2001 -From: "antoine.belvire@laposte.net" -Date: Tue, 27 Mar 2018 20:30:26 +0200 -Subject: [PATCH] adapter: Don't refresh adv_manager for non-LE devices - -btd_adv_manager_refresh is called upon MGMT_SETTING_DISCOVERABLE setting change -but as only LE adapters have an adv_manager, this leads to segmentation fault -for non-LE devices: - -0 btd_adv_manager_refresh (manager=0x0) at src/advertising.c:1176 -1 0x0000556fe45fcb02 in settings_changed (settings=, - adapter=0x556fe53f7c70) at src/adapter.c:543 -2 new_settings_callback (index=, length=, - param=, user_data=0x556fe53f7c70) at src/adapter.c:573 -3 0x0000556fe462c278 in request_complete (mgmt=mgmt@entry=0x556fe53f20c0, - status=, opcode=opcode@entry=7, index=index@entry=0, - length=length@entry=4, param=0x556fe53eb5f9) at src/shared/mgmt.c:261 -4 0x0000556fe462cd9d in can_read_data (io=, - user_data=0x556fe53f20c0) at src/shared/mgmt.c:353 -5 0x0000556fe46396e3 in watch_callback (channel=, - cond=, user_data=) - at src/shared/io-glib.c:170 -6 0x00007fe351c980e5 in g_main_context_dispatch () - from /usr/lib64/libglib-2.0.so.0 -7 0x00007fe351c984b0 in ?? () from /usr/lib64/libglib-2.0.so.0 -8 0x00007fe351c987c2 in g_main_loop_run () from /usr/lib64/libglib-2.0.so.0 -9 0x0000556fe45abc75 in main (argc=, argv=) - at src/main.c:770 - -This commit prevents the call to btd_adv_manager_refresh for non-LE devices. ---- - src/adapter.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/adapter.c b/src/adapter.c -index 6b9222bcf..daccfdc19 100644 ---- a/src/adapter.c -+++ b/src/adapter.c -@@ -540,7 +540,8 @@ static void settings_changed(struct btd_adapter *adapter, uint32_t settings) - g_dbus_emit_property_changed(dbus_conn, adapter->path, - ADAPTER_INTERFACE, "Discoverable"); - store_adapter_info(adapter); -- btd_adv_manager_refresh(adapter->adv_manager); -+ if (adapter->supported_settings & MGMT_SETTING_LE) -+ btd_adv_manager_refresh(adapter->adv_manager); - } - - if (changed_mask & MGMT_SETTING_BONDABLE) { --- -2.17.0 - diff --git a/SOURCES/0001-build-Always-define-confdir-and-statedir.patch b/SOURCES/0001-build-Always-define-confdir-and-statedir.patch index affb28a..b1e56a5 100644 --- a/SOURCES/0001-build-Always-define-confdir-and-statedir.patch +++ b/SOURCES/0001-build-Always-define-confdir-and-statedir.patch @@ -1,25 +1,19 @@ -From 5a62336f4da3a2d1a1ab38d03980d57844bce147 Mon Sep 17 00:00:00 2001 -From: Gopal Tiwari -Date: Mon, 8 Jun 2020 20:56:46 +0530 -Subject: [PATCH BlueZ 1/4] build: Always define confdir and statedir - -From 69d2e7bebb79f500179298c6c51fafbc217df6c8 Mon Sep 17 00:00:00 2001 +From 5744f79d84ecee3929a682166034c5bbc36c0ef5 Mon Sep 17 00:00:00 2001 From: Bastien Nocera Date: Wed, 20 Sep 2017 12:49:10 +0200 - -build: Always define confdir and statedir +Subject: [PATCH 1/4] build: Always define confdir and statedir As we will need those paths to lock down on them. --- - Makefile.am | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) + Makefile.am | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Makefile.am b/Makefile.am -index 84c9712c9..6e77ed91e 100644 +index 9d25a815b..ac88c12e0 100644 --- a/Makefile.am +++ b/Makefile.am -@@ -31,14 +31,15 @@ pkginclude_HEADERS = - AM_CFLAGS = $(WARNING_CFLAGS) $(MISC_CFLAGS) $(UDEV_CFLAGS) $(ell_cflags) +@@ -28,14 +28,14 @@ + $(LIBEDATASERVER_CFLAGS) $(ell_cflags) AM_LDFLAGS = $(MISC_LDFLAGS) +confdir = $(sysconfdir)/bluetooth @@ -31,11 +25,11 @@ index 84c9712c9..6e77ed91e 100644 -confdir = $(sysconfdir)/bluetooth conf_DATA = - +- -statedir = $(localstatedir)/lib/bluetooth state_DATA = endif -- -2.21.1 +2.21.0 diff --git a/SOURCES/0001-gdbus-Emit-InterfacesAdded-of-parents-objects-first.patch b/SOURCES/0001-gdbus-Emit-InterfacesAdded-of-parents-objects-first.patch new file mode 100644 index 0000000..c846268 --- /dev/null +++ b/SOURCES/0001-gdbus-Emit-InterfacesAdded-of-parents-objects-first.patch @@ -0,0 +1,36 @@ +From 4c3eedcb96bd4795dd5c25c688005fc12f364aeb Mon Sep 17 00:00:00 2001 +From: Gopal Tiwari +Date: Wed, 20 Apr 2022 12:19:05 +0530 +Subject: [PATCH BlueZ] gdbus: Emit InterfacesAdded of parents objects first + +This makes InterfacesAdded respect the object hierarchy in case its +parent has pending interfaces to be added. + +Fixes: #272 +Fixes: #284 +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1534857 +Fixes: https://bugs.archlinux.org/task/57464 +--- + gdbus/object.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/gdbus/object.c b/gdbus/object.c +index 50a8b4ff1..f7c8c2be5 100644 +--- a/gdbus/object.c ++++ b/gdbus/object.c +@@ -551,6 +551,12 @@ static void emit_interfaces_added(struct generic_data *data) + if (root == NULL || data == root) + return; + ++ /* Emit InterfacesAdded on the parent first so it appears first on the ++ * bus as child objects may point to it. ++ */ ++ if (data->parent && data->parent->added) ++ emit_interfaces_added(data->parent); ++ + signal = dbus_message_new_signal(root->path, + DBUS_INTERFACE_OBJECT_MANAGER, + "InterfacesAdded"); +-- +2.26.2 + diff --git a/SOURCES/0001-sdpd-Fix-leaking-buffers-stored-in-cstates-cache.patch b/SOURCES/0001-sdpd-Fix-leaking-buffers-stored-in-cstates-cache.patch deleted file mode 100644 index 11ce041..0000000 --- a/SOURCES/0001-sdpd-Fix-leaking-buffers-stored-in-cstates-cache.patch +++ /dev/null @@ -1,468 +0,0 @@ -From 4e6a2402ed4f46ea026ad0929fbc14faecf3a475 Mon Sep 17 00:00:00 2001 -From: Gopal Tiwari -Date: Wed, 1 Dec 2021 12:18:24 +0530 -Subject: [PATCH BlueZ] sdpd: Fix leaking buffers stored in cstates cache - -commit e79417ed7185b150a056d4eb3a1ab528b91d2fc0 -Author: Luiz Augusto von Dentz -Date: Thu Jul 15 11:01:20 2021 -0700 - - sdpd: Fix leaking buffers stored in cstates cache - - These buffer shall only be keep in cache for as long as they are - needed so this would cleanup any client cstates in the following - conditions: - - - There is no cstate on the response - - No continuation can be found for cstate - - Different request opcode - - Respond with an error - - Client disconnect - - Fixes: https://github.com/bluez/bluez/security/advisories/GHSA-3fqg-r8j5-f5xq ---- - src/sdpd-request.c | 170 ++++++++++++++++++++++++++++++++------------- - src/sdpd-server.c | 20 +++--- - src/sdpd.h | 3 + - unit/test-sdp.c | 2 +- - 4 files changed, 135 insertions(+), 60 deletions(-) - -diff --git a/src/sdpd-request.c b/src/sdpd-request.c -index 033d1e5bf..c8f5a2c72 100644 ---- a/src/sdpd-request.c -+++ b/src/sdpd-request.c -@@ -42,48 +42,78 @@ typedef struct { - - #define MIN(x, y) ((x) < (y)) ? (x): (y) - --typedef struct _sdp_cstate_list sdp_cstate_list_t; -+typedef struct sdp_cont_info sdp_cont_info_t; - --struct _sdp_cstate_list { -- sdp_cstate_list_t *next; -+struct sdp_cont_info { -+ int sock; -+ uint8_t opcode; - uint32_t timestamp; - sdp_buf_t buf; - }; - --static sdp_cstate_list_t *cstates; -+static sdp_list_t *cstates; - --/* FIXME: should probably remove it when it's found */ --static sdp_buf_t *sdp_get_cached_rsp(sdp_cont_state_t *cstate) -+static int cstate_match(const void *data, const void *user_data) - { -- sdp_cstate_list_t *p; -+ const sdp_cont_info_t *cinfo = data; -+ const sdp_cont_state_t *cstate = user_data; - -- for (p = cstates; p; p = p->next) { -- /* Check timestamp */ -- if (p->timestamp != cstate->timestamp) -- continue; -+ /* Check timestamp */ -+ return cinfo->timestamp - cstate->timestamp; -+} -+ -+static void sdp_cont_info_free(sdp_cont_info_t *cinfo) -+{ -+ if (!cinfo) -+ return; -+ -+ cstates = sdp_list_remove(cstates, cinfo); -+ free(cinfo->buf.data); -+ free(cinfo); -+} -+ -+static sdp_cont_info_t *sdp_get_cont_info(sdp_req_t *req, -+ sdp_cont_state_t *cstate) -+{ -+ sdp_list_t *list; -+ -+ list = sdp_list_find(cstates, cstate, cstate_match); -+ if (list) { -+ sdp_cont_info_t *cinfo = list->data; - -- /* Check if requesting more than available */ -- if (cstate->cStateValue.maxBytesSent < p->buf.data_size) -- return &p->buf; -+ if (cinfo->opcode == req->opcode) -+ return cinfo; -+ -+ /* Cleanup continuation if the opcode doesn't match since its -+ * response buffer shall only be valid for the original requests -+ */ -+ sdp_cont_info_free(cinfo); -+ return NULL; - } - -- return 0; -+ /* Cleanup cstates if no continuation info could be found */ -+ sdp_cstate_cleanup(req->sock); -+ -+ return NULL; - } - --static uint32_t sdp_cstate_alloc_buf(sdp_buf_t *buf) -+static uint32_t sdp_cstate_alloc_buf(sdp_req_t *req, sdp_buf_t *buf) - { -- sdp_cstate_list_t *cstate = malloc(sizeof(sdp_cstate_list_t)); -+ sdp_cont_info_t *cinfo = malloc(sizeof(sdp_cont_info_t)); - uint8_t *data = malloc(buf->data_size); - - memcpy(data, buf->data, buf->data_size); -- memset((char *)cstate, 0, sizeof(sdp_cstate_list_t)); -- cstate->buf.data = data; -- cstate->buf.data_size = buf->data_size; -- cstate->buf.buf_size = buf->data_size; -- cstate->timestamp = sdp_get_time(); -- cstate->next = cstates; -- cstates = cstate; -- return cstate->timestamp; -+ memset(cinfo, 0, sizeof(sdp_cont_info_t)); -+ cinfo->buf.data = data; -+ cinfo->buf.data_size = buf->data_size; -+ cinfo->buf.buf_size = buf->data_size; -+ cinfo->timestamp = sdp_get_time(); -+ cinfo->sock = req->sock; -+ cinfo->opcode = req->opcode; -+ -+ cstates = sdp_list_append(cstates, cinfo); -+ -+ return cinfo->timestamp; - } - - /* Additional values for checking datatype (not in spec) */ -@@ -274,14 +304,16 @@ static int sdp_set_cstate_pdu(sdp_buf_t *buf, sdp_cont_state_t *cstate) - return length; - } - --static int sdp_cstate_get(uint8_t *buffer, size_t len, -- sdp_cont_state_t **cstate) -+static int sdp_cstate_get(sdp_req_t *req, uint8_t *buffer, size_t len, -+ sdp_cont_state_t **cstate, sdp_cont_info_t **cinfo) - { - uint8_t cStateSize = *buffer; - - SDPDBG("Continuation State size : %d", cStateSize); - - if (cStateSize == 0) { -+ /* Cleanup cstates if request doesn't contain a cstate */ -+ sdp_cstate_cleanup(req->sock); - *cstate = NULL; - return 0; - } -@@ -306,6 +338,8 @@ static int sdp_cstate_get(uint8_t *buffer, size_t len, - SDPDBG("Cstate TS : 0x%x", (*cstate)->timestamp); - SDPDBG("Bytes sent : %d", (*cstate)->cStateValue.maxBytesSent); - -+ *cinfo = sdp_get_cont_info(req, *cstate); -+ - return 0; - } - -@@ -360,6 +394,7 @@ static int service_search_req(sdp_req_t *req, sdp_buf_t *buf) - uint16_t expected, actual, rsp_count = 0; - uint8_t dtd; - sdp_cont_state_t *cstate = NULL; -+ sdp_cont_info_t *cinfo = NULL; - uint8_t *pCacheBuffer = NULL; - int handleSize = 0; - uint32_t cStateId = 0; -@@ -399,9 +434,9 @@ static int service_search_req(sdp_req_t *req, sdp_buf_t *buf) - - /* - * Check if continuation state exists, if yes attempt -- * to get rsp remainder from cache, else send error -+ * to get rsp remainder from continuation info, else send error - */ -- if (sdp_cstate_get(pdata, data_left, &cstate) < 0) { -+ if (sdp_cstate_get(req, pdata, data_left, &cstate, &cinfo) < 0) { - status = SDP_INVALID_SYNTAX; - goto done; - } -@@ -451,7 +486,7 @@ static int service_search_req(sdp_req_t *req, sdp_buf_t *buf) - - if (rsp_count > actual) { - /* cache the rsp and generate a continuation state */ -- cStateId = sdp_cstate_alloc_buf(buf); -+ cStateId = sdp_cstate_alloc_buf(req, buf); - /* - * subtract handleSize since we now send only - * a subset of handles -@@ -459,6 +494,7 @@ static int service_search_req(sdp_req_t *req, sdp_buf_t *buf) - buf->data_size -= handleSize; - } else { - /* NULL continuation state */ -+ sdp_cont_info_free(cinfo); - sdp_set_cstate_pdu(buf, NULL); - } - } -@@ -468,13 +504,15 @@ static int service_search_req(sdp_req_t *req, sdp_buf_t *buf) - short lastIndex = 0; - - if (cstate) { -- /* -- * Get the previous sdp_cont_state_t and obtain -- * the cached rsp -- */ -- sdp_buf_t *pCache = sdp_get_cached_rsp(cstate); -- if (pCache) { -- pCacheBuffer = pCache->data; -+ if (cinfo) { -+ /* Check if requesting more than available */ -+ if (cstate->cStateValue.maxBytesSent >= -+ cinfo->buf.data_size) { -+ status = SDP_INVALID_CSTATE; -+ goto done; -+ } -+ -+ pCacheBuffer = cinfo->buf.data; - /* get the rsp_count from the cached buffer */ - rsp_count = get_be16(pCacheBuffer); - -@@ -518,6 +556,7 @@ static int service_search_req(sdp_req_t *req, sdp_buf_t *buf) - if (i == rsp_count) { - /* set "null" continuationState */ - sdp_set_cstate_pdu(buf, NULL); -+ sdp_cont_info_free(cinfo); - } else { - /* - * there's more: set lastIndexSent to -@@ -540,6 +579,7 @@ static int service_search_req(sdp_req_t *req, sdp_buf_t *buf) - - done: - free(cstate); -+ - if (pattern) - sdp_list_free(pattern, free); - -@@ -619,15 +659,21 @@ static int extract_attrs(sdp_record_t *rec, sdp_list_t *seq, sdp_buf_t *buf) - } - - /* Build cstate response */ --static int sdp_cstate_rsp(sdp_cont_state_t *cstate, sdp_buf_t *buf, -- uint16_t max) -+static int sdp_cstate_rsp(sdp_cont_info_t *cinfo, sdp_cont_state_t *cstate, -+ sdp_buf_t *buf, uint16_t max) - { -- /* continuation State exists -> get from cache */ -- sdp_buf_t *cache = sdp_get_cached_rsp(cstate); -+ sdp_buf_t *cache; - uint16_t sent; - -- if (!cache) -+ if (!cinfo) -+ return 0; -+ -+ if (cstate->cStateValue.maxBytesSent >= cinfo->buf.data_size) { -+ sdp_cont_info_free(cinfo); - return 0; -+ } -+ -+ cache = &cinfo->buf; - - sent = MIN(max, cache->data_size - cstate->cStateValue.maxBytesSent); - memcpy(buf->data, cache->data + cstate->cStateValue.maxBytesSent, sent); -@@ -637,8 +683,10 @@ static int sdp_cstate_rsp(sdp_cont_state_t *cstate, sdp_buf_t *buf, - SDPDBG("Response size : %d sending now : %d bytes sent so far : %d", - cache->data_size, sent, cstate->cStateValue.maxBytesSent); - -- if (cstate->cStateValue.maxBytesSent == cache->data_size) -+ if (cstate->cStateValue.maxBytesSent == cache->data_size) { -+ sdp_cont_info_free(cinfo); - return sdp_set_cstate_pdu(buf, NULL); -+ } - - return sdp_set_cstate_pdu(buf, cstate); - } -@@ -652,6 +700,7 @@ static int sdp_cstate_rsp(sdp_cont_state_t *cstate, sdp_buf_t *buf, - static int service_attr_req(sdp_req_t *req, sdp_buf_t *buf) - { - sdp_cont_state_t *cstate = NULL; -+ sdp_cont_info_t *cinfo = NULL; - short cstate_size = 0; - sdp_list_t *seq = NULL; - uint8_t dtd = 0; -@@ -708,7 +757,7 @@ static int service_attr_req(sdp_req_t *req, sdp_buf_t *buf) - * if continuation state exists, attempt - * to get rsp remainder from cache, else send error - */ -- if (sdp_cstate_get(pdata, data_left, &cstate) < 0) { -+ if (sdp_cstate_get(req, pdata, data_left, &cstate, &cinfo) < 0) { - status = SDP_INVALID_SYNTAX; - goto done; - } -@@ -737,7 +786,7 @@ static int service_attr_req(sdp_req_t *req, sdp_buf_t *buf) - buf->buf_size -= sizeof(uint16_t); - - if (cstate) { -- cstate_size = sdp_cstate_rsp(cstate, buf, max_rsp_size); -+ cstate_size = sdp_cstate_rsp(cinfo, cstate, buf, max_rsp_size); - if (!cstate_size) { - status = SDP_INVALID_CSTATE; - error("NULL cache buffer and non-NULL continuation state"); -@@ -749,7 +798,7 @@ static int service_attr_req(sdp_req_t *req, sdp_buf_t *buf) - sdp_cont_state_t newState; - - memset((char *)&newState, 0, sizeof(sdp_cont_state_t)); -- newState.timestamp = sdp_cstate_alloc_buf(buf); -+ newState.timestamp = sdp_cstate_alloc_buf(req, buf); - /* - * Reset the buffer size to the maximum expected and - * set the sdp_cont_state_t -@@ -793,6 +842,7 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf) - int scanned, rsp_count = 0; - sdp_list_t *pattern = NULL, *seq = NULL, *svcList; - sdp_cont_state_t *cstate = NULL; -+ sdp_cont_info_t *cinfo = NULL; - short cstate_size = 0; - uint8_t dtd = 0; - sdp_buf_t tmpbuf; -@@ -852,7 +902,7 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf) - * if continuation state exists attempt - * to get rsp remainder from cache, else send error - */ -- if (sdp_cstate_get(pdata, data_left, &cstate) < 0) { -+ if (sdp_cstate_get(req, pdata, data_left, &cstate, &cinfo) < 0) { - status = SDP_INVALID_SYNTAX; - goto done; - } -@@ -906,7 +956,7 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf) - sdp_cont_state_t newState; - - memset((char *)&newState, 0, sizeof(sdp_cont_state_t)); -- newState.timestamp = sdp_cstate_alloc_buf(buf); -+ newState.timestamp = sdp_cstate_alloc_buf(req, buf); - /* - * Reset the buffer size to the maximum expected and - * set the sdp_cont_state_t -@@ -917,7 +967,7 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf) - } else - cstate_size = sdp_set_cstate_pdu(buf, NULL); - } else { -- cstate_size = sdp_cstate_rsp(cstate, buf, max); -+ cstate_size = sdp_cstate_rsp(cinfo, cstate, buf, max); - if (!cstate_size) { - status = SDP_INVALID_CSTATE; - SDPDBG("Non-null continuation state, but null cache buffer"); -@@ -974,6 +1024,9 @@ static void process_request(sdp_req_t *req) - status = SDP_INVALID_PDU_SIZE; - goto send_rsp; - } -+ -+ req->opcode = reqhdr->pdu_id; -+ - switch (reqhdr->pdu_id) { - case SDP_SVC_SEARCH_REQ: - SDPDBG("Got a svc srch req"); -@@ -1020,6 +1073,8 @@ static void process_request(sdp_req_t *req) - - send_rsp: - if (status) { -+ /* Cleanup cstates on error */ -+ sdp_cstate_cleanup(req->sock); - rsphdr->pdu_id = SDP_ERROR_RSP; - put_be16(status, rsp.data); - rsp.data_size = sizeof(uint16_t); -@@ -1108,3 +1163,20 @@ void handle_request(int sk, uint8_t *data, int len) - - process_request(&req); - } -+ -+void sdp_cstate_cleanup(int sock) -+{ -+ sdp_list_t *list; -+ -+ /* Remove any cinfo for the client */ -+ for (list = cstates; list;) { -+ sdp_cont_info_t *cinfo = list->data; -+ -+ list = list->next; -+ -+ if (cinfo->sock != sock) -+ continue; -+ -+ sdp_cont_info_free(cinfo); -+ } -+} -diff --git a/src/sdpd-server.c b/src/sdpd-server.c -index dfd8b1f00..66ee7ba14 100644 ---- a/src/sdpd-server.c -+++ b/src/sdpd-server.c -@@ -146,16 +146,12 @@ static gboolean io_session_event(GIOChannel *chan, GIOCondition cond, gpointer d - - sk = g_io_channel_unix_get_fd(chan); - -- if (cond & (G_IO_HUP | G_IO_ERR)) { -- sdp_svcdb_collect_all(sk); -- return FALSE; -- } -+ if (cond & (G_IO_HUP | G_IO_ERR)) -+ goto cleanup; - - len = recv(sk, &hdr, sizeof(sdp_pdu_hdr_t), MSG_PEEK); -- if (len < 0 || (unsigned int) len < sizeof(sdp_pdu_hdr_t)) { -- sdp_svcdb_collect_all(sk); -- return FALSE; -- } -+ if (len < 0 || (unsigned int) len < sizeof(sdp_pdu_hdr_t)) -+ goto cleanup; - - size = sizeof(sdp_pdu_hdr_t) + ntohs(hdr.plen); - buf = malloc(size); -@@ -168,14 +164,18 @@ static gboolean io_session_event(GIOChannel *chan, GIOCondition cond, gpointer d - * inside handle_request() in order to produce ErrorResponse. - */ - if (len <= 0) { -- sdp_svcdb_collect_all(sk); - free(buf); -- return FALSE; -+ goto cleanup; - } - - handle_request(sk, buf, len); - - return TRUE; -+ -+cleanup: -+ sdp_svcdb_collect_all(sk); -+ sdp_cstate_cleanup(sk); -+ return FALSE; - } - - static gboolean io_accept_event(GIOChannel *chan, GIOCondition cond, gpointer data) -diff --git a/src/sdpd.h b/src/sdpd.h -index 257411f03..4316aff67 100644 ---- a/src/sdpd.h -+++ b/src/sdpd.h -@@ -27,8 +27,11 @@ typedef struct request { - int flags; - uint8_t *buf; - int len; -+ uint8_t opcode; - } sdp_req_t; - -+void sdp_cstate_cleanup(int sock); -+ - void handle_internal_request(int sk, int mtu, void *data, int len); - void handle_request(int sk, uint8_t *data, int len); - -diff --git a/unit/test-sdp.c b/unit/test-sdp.c -index d3a885f19..8f95fcb71 100644 ---- a/unit/test-sdp.c -+++ b/unit/test-sdp.c -@@ -235,7 +235,7 @@ static gboolean client_handler(GIOChannel *channel, GIOCondition cond, - tester_monitor('>', 0x0000, 0x0001, buf, len); - - g_assert(len > 0); -- g_assert((size_t) len == rsp_pdu->raw_size + rsp_pdu->cont_len); -+ g_assert_cmpuint(len, ==, rsp_pdu->raw_size + rsp_pdu->cont_len); - - g_assert(memcmp(buf, rsp_pdu->raw_data, rsp_pdu->raw_size) == 0); - --- -2.26.2 - diff --git a/SOURCES/0001-shared-gatt-server-Fix-not-properly-checking-for-sec.patch b/SOURCES/0001-shared-gatt-server-Fix-not-properly-checking-for-sec.patch deleted file mode 100644 index a8f61c4..0000000 --- a/SOURCES/0001-shared-gatt-server-Fix-not-properly-checking-for-sec.patch +++ /dev/null @@ -1,115 +0,0 @@ -From d22177efb6f17ed281013cdfa4976d218718d5b6 Mon Sep 17 00:00:00 2001 -From: Gopal Tiwari -Date: Mon, 31 May 2021 12:29:01 +0530 -Subject: [PATCH BlueZ] shared/gatt-server: Fix not properly checking for - secure flags - -commit ef7316b34cf3a568694bdb0e4e83af17804dff9e (HEAD) -Author: Luiz Augusto von Dentz -Date: Tue Mar 2 11:38:33 2021 -0800 - -shared/gatt-server: Fix not properly checking for secure flags - -When passing the mask to check_permissions all valid permissions for -the operation must be set including BT_ATT_PERM_SECURE flags. - -(cherry picked from commit 00da0fb4972cf59e1c075f313da81ea549cb8738) -Signed-off-by: Gopal Tiwari ---- - src/shared/att-types.h | 8 ++++++++ - src/shared/gatt-server.c | 25 +++++++------------------ - 2 files changed, 15 insertions(+), 18 deletions(-) - -diff --git a/src/shared/att-types.h b/src/shared/att-types.h -index 7108b4e94..3adc05d9e 100644 ---- a/src/shared/att-types.h -+++ b/src/shared/att-types.h -@@ -129,6 +129,14 @@ struct bt_att_pdu_error_rsp { - #define BT_ATT_PERM_WRITE_SECURE 0x0200 - #define BT_ATT_PERM_SECURE (BT_ATT_PERM_READ_SECURE | \ - BT_ATT_PERM_WRITE_SECURE) -+#define BT_ATT_PERM_READ_MASK (BT_ATT_PERM_READ | \ -+ BT_ATT_PERM_READ_AUTHEN | \ -+ BT_ATT_PERM_READ_ENCRYPT | \ -+ BT_ATT_PERM_READ_SECURE) -+#define BT_ATT_PERM_WRITE_MASK (BT_ATT_PERM_WRITE | \ -+ BT_ATT_PERM_WRITE_AUTHEN | \ -+ BT_ATT_PERM_WRITE_ENCRYPT | \ -+ BT_ATT_PERM_WRITE_SECURE) - - /* GATT Characteristic Properties Bitfield values */ - #define BT_GATT_CHRC_PROP_BROADCAST 0x01 -diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c -index b5f7de7dc..970c35f94 100644 ---- a/src/shared/gatt-server.c -+++ b/src/shared/gatt-server.c -@@ -444,9 +444,7 @@ static void process_read_by_type(struct async_read_op *op) - return; - } - -- ecode = check_permissions(server, attr, BT_ATT_PERM_READ | -- BT_ATT_PERM_READ_AUTHEN | -- BT_ATT_PERM_READ_ENCRYPT); -+ ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK); - if (ecode) - goto error; - -@@ -811,9 +809,7 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu, - (opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd", - handle); - -- ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE | -- BT_ATT_PERM_WRITE_AUTHEN | -- BT_ATT_PERM_WRITE_ENCRYPT); -+ ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK); - if (ecode) - goto error; - -@@ -913,9 +909,7 @@ static void handle_read_req(struct bt_att_chan *chan, - opcode == BT_ATT_OP_READ_BLOB_REQ ? "Blob " : "", - handle); - -- ecode = check_permissions(server, attr, BT_ATT_PERM_READ | -- BT_ATT_PERM_READ_AUTHEN | -- BT_ATT_PERM_READ_ENCRYPT); -+ ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK); - if (ecode) - goto error; - -@@ -1051,9 +1045,8 @@ static void read_multiple_complete_cb(struct gatt_db_attribute *attr, int err, - goto error; - } - -- ecode = check_permissions(data->server, next_attr, BT_ATT_PERM_READ | -- BT_ATT_PERM_READ_AUTHEN | -- BT_ATT_PERM_READ_ENCRYPT); -+ ecode = check_permissions(data->server, next_attr, -+ BT_ATT_PERM_READ_MASK); - if (ecode) - goto error; - -@@ -1129,9 +1122,7 @@ static void read_multiple_cb(struct bt_att_chan *chan, uint8_t opcode, - goto error; - } - -- ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ | -- BT_ATT_PERM_READ_AUTHEN | -- BT_ATT_PERM_READ_ENCRYPT); -+ ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ_MASK); - if (ecode) - goto error; - -@@ -1308,9 +1299,7 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode, - util_debug(server->debug_callback, server->debug_data, - "Prep Write Req - handle: 0x%04x", handle); - -- ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE | -- BT_ATT_PERM_WRITE_AUTHEN | -- BT_ATT_PERM_WRITE_ENCRYPT); -+ ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK); - if (ecode) - goto error; - --- -2.26.2 - diff --git a/SOURCES/0003-systemd-Add-more-filesystem-lockdown.patch b/SOURCES/0003-systemd-Add-more-filesystem-lockdown.patch index 139fb62..37a91e4 100644 --- a/SOURCES/0003-systemd-Add-more-filesystem-lockdown.patch +++ b/SOURCES/0003-systemd-Add-more-filesystem-lockdown.patch @@ -1,34 +1,29 @@ -From 1da4185a89fba1c14032ab87757e5fb798d76bc0 Mon Sep 17 00:00:00 2001 -From: Gopal Tiwari -Date: Mon, 8 Jun 2020 19:55:39 +0530 -Subject: [PATCH BlueZ 3/4] systemd: Add more filesystem lockdown - -From 73a9c0902e7c97adf96e735407a75033152c04a9 Mon Sep 17 00:00:00 2001 +From 13a348670fef0047555395ce6977e86e0005f8bd Mon Sep 17 00:00:00 2001 From: Bastien Nocera Date: Wed, 13 Sep 2017 15:37:11 +0200 - -systemd: Add more filesystem lockdown +Subject: [PATCH 3/4] systemd: Add more filesystem lockdown We can only access the configuration file as read-only and read-write to the Bluetooth cache directory and sub-directories. --- - Makefile.am | 2 ++ + Makefile.am | 3 +++ src/bluetooth.service.in | 4 ++++ - 2 files changed, 6 insertions(+) + 2 files changed, 7 insertions(+) diff --git a/Makefile.am b/Makefile.am -index cdd2fd8fb..0af1a8c45 100644 +index ac88c12e0..0a6d09847 100644 --- a/Makefile.am +++ b/Makefile.am -@@ -580,6 +580,8 @@ MAINTAINERCLEANFILES = Makefile.in \ +@@ -617,6 +617,9 @@ SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \ $(SED) -e 's,@pkglibexecdir\@,$(pkglibexecdir),g' \ ++ -e 's,@libexecdir\@,$(libexecdir),g' \ + -e 's,@statedir\@,$(statedir),g' \ + -e 's,@confdir\@,$(confdir),g' \ < $< > $@ - %.service: %.service.in Makefile + if RUN_RST2MAN diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in index 7c2f60bb4..4daedef2a 100644 --- a/src/bluetooth.service.in @@ -45,5 +40,5 @@ index 7c2f60bb4..4daedef2a 100644 # Privilege escalation NoNewPrivileges=true -- -2.21.1 +2.21.0 diff --git a/SPECS/bluez.spec b/SPECS/bluez.spec index 49a9776..62cb5b9 100644 --- a/SPECS/bluez.spec +++ b/SPECS/bluez.spec @@ -1,7 +1,7 @@ Name: bluez Summary: Bluetooth utilities -Version: 5.56 -Release: 3%{?dist} +Version: 5.63 +Release: 1%{?dist} License: GPLv2+ URL: http://www.bluez.org/ @@ -29,9 +29,10 @@ Patch20: 0001-build-Always-define-confdir-and-statedir.patch Patch21: 0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch Patch22: 0003-systemd-Add-more-filesystem-lockdown.patch Patch23: 0004-systemd-More-lockdown.patch +Patch25: 0001-gdbus-Emit-InterfacesAdded-of-parents-objects-first.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1567622 -Patch24: 0001-adapter-Don-t-refresh-adv_manager-for-non-LE-devices.patch +#Patch24: 0001-adapter-Don-t-refresh-adv_manager-for-non-LE-devices.patch #Patch25: 0001-core-Add-AlwaysPairable-to-main.conf.patch #Patch26: 0002-agent-Make-the-first-agent-to-register-the-default.patch @@ -44,9 +45,9 @@ Patch24: 0001-adapter-Don-t-refresh-adv_manager-for-non-LE-devices.patch #Patch30: 0001-input-hog-Attempt-to-set-security-level-if-not-bonde.patch # fixing https://bugzilla.redhat.com/show_bug.cgi?id=1965057 -Patch31: 0001-shared-gatt-server-Fix-not-properly-checking-for-sec.patch +#Patch31: 0001-shared-gatt-server-Fix-not-properly-checking-for-sec.patch -Patch32: 0001-sdpd-Fix-leaking-buffers-stored-in-cstates-cache.patch +#Patch32: 0001-sdpd-Fix-leaking-buffers-stored-in-cstates-cache.patch BuildRequires: git-core BuildRequires: dbus-devel >= 1.6 @@ -61,6 +62,7 @@ BuildRequires: systemd-devel BuildRequires: cups-devel # For autoreconf BuildRequires: libtool automake autoconf +BuildRequires: python3-docutils Requires: dbus >= 1.6 @@ -235,6 +237,7 @@ make check %{_bindir}/rctest %{_datadir}/zsh/site-functions/_bluetoothctl %{_mandir}/man1/btattach.1.gz +%{_mandir}/man1/btmon.1.* %{_mandir}/man1/ciptool.1.gz %{_mandir}/man1/hcitool.1.gz %{_mandir}/man1/rfcomm.1.gz @@ -280,8 +283,11 @@ make check %{_userunitdir}/obex.service %changelog +* Tue May 17 2022 Gopal Tiwari - 5.63-1 ++ bluez-5.63-1 +- Fixing (#) -* Wed Dec 13 2021 Gopal Tiwari - 5.56-3 +* Mon Dec 13 2021 Gopal Tiwari - 5.56-3 + bluez-5.56-3 - Fixing (#2027434) - Fixing CVE-2021-41229