
No commits in common. "88204f929628e652781bb06bf9823086100727e9" and "1393fdf8736b3a2e27fc52031b1ae63995ef7cdf" have entirely different histories.

7 changed files with 344 additions and 145 deletions


@ -1 +1 @@
a862b9ddc039f34f7135bbee3c3e80040e82e046 SOURCES/bluez-5.56.tar.xz
75e907922a62588c12d5642293403be0625b4d02 SOURCES/bluez-5.52.tar.xz

2
.gitignore vendored

@ -1 +1 @@
SOURCES/bluez-5.56.tar.xz
SOURCES/bluez-5.52.tar.xz


@ -0,0 +1,37 @@
From 89fb68570e72a854f10d50bec99112d294597483 Mon Sep 17 00:00:00 2001
From: Gopal Tiwari <gtiwari@redhat.com>
Date: Fri, 24 Apr 2020 16:06:37 +0530
Subject: [PATCH BlueZ 1/2] HOGP must only accept data from bonded devices.
commit 8cdbd3b09f29da29374e2f83369df24228da0ad1
Author: Alain Michaud <alainm@chromium.org>
Date: Tue Mar 10 02:35:16 2020 +0000
HOGP must only accept data from bonded devices.
HOGP 1.0 Section 6.1 establishes that the HOGP must require bonding.
Reference:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.htm
---
profiles/input/hog.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/profiles/input/hog.c b/profiles/input/hog.c
index 23c9c1529..f8a82bc20 100644
--- a/profiles/input/hog.c
+++ b/profiles/input/hog.c
@@ -186,6 +186,10 @@ static int hog_accept(struct btd_service *service)
return -EINVAL;
}
+ /* HOGP 1.0 Section 6.1 requires bonding */
+ if (!device_is_bonded(device, btd_device_get_bdaddr_type(device)))
+ return -ECONNREFUSED;
+
/* TODO: Replace GAttrib with bt_gatt_client */
bt_hog_attach(dev->hog, attrib);
--
2.21.1
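Review bot: The new bonding check in `hog_accept` returns `-ECONNREFUSED` without logging anything, so a refused HoG device leaves no trace for someone triaging a failed connection or watching for unbonded input devices. The classic HID patch added alongside this one logs its refusal with `error("Rejected connection from !bonded device %s", dst_addr);`; a matching line before the `return` here, for example `error("Rejected HoG connection from non-bonded device");`, would keep the two paths consistent. The rest of `hog_accept` is outside the hunk, so it cannot be seen from this patch whether a device address string is already available to include in the message.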


@ -0,0 +1,150 @@
From b61877eb3e05b9b9dff36b4eccc46c539634cf15 Mon Sep 17 00:00:00 2001
From: Gopal Tiwari <gtiwari@redhat.com>
Date: Thu, 22 Oct 2020 11:23:00 +0530
Subject: [PATCH BlueZ] shared/att: Fix possible crash on disconnect
commit 1cd644db8c23a2f530ddb93cebed7dacc5f5721a
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Wed Jul 15 18:25:37 2020 -0700
shared/att: Fix possible crash on disconnect
If there are pending request while disconnecting they would be notified
but clients may endup being freed in the proccess which will then be
calling bt_att_cancel to cancal its requests causing the following
trace:
Invalid read of size 4
at 0x1D894C: enable_ccc_callback (gatt-client.c:1627)
by 0x1D247B: disc_att_send_op (att.c:417)
by 0x1CCC17: queue_remove_all (queue.c:354)
by 0x1D47B7: disconnect_cb (att.c:635)
by 0x1E0707: watch_callback (io-glib.c:170)
by 0x48E963B: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.6400.4)
by 0x48E9AC7: ??? (in /usr/lib/libglib-2.0.so.0.6400.4)
by 0x48E9ECF: g_main_loop_run (in /usr/lib/libglib-2.0.so.0.6400.4)
by 0x1E0E97: mainloop_run (mainloop-glib.c:79)
by 0x1E13B3: mainloop_run_with_signal (mainloop-notify.c:201)
by 0x12BC3B: main (main.c:770)
Address 0x7d40a28 is 24 bytes inside a block of size 32 free'd
at 0x484A2E0: free (vg_replace_malloc.c:540)
by 0x1CCC17: queue_remove_all (queue.c:354)
by 0x1CCC83: queue_destroy (queue.c:73)
by 0x1D7DD7: bt_gatt_client_free (gatt-client.c:2209)
by 0x16497B: batt_free (battery.c:77)
by 0x16497B: batt_remove (battery.c:286)
by 0x1A0013: service_remove (service.c:176)
by 0x1A9B7B: device_remove_gatt_service (device.c:3691)
by 0x1A9B7B: gatt_service_removed (device.c:3805)
by 0x1CC90B: queue_foreach (queue.c:220)
by 0x1DE27B: notify_service_changed.isra.0.part.0 (gatt-db.c:369)
by 0x1DE387: notify_service_changed (gatt-db.c:361)
by 0x1DE387: gatt_db_service_destroy (gatt-db.c:385)
by 0x1DE3EF: gatt_db_remove_service (gatt-db.c:519)
by 0x1D674F: discovery_op_complete (gatt-client.c:388)
by 0x1D6877: discover_primary_cb (gatt-client.c:1260)
by 0x1E220B: discovery_op_complete (gatt-helpers.c:628)
by 0x1E249B: read_by_grp_type_cb (gatt-helpers.c:730)
by 0x1D247B: disc_att_send_op (att.c:417)
by 0x1CCC17: queue_remove_all (queue.c:354)
by 0x1D47B7: disconnect_cb (att.c:635)
---
src/shared/att.c | 46 ++++++++++++++++++++++++++++++++++++++++------
1 file changed, 40 insertions(+), 6 deletions(-)
diff --git a/src/shared/att.c b/src/shared/att.c
index 0ea6d55bd..b0fdb8e9f 100644
--- a/src/shared/att.c
+++ b/src/shared/att.c
@@ -62,6 +62,7 @@ struct bt_att {
struct queue *ind_queue; /* Queued ATT protocol indications */
struct att_send_op *pending_ind;
struct queue *write_queue; /* Queue of PDUs ready to send */
+ bool in_disc; /* Cleanup queues on disconnect_cb */
bool writer_active;
struct queue *notify_list; /* List of registered callbacks */
@@ -211,8 +212,10 @@ static void destroy_att_send_op(void *data)
free(op);
}
-static void cancel_att_send_op(struct att_send_op *op)
+static void cancel_att_send_op(void *data)
{
+ struct att_send_op *op = data;
+
if (op->destroy)
op->destroy(op->user_data);
@@ -572,11 +575,6 @@ static bool disconnect_cb(struct io *io, void *user_data)
att->io = NULL;
att->fd = -1;
- /* Notify request callbacks */
- queue_remove_all(att->req_queue, NULL, NULL, disc_att_send_op);
- queue_remove_all(att->ind_queue, NULL, NULL, disc_att_send_op);
- queue_remove_all(att->write_queue, NULL, NULL, disc_att_send_op);
-
if (att->pending_req) {
disc_att_send_op(att->pending_req);
att->pending_req = NULL;
@@ -589,6 +587,15 @@ static bool disconnect_cb(struct io *io, void *user_data)
bt_att_ref(att);
+ att->in_disc = true;
+
+ /* Notify request callbacks */
+ queue_remove_all(att->req_queue, NULL, NULL, disc_att_send_op);
+ queue_remove_all(att->ind_queue, NULL, NULL, disc_att_send_op);
+ queue_remove_all(att->write_queue, NULL, NULL, disc_att_send_op);
+
+ att->in_disc = false;
+
queue_foreach(att->disconn_list, disconn_handler, INT_TO_PTR(err));
bt_att_unregister_all(att);
@@ -1306,6 +1313,30 @@ static bool match_op_id(const void *a, const void *b)
return op->id == id;
}
+static bool bt_att_disc_cancel(struct bt_att *att, unsigned int id)
+{
+ struct att_send_op *op;
+
+ op = queue_find(att->req_queue, match_op_id, UINT_TO_PTR(id));
+ if (op)
+ goto done;
+
+ op = queue_find(att->ind_queue, match_op_id, UINT_TO_PTR(id));
+ if (op)
+ goto done;
+
+ op = queue_find(att->write_queue, match_op_id, UINT_TO_PTR(id));
+
+done:
+ if (!op)
+ return false;
+
+ /* Just cancel since disconnect_cb will be cleaning up */
+ cancel_att_send_op(op);
+
+ return true;
+}
+
bool bt_att_cancel(struct bt_att *att, unsigned int id)
{
struct att_send_op *op;
@@ -1325,6 +1356,9 @@ bool bt_att_cancel(struct bt_att *att, unsigned int id)
return true;
}
+ if (att->in_disc)
+ return bt_att_disc_cancel(att, id);
+
op = queue_remove_if(att->req_queue, match_op_id, UINT_TO_PTR(id));
if (op)
goto done;
--
2.21.1
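Review bot: The `in_disc` guard is added only to `bt_att_cancel` (hunk at -1325), while `cancel_att_send_op` is changed to take `void *data` as if it were meant to be passed as a queue callback, and nothing in this patch uses it that way. If att.c also has a cancel-all entry point that empties `req_queue`, `ind_queue` and `write_queue` (`bt_att_cancel_all`; not visible here, so check the 5.52 sources), a callback reaching it while `disconnect_cb` is inside `queue_remove_all` would presumably free entries under the walk, the same use-after-free class as the Valgrind trace in the description. That path would want the same early-out when `att->in_disc` is set, cancelling in place with `queue_foreach(att->req_queue, cancel_att_send_op, NULL);` and likewise for the other two queues. The field comment could also state the contract more precisely, for example `/* True while disconnect_cb drains the queues; cancel must not remove entries */`.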


@ -1,115 +0,0 @@
From d22177efb6f17ed281013cdfa4976d218718d5b6 Mon Sep 17 00:00:00 2001
From: Gopal Tiwari <gtiwari@redhat.com>
Date: Mon, 31 May 2021 12:29:01 +0530
Subject: [PATCH BlueZ] shared/gatt-server: Fix not properly checking for
secure flags
commit ef7316b34cf3a568694bdb0e4e83af17804dff9e (HEAD)
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Tue Mar 2 11:38:33 2021 -0800
shared/gatt-server: Fix not properly checking for secure flags
When passing the mask to check_permissions all valid permissions for
the operation must be set including BT_ATT_PERM_SECURE flags.
(cherry picked from commit 00da0fb4972cf59e1c075f313da81ea549cb8738)
Signed-off-by: Gopal Tiwari <gtiwari@redhat.com>
---
src/shared/att-types.h | 8 ++++++++
src/shared/gatt-server.c | 25 +++++++------------------
2 files changed, 15 insertions(+), 18 deletions(-)
diff --git a/src/shared/att-types.h b/src/shared/att-types.h
index 7108b4e94..3adc05d9e 100644
--- a/src/shared/att-types.h
+++ b/src/shared/att-types.h
@@ -129,6 +129,14 @@ struct bt_att_pdu_error_rsp {
#define BT_ATT_PERM_WRITE_SECURE 0x0200
#define BT_ATT_PERM_SECURE (BT_ATT_PERM_READ_SECURE | \
BT_ATT_PERM_WRITE_SECURE)
+#define BT_ATT_PERM_READ_MASK (BT_ATT_PERM_READ | \
+ BT_ATT_PERM_READ_AUTHEN | \
+ BT_ATT_PERM_READ_ENCRYPT | \
+ BT_ATT_PERM_READ_SECURE)
+#define BT_ATT_PERM_WRITE_MASK (BT_ATT_PERM_WRITE | \
+ BT_ATT_PERM_WRITE_AUTHEN | \
+ BT_ATT_PERM_WRITE_ENCRYPT | \
+ BT_ATT_PERM_WRITE_SECURE)
/* GATT Characteristic Properties Bitfield values */
#define BT_GATT_CHRC_PROP_BROADCAST 0x01
diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
index b5f7de7dc..970c35f94 100644
--- a/src/shared/gatt-server.c
+++ b/src/shared/gatt-server.c
@@ -444,9 +444,7 @@ static void process_read_by_type(struct async_read_op *op)
return;
}
- ecode = check_permissions(server, attr, BT_ATT_PERM_READ |
- BT_ATT_PERM_READ_AUTHEN |
- BT_ATT_PERM_READ_ENCRYPT);
+ ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK);
if (ecode)
goto error;
@@ -811,9 +809,7 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
(opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd",
handle);
- ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE |
- BT_ATT_PERM_WRITE_AUTHEN |
- BT_ATT_PERM_WRITE_ENCRYPT);
+ ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
if (ecode)
goto error;
@@ -913,9 +909,7 @@ static void handle_read_req(struct bt_att_chan *chan,
opcode == BT_ATT_OP_READ_BLOB_REQ ? "Blob " : "",
handle);
- ecode = check_permissions(server, attr, BT_ATT_PERM_READ |
- BT_ATT_PERM_READ_AUTHEN |
- BT_ATT_PERM_READ_ENCRYPT);
+ ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK);
if (ecode)
goto error;
@@ -1051,9 +1045,8 @@ static void read_multiple_complete_cb(struct gatt_db_attribute *attr, int err,
goto error;
}
- ecode = check_permissions(data->server, next_attr, BT_ATT_PERM_READ |
- BT_ATT_PERM_READ_AUTHEN |
- BT_ATT_PERM_READ_ENCRYPT);
+ ecode = check_permissions(data->server, next_attr,
+ BT_ATT_PERM_READ_MASK);
if (ecode)
goto error;
@@ -1129,9 +1122,7 @@ static void read_multiple_cb(struct bt_att_chan *chan, uint8_t opcode,
goto error;
}
- ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ |
- BT_ATT_PERM_READ_AUTHEN |
- BT_ATT_PERM_READ_ENCRYPT);
+ ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ_MASK);
if (ecode)
goto error;
@@ -1308,9 +1299,7 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode,
util_debug(server->debug_callback, server->debug_data,
"Prep Write Req - handle: 0x%04x", handle);
- ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE |
- BT_ATT_PERM_WRITE_AUTHEN |
- BT_ATT_PERM_WRITE_ENCRYPT);
+ ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
if (ecode)
goto error;
--
2.26.2


@ -0,0 +1,144 @@
From b84b23845ec9730b783f4e6efcee70c8b2f09f29 Mon Sep 17 00:00:00 2001
From: Gopal Tiwari <gtiwari@redhat.com>
Date: Fri, 24 Apr 2020 16:27:58 +0530
Subject: [PATCH BlueZ 2/2] HID accepts bonded device connections only.
commit 3cccdbab2324086588df4ccf5f892fb3ce1f1787
Author: Alain Michaud <alainm@chromium.org>
Date: Tue Mar 10 02:35:18 2020 +0000
HID accepts bonded device connections only.
This change adds a configuration for platforms to choose a more secure
posture for the HID profile. While some older mice are known to not
support pairing or encryption, some platform may choose a more secure
posture by requiring the device to be bonded and require the
connection to be encrypted when bonding is required.
Reference:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html
---
profiles/input/device.c | 23 ++++++++++++++++++++++-
profiles/input/device.h | 1 +
profiles/input/input.conf | 8 ++++++++
profiles/input/manager.c | 13 ++++++++++++-
4 files changed, 43 insertions(+), 2 deletions(-)
diff --git a/profiles/input/device.c b/profiles/input/device.c
index 84614784d..3abd2f592 100644
--- a/profiles/input/device.c
+++ b/profiles/input/device.c
@@ -91,6 +91,7 @@ struct input_device {
static int idle_timeout = 0;
static bool uhid_enabled = false;
+static bool classic_bonded_only = false;
void input_set_idle_timeout(int timeout)
{
@@ -102,6 +103,11 @@ void input_enable_userspace_hid(bool state)
uhid_enabled = state;
}
+void input_set_classic_bonded_only(bool state)
+{
+ classic_bonded_only = state;
+}
+
static void input_device_enter_reconnect_mode(struct input_device *idev);
static int connection_disconnect(struct input_device *idev, uint32_t flags);
@@ -969,8 +975,18 @@ static int hidp_add_connection(struct input_device *idev)
if (device_name_known(idev->device))
device_get_name(idev->device, req->name, sizeof(req->name));
+ /* Make sure the device is bonded if required */
+ if (classic_bonded_only && !device_is_bonded(idev->device,
+ btd_device_get_bdaddr_type(idev->device))) {
+ error("Rejected connection from !bonded device %s", dst_addr);
+ goto cleanup;
+ }
+
/* Encryption is mandatory for keyboards */
- if (req->subclass & 0x40) {
+ /* Some platforms may choose to require encryption for all devices */
+ /* Note that this only matters for pre 2.1 devices as otherwise the */
+ /* device is encrypted by default by the lower layers */
+ if (classic_bonded_only || req->subclass & 0x40) {
if (!bt_io_set(idev->intr_io, &gerr,
BT_IO_OPT_SEC_LEVEL, BT_IO_SEC_MEDIUM,
BT_IO_OPT_INVALID)) {
@@ -1202,6 +1218,11 @@ static void input_device_enter_reconnect_mode(struct input_device *idev)
DBG("path=%s reconnect_mode=%s", idev->path,
reconnect_mode_to_string(idev->reconnect_mode));
+ /* Make sure the device is bonded if required */
+ if (classic_bonded_only && !device_is_bonded(idev->device,
+ btd_device_get_bdaddr_type(idev->device)))
+ return;
+
/* Only attempt an auto-reconnect when the device is required to
* accept reconnections from the host.
*/
diff --git a/profiles/input/device.h b/profiles/input/device.h
index 51a9aee18..3044db673 100644
--- a/profiles/input/device.h
+++ b/profiles/input/device.h
@@ -29,6 +29,7 @@ struct input_conn;
void input_set_idle_timeout(int timeout);
void input_enable_userspace_hid(bool state);
+void input_set_classic_bonded_only(bool state);
int input_device_register(struct btd_service *service);
void input_device_unregister(struct btd_service *service);
diff --git a/profiles/input/input.conf b/profiles/input/input.conf
index 3e1d65aae..166aff4a4 100644
--- a/profiles/input/input.conf
+++ b/profiles/input/input.conf
@@ -11,3 +11,11 @@
# Enable HID protocol handling in userspace input profile
# Defaults to false (HIDP handled in HIDP kernel module)
#UserspaceHID=true
+
+# Limit HID connections to bonded devices
+# The HID Profile does not specify that devices must be bonded, however some
+# platforms may want to make sure that input connections only come from bonded
+# device connections. Several older mice have been known for not supporting
+# pairing/encryption.
+# Defaults to false to maximize device compatibility.
+#ClassicBondedOnly=true
diff --git a/profiles/input/manager.c b/profiles/input/manager.c
index 1d31b0652..5cd27b839 100644
--- a/profiles/input/manager.c
+++ b/profiles/input/manager.c
@@ -96,7 +96,7 @@ static int input_init(void)
config = load_config_file(CONFIGDIR "/input.conf");
if (config) {
int idle_timeout;
- gboolean uhid_enabled;
+ gboolean uhid_enabled, classic_bonded_only;
idle_timeout = g_key_file_get_integer(config, "General",
"IdleTimeout", &err);
@@ -114,6 +114,17 @@ static int input_init(void)
input_enable_userspace_hid(uhid_enabled);
} else
g_clear_error(&err);
+
+ classic_bonded_only = g_key_file_get_boolean(config, "General",
+ "ClassicBondedOnly", &err);
+
+ if (!err) {
+ DBG("input.conf: ClassicBondedOnly=%s",
+ classic_bonded_only ? "true" : "false");
+ input_set_classic_bonded_only(classic_bonded_only);
+ } else
+ g_clear_error(&err);
+
}
btd_profile_register(&input_profile);
--
2.21.1
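Review bot: In `hidp_add_connection` the new rejection branch does `goto cleanup` without assigning an error code in the visible lines, so the function returns whatever its status variable held from the preceding step. If that is the zero left by a successful earlier call (the declarations and the `cleanup` label are outside the hunk), a refused non-bonded device is reported to the caller as success. Setting the status explicitly before the jump, e.g. `err = -EPERM;` (assuming the return variable is named `err`), makes the refusal unambiguous. Separately, `classic_bonded_only` is initialised to false in `device.c` and `input.conf` ships the option commented out, so the check is off unless an administrator sets `ClassicBondedOnly=true`; that is worth stating in the package notes.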


@ -1,7 +1,7 @@
Name: bluez
Summary: Bluetooth utilities
Version: 5.56
Release: 2%{?dist}.alma
Version: 5.52
Release: 4%{?dist}.alma
License: GPLv2+
URL: http://www.bluez.org/
@ -36,15 +36,9 @@ Patch24: 0001-adapter-Don-t-refresh-adv_manager-for-non-LE-devices.patch
#Patch25: 0001-core-Add-AlwaysPairable-to-main.conf.patch
#Patch26: 0002-agent-Make-the-first-agent-to-register-the-default.patch
#Patch27: 0001-HOGP-must-only-accept-data-from-bonded-devices.patch
#Patch28: 0002-HID-accepts-bonded-device-connections-only.patch
#Patch29: 0001-shared-att-Fix-possible-crash-on-disconnect.patch
#https://bugzilla.redhat.com/show_bug.cgi?id=1961511
#Patch30: 0001-input-hog-Attempt-to-set-security-level-if-not-bonde.patch
# fixing https://bugzilla.redhat.com/show_bug.cgi?id=1965057
Patch31: 0001-shared-gatt-server-Fix-not-properly-checking-for-sec.patch
Patch27: 0001-HOGP-must-only-accept-data-from-bonded-devices.patch
Patch28: 0002-HID-accepts-bonded-device-connections-only.patch
Patch29: 0001-shared-att-Fix-possible-crash-on-disconnect.patch
BuildRequires: git-core
BuildRequires: dbus-devel >= 1.6
@ -75,6 +69,7 @@ Utilities for use in Bluetooth applications:
- l2ping
- rfcomm
- sdptool
- bccmd
- bluetoothctl
- btmon
- hcidump
@ -146,7 +141,7 @@ Object Exchange daemon for sharing files, contacts etc over bluetooth
libtoolize -f
autoreconf -f -i
%configure --enable-tools --enable-library --enable-deprecated \
--enable-sixaxis --enable-cups --enable-nfc --enable-hid2hci \
--enable-sixaxis --enable-cups --enable-nfc \
--with-systemdsystemunitdir=%{_unitdir} \
--with-systemduserunitdir=%{_userunitdir}
@ -220,6 +215,7 @@ make check
%{_bindir}/l2ping
%{_bindir}/rfcomm
%{_bindir}/sdptool
%{_bindir}/bccmd
%{_bindir}/bluetoothctl
%{_bindir}/bluemoon
%{_bindir}/btmon
@ -237,6 +233,7 @@ make check
%{_mandir}/man1/hcitool.1.gz
%{_mandir}/man1/rfcomm.1.gz
%{_mandir}/man1/sdptool.1.gz
%{_mandir}/man1/bccmd.1.*
%{_mandir}/man1/hciattach.1.*
%{_mandir}/man1/hciconfig.1.*
%{_mandir}/man1/hcidump.1.*
@ -278,23 +275,9 @@ make check
%{_userunitdir}/obex.service
%changelog
* Fri Oct 08 2021 Andrew Lukoshko <alukoshko@almalinux.org> - 5.56-2.alma
* Mon Apr 19 2021 Andrew Lukoshko <alukoshko@almalinux.org> - 5.52-4.alma
- Debrand for AlmaLinux
* Mon Jun 7 2021 Gopal Tiwari <gtiwari@redhat.com> - 5.56-2
+ bluez-5.56-2
- Fixing (#1968392)
- Removing bccmd check from tests
* Wed Jun 2 2021 Gopal Tiwari <gtiwari@redhat.com> - 5.56-1
+ bluez-5.56-1
- Fixing (#1965057)
- Removing bccmd, enabling hid2hci as upstream removed the support in bluez-5.56
* Wed May 26 2021 Gopal Tiwari <gtiwari@redhat.com> - 5.52-5
+ bluez-5.52-5
- Fixing (#1961511)
* Thu Oct 22 2020 Gopal Tiwari <gtiwari@redhat.com> - 5.52-4
+ bluez-5.52-4
- Fixing (#1885378)
@ -303,7 +286,7 @@ make check
+ bluez-5.52-3
- Revering the 5.52-2 patch due some mismatch with upsream patch.
* Tue Oct 20 2020 Gopal Tiwari <gtiwari@redhat.com> - 5.52-2
* Mon Oct 20 2020 Gopal Tiwari <gtiwari@redhat.com> - 5.52-2
+ bluez-5.52-2
- Fixing (#1885378)
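Review bot: The new side of the spec drops `Patch31: 0001-shared-gatt-server-Fix-not-properly-checking-for-sec.patch` and builds 5.52 with only Patch27 to Patch29, so the `BT_ATT_PERM_READ_MASK` / `BT_ATT_PERM_WRITE_MASK` fix from the deleted patch is no longer applied. Whether the 5.52 `gatt-server.c` passes the mask without the `_SECURE` flags to `check_permissions` is not visible on this page; this should be confirmed against the 5.52 sources and the fix rebased if it does. The changelog entry `* Mon Oct 20 2020` on the new side also has the wrong weekday (the entry two days later is `Thu Oct 22 2020`), which rpm reports as a bogus date; it should read `* Tue Oct 20 2020`.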