rpms/bluez
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

merge into: rpms:c8
Branches Tags
rpms:c8
rpms:c10s
rpms:c8s
rpms:c9s
rpms:c9
rpms:a8
rpms:c9-beta
rpms:a8-beta
rpms:c8-beta
rpms:imports/c10s/bluez-5.77-2.el10
rpms:imports/c10s/bluez-5.72-5.el10
rpms:imports/c9/bluez-5.64-2.el9
rpms:changed/a8/bluez-5.63-1.el8.alma
rpms:imports/c8/bluez-5.63-1.el8
rpms:imports/c9-beta/bluez-5.64-2.el9
rpms:changed/a8-beta/bluez-5.63-1.el8.alma
rpms:imports/c8-beta/bluez-5.63-1.el8
rpms:imports/c8s/bluez-5.63-1.el8
rpms:imports/c9/bluez-5.56-8.el9
rpms:changed/a8/bluez-5.56-3.el8.alma
rpms:imports/c8/bluez-5.56-3.el8
rpms:changed/a8-beta/bluez-5.56-3.el8.alma
rpms:imports/c8-beta/bluez-5.56-3.el8
rpms:imports/c9-beta/bluez-5.56-8.el9
rpms:imports/c8s/bluez-5.56-3.el8
rpms:imports/c9-beta/bluez-5.56-6.el9
rpms:changed/a8/bluez-5.56-2.el8.alma
rpms:imports/c8/bluez-5.56-2.el8
rpms:imports/c8/bluez-5.56-1.el8
rpms:imports/c8/bluez-5.52-5.el8
rpms:imports/c8/bluez-5.52-5.el8_4
rpms:imports/c8-beta/bluez-5.56-2.el8
rpms:imports/c8-beta/bluez-5.52-4.el8
rpms:imports/c8-beta/bluez-5.52-1.el8
rpms:imports/c8-beta/bluez-5.50-1.el8
rpms:changed/a8/bluez-5.52-4.el8.alma
rpms:imports/c8s/bluez-5.56-2.el8
rpms:imports/c8s/bluez-5.56-1.el8
rpms:imports/c8s/bluez-5.52-5.el8
rpms:imports/c8s/bluez-5.52-4.el8
rpms:imports/c8s/bluez-5.52-1.el8
rpms:imports/c8/bluez-5.52-4.el8
rpms:imports/c8/bluez-5.52-1.el8
rpms:imports/c8/bluez-5.50-4.el8
rpms:imports/c8/bluez-5.50-3.el8
rpms:imports/c8/bluez-5.50-1.el8
...
pull from: rpms:c10s
Branches Tags
rpms:c10s
rpms:c8s
rpms:c9s
rpms:c9
rpms:a8
rpms:c8
rpms:c9-beta
rpms:a8-beta
rpms:c8-beta
rpms:imports/c10s/bluez-5.77-2.el10
rpms:imports/c10s/bluez-5.72-5.el10
rpms:imports/c9/bluez-5.64-2.el9
rpms:changed/a8/bluez-5.63-1.el8.alma
rpms:imports/c8/bluez-5.63-1.el8
rpms:imports/c9-beta/bluez-5.64-2.el9
rpms:changed/a8-beta/bluez-5.63-1.el8.alma
rpms:imports/c8-beta/bluez-5.63-1.el8
rpms:imports/c8s/bluez-5.63-1.el8
rpms:imports/c9/bluez-5.56-8.el9
rpms:changed/a8/bluez-5.56-3.el8.alma
rpms:imports/c8/bluez-5.56-3.el8
rpms:changed/a8-beta/bluez-5.56-3.el8.alma
rpms:imports/c8-beta/bluez-5.56-3.el8
rpms:imports/c9-beta/bluez-5.56-8.el9
rpms:imports/c8s/bluez-5.56-3.el8
rpms:imports/c9-beta/bluez-5.56-6.el9
rpms:changed/a8/bluez-5.56-2.el8.alma
rpms:imports/c8/bluez-5.56-2.el8
rpms:imports/c8/bluez-5.56-1.el8
rpms:imports/c8/bluez-5.52-5.el8
rpms:imports/c8/bluez-5.52-5.el8_4
rpms:imports/c8-beta/bluez-5.56-2.el8
rpms:imports/c8-beta/bluez-5.52-4.el8
rpms:imports/c8-beta/bluez-5.52-1.el8
rpms:imports/c8-beta/bluez-5.50-1.el8
rpms:changed/a8/bluez-5.52-4.el8.alma
rpms:imports/c8s/bluez-5.56-2.el8
rpms:imports/c8s/bluez-5.56-1.el8
rpms:imports/c8s/bluez-5.52-5.el8
rpms:imports/c8s/bluez-5.52-4.el8
rpms:imports/c8s/bluez-5.52-1.el8
rpms:imports/c8/bluez-5.52-4.el8
rpms:imports/c8/bluez-5.52-1.el8
rpms:imports/c8/bluez-5.50-4.el8
rpms:imports/c8/bluez-5.50-3.el8
rpms:imports/c8/bluez-5.50-1.el8

No commits in common. "c8" and "c10s" have entirely different histories.
c8 ... c10s

22 changed files with 5393 additions and 523 deletions
Show Stats Expand all files Collapse all files

1
.bluez.metadata
View File

@ -1 +0,0 @@
c5137186e7cc60652eed44cff0067ef749e49eff SOURCES/bluez-5.63.tar.xz

4
.gitignore vendored
View File

@ -1 +1,3 @@
SOURCES/bluez-5.63.tar.xz
/bluez-4.*.tar.gz
/bluez-5.*.tar.xz
/sources

81
0001-main-Simplify-parse_config_string.patch Normal file
View File

@ -0,0 +1,81 @@
From 3cf5bb59c3f82e1fcc8703e6bab956284f2c4566 Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Fri, 10 May 2024 13:47:29 +0200
Subject: [PATCH] main: Simplify parse_config_string()
The memory management done by parse_config_string() was quite
complicated, as it expected to be able to free the value in the return
variable if it was already allocated.
That particular behaviour was only used for a single variable which was
set to its default value during startup and might be overwritten after
this function call.
Use an intermediate variable to check whether we need to free
btd_opts.name and simplify parse_config_string().
Error: RESOURCE_LEAK (CWE-772): [#def39] [important]
bluez-5.75/src/main.c:425:2: alloc_fn: Storage is returned from allocation function "g_key_file_get_string".
bluez-5.75/src/main.c:425:2: var_assign: Assigning: "tmp" = storage returned from "g_key_file_get_string(config, group, key, &err)".
bluez-5.75/src/main.c:433:2: noescape: Assuming resource "tmp" is not freed or pointed-to as ellipsis argument to "btd_debug".
bluez-5.75/src/main.c:440:2: leaked_storage: Variable "tmp" going out of scope leaks the storage it points to.
438| }
439|
440|-> return true;
441| }
442|
---
src/main.c | 22 +++++++++++++---------
1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/src/main.c b/src/main.c
index 62453bffaf57..178611e11ddd 100644
--- a/src/main.c
+++ b/src/main.c
@@ -420,9 +420,13 @@ static bool parse_config_string(GKeyFile *config, const char *group,
const char *key, char **val)
{
GError *err = NULL;
- char *tmp;
- tmp = g_key_file_get_string(config, group, key, &err);
+ if (val != NULL) {
+ warn("%s passed a NULL value", __func__);
+ return false;
+ }
+
+ *val = g_key_file_get_string(config, group, key, &err);
if (err) {
if (err->code != G_KEY_FILE_ERROR_KEY_NOT_FOUND)
DBG("%s", err->message);
@@ -430,12 +434,7 @@ static bool parse_config_string(GKeyFile *config, const char *group,
return false;
}
- DBG("%s.%s = %s", group, key, tmp);
-
- if (val) {
- g_free(*val);
- *val = tmp;
- }
+ DBG("%s.%s = %s", group, key, *val);
return true;
}
@@ -1004,7 +1003,12 @@ static void parse_secure_conns(GKeyFile *config)
static void parse_general(GKeyFile *config)
{
- parse_config_string(config, "General", "Name", &btd_opts.name);
+ char *str = NULL;
+
+ if (parse_config_string(config, "General", "Name", &str)) {
+ g_free(btd_opts.name);
+ btd_opts.name = str;
+ }
parse_config_hex(config, "General", "Class", &btd_opts.class);
parse_config_u32(config, "General", "DiscoverableTimeout",
&btd_opts.discovto,
--
2.45.2

139
0001-shared-shell-Free-memory-allocated-by-wordexp.patch Normal file
View File

@ -0,0 +1,139 @@
From 9c7ec707e88170adf3e117fe92ed74e311b2e859 Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Tue, 2 Jul 2024 15:27:12 +0200
Subject: [PATCH] shared/shell: Free memory allocated by wordexp()
Error: RESOURCE_LEAK (CWE-772): [#def38] [important]
bluez-5.76/src/shared/shell.c:519:2: alloc_arg: "parse_args" allocates memory that is stored into "w.we_wordv".
bluez-5.76/src/shared/shell.c:523:3: leaked_storage: Variable "w" going out of scope leaks the storage "w.we_wordv" points to.
521| "Unable to parse mandatory command arguments: %s", man );
522| free(man);
523|-> return -EINVAL;
524| }
525|
Error: RESOURCE_LEAK (CWE-772): [#def40] [important]
bluez-5.76/src/shared/shell.c:1113:3: alloc_arg: "wordexp" allocates memory that is stored into "w.we_wordv".
bluez-5.76/src/shared/shell.c:1114:4: leaked_storage: Variable "w" going out of scope leaks the storage "w.we_wordv" points to.
1112|
1113| if (wordexp(rl_line_buffer, &w, WRDE_NOCMD))
1114|-> return NULL;
1115|
1116| matches = menu_completion(default_menu, text, w.we_wordc,
Error: RESOURCE_LEAK (CWE-772): [#def42] [important]
bluez-5.76/src/shared/shell.c:1412:2: alloc_arg: "wordexp" allocates memory that is stored into "w.we_wordv".
bluez-5.76/src/shared/shell.c:1415:3: leaked_storage: Variable "w" going out of scope leaks the storage "w.we_wordv" points to.
1413| switch (err) {
1414| case WRDE_BADCHAR:
1415|-> return -EBADMSG;
1416| case WRDE_BADVAL:
1417| case WRDE_SYNTAX:
Error: RESOURCE_LEAK (CWE-772): [#def43] [important]
bluez-5.76/src/shared/shell.c:1412:2: alloc_arg: "wordexp" allocates memory that is stored into "w.we_wordv".
bluez-5.76/src/shared/shell.c:1418:3: leaked_storage: Variable "w" going out of scope leaks the storage "w.we_wordv" points to.
1416| case WRDE_BADVAL:
1417| case WRDE_SYNTAX:
1418|-> return -EINVAL;
1419| case WRDE_NOSPACE:
1420| return -ENOMEM;
Error: RESOURCE_LEAK (CWE-772): [#def44] [important]
bluez-5.76/src/shared/shell.c:1412:2: alloc_arg: "wordexp" allocates memory that is stored into "w.we_wordv".
bluez-5.76/src/shared/shell.c:1420:3: leaked_storage: Variable "w" going out of scope leaks the storage "w.we_wordv" points to.
1418| return -EINVAL;
1419| case WRDE_NOSPACE:
1420|-> return -ENOMEM;
1421| case WRDE_CMDSUB:
1422| if (wordexp(input, &w, 0))
Error: RESOURCE_LEAK (CWE-772): [#def45] [important]
bluez-5.76/src/shared/shell.c:1422:3: alloc_arg: "wordexp" allocates memory that is stored into "w.we_wordv".
bluez-5.76/src/shared/shell.c:1423:4: leaked_storage: Variable "w" going out of scope leaks the storage "w.we_wordv" points to.
1421| case WRDE_CMDSUB:
1422| if (wordexp(input, &w, 0))
1423|-> return -ENOEXEC;
1424| break;
1425| };
---
src/shared/shell.c | 22 ++++++++++++++++------
1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/src/shared/shell.c b/src/shared/shell.c
index 88ecaa076adc..26c6a419af22 100644
--- a/src/shared/shell.c
+++ b/src/shared/shell.c
@@ -452,13 +452,23 @@ static void shell_print_menu_zsh_complete(void)
}
}
+static int _wordexp(const char *restrict s, wordexp_t *restrict p, int flags)
+{
+ int ret;
+
+ ret = wordexp(s, p, flags);
+ if (ret != 0)
+ wordfree(p);
+ return ret;
+}
+
static int parse_args(char *arg, wordexp_t *w, char *del, int flags)
{
char *str;
str = strdelimit(arg, del, '"');
- if (wordexp(str, w, flags)) {
+ if (_wordexp(str, w, flags) != 0) {
free(str);
return -EINVAL;
}
@@ -537,7 +547,7 @@ static int cmd_exec(const struct bt_shell_menu_entry *entry,
goto fail;
}
- flags |= WRDE_APPEND;
+ flags |= WRDE_APPEND | WRDE_REUSE;
opt = strdup(entry->arg + len + 1);
optional:
@@ -1043,7 +1053,7 @@ static char **args_completion(const struct bt_shell_menu_entry *entry, int argc,
args.we_offs = 0;
wordfree(&args);
- if (wordexp(str, &args, WRDE_NOCMD))
+ if (_wordexp(str, &args, WRDE_NOCMD))
goto done;
rl_completion_display_matches_hook = NULL;
@@ -1115,7 +1125,7 @@ static char **shell_completion(const char *text, int start, int end)
if (start > 0) {
wordexp_t w;
- if (wordexp(rl_line_buffer, &w, WRDE_NOCMD))
+ if (_wordexp(rl_line_buffer, &w, WRDE_NOCMD))
return NULL;
matches = menu_completion(default_menu, text, w.we_wordc,
@@ -1417,7 +1427,7 @@ int bt_shell_exec(const char *input)
if (data.monitor)
bt_log_printf(0xffff, data.name, LOG_INFO, "%s", input);
- err = wordexp(input, &w, WRDE_NOCMD);
+ err = _wordexp(input, &w, WRDE_NOCMD);
switch (err) {
case WRDE_BADCHAR:
return -EBADMSG;
@@ -1427,7 +1437,7 @@ int bt_shell_exec(const char *input)
case WRDE_NOSPACE:
return -ENOMEM;
case WRDE_CMDSUB:
- if (wordexp(input, &w, 0))
+ if (_wordexp(input, &w, 0))
return -ENOEXEC;
break;
};
--
2.45.2

3923
5.77-devel.patch Normal file
View File

File diff suppressed because it is too large Load Diff

35
SOURCES/0001-build-Always-define-confdir-and-statedir.patch
View File

@ -1,35 +0,0 @@
From 5744f79d84ecee3929a682166034c5bbc36c0ef5 Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Wed, 20 Sep 2017 12:49:10 +0200
Subject: [PATCH 1/4] build: Always define confdir and statedir
As we will need those paths to lock down on them.
---
Makefile.am | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 9d25a815b..ac88c12e0 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -28,14 +28,14 @@
$(LIBEDATASERVER_CFLAGS) $(ell_cflags)
AM_LDFLAGS = $(MISC_LDFLAGS)
+confdir = $(sysconfdir)/bluetooth
+statedir = $(localstatedir)/lib/bluetooth
+
if DATAFILES
dbusdir = $(DBUS_CONFDIR)/dbus-1/system.d
dbus_DATA = src/bluetooth.conf
-confdir = $(sysconfdir)/bluetooth
conf_DATA =
-
-statedir = $(localstatedir)/lib/bluetooth
state_DATA =
endif
--
2.21.0

36
SOURCES/0001-gdbus-Emit-InterfacesAdded-of-parents-objects-first.patch
View File

@ -1,36 +0,0 @@
From 4c3eedcb96bd4795dd5c25c688005fc12f364aeb Mon Sep 17 00:00:00 2001
From: Gopal Tiwari <gtiwari@redhat.com>
Date: Wed, 20 Apr 2022 12:19:05 +0530
Subject: [PATCH BlueZ] gdbus: Emit InterfacesAdded of parents objects first
This makes InterfacesAdded respect the object hierarchy in case its
parent has pending interfaces to be added.
Fixes: #272
Fixes: #284
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1534857
Fixes: https://bugs.archlinux.org/task/57464
---
gdbus/object.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/gdbus/object.c b/gdbus/object.c
index 50a8b4ff1..f7c8c2be5 100644
--- a/gdbus/object.c
+++ b/gdbus/object.c
@@ -551,6 +551,12 @@ static void emit_interfaces_added(struct generic_data *data)
if (root == NULL || data == root)
return;
+ /* Emit InterfacesAdded on the parent first so it appears first on the
+ * bus as child objects may point to it.
+ */
+ if (data->parent && data->parent->added)
+ emit_interfaces_added(data->parent);
+
signal = dbus_message_new_signal(root->path,
DBUS_INTERFACE_OBJECT_MANAGER,
"InterfacesAdded");
--
2.26.2

38
SOURCES/0001-hostname-Fix-BlueZ-5.XX-adapter-name-on-startup.patch
View File

@ -1,38 +0,0 @@
From cba55944f76ad0f01bb7c8976fd6699f058c68cd Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Wed, 20 Sep 2017 14:42:14 +0200
Subject: [PATCH] hostname: Fix "BlueZ 5.XX" adapter name on startup
The hostname plugin listens to property changes from systemd-hostnamed
but doesn't fetch initial values. This means that unless the
PrettyHostname or StaticHostname changes, the default adapter will be
called "BlueZ 5.XX" matching the version number.
This is the case since the hostname plugin replaced the adaptername
plugin in 2012.
Fetch the initial values for PrettyHostname, StaticHostname and
Chassis when the plugin is initiated, so as to make the values
available for adapter setup.
---
plugins/hostname.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/plugins/hostname.c b/plugins/hostname.c
index f876d0afb..db9187378 100644
--- a/plugins/hostname.c
+++ b/plugins/hostname.c
@@ -307,6 +307,10 @@ static int hostname_init(void)
hostname_proxy = NULL;
g_dbus_client_unref(hostname_client);
hostname_client = NULL;
+ } else {
+ g_dbus_proxy_refresh_property(hostname_proxy, "PrettyHostname");
+ g_dbus_proxy_refresh_property(hostname_proxy, "StaticHostname");
+ g_dbus_proxy_refresh_property(hostname_proxy, "Chassis");
}
return err;
--
2.14.1

38
SOURCES/0001-obex-Use-GLib-helper-function-to-manipulate-paths.patch
View File

@ -1,38 +0,0 @@
From 90b72b787a6ae6b9b0bf8ece238e108e8607a433 Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Sat, 9 Nov 2013 18:13:43 +0100
Subject: [PATCH 1/2] obex: Use GLib helper function to manipulate paths
Instead of trying to do it by hand. This also makes sure that
relative paths aren't used by the agent.
---
obexd/src/manager.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/obexd/src/manager.c b/obexd/src/manager.c
index f84384ae4..285c07c37 100644
--- a/obexd/src/manager.c
+++ b/obexd/src/manager.c
@@ -650,14 +650,14 @@ static void agent_reply(DBusPendingCall *call, void *user_data)
DBUS_TYPE_STRING, &name,
DBUS_TYPE_INVALID)) {
/* Splits folder and name */
- const char *slash = strrchr(name, '/');
+ gboolean is_relative = !g_path_is_absolute(name);
DBG("Agent replied with %s", name);
- if (!slash) {
- agent->new_name = g_strdup(name);
+ if (is_relative) {
+ agent->new_name = g_path_get_basename(name);
agent->new_folder = NULL;
} else {
- agent->new_name = g_strdup(slash + 1);
- agent->new_folder = g_strndup(name, slash - name);
+ agent->new_name = g_path_get_basename(name);
+ agent->new_folder = g_path_get_dirname(name);
}
}
--
2.14.1

44
SOURCES/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch
View File

@ -1,44 +0,0 @@
From 98826d0717fe831265256f996c9e90d15262bef1 Mon Sep 17 00:00:00 2001
From: Gopal Tiwari <gtiwari@redhat.com>
Date: Mon, 8 Jun 2020 19:54:24 +0530
Subject: [PATCH BlueZ 2/4] systemd: Add PrivateTmp and NoNewPrivileges options
From 4570164f0c90603bd07eb9e7c07e17bbafb5b5da Mon Sep 17 00:00:00 2001
From: Craig Andrews <candrews@integralblue.com>
Date: Wed, 13 Sep 2017 15:23:09 +0200
systemd: Add PrivateTmp and NoNewPrivileges options
PrivateTmp makes bluetoothd's /tmp and /var/tmp be inside a different
namespace. This is useful to secure access to temporary files of the
process.
NoNewPrivileges ensures that service process and all its children
can never gain new privileges through execve(), lowering the risk of
possible privilege escalations.
---
src/bluetooth.service.in | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
index f9faaa452..7c2f60bb4 100644
--- a/src/bluetooth.service.in
+++ b/src/bluetooth.service.in
@@ -12,8 +12,14 @@ NotifyAccess=main
#Restart=on-failure
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
LimitNPROC=1
+
+# Filesystem lockdown
ProtectHome=true
ProtectSystem=full
+PrivateTmp=true
+
+# Privilege escalation
+NoNewPrivileges=true
[Install]
WantedBy=bluetooth.target
--
2.21.1

44
SOURCES/0003-systemd-Add-more-filesystem-lockdown.patch
View File

@ -1,44 +0,0 @@
From 13a348670fef0047555395ce6977e86e0005f8bd Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Wed, 13 Sep 2017 15:37:11 +0200
Subject: [PATCH 3/4] systemd: Add more filesystem lockdown
We can only access the configuration file as read-only and read-write
to the Bluetooth cache directory and sub-directories.
---
Makefile.am | 3 +++
src/bluetooth.service.in | 4 ++++
2 files changed, 7 insertions(+)
diff --git a/Makefile.am b/Makefile.am
index ac88c12e0..0a6d09847 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -617,6 +617,9 @@
SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \
$(SED) -e 's,@pkglibexecdir\@,$(pkglibexecdir),g' \
+ -e 's,@libexecdir\@,$(libexecdir),g' \
+ -e 's,@statedir\@,$(statedir),g' \
+ -e 's,@confdir\@,$(confdir),g' \
< $< > $@
if RUN_RST2MAN
diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
index 7c2f60bb4..4daedef2a 100644
--- a/src/bluetooth.service.in
+++ b/src/bluetooth.service.in
@@ -17,6 +17,10 @@ LimitNPROC=1
ProtectHome=true
ProtectSystem=full
PrivateTmp=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+ReadWritePaths=@statedir@
+ReadOnlyPaths=@confdir@
# Privilege escalation
NoNewPrivileges=true
--
2.21.0

40
SOURCES/0004-systemd-More-lockdown.patch
View File

@ -1,40 +0,0 @@
From 9a7872f04cb748e8de743d9136ecd91539d13cb7 Mon Sep 17 00:00:00 2001
From: Gopal Tiwari <gtiwari@redhat.com>
Date: Mon, 8 Jun 2020 19:56:42 +0530
Subject: [PATCH BlueZ 4/4] systemd: More lockdown
From 171d812218883281fed57b57fafd5c18eac441ac Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Wed, 13 Sep 2017 15:38:26 +0200
systemd: More lockdown
bluetoothd does not need to execute mapped memory, or real-time
access, so block those.
---
src/bluetooth.service.in | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
index 4daedef2a..f18801866 100644
--- a/src/bluetooth.service.in
+++ b/src/bluetooth.service.in
@@ -22,9 +22,15 @@ ProtectControlGroups=true
ReadWritePaths=@statedir@
ReadOnlyPaths=@confdir@
+# Execute Mappings
+MemoryDenyWriteExecute=true
+
# Privilege escalation
NoNewPrivileges=true
+# Real-time
+RestrictRealtime=true
+
[Install]
WantedBy=bluetooth.target
Alias=dbus-org.bluez.service
--
2.21.1

33
SOURCES/69-btattach-bcm.rules
View File

@ -1,33 +0,0 @@
# Some devices have a bluetooth HCI connected to an uart, these needs to be
# setup by calling btattach. The systemd btattach-bcm.service takes care of
# this. These udev rules hardware-activate that service when necessary.
#
# For now this only suports ACPI enumerated Broadcom BT HCIs.
# This has been tested on Bay and Cherry Trail devices with both ACPI and
# PCI enumerated UARTs.
# Note we check for the platform device not for the acpi device, because
# some DSDTs list multiple bluetooth adapters, but only some (or none)
# are enabled. Only enabled adapters get a platform device created.
ACTION!="add", GOTO="btattach_bcm_rules_end"
SUBSYSTEM!="platform", GOTO="btattach_bcm_rules_end"
KERNEL=="BCM2E1A:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
KERNEL=="BCM2E39:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
KERNEL=="BCM2E3A:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
KERNEL=="BCM2E3D:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
KERNEL=="BCM2E3F:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
KERNEL=="BCM2E40:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
KERNEL=="BCM2E54:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
KERNEL=="BCM2E55:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
KERNEL=="BCM2E64:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
KERNEL=="BCM2E65:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
KERNEL=="BCM2E67:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
KERNEL=="BCM2E71:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
KERNEL=="BCM2E7B:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
KERNEL=="BCM2E7C:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
KERNEL=="BCM2E7E:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
KERNEL=="BCM2E95:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
KERNEL=="BCM2E96:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
LABEL="btattach_bcm_rules_end"

30
SOURCES/btattach-bcm-service.sh
View File

@ -1,30 +0,0 @@
#!/bin/bash
# Simple shell script to wait for the tty for an uart using BT HCI to show up
# and then invoke btattach with the right parameters, this is intended to be
# invoked from a hardware-activated systemd service
#
# For now this only suports ACPI enumerated Broadcom BT HCIs.
# This has been tested on Bay and Cherry Trail devices with both ACPI and
# PCI enumerated UARTs.
#
# Note the kernel bt developers are working on solving this entirely in the
# kernel, so it is not worth the trouble to write something better then this.
BT_DEV="/sys/bus/platform/devices/$1"
BT_DEV="$(readlink -f $BT_DEV)"
UART_DEV="$(dirname $BT_DEV)"
# Stupid GPD-pocket has USB BT with id 0000:0000, but still claims to have
# an uart attached bt
if [ "$1" = "BCM2E7E:00" ] && lsusb | grep -q "ID 0000:0000"; then
exit 0
fi
while [ ! -d "$UART_DEV/tty" ]; do
sleep .2
done
TTY="$(ls $UART_DEV/tty)"
exec btattach --bredr "/dev/$TTY" -P bcm

6
SOURCES/btattach-bcm@.service
View File

@ -1,6 +0,0 @@
[Unit]
Description=btattach for Broadcom devices
[Service]
Type=simple
ExecStart=/usr/libexec/bluetooth/btattach-bcm-service.sh %I

0
SOURCES/bluez.gitignore → bluez.gitignore
View File

578
SPECS/bluez.spec → bluez.spec
View File

@ -1,126 +1,114 @@
%if 0%{?fedora} || 0%{?rhel} <= 8
%bcond_without deprecated
%else
%bcond_with deprecated
%endif
Name: bluez
Version: 5.77
Release: 2%{?dist}
Summary: Bluetooth utilities
Version: 5.63
Release: 1%{?dist}
License: GPLv2+
License: GPL-2.0-or-later
URL: http://www.bluez.org/
Source0: http://www.kernel.org/pub/linux/bluetooth/bluez-%{version}.tar.xz
Source1: bluez.gitignore
Source0: https://www.kernel.org/pub/linux/bluetooth/%{name}-%{version}.tar.xz
# Scripts for automatically btattach-ing serial ports connected to Broadcom HCIs
# as found on some Atom based x86 hardware
Source2: 69-btattach-bcm.rules
Source3: btattach-bcm@.service
Source4: btattach-bcm-service.sh
# Upstream patches
Patch0: 5.77-devel.patch
# https://patchwork.kernel.org/project/bluetooth/patch/20240702084900.773620-2-hadess@hadess.net/
Patch1: 0001-main-Simplify-parse_config_string.patch
# https://patchwork.kernel.org/project/bluetooth/patch/20240704102617.1132337-4-hadess@hadess.net/
Patch2: 0001-shared-shell-Free-memory-allocated-by-wordexp.patch
# https://patchwork.kernel.org/project/bluetooth/list/?series=876731
Patch3: static-analysis-issues-6.patch
# Coverity downstream patches
Patch4: coverity-workarounds.patch
# https://github.com/hadess/bluez/commits/build-fixes-5.46
#Patch1: 0001-build-Enable-BIND_NOW.patch
#Patch2: 0003-tools-csr_usb-Fix-compilation-failure.patch
# https://github.com/hadess/bluez/commits/obex-5.46
Patch3: 0001-obex-Use-GLib-helper-function-to-manipulate-paths.patch
# https://github.com/hadess/bluez/commits/hostname-plugin-5.47
Patch4: 0001-hostname-Fix-BlueZ-5.XX-adapter-name-on-startup.patch
# https://github.com/hadess/bluez/commits/systemd-hardening
Patch20: 0001-build-Always-define-confdir-and-statedir.patch
Patch21: 0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch
Patch22: 0003-systemd-Add-more-filesystem-lockdown.patch
Patch23: 0004-systemd-More-lockdown.patch
Patch25: 0001-gdbus-Emit-InterfacesAdded-of-parents-objects-first.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1567622
#Patch24: 0001-adapter-Don-t-refresh-adv_manager-for-non-LE-devices.patch
#Patch25: 0001-core-Add-AlwaysPairable-to-main.conf.patch
#Patch26: 0002-agent-Make-the-first-agent-to-register-the-default.patch
#Patch27: 0001-HOGP-must-only-accept-data-from-bonded-devices.patch
#Patch28: 0002-HID-accepts-bonded-device-connections-only.patch
#Patch29: 0001-shared-att-Fix-possible-crash-on-disconnect.patch
#https://bugzilla.redhat.com/show_bug.cgi?id=1961511
#Patch30: 0001-input-hog-Attempt-to-set-security-level-if-not-bonde.patch
# fixing https://bugzilla.redhat.com/show_bug.cgi?id=1965057
#Patch31: 0001-shared-gatt-server-Fix-not-properly-checking-for-sec.patch
#Patch32: 0001-sdpd-Fix-leaking-buffers-stored-in-cstates-cache.patch
BuildRequires: git-core
BuildRequires: dbus-devel >= 1.6
BuildRequires: glib2-devel
BuildRequires: libell-devel >= 0.37
BuildRequires: libical-devel
BuildRequires: make
BuildRequires: readline-devel
# For bluetooth mesh
BuildRequires: json-c-devel
# For cable pairing
BuildRequires: systemd-devel
# For udev rules
BuildRequires: systemd
# For printing
BuildRequires: cups-devel
# For autoreconf
BuildRequires: libtool automake autoconf
BuildRequires: libtool automake autoconf git
# For man pages
BuildRequires: python3-docutils
BuildRequires: python3-pygments
Requires: dbus >= 1.6
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
%description
Utilities for use in Bluetooth applications:
- hcitool
- hciattach
- hciconfig
- bluetoothd
- l2ping
- rfcomm
- sdptool
- avinfo
- bluemoon
- bluetoothctl
- bluetoothd
- btattach
- btmon
- hcidump
- l2test
- rctest
- gatttool
- start scripts (Red Hat)
- pcmcia configuration files
- hex2hcd
- mpris-proxy
The BLUETOOTH trademarks are owned by Bluetooth SIG, Inc., U.S.A.
%package libs
Summary: Libraries for use in Bluetooth applications
%package libs-devel
Summary: Development libraries for Bluetooth applications
Requires: bluez-libs%{?_isa} = %{version}-%{release}
%package cups
Summary: CUPS printer backend for Bluetooth printers
Requires: bluez%{?_isa} = %{version}-%{release}
Requires: cups
%package hid2hci
Summary: Put HID proxying bluetooth HCI's into HCI mode
Requires: bluez%{?_isa} = %{version}-%{release}
%package obexd
Summary: Object Exchange daemon for sharing content
Requires: bluez%{?_isa} = %{version}-%{release}
Requires: bluez-libs%{?_isa} = %{version}-%{release}
%description cups
This package contains the CUPS backend
%if %{with deprecated}
%package deprecated
Summary: Deprecated Bluetooth applications
Requires: bluez%{?_isa} = %{version}-%{release}
Obsoletes: bluez < 5.55-2
%description deprecated
Bluetooth applications that have bee deprecated by upstream. They have been
replaced by funcationality in the core bluetoothctl and will eventually
be dropped by upstream. Utilities include:
- ciptool
- gatttool
- hciattach
- hciconfig
- hcidump
- hcitool
- meshctl
- rfcomm
- sdptool
%endif
%package libs
Summary: Libraries for use in Bluetooth applications
%description libs
Libraries for use in Bluetooth applications.
%package libs-devel
Summary: Development libraries for Bluetooth applications
Requires: bluez-libs%{?_isa} = %{version}-%{release}
%description libs-devel
bluez-libs-devel contains development libraries and headers for
use in Bluetooth applications.
%package hid2hci
Summary: Put HID proxying bluetooth HCI's into HCI mode
Requires: bluez%{?_isa} = %{version}-%{release}
%description hid2hci
Most allinone PC's and bluetooth keyboard / mouse sets which include a
bluetooth dongle, ship with a so called HID proxying bluetooth HCI.
@ -140,31 +128,60 @@ them again. Since you cannot use your bluetooth keyboard and mouse until
they are paired, this will require the use of a regular (wired) USB keyboard
and mouse.
%package mesh
Summary: Bluetooth mesh
Requires: bluez%{?_isa} = %{version}-%{release}
Requires: bluez-libs%{?_isa} = %{version}-%{release}
%description mesh
Services for bluetooth mesh
%package obexd
Summary: Object Exchange daemon for sharing content
Requires: bluez%{?_isa} = %{version}-%{release}
Requires: bluez-libs%{?_isa} = %{version}-%{release}
%description obexd
Object Exchange daemon for sharing files, contacts etc over bluetooth
%prep
%autosetup -S git
%autosetup -p1 -S git
%build
libtoolize -f
autoreconf -f -i
%configure --enable-tools --enable-library --enable-deprecated \
--enable-sixaxis --enable-cups --enable-nfc --enable-hid2hci \
autoreconf -vif
%configure --enable-tools --enable-library \
--enable-external-ell --disable-optimization \
%if %{with deprecated}
--enable-deprecated \
%endif
--enable-sixaxis --enable-cups --enable-nfc --enable-mesh \
--enable-hid2hci --enable-testing --enable-experimental \
--enable-bap --enable-bass --enable-mcp --enable-micp \
--enable-csip --enable-vcp \
--with-systemdsystemunitdir=%{_unitdir} \
--with-systemduserunitdir=%{_userunitdir}
make %{?_smp_mflags} V=1
%{make_build}
%install
make install DESTDIR=$RPM_BUILD_ROOT
%{make_install}
%if %{with deprecated}
# "make install" fails to install gatttool, necessary for Bluetooth Low Energy
# Red Hat Bugzilla bug #1141909
# Debian bug #720486
# Red Hat Bugzilla bug #1141909, Debian bug #720486
install -m0755 attrib/gatttool $RPM_BUILD_ROOT%{_bindir}
%endif
# Remove autocrap and libtool droppings
# "make install" fails to install avinfo
# Red Hat Bugzilla bug #1699680
install -m0755 tools/avinfo $RPM_BUILD_ROOT%{_bindir}
# btmgmt is not installed by "make install", but it is useful for debugging
# some issues and to set the MAC address on HCIs which don't have their
# MAC address configured
install -m0755 tools/btmgmt $RPM_BUILD_ROOT%{_bindir}
# Remove libtool archive
find $RPM_BUILD_ROOT -name '*.la' -delete
# Remove the cups backend from libdir, and install it in /usr/lib whatever the install
@ -177,20 +194,21 @@ rm -f ${RPM_BUILD_ROOT}/%{_sysconfdir}/udev/*.rules ${RPM_BUILD_ROOT}/usr/lib/ud
install -D -p -m0644 tools/hid2hci.rules ${RPM_BUILD_ROOT}/%{_udevrulesdir}/97-hid2hci.rules
install -d -m0755 $RPM_BUILD_ROOT/%{_localstatedir}/lib/bluetooth
install -d -m0755 $RPM_BUILD_ROOT/%{_localstatedir}/lib/bluetooth/mesh
mkdir -p $RPM_BUILD_ROOT/%{_libdir}/bluetooth/
#copy bluetooth config file and setup auto enable
#copy bluetooth config files
install -D -p -m0644 src/main.conf ${RPM_BUILD_ROOT}/etc/bluetooth/main.conf
sed -i 's/#\[Policy\]$/\[Policy\]/; s/#AutoEnable=false/AutoEnable=true/' ${RPM_BUILD_ROOT}/%{_sysconfdir}/bluetooth/main.conf
install -D -p -m0644 mesh/mesh-main.conf ${RPM_BUILD_ROOT}/etc/bluetooth/mesh-main.conf
install -D -p -m0644 profiles/input/input.conf ${RPM_BUILD_ROOT}/etc/bluetooth/input.conf
install -D -p -m0644 profiles/network/network.conf ${RPM_BUILD_ROOT}/etc/bluetooth/network.conf
#serial port connected Broadcom HCIs scripts
install -D -p -m0644 %{SOURCE2} ${RPM_BUILD_ROOT}/%{_udevrulesdir}/
install -D -p -m0644 %{SOURCE3} ${RPM_BUILD_ROOT}/%{_unitdir}/
install -D -p -m0755 %{SOURCE4} ${RPM_BUILD_ROOT}/%{_libexecdir}/bluetooth/
# Install the HCI emulator, useful for testing
install emulator/btvirt ${RPM_BUILD_ROOT}/%{_libexecdir}/bluetooth/
%check
make check
#check
#make check
%ldconfig_scriptlets libs
@ -206,6 +224,12 @@ make check
%post hid2hci
/sbin/udevadm trigger --subsystem-match=usb
%post mesh
%systemd_user_post bluetooth-mesh.service
%preun mesh
%systemd_user_preun bluetooth-mesh.service
%post obexd
%systemd_user_post obex.service
@ -213,50 +237,58 @@ make check
%systemd_user_preun obex.service
%files
%{!?_licensedir:%global license %%doc}
%license COPYING
%doc AUTHORS ChangeLog
%config %{_sysconfdir}/dbus-1/system.d/bluetooth.conf
%config %{_sysconfdir}/bluetooth/main.conf
%{_bindir}/btattach
%{_bindir}/ciptool
%{_bindir}/hcitool
%{_bindir}/l2ping
%{_bindir}/rfcomm
%{_bindir}/sdptool
%{_bindir}/bluetoothctl
# bluetooth.service expects configuraton directory to be read only
# https://github.com/bluez/bluez/issues/329#issuecomment-1102459104
%attr(0555, root, root) %dir %{_sysconfdir}/bluetooth
%config(noreplace) %{_sysconfdir}/bluetooth/main.conf
%config(noreplace) %{_sysconfdir}/bluetooth/input.conf
%config(noreplace) %{_sysconfdir}/bluetooth/network.conf
%{_bindir}/avinfo
%{_bindir}/bluemoon
%{_bindir}/bluetoothctl
%{_bindir}/btattach
%{_bindir}/btmgmt
%{_bindir}/btmon
%{_bindir}/hex2hcd
%{_bindir}/mpris-proxy
%{_mandir}/man1/bluetoothctl.1.*
%{_mandir}/man1/bluetoothctl-*.1.*
%{_mandir}/man1/btmgmt.1.*
%{_mandir}/man1/btattach.1.*
%{_mandir}/man1/btmon.1.*
%{_mandir}/man8/bluetoothd.8.*
%dir %{_libexecdir}/bluetooth
%{_libexecdir}/bluetooth/bluetoothd
%{_libdir}/bluetooth/
# bluetooth.service expects StateDirectoryMode to be 700.
%attr(0700, root, root) %dir %{_localstatedir}/lib/bluetooth
%dir %{_localstatedir}/lib/bluetooth/mesh
%{_datadir}/dbus-1/system.d/bluetooth.conf
%{_datadir}/dbus-1/system-services/org.bluez.service
%{_unitdir}/bluetooth.service
%{_datadir}/zsh/site-functions/_bluetoothctl
%if %{with deprecated}
%files deprecated
%{_bindir}/ciptool
%{_bindir}/gatttool
%{_bindir}/hciattach
%{_bindir}/hciconfig
%{_bindir}/hcidump
%{_bindir}/l2test
%{_bindir}/hex2hcd
%{_bindir}/mpris-proxy
%{_bindir}/gatttool
%{_bindir}/rctest
%{_datadir}/zsh/site-functions/_bluetoothctl
%{_mandir}/man1/btattach.1.gz
%{_mandir}/man1/btmon.1.*
%{_mandir}/man1/ciptool.1.gz
%{_mandir}/man1/hcitool.1.gz
%{_mandir}/man1/rfcomm.1.gz
%{_mandir}/man1/sdptool.1.gz
%{_bindir}/hcitool
%{_bindir}/meshctl
%{_bindir}/rfcomm
%{_bindir}/sdptool
%{_mandir}/man1/ciptool.1.*
%{_mandir}/man1/hciattach.1.*
%{_mandir}/man1/hciconfig.1.*
%{_mandir}/man1/hcidump.1.*
%{_mandir}/man1/l2ping.1.*
%{_mandir}/man1/rctest.1.*
%{_mandir}/man8/*
%{_libexecdir}/bluetooth/bluetoothd
%{_libexecdir}/bluetooth/btattach-bcm-service.sh
%{_libdir}/bluetooth/
%{_localstatedir}/lib/bluetooth
%{_datadir}/dbus-1/system-services/org.bluez.service
%{_unitdir}/bluetooth.service
%{_unitdir}/btattach-bcm@.service
%{_udevrulesdir}/69-btattach-bcm.rules
%{_mandir}/man1/hcitool.1.*
%{_mandir}/man1/rfcomm.1.*
%{_mandir}/man1/sdptool.1.*
%endif
%files libs
%{!?_licensedir:%global license %%doc}
@ -265,9 +297,21 @@ make check
%files libs-devel
%doc doc/*txt
%{_bindir}/isotest
%{_bindir}/l2test
%{_bindir}/l2ping
%{_bindir}/rctest
%{_mandir}/man1/isotest.1.*
%{_mandir}/man1/l2ping.1.*
%{_mandir}/man1/rctest.1.*
%{_mandir}/man5/org.bluez.*.5.*
%{_mandir}/man7/l2cap.7.*
%{_mandir}/man7/rfcomm.7.*
%{_libdir}/libbluetooth.so
%{_includedir}/bluetooth
%{_libdir}/pkgconfig/bluez.pc
%dir %{_libexecdir}/bluetooth
%{_libexecdir}/bluetooth/btvirt
%files cups
%_cups_serverbin/backend/bluetooth
@ -277,74 +321,254 @@ make check
%{_mandir}/man1/hid2hci.1*
%{_udevrulesdir}/97-hid2hci.rules
%files mesh
%config(noreplace) %{_sysconfdir}/bluetooth/mesh-main.conf
%{_bindir}/mesh-cfgclient
%{_bindir}/mesh-cfgtest
%{_datadir}/dbus-1/system.d/bluetooth-mesh.conf
%{_datadir}/dbus-1/system-services/org.bluez.mesh.service
%{_libexecdir}/bluetooth/bluetooth-meshd
%{_unitdir}/bluetooth-mesh.service
%{_localstatedir}/lib/bluetooth/mesh
%{_mandir}/man8/bluetooth-meshd.8*
%files obexd
%{_libexecdir}/bluetooth/obexd
%{_datadir}/dbus-1/services/org.bluez.obex.service
/usr/lib/systemd/user/dbus-org.bluez.obex.service
%{_userunitdir}/obex.service
%changelog
* Tue May 17 2022 Gopal Tiwari <gtiwari@redhat.com> - 5.63-1
+ bluez-5.63-1
- Fixing (#)
* Mon Aug 05 2024 Bastien Nocera <bnocera@redhat.com> - 5.77-2
- Use git to apply patches
- Fix coverity issues
- Related: Jira:RHEL-34536
* Mon Dec 13 2021 Gopal Tiwari <gtiwari@redhat.com> - 5.56-3
+ bluez-5.56-3
- Fixing (#2027434)
- Fixing CVE-2021-41229
* Mon Aug 05 2024 Bastien Nocera <bnocera@redhat.com> - 5.77-1
- Update to 5.77
* Mon Jun 7 2021 Gopal Tiwari <gtiwari@redhat.com> - 5.56-2
+ bluez-5.56-2
- Fixing (#1968392)
- Removing bccmd check from tests
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 5.72-5
- Bump release for June 2024 mass rebuild
* Wed Jun 2 2021 Gopal Tiwari <gtiwari@redhat.com> - 5.56-1
+ bluez-5.56-1
- Fixing (#1965057)
- Removing bccmd, enabling hid2hci as upstream removed the support in bluez-5.56
* Thu May 23 2024 David Marlin <dmarlin@redhat.com> - 5.72-4
- Change the License to meet SPDX allowed licenses.
* Wed May 26 2021 Gopal Tiwari <gtiwari@redhat.com> - 5.52-5
+ bluez-5.52-5
- Fixing (#1961511)
* Tue Jan 23 2024 Fedora Release Engineering <releng@fedoraproject.org> - 5.72-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Thu Oct 22 2020 Gopal Tiwari <gtiwari@redhat.com> - 5.52-4
+ bluez-5.52-4
- Fixing (#1885378)
* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 5.72-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Thu Oct 22 2020 Gopal Tiwari <gtiwari@redhat.com> - 5.52-3
+ bluez-5.52-3
- Revering the 5.52-2 patch due some mismatch with upsream patch.
* Sun Jan 14 2024 Peter Robinson <pbrobinson@fedoraproject.org> - 5.72-1
- Update to 5.72
* Tue Oct 20 2020 Gopal Tiwari <gtiwari@redhat.com> - 5.52-2
+ bluez-5.52-2
- Fixing (#1885378)
* Sun Jan 07 2024 Peter Robinson <pbrobinson@fedoraproject.org> - 5.71-3
- Upstream fix for crash on A2DP audio suspend
* Tue Jun 9 2020 Gopal Tiwari <gtiwari@redhat.com> - 5.52-1
+ bluez-5.52-1
- Fixing (#1830397)
* Fri Dec 29 2023 Peter Robinson <pbrobinson@fedoraproject.org> - 5.71-2
- Fix link key address type for old kernels
* Fri Apr 24 2020 Gopal Tiwari <gtiwari@redhat.com> - 5.50-4
+ bluez-5.50-4
- Fixing CVE-2020-0556
* Sat Dec 16 2023 Peter Robinson <pbrobinson@fedoraproject.org> - 5.71-1
- Update to 5.71
* Mon Jan 13 2020 Gopal Tiwari <gtiwari@redhat.com> - 5.50-3
+ bluez-5.50-3
- Bump the version
* Thu Dec 07 2023 Peter Robinson <pbrobinson@fedoraproject.org> - 5.70-5
- Install default input.conf/network.conf
* Mon Jan 13 2020 Gopal Tiwari <gtiwari@redhat.com> - 5.50-2
* Thu Dec 07 2023 Peter Robinson <pbrobinson@fedoraproject.org> - 5.70-4
- Add mitigation for CVE-2023-45866
* Sun Nov 19 2023 Peter Robinson <pbrobinson@fedoraproject.org> - 5.70-3
- Fix some input devices disconnecting right after connecting
- Explicitly enable Bluetooth BAP/BASS/CSIP/MCP/MICP/VCP profiles
* Mon Oct 02 2023 Sandro Bonazzola <sbonazzo@redhat.com> - 5.70-2
- Fix access modes for /etc/bluetooth and /var/lib/bluetooth as expected
by bluetooth.service.
- Resolves: fedora#2144504
* Fri Sep 29 2023 Peter Robinson <pbrobinson@fedoraproject.org> - 5.70-1
- Update to 5.70
- Enable some Bluetooth LE features
* Fri Aug 25 2023 Peter Robinson <pbrobinson@fedoraproject.org> - 5.69-1
- Update to 5.69
* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 5.68-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Sat Jul 01 2023 Peter Robinson <pbrobinson@fedoraproject.org> - 5.68-1
- Update to 5.68
- Don't replace modified configs on upgrade (rhbz#2173029)
* Sun Jun 25 2023 Bastien Nocera <bnocera@redhat.com> - 5.66-6
- Add patch that fixes some devices not being discoverable in
GNOME's Bluetooth Settings
* Wed Jan 18 2023 Fedora Release Engineering <releng@fedoraproject.org> - 5.66-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Thu Nov 17 2022 Peter Robinson <pbrobinson@fedoraproject.org> - 5.66-4
- Move meshctl to deprecated
* Thu Nov 17 2022 Bastien Nocera <bnocera@redhat.com> - 5.66-3
- Fix handling of transient hostnames (#2143488)
* Mon Nov 14 2022 Bastien Nocera <bnocera@redhat.com> - 5.66-2
- Re-add wrongly removed non-upstreamed patch
* Fri Nov 11 2022 Peter Robinson <pbrobinson@fedoraproject.org> - 5.66-1
- Update to 5.66
* Thu Sep 01 2022 Bastien Nocera <bnocera@redhat.com> - 5.65-3
+ bluez-5.65-3
- Update PowerState property patch to upstream version
* Wed Aug 31 2022 Bastien Nocera <bnocera@redhat.com> - 5.65-2
+ bluez-5.65-2
- Add PowerState property implementation
* Thu Jul 28 2022 Peter Robinson <pbrobinson@fedoraproject.org> - 5.65-1
- Update to 5.65
* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.64-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Mon Mar 21 2022 Peter Robinson <pbrobinson@fedoraproject.org> - 5.64-1
- Update to 5.64
* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.63-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Thu Jan 13 2022 Adam Williamson <awilliam@redhat.com> - 5.63-2
- Update fix for MX mice to the one merged upstream
* Wed Jan 05 2022 Peter Robinson <pbrobinson@fedoraproject.org> - 5.63-1
- Update to 5.63
* Sun Nov 07 2021 Adam Williamson <awilliam@redhat.com> - 5.62-2
- Revert an upstream change to fix problems with Logitech MX mice (#2019970)
* Wed Oct 13 2021 Peter Robinson <pbrobinson@fedoraproject.org> - 5.62-1
- Update to 5.62
* Sun Aug 22 2021 Peter Robinson <pbrobinson@fedoraproject.org> - 5.61-1
- Update to 5.61
* Tue Jul 27 2021 Bastien Nocera <bnocera@redhat.com> - 5.60-4
+ bluez-5.60-4
- Fix for CVE-2021-3658 (see rhbz#1984728)
* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.60-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Sat Jul 10 2021 Björn Esser <besser82@fedoraproject.org> - 5.60-2
- Rebuild for versioned symbols in json-c
* Thu Jul 08 2021 Peter Robinson <pbrobinson@fedoraproject.org> - 5.60-1
- Update to 5.60
* Tue Jun 15 2021 Peter Robinson <pbrobinson@fedoraproject.org> - 5.59-1
- Update to 5.59
* Mon May 03 2021 Benjamin Berg <bberg@redhat.com> - 5.58-2
- Fix rfkill reading
Resolves: #1944482
- Change all g_memdup calls to use g_memdup2
* Sun Apr 04 2021 Peter Robinson <pbrobinson@fedoraproject.org> - 5.58-1
- Update to 5.58
* Sun Mar 14 2021 Peter Robinson <pbrobinson@fedoraproject.org> - 5.56-4
- Fix for avdtp audio disconnexts
* Sun Mar 14 2021 Hans de Goede <hdegoede@redhat.com> - 5.56-3
- Drop obsolete udev rule + systemd service to call btattach on BT-HCIs
connected via UART from userspace, this is all handled in the kernel now
- Add the btmgmt util to the packaged files
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 5.56-2
- Rebuilt for updated systemd-rpm-macros
See https://pagure.io/fesco/issue/2583.
* Sat Feb 27 2021 Peter Robinson <pbrobinson@fedoraproject.org> - 5.56-1
- Update to 5.56
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.55-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Sun Sep 13 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 5.55-2
- Split tools marked as deprecated to separate sub package (rhbz #1887569)
* Sun Sep 06 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 5.55-1
- Update to 5.55
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.54-4
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.54-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Apr 21 2020 Björn Esser <besser82@fedoraproject.org> - 5.54-2
- Rebuild (json-c)
* Sun Mar 15 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 5.54-1
- bluez 5.54
* Sun Feb 16 2020 Peter Robinson <pbrobinson@fedoraproject.org> 5.53-2
- Minor mesh updates
* Sun Feb 16 2020 Peter Robinson <pbrobinson@fedoraproject.org> 5.53-1
- bluez 5.53
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.52-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Dec 12 2019 Peter Robinson <pbrobinson@fedoraproject.org> 5.52-3
- Minor bluetooth mesh improvements
* Mon Dec 02 2019 Lubomir Rintel <lkundrak@v3.sk> - 5.52-2
- Package the btvirt binary
* Sun Nov 3 2019 Peter Robinson <pbrobinson@fedoraproject.org> 5.52-1
- bluez 5.52
* Fri Sep 20 2019 Peter Robinson <pbrobinson@fedoraproject.org> 5.51-1
- bluez 5.51
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5.50-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Thu Jun 06 2019 Bastien Nocera <bnocera@redhat.com> - 5.50-8
+ bluez-5.50-8
- Backport loads of fixes from upstream, including:
- dbus-broker support (#1711594)
- a2dp codecs discovery
- discoverability filter support (used in gnome-bluetooth, #1583442)
- sixaxis pairing fixes
* Tue Apr 16 2019 Eduardo Minguez <edu@linux.com> - 5.50-7
- Added avinfo
* Sun Feb 17 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 5.50-6
- Disable tests temporarily
* Sun Feb 17 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 5.50-5
- Rebuild for readline 8.0
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5.50-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 5.50-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Wed Jun 27 2018 Bastien Nocera <bnocera@redhat.com> - 5.50-2
+ bluez-5.50-2
- Fixing CVE-2018-10910 (#1606373)
- Fix A2DP disconnections with some headsets
* Fri Sep 7 2018 Gopal Tiwari <gtiwari@redhat.com> - 5.50-1
* Mon Jun 04 2018 Bastien Nocera <bnocera@redhat.com> - 5.50-1
+ bluez-5.50-1
- Update to 5.50 (#1504689)
* Fri Aug 24 2018 Gopal Tiwari <gtiwari@redhat.com> - 5.49-6
+ bluez-5.49-6
- Disabling Mesh Networking for crypto issue while code reviewing.
* Tue Aug 14 2018 Gopal Tiwari <gtiwari@redhat.com> - 5.49-5
+ bluez-5.49-5
- Fix accessing NULL adv_manager (#1602779)
- Update to 5.50
* Fri Apr 20 2018 Bastien Nocera <bnocera@redhat.com> - 5.49-3
+ bluez-5.49-3

481
coverity-workarounds.patch Normal file
View File

@ -0,0 +1,481 @@
From ad622447efc5429a5dc3f84c722a81cc41658e7e Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Mon, 5 Aug 2024 12:17:29 +0200
Subject: [PATCH 1/8] monitor: Work-around overflow_sink Case #01164573
Coverity thinks "len" can be negative, even though we check its value,
and exit the function if it is.
---
monitor/control.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/monitor/control.c b/monitor/control.c
index 62857b4b84de..40e8a3a90c05 100644
--- a/monitor/control.c
+++ b/monitor/control.c
@@ -1102,6 +1102,7 @@ static void client_callback(int fd, uint32_t events, void *user_data)
UINT16_MAX - data->offset > len)
return;
+ /* coverity[overflow] : FALSE */
data->offset += len;
while (data->offset >= MGMT_HDR_SIZE) {
--
2.45.2
From c2a1630f0e484c4330c565c56e9a26f8f1ae2664 Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Tue, 30 Jul 2024 15:45:18 +0200
Subject: [PATCH 2/8] mesh/net: Work-around memory overallocation warning
Coverity doesn't realise that the "payload" struct was allocated past
its structure size, so quiet that warning.
Error: OVERRUN (CWE-119): [#def1] [important]
bluez-5.77/mesh/net.c:3276:2: cond_at_most: Checking "msg_len > 384" implies that "msg_len" may be up to 384 on the false branch.
bluez-5.77/mesh/net.c:3290:2: cond_at_most: Checking "msg_len <= 15" implies that "msg_len" may be up to 15 on the true branch.
bluez-5.77/mesh/net.c:3316:2: overrun-buffer-arg: Overrunning array "payload->buf" of 4 bytes by passing it to a function which accesses it at byte offset 14 using argument "msg_len" (which evaluates to 15). [Note: The source code implementation of the function has been overridden by a builtin model.]
3314| /* Setup OTA Network send */
3315| payload = mesh_sar_new(msg_len);
3316|-> memcpy(payload->buf, msg, msg_len);
3317| payload->len = msg_len;
3318| payload->src = src;
---
mesh/net.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/mesh/net.c b/mesh/net.c
index ef6a3133859a..ca2cda8ec948 100644
--- a/mesh/net.c
+++ b/mesh/net.c
@@ -3306,6 +3306,7 @@ bool mesh_net_app_send(struct mesh_net *net, bool frnd_cred, uint16_t src,
/* Setup OTA Network send */
payload = mesh_sar_new(msg_len);
+ /* coverity[overrun-buffer-arg] : FALSE */
memcpy(payload->buf, msg, msg_len);
payload->len = msg_len;
payload->src = src;
--
2.45.2
From 6494fc8665f89b70b8e9d80b829eabc71a22278f Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Wed, 17 Jul 2024 12:51:56 +0200
Subject: [PATCH 3/8] shared/shell: Work-around SAT-45980 with wordexp()
Coverity sees a leak when one doesn't exist yet.
Error: RESOURCE_LEAK (CWE-772): [#def23] [important]
bluez-5.77/src/shared/shell.c:534:2: alloc_arg: "parse_args" allocates memory that is stored into "w.we_wordv".
bluez-5.77/src/shared/shell.c:558:3: leaked_storage: Variable "w" going out of scope leaks the storage "w.we_wordv" points to.
556| "Unable to parse optional command arguments: %s", opt);
557| free(opt);
558|-> return -EINVAL;
559| }
560|
---
src/shared/shell.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/shared/shell.c b/src/shared/shell.c
index 26c6a419af22..9d2b50b260f9 100644
--- a/src/shared/shell.c
+++ b/src/shared/shell.c
@@ -555,6 +555,7 @@ optional:
print_text(COLOR_HIGHLIGHT,
"Unable to parse optional command arguments: %s", opt);
free(opt);
+ /* coverity[leaked_storage : FALSE] */
return -EINVAL;
}
--
2.45.2
From 99c12a3e56129361ed50934054876126b1e55881 Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Wed, 17 Jul 2024 11:28:17 +0200
Subject: [PATCH 4/8] sdp: Work-around #01163325 with single-linked list
Error: RESOURCE_LEAK (CWE-772): [#def2] [important]
bluez-5.77/lib/sdp.c:1896:4: alloc_fn: Storage is returned from allocation function "sdp_list_append".
bluez-5.77/lib/sdp.c:1896:4: var_assign: Assigning: "pds" = storage returned from "sdp_list_append(pds, curr->val.dataseq)".
bluez-5.77/lib/sdp.c:1896:4: identity_transfer: Passing "pds" as argument 1 to function "sdp_list_append", which returns that argument.
bluez-5.77/lib/sdp.c:1896:4: noescape: Resource "pds" is not freed or pointed-to in "sdp_list_append".
bluez-5.77/lib/sdp.c:1896:4: overwrite_var: Overwriting "pds" in "pds = sdp_list_append(pds, curr->val.dataseq)".
bluez-5.77/lib/sdp.c:1896:4: var_assign: Assigning: "pds" = storage returned from "sdp_list_append(pds, curr->val.dataseq)".
bluez-5.77/lib/sdp.c:1896:4: noescape: Resource "pds" is not freed or pointed-to in "sdp_list_append".
bluez-5.77/lib/sdp.c:1896:4: overwrite_var: Overwriting "pds" in "pds = sdp_list_append(pds, curr->val.dataseq)" leaks the storage that "pds" points to.
1894| goto failed;
1895| }
1896|-> pds = sdp_list_append(pds, curr->val.dataseq);
1897| }
1898|
Error: RESOURCE_LEAK (CWE-772): [#def3] [important]
bluez-5.77/lib/sdp.c:1899:3: alloc_fn: Storage is returned from allocation function "sdp_list_append".
bluez-5.77/lib/sdp.c:1899:3: var_assign: Assigning: "ap" = storage returned from "sdp_list_append(ap, pds)".
bluez-5.77/lib/sdp.c:1899:3: identity_transfer: Passing "ap" as argument 1 to function "sdp_list_append", which returns that argument.
bluez-5.77/lib/sdp.c:1899:3: noescape: Resource "ap" is not freed or pointed-to in "sdp_list_append".
bluez-5.77/lib/sdp.c:1899:3: overwrite_var: Overwriting "ap" in "ap = sdp_list_append(ap, pds)".
bluez-5.77/lib/sdp.c:1899:3: var_assign: Assigning: "ap" = storage returned from "sdp_list_append(ap, pds)".
bluez-5.77/lib/sdp.c:1899:3: noescape: Resource "ap" is not freed or pointed-to in "sdp_list_append".
bluez-5.77/lib/sdp.c:1899:3: overwrite_var: Overwriting "ap" in "ap = sdp_list_append(ap, pds)" leaks the storage that "ap" points to.
1897| }
1898|
1899|-> ap = sdp_list_append(ap, pds);
1900| }
1901|
Error: RESOURCE_LEAK (CWE-772): [#def17] [important]
bluez-5.77/src/sdp-client.c:197:3: alloc_fn: Storage is returned from allocation function "sdp_list_append".
bluez-5.77/src/sdp-client.c:197:3: var_assign: Assigning: "recs" = storage returned from "sdp_list_append(recs, rec)".
bluez-5.77/src/sdp-client.c:197:3: identity_transfer: Passing "recs" as argument 1 to function "sdp_list_append", which returns that argument.
bluez-5.77/src/sdp-client.c:197:3: noescape: Resource "recs" is not freed or pointed-to in "sdp_list_append".
bluez-5.77/src/sdp-client.c:197:3: overwrite_var: Overwriting "recs" in "recs = sdp_list_append(recs, rec)".
bluez-5.77/src/sdp-client.c:197:3: var_assign: Assigning: "recs" = storage returned from "sdp_list_append(recs, rec)".
bluez-5.77/src/sdp-client.c:197:3: noescape: Resource "recs" is not freed or pointed-to in "sdp_list_append".
bluez-5.77/src/sdp-client.c:197:3: overwrite_var: Overwriting "recs" in "recs = sdp_list_append(recs, rec)" leaks the storage that "recs" points to.
195| }
196|
197|-> recs = sdp_list_append(recs, rec);
198| } while (scanned < (ssize_t) size && bytesleft > 0);
199|
---
lib/sdp.c | 2 ++
src/sdp-client.c | 1 +
2 files changed, 3 insertions(+)
diff --git a/lib/sdp.c b/lib/sdp.c
index 8a15ad803db1..99efbc19c299 100644
--- a/lib/sdp.c
+++ b/lib/sdp.c
@@ -1893,9 +1893,11 @@ static int sdp_get_proto_descs(uint16_t attr_id, const sdp_record_t *rec,
sdp_list_free(pds, NULL);
goto failed;
}
+ /* coverity[overwrite_var] : FALSE */
pds = sdp_list_append(pds, curr->val.dataseq);
}
+ /* coverity[overwrite_var] : FALSE */
ap = sdp_list_append(ap, pds);
}
diff --git a/src/sdp-client.c b/src/sdp-client.c
index 71d3d9e95044..2f043cb7f010 100644
--- a/src/sdp-client.c
+++ b/src/sdp-client.c
@@ -194,6 +194,7 @@ static void search_completed_cb(uint8_t type, uint16_t status,
continue;
}
+ /* coverity[overwrite_var] : FALSE */
recs = sdp_list_append(recs, rec);
} while (scanned < (ssize_t) size && bytesleft > 0);
--
2.45.2
From 6fcbf34a02133628a1a8afeabb093270ca89dbb8 Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Thu, 18 Jul 2024 15:05:07 +0200
Subject: [PATCH 5/8] mesh: Quiet imprecise "overrun-buffer-val" #01163326
Error: OVERRUN (CWE-119): [#def1] [important]
bluez-5.77/mesh/friend.c:326:2: overrun-buffer-val: Overrunning array "msg" of 5 bytes by passing it to a function which accesses it at byte offset 12.
324| l_put_be16(neg->lp_addr, msg + 1);
325| l_put_be16(neg->lp_cnt, msg + 3);
326|-> mesh_net_transport_send(neg->net, 0, 0,
327| mesh_net_get_iv_index(neg->net), DEFAULT_TTL,
328| 0, 0, neg->old_friend,
Error: OVERRUN (CWE-119): [#def2] [important]
bluez-5.77/mesh/net.c:276:2: overrun-buffer-val: Overrunning array "msg" of 4 bytes by passing it to a function which accesses it at byte offset 12.
274| n += 2;
275|
276|-> mesh_net_transport_send(net, 0, 0, mesh_net_get_iv_index(net),
277| pub->ttl, 0, 0, pub->dst, msg, n);
278| }
Error: OVERRUN (CWE-119): [#def3] [important]
bluez-5.77/mesh/net.c:1463:3: overrun-buffer-val: Overrunning array "msg" of 7 bytes by passing it to a function which accesses it at byte offset 12.
1461| mesh_net_next_seq_num(net), 0, dst, msg);
1462| } else {
1463|-> mesh_net_transport_send(net, 0, 0,
1464| mesh_net_get_iv_index(net), DEFAULT_TTL,
1465| 0, 0, dst, msg, sizeof(msg));
Error: OVERRUN (CWE-119): [#def4] [important]
bluez-5.77/mesh/net.c:1498:2: overrun-buffer-val: Overrunning array "msg" of 7 bytes by passing it to a function which accesses it at byte offset 12.
1496| }
1497|
1498|-> mesh_net_transport_send(net, 0, sar->net_idx,
1499| mesh_net_get_iv_index(net), DEFAULT_TTL,
1500| 0, src, dst, msg,
Error: OVERRUN (CWE-119): [#def6] [important]
bluez-5.77/mesh/net.c:2053:3: overrun-buffer-val: Overrunning array "sar_in->buf" of 4 bytes by passing it to a function which accesses it at byte offset 11.
2051| send_net_ack(net, sar_in, expected);
2052|
2053|-> msg_rxed(net, frnd, iv_index, ttl, seq, net_idx,
2054| sar_in->remote, dst, key_aid, true, szmic,
2055| sar_in->seqZero, sar_in->buf, sar_in->len);
---
mesh/friend.c | 1 +
mesh/net.c | 4 ++++
2 files changed, 5 insertions(+)
diff --git a/mesh/friend.c b/mesh/friend.c
index 5b73da68916f..bb8f62e9f57f 100644
--- a/mesh/friend.c
+++ b/mesh/friend.c
@@ -323,6 +323,7 @@ static void clear_retry(struct l_timeout *timeout, void *user_data)
l_put_be16(neg->lp_addr, msg + 1);
l_put_be16(neg->lp_cnt, msg + 3);
+ /* coverity[overrun-buffer-val] : FALSE */
mesh_net_transport_send(neg->net, 0, 0,
mesh_net_get_iv_index(neg->net), DEFAULT_TTL,
0, 0, neg->old_friend,
diff --git a/mesh/net.c b/mesh/net.c
index ca2cda8ec948..9d6c2ae5142f 100644
--- a/mesh/net.c
+++ b/mesh/net.c
@@ -273,6 +273,7 @@ static void send_hb_publication(void *data)
l_put_be16(net->features, msg + n);
n += 2;
+ /* coverity[overrun-buffer-val] : FALSE */
mesh_net_transport_send(net, 0, 0, mesh_net_get_iv_index(net),
pub->ttl, 0, 0, pub->dst, msg, n);
}
@@ -1460,6 +1461,7 @@ static void send_frnd_ack(struct mesh_net *net, uint16_t src, uint16_t dst,
friend_ack_rxed(net, mesh_net_get_iv_index(net),
mesh_net_next_seq_num(net), 0, dst, msg);
} else {
+ /* coverity[overrun-buffer-val] : FALSE */
mesh_net_transport_send(net, 0, 0,
mesh_net_get_iv_index(net), DEFAULT_TTL,
0, 0, dst, msg, sizeof(msg));
@@ -1495,6 +1497,7 @@ static void send_net_ack(struct mesh_net *net, struct mesh_sar *sar,
return;
}
+ /* coverity[overrun-buffer-val] : FALSE */
mesh_net_transport_send(net, 0, sar->net_idx,
mesh_net_get_iv_index(net), DEFAULT_TTL,
0, src, dst, msg,
@@ -2050,6 +2053,7 @@ static bool seg_rxed(struct mesh_net *net, bool frnd, uint32_t iv_index,
/* Got it all */
send_net_ack(net, sar_in, expected);
+ /* coverity[overrun-buffer-val] : FALSE */
msg_rxed(net, frnd, iv_index, ttl, seq, net_idx,
sar_in->remote, dst, key_aid, true, szmic,
sar_in->seqZero, sar_in->buf, sar_in->len);
--
2.45.2
From 91066706378840f28146e51702e3ed8c1780dcd9 Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Thu, 18 Jul 2024 15:37:58 +0200
Subject: [PATCH 6/8] mesh: Quiet imprecise "overrun-buffer-val" #01163327
Those errors are incorrect, as just before the flagged function calls,
the packet is modified to flag for a "segmented" packet, which is
handled differently, so nothing is accessed past the array size.
Error: OVERRUN (CWE-119): [#def5] [important]
bluez-5.77/mesh/net.c:1769:3: cond_at_least: Checking "size > 15" implies that "size" is at least 16 on the true branch.
bluez-5.77/mesh/net.c:1776:3: overrun-call: Overrunning callee's array of size 15 by passing argument "size" (which evaluates to 16) in call to "friend_packet_queue".
1774| }
1775|
1776|-> if (friend_packet_queue(net, iv_index, false, frnd_ttl,
1777| seq, src, dst,
1778| hdr, data, size))
Error: OVERRUN (CWE-119): [#def2] [important]
bluez-5.77/mesh/net.c:2016:3: cond_at_least: Checking "segN" implies that "segN" is at least 1 on the true branch.
bluez-5.77/mesh/net.c:2016:3: assignment: Assigning: "len" = "segN ? (segN + 1) * 12 : 15". The value of "len" is now at least 24.
bluez-5.77/mesh/net.c:2028:3: assignment: Assigning: "sar_in->len" = "len". The value of "sar_in->len" is now at least 24.
bluez-5.77/mesh/net.c:2058:3: overrun-call: Overrunning callee's array of size 15 by passing argument "sar_in->len" (which evaluates to 24) in call to "msg_rxed".
2056|
2057| /* coverity[overrun-buffer-val] : FALSE */
2058|-> msg_rxed(net, frnd, iv_index, ttl, seq, net_idx,
2059| sar_in->remote, dst, key_aid, true, szmic,
2060| sar_in->seqZero, sar_in->buf, sar_in->len);
Error: OVERRUN (CWE-119): [#def4] [important]
bluez-5.77/mesh/net.c:3266:2: cond_at_most: Checking "msg_len > 384" implies that "msg_len" may be up to 384 on the false branch.
bluez-5.77/mesh/net.c:3280:2: cond_between: Checking "msg_len <= 15" implies that "msg_len" is between 16 and 384 (inclusive) on the false branch.
bluez-5.77/mesh/net.c:3284:2: overrun-call: Overrunning callee's array of size 15 by passing argument "msg_len" (which evaluates to 384) in call to "msg_rxed".
3282|
3283| /* First enqueue to any Friends and internal models */
3284|-> result = msg_rxed(net, false, iv_index, ttl, seq, net_idx, src, dst,
3285| key_aid, segmented, szmic, seq & SEQ_ZERO_MASK,
3286| msg, msg_len);
---
mesh/net.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/mesh/net.c b/mesh/net.c
index 9d6c2ae5142f..30dcdb2fe517 100644
--- a/mesh/net.c
+++ b/mesh/net.c
@@ -1776,6 +1776,7 @@ static bool msg_rxed(struct mesh_net *net, bool frnd, uint32_t iv_index,
hdr |= SEG_MAX(true, size) << SEGN_HDR_SHIFT;
}
+ /* coverity[overrun-call] : FALSE */
if (friend_packet_queue(net, iv_index, false, frnd_ttl,
seq, src, dst,
hdr, data, size))
@@ -2054,6 +2055,7 @@ static bool seg_rxed(struct mesh_net *net, bool frnd, uint32_t iv_index,
send_net_ack(net, sar_in, expected);
/* coverity[overrun-buffer-val] : FALSE */
+ /* coverity[overrun-call] : FALSE */
msg_rxed(net, frnd, iv_index, ttl, seq, net_idx,
sar_in->remote, dst, key_aid, true, szmic,
sar_in->seqZero, sar_in->buf, sar_in->len);
@@ -3289,6 +3291,7 @@ bool mesh_net_app_send(struct mesh_net *net, bool frnd_cred, uint16_t src,
segmented |= !!(seg_max);
/* First enqueue to any Friends and internal models */
+ /* coverity[overrun-call] : FALSE */
result = msg_rxed(net, false, iv_index, ttl, seq, net_idx, src, dst,
key_aid, segmented, szmic, seq & SEQ_ZERO_MASK,
msg, msg_len);
--
2.45.2
From 1a1239f998ca15dd233e2adaa2ce12f4ae97e5d1 Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Fri, 19 Jul 2024 15:06:24 +0200
Subject: [PATCH 7/8] shared/gatt-db: Work-around overrun-buffer-arg case
#01163328
Despite the checks added, Coverity still thinks that uuid_to_le() can
return more than 16 (for UUID128 / 8), so quiet those.
Error: OVERRUN (CWE-119): [#def6] [important]
bluez-5.77/src/shared/gatt-db.c:612:2: assignment: Assigning: "len" = "uuid_to_le(uuid, value)". The value of "len" is now between 0 and 31 (inclusive).
bluez-5.77/src/shared/gatt-db.c:614:2: overrun-buffer-arg: Overrunning array "value" of 16 bytes by passing it to a function which accesses it at byte offset 30 using argument "len" (which evaluates to 31).
612| len = uuid_to_le(uuid, value);
613|
614|-> service->attributes[0] = new_attribute(service, handle, type, value,
615| len);
616| if (!service->attributes[0]) {
Error: OVERRUN (CWE-119): [#def7] [important]
bluez-5.77/src/shared/gatt-db.c:947:2: assignment: Assigning: "len" = "0".
bluez-5.77/src/shared/gatt-db.c:971:2: assignment: Assigning: "len" += "1UL". The value of "len" is now 1.
bluez-5.77/src/shared/gatt-db.c:975:2: assignment: Assigning: "len" += "2UL". The value of "len" is now 3.
bluez-5.77/src/shared/gatt-db.c:976:2: assignment: Assigning: "len" += "uuid_to_le(uuid, &value[3])". The value of "len" is now between 3 and 34 (inclusive).
bluez-5.77/src/shared/gatt-db.c:978:2: overrun-buffer-arg: Overrunning array "value" of 19 bytes by passing it to a function which accesses it at byte offset 33 using argument "len" (which evaluates to 34).
976| len += uuid_to_le(uuid, &value[3]);
977|
978|-> service->attributes[i] = new_attribute(service, handle,
979| &characteristic_uuid,
980| value, len);
Error: OVERRUN (CWE-119): [#def8] [important]
bluez-5.77/src/shared/gatt-db.c:947:2: assignment: Assigning: "len" = "0".
bluez-5.77/src/shared/gatt-db.c:971:2: assignment: Assigning: "len" += "1UL". The value of "len" is now 1.
bluez-5.77/src/shared/gatt-db.c:975:2: assignment: Assigning: "len" += "2UL". The value of "len" is now 3.
bluez-5.77/src/shared/gatt-db.c:976:2: assignment: Assigning: "len" += "uuid_to_le(uuid, &value[3])". The value of "len" is now between 3 and 34 (inclusive).
bluez-5.77/src/shared/gatt-db.c:1005:2: overrun-buffer-arg: Overrunning array "value" of 19 bytes by passing it to a function which accesses it at byte offset 33 using argument "len" (which evaluates to 34).
1003| /* Update handle of characteristic value_handle if it has changed */
1004| put_le16(value_handle, &value[1]);
1005|-> if (memcmp((*chrc)->value, value, len))
1006| memcpy((*chrc)->value, value, len);
1007|
Error: OVERRUN (CWE-119): [#def9] [important]
bluez-5.77/src/shared/gatt-db.c:947:2: assignment: Assigning: "len" = "0".
bluez-5.77/src/shared/gatt-db.c:971:2: assignment: Assigning: "len" += "1UL". The value of "len" is now 1.
bluez-5.77/src/shared/gatt-db.c:975:2: assignment: Assigning: "len" += "2UL". The value of "len" is now 3.
bluez-5.77/src/shared/gatt-db.c:976:2: assignment: Assigning: "len" += "uuid_to_le(uuid, &value[3])". The value of "len" is now between 3 and 34 (inclusive).
bluez-5.77/src/shared/gatt-db.c:1006:3: overrun-buffer-arg: Overrunning array "value" of 19 bytes by passing it to a function which accesses it at byte offset 33 using argument "len" (which evaluates to 34). [Note: The source code implementation of the function has been overridden by a builtin model.]
1004| put_le16(value_handle, &value[1]);
1005| if (memcmp((*chrc)->value, value, len))
1006|-> memcpy((*chrc)->value, value, len);
1007|
1008| set_attribute_data(service->attributes[i], read_func, write_func,
---
src/shared/gatt-db.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/shared/gatt-db.c b/src/shared/gatt-db.c
index cd0eba6bf1d0..9045a53c6dfe 100644
--- a/src/shared/gatt-db.c
+++ b/src/shared/gatt-db.c
@@ -616,6 +616,7 @@ static struct gatt_db_service *gatt_db_service_create(const bt_uuid_t *uuid,
len = uuid_to_le(uuid, value);
+ /* coverity[overrun-buffer-arg] : FALSE */
service->attributes[0] = new_attribute(service, handle, type, value,
len);
if (!service->attributes[0]) {
@@ -980,6 +981,7 @@ service_insert_characteristic(struct gatt_db_service *service,
len += sizeof(uint16_t);
len += uuid_to_le(uuid, &value[3]);
+ /* coverity[overrun-buffer-arg] : FALSE */
service->attributes[i] = new_attribute(service, handle,
&characteristic_uuid,
value, len);
@@ -1007,8 +1009,11 @@ service_insert_characteristic(struct gatt_db_service *service,
/* Update handle of characteristic value_handle if it has changed */
put_le16(value_handle, &value[1]);
- if (memcmp((*chrc)->value, value, len))
+ /* coverity[overrun-buffer-arg] : FALSE */
+ if (memcmp((*chrc)->value, value, len)) {
+ /* coverity[overrun-buffer-arg] : FALSE */
memcpy((*chrc)->value, value, len);
+ }
set_attribute_data(service->attributes[i], read_func, write_func,
permissions, user_data);
--
2.45.2
From cddd78cb6d2a780b352e27ea5e7e44378f8a8ef4 Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Tue, 30 Jul 2024 15:27:49 +0200
Subject: [PATCH 8/8] shared/btsnoop: Work-around underflow case #01163329
It should be impossible to have toread underflow, as we check that it
has a value of at least 1 when decremented, and that we check for it
have a non-zero value before using it.
---
src/shared/btsnoop.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/shared/btsnoop.c b/src/shared/btsnoop.c
index bb0bccf0dd01..12f960ec353d 100644
--- a/src/shared/btsnoop.c
+++ b/src/shared/btsnoop.c
@@ -553,6 +553,7 @@ bool btsnoop_read_hci(struct btsnoop *btsnoop, struct timeval *tv,
btsnoop->aborted = true;
return false;
}
+ /* coverity[underflow] : FALSE */
toread--;
*index = 0;
--
2.45.2

6
gating.yaml Normal file
View File

@ -0,0 +1,6 @@
--- !Policy
product_versions:
- rhel-10
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}

5
rpminspect.yaml Normal file
View File

@ -0,0 +1,5 @@
---
badfuncs:
allowed:
/usr/bin/btmon:
- inet_addr

1
sources Normal file
View File

@ -0,0 +1 @@
SHA512 (bluez-5.77.tar.xz) = cf0faba4ddbfe6cc3c2d86cbd809483ed82327cbd7e4970ef53cf19053de7b355a505cab88844aebe7a6aa1947ec7a366250d3cbf48cf309db413d287289ff99

353
static-analysis-issues-6.patch Normal file
View File

@ -0,0 +1,353 @@
From bdf5fd2a0156e9070e1e55777b4a71033160fbf1 Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Wed, 17 Jul 2024 12:37:16 +0200
Subject: [PATCH 1/8] sdp: Ensure size doesn't overflow
Error: INTEGER_OVERFLOW (CWE-190): [#def1] [important]
bluez-5.77/lib/sdp.c:1685:2: tainted_data_argument: The check "sent < size" contains the tainted expression "sent" which causes "size" to be considered tainted.
bluez-5.77/lib/sdp.c:1686:3: overflow: The expression "size - sent" is deemed overflowed because at least one of its arguments has overflowed.
bluez-5.77/lib/sdp.c:1686:3: overflow_sink: "size - sent", which might have underflowed, is passed to "send(session->sock, buf + sent, size - sent, 0)".
1684|
1685| while (sent < size) {
1686|-> int n = send(session->sock, buf + sent, size - sent, 0);
1687| if (n < 0)
1688| return -1;
---
lib/sdp.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/sdp.c b/lib/sdp.c
index 411a95b8a7d3..8a15ad803db1 100644
--- a/lib/sdp.c
+++ b/lib/sdp.c
@@ -1678,13 +1678,13 @@ sdp_data_t *sdp_data_get(const sdp_record_t *rec, uint16_t attrId)
return NULL;
}
-static int sdp_send_req(sdp_session_t *session, uint8_t *buf, uint32_t size)
+static int sdp_send_req(sdp_session_t *session, uint8_t *buf, size_t size)
{
- uint32_t sent = 0;
+ size_t sent = 0;
while (sent < size) {
int n = send(session->sock, buf + sent, size - sent, 0);
- if (n < 0)
+ if (n < 0 || sent > SIZE_MAX - n)
return -1;
sent += n;
}
--
2.45.2
From 062c998fb5c407bc09d6124324b1bd393997bfee Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Thu, 18 Jul 2024 15:43:35 +0200
Subject: [PATCH 2/8] tools/isotest: Ensure ret doesn't overflow
Error: INTEGER_OVERFLOW (CWE-190): [#def20] [important]
bluez-5.77/tools/isotest.c:778:2: tainted_data_argument: The check "ret < count" contains the tainted expression "ret" which causes "count" to be considered tainted.
bluez-5.77/tools/isotest.c:779:3: overflow: The expression "count - ret" is deemed overflowed because at least one of its arguments has overflowed.
bluez-5.77/tools/isotest.c:779:3: overflow_sink: "count - ret", which might have underflowed, is passed to "read(fd, buf + ret, count - ret)". [Note: The source code implementation of the function has been overridden by a builtin model.]
777|
778| while (ret < count) {
779|-> len = read(fd, buf + ret, count - ret);
780| if (len < 0)
781| return -errno;
---
tools/isotest.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tools/isotest.c b/tools/isotest.c
index 2cac0e49cc39..0805faa66e47 100644
--- a/tools/isotest.c
+++ b/tools/isotest.c
@@ -779,6 +779,8 @@ static int read_stream(int fd, ssize_t count)
len = read(fd, buf + ret, count - ret);
if (len < 0)
return -errno;
+ if (len > SSIZE_MAX - ret)
+ return -EOVERFLOW;
ret += len;
usleep(1000);
--
2.45.2
From 122a888962765010162306f19fccf77333e1bc1b Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Thu, 18 Jul 2024 15:45:47 +0200
Subject: [PATCH 3/8] health: mcap: Ensure sent doesn't overflow
Error: INTEGER_OVERFLOW (CWE-190): [#def13] [important]
bluez-5.77/profiles/health/mcap.c:390:2: tainted_data_argument: The check "sent < size" contains the tainted expression "sent" which causes "size" to be considered tainted.
bluez-5.77/profiles/health/mcap.c:391:3: overflow: The expression "size - sent" is deemed overflowed because at least one of its arguments has overflowed.
bluez-5.77/profiles/health/mcap.c:391:3: overflow_sink: "size - sent", which might have underflowed, is passed to "write(sock, buf_b + sent, size - sent)".
389|
390| while (sent < size) {
391|-> int n = write(sock, buf_b + sent, size - sent);
392| if (n < 0)
393| return -1;
---
profiles/health/mcap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/profiles/health/mcap.c b/profiles/health/mcap.c
index 2e4214a6984f..b3bf403e74d2 100644
--- a/profiles/health/mcap.c
+++ b/profiles/health/mcap.c
@@ -389,7 +389,7 @@ int mcap_send_data(int sock, const void *buf, uint32_t size)
while (sent < size) {
int n = write(sock, buf_b + sent, size - sent);
- if (n < 0)
+ if (n < 0 || n > SSIZE_MAX - sent)
return -1;
sent += n;
}
--
2.45.2
From fce37c2100a043fce99fbe2e8c8171406b841fae Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Fri, 19 Jul 2024 11:26:45 +0200
Subject: [PATCH 4/8] shared/tester: Add early failure check
Add a similar assertion to the other tests to avoid passing negative len
to tester_monitor() which might result in crashes.
Error: OVERRUN (CWE-119): [#def13] [important]
bluez-5.77/src/shared/tester.c:946:2: return_constant: Function call "io_send(io, iov, 1)" may return -107.
bluez-5.77/src/shared/tester.c:946:2: assignment: Assigning: "len" = "io_send(io, iov, 1)". The value of "len" is now -107.
bluez-5.77/src/shared/tester.c:948:2: overrun-buffer-arg: Calling "tester_monitor" with "iov->iov_base" and "len" is suspicious because of the very large index, 18446744073709551509. The index may be due to a negative parameter being interpreted as unsigned.
946| len = io_send(io, iov, 1);
947|
948|-> tester_monitor('<', 0x0004, 0x0000, iov->iov_base, len);
949|
950| g_assert_cmpint(len, ==, iov->iov_len);
---
src/shared/tester.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/shared/tester.c b/src/shared/tester.c
index 56c8cba6f578..3053025d7945 100644
--- a/src/shared/tester.c
+++ b/src/shared/tester.c
@@ -945,6 +945,8 @@ static bool test_io_send(struct io *io, void *user_data)
len = io_send(io, iov, 1);
+ g_assert(len > 0);
+
tester_monitor('<', 0x0004, 0x0000, iov->iov_base, len);
g_assert_cmpint(len, ==, iov->iov_len);
--
2.45.2
From 5078e205d5892048cb1243ce2977dcf8eb0c02fc Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Mon, 29 Jul 2024 13:53:41 +0200
Subject: [PATCH 5/8] mesh: Fix possible integer overflow
Error: INTEGER_OVERFLOW (CWE-190): [#def1] [important]
bluez-5.77/mesh/net.c:3164:4: cast_overflow: Truncation due to cast operation on "msg->len - seg_off" from 32 to 8 bits.
bluez-5.77/mesh/net.c:3164:4: overflow_assign: "seg_len" is assigned from "msg->len - seg_off".
bluez-5.77/mesh/net.c:3178:2: overflow_sink: "seg_len", which might have overflowed, is passed to "mesh_crypto_packet_build(false, msg->ttl, seq_num, msg->src, msg->remote, 0, msg->segmented, msg->key_aid, msg->szmic, false, msg->seqZero, segO, segN, msg->buf + seg_off, seg_len, packet + 1, &packet_len)".
3176|
3177| /* TODO: Are we RXing on an LPN's behalf? Then set RLY bit */
3178|-> if (!mesh_crypto_packet_build(false, msg->ttl, seq_num, msg->src,
3179| msg->remote, 0, msg->segmented,
3180| msg->key_aid, msg->szmic, false,
X
---
mesh/net.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/mesh/net.c b/mesh/net.c
index 05ca48326fc5..ef6a3133859a 100644
--- a/mesh/net.c
+++ b/mesh/net.c
@@ -3149,13 +3149,22 @@ static bool send_seg(struct mesh_net *net, uint8_t cnt, uint16_t interval,
uint32_t seq_num;
if (msg->segmented) {
+ if (msg->len < seg_off) {
+ l_error("Failed to build packet");
+ return false;
+ }
/* Send each segment on unique seq_num */
seq_num = mesh_net_next_seq_num(net);
- if (msg->len - seg_off > SEG_OFF(1))
+ if (msg->len - seg_off > SEG_OFF(1)) {
seg_len = SEG_OFF(1);
- else
+ } else {
+ if (msg->len - seg_off > UINT8_MAX) {
+ l_error("Failed to build packet");
+ return false;
+ }
seg_len = msg->len - seg_off;
+ }
} else {
/* Send on same seq_num used for Access Layer */
seq_num = msg->seqAuth;
--
2.45.2
From c37f2cdd4b8fa66fc97d423c4c980865b4793ef2 Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Fri, 19 Jul 2024 14:27:54 +0200
Subject: [PATCH 6/8] shared/gatt-db: Fix possible buffer overrun
uuid_to_le() returns one of the possible values from bt_uuid_len().
bt_uuid_len() returns "type / 8".
type is a value between 0 and 128, but could be something else
depending on the validity of the UUID that's parsed. So an invalid
value of type between 128 and 256 would trigger an overrun.
Add a check to make sure that an invalid type isn't used to calculate
the length.
Error: OVERRUN (CWE-119): [#def6] [important]
bluez-5.77/src/shared/gatt-db.c:612:2: assignment: Assigning: "len" = "uuid_to_le(uuid, value)". The value of "len" is now between 0 and 31 (inclusive).
bluez-5.77/src/shared/gatt-db.c:614:2: overrun-buffer-arg: Overrunning array "value" of 16 bytes by passing it to a function which accesses it at byte offset 30 using argument "len" (which evaluates to 31).
612| len = uuid_to_le(uuid, value);
613|
614|-> service->attributes[0] = new_attribute(service, handle, type, value,
615| len);
616| if (!service->attributes[0]) {
---
src/shared/gatt-db.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/shared/gatt-db.c b/src/shared/gatt-db.c
index b35763410d17..cd0eba6bf1d0 100644
--- a/src/shared/gatt-db.c
+++ b/src/shared/gatt-db.c
@@ -560,9 +560,14 @@ static int uuid_to_le(const bt_uuid_t *uuid, uint8_t *dst)
return bt_uuid_len(uuid);
}
- bt_uuid_to_uuid128(uuid, &uuid128);
- bswap_128(&uuid128.value.u128, dst);
- return bt_uuid_len(&uuid128);
+ if (uuid->type == BT_UUID32 ||
+ uuid->type == BT_UUID128) {
+ bt_uuid_to_uuid128(uuid, &uuid128);
+ bswap_128(&uuid128.value.u128, dst);
+ return bt_uuid_len(&uuid128);
+ }
+
+ return 0;
}
static bool le_to_uuid(const uint8_t *src, size_t len, bt_uuid_t *uuid)
--
2.45.2
From b7cb9a4bc9b94ded15be812d1d444d0ace4a886d Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Fri, 19 Jul 2024 11:29:15 +0200
Subject: [PATCH 7/8] shared/btsnoop: Avoid underflowing toread variable
Error: INTEGER_OVERFLOW (CWE-190): [#def8] [important]
bluez-5.77/src/shared/btsnoop.c:556:3: underflow: The decrement operator on the unsigned variable "toread" might result in an underflow.
bluez-5.77/src/shared/btsnoop.c:572:2: overflow_sink: "toread", which might have underflowed, is passed to "read(btsnoop->fd, data, toread)". [Note: The source code implementation of the function has been overridden by a builtin model.]
570| }
571|
572|-> len = read(btsnoop->fd, data, toread);
573| if (len < 0) {
574| btsnoop->aborted = true;
---
src/shared/btsnoop.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/shared/btsnoop.c b/src/shared/btsnoop.c
index bc5f7fcbe84c..bb0bccf0dd01 100644
--- a/src/shared/btsnoop.c
+++ b/src/shared/btsnoop.c
@@ -530,7 +530,7 @@ bool btsnoop_read_hci(struct btsnoop *btsnoop, struct timeval *tv,
}
toread = be32toh(pkt.len);
- if (toread > BTSNOOP_MAX_PACKET_SIZE) {
+ if (toread > BTSNOOP_MAX_PACKET_SIZE || toread < 1) {
btsnoop->aborted = true;
return false;
}
@@ -569,6 +569,11 @@ bool btsnoop_read_hci(struct btsnoop *btsnoop, struct timeval *tv,
return false;
}
+ if (toread == 0) {
+ btsnoop->aborted = true;
+ return false;
+ }
+
len = read(btsnoop->fd, data, toread);
if (len < 0) {
btsnoop->aborted = true;
--
2.45.2
From 354babc88eb98970a9f59056b41854b0f0f87859 Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Fri, 19 Jul 2024 15:14:26 +0200
Subject: [PATCH 8/8] monitor: Check for possible integer underflow
Error: INTEGER_OVERFLOW (CWE-190): [#def4] [important]
bluez-5.77/monitor/control.c:1094:2: tainted_data_return: Called function "recv(data->fd, data->buf + data->offset, 1490UL - data->offset, MSG_DONTWAIT)", and a possible return value may be less than zero.
bluez-5.77/monitor/control.c:1094:2: assign: Assigning: "len" = "recv(data->fd, data->buf + data->offset, 1490UL - data->offset, MSG_DONTWAIT)".
bluez-5.77/monitor/control.c:1099:2: overflow: The expression "data->offset" is considered to have possibly overflowed.
bluez-5.77/monitor/control.c:1115:3: overflow: The expression "data->offset -= pktlen + 6" is deemed overflowed because at least one of its arguments has overflowed.
bluez-5.77/monitor/control.c:1118:4: overflow_sink: "data->offset", which might have underflowed, is passed to "memmove(data->buf, data->buf + 6 + pktlen, data->offset)". [Note: The source code implementation of the function has been overridden by a builtin model.]
1116|
1117| if (data->offset > 0)
1118|-> memmove(data->buf, data->buf + MGMT_HDR_SIZE + pktlen,
1119| data->offset);
1120| }
---
monitor/control.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/monitor/control.c b/monitor/control.c
index 009cf15209f0..62857b4b84de 100644
--- a/monitor/control.c
+++ b/monitor/control.c
@@ -18,6 +18,7 @@
#include <stdbool.h>
#include <stddef.h>
#include <errno.h>
+#include <limits.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
@@ -1091,9 +1092,14 @@ static void client_callback(int fd, uint32_t events, void *user_data)
return;
}
+ if (sizeof(data->buf) <= data->offset)
+ return;
+
len = recv(data->fd, data->buf + data->offset,
sizeof(data->buf) - data->offset, MSG_DONTWAIT);
- if (len < 0)
+ if (len < 0 ||
+ len > UINT16_MAX ||
+ UINT16_MAX - data->offset > len)
return;
data->offset += len;
--
2.45.2