From patchwork Wed Sep 13 19:12:08 2017
X-Patchwork-Submitter: Ross Burton
X-Patchwork-Id: 112487
From: Ross Burton
To: openembedded-core@lists.openembedded.org
Date: Wed, 13 Sep 2017 20:12:08 +0100
Message-Id: <20170913191208.5379-1-ross.burton@intel.com>
Subject: [OE-core] [PATCH][pyro] bluez5: fix out-of-bounds access in SDP server (CVE-2017-1000250)

All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an information disclosure vulnerability which allows remote attackers to obtain sensitive information from the bluetoothd process memory. This vulnerability lies in the processing of SDP search attribute requests.
Signed-off-by: Ross Burton --- meta/recipes-connectivity/bluez5/bluez5.inc | 1 + .../bluez5/bluez5/cve-2017-1000250.patch | 34 ++++++++++++++++++++++ 2 files changed, 35 insertions(+) create mode 100644 meta/recipes-connectivity/bluez5/bluez5/cve-2017-1000250.patch -- 2.11.0 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc index ccb10aaad9a..882873a486e 100644 --- a/meta/recipes-connectivity/bluez5/bluez5.inc +++ b/meta/recipes-connectivity/bluez5/bluez5.inc @@ -24,6 +24,7 @@ SRC_URI = "\ file://run-ptest \ ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \ file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \ + file://cve-2017-1000250.patch \ " S = "${WORKDIR}/bluez-${PV}" diff --git a/meta/recipes-connectivity/bluez5/bluez5/cve-2017-1000250.patch b/meta/recipes-connectivity/bluez5/bluez5/cve-2017-1000250.patch new file mode 100644 index 00000000000..9fac961bcf6 --- /dev/null +++ b/meta/recipes-connectivity/bluez5/bluez5/cve-2017-1000250.patch 
@@ -0,0 +1,34 @@ +All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an +information disclosure vulnerability which allows remote attackers to obtain +sensitive information from the bluetoothd process memory. This vulnerability +lies in the processing of SDP search attribute requests. + +CVE: CVE-2017-1000250 +Upstream-Status: Backport +Signed-off-by: Ross Burton + +From 9e009647b14e810e06626dde7f1bb9ea3c375d09 Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz +Date: Wed, 13 Sep 2017 10:01:40 +0300 +Subject: sdp: Fix Out-of-bounds heap read in service_search_attr_req function + +Check if there is enough data to continue otherwise return an error. +--- + src/sdpd-request.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/sdpd-request.c b/src/sdpd-request.c +index 1eefdce..318d044 100644 +--- a/src/sdpd-request.c ++++ b/src/sdpd-request.c +@@ -917,7 +917,7 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf) + } else { + /* continuation State exists -> get from cache */ + sdp_buf_t *pCache = sdp_get_cached_rsp(cstate); +- if (pCache) { ++ if (pCache && cstate->cStateValue.maxBytesSent < pCache->data_size) { + uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent); + pResponse = pCache->data; + memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent); +-- +cgit v1.1
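Review bot: In the bluez5.inc hunk, the new patch file is named cve-2017-1000250.patch (lowercase) while the header inside it carries "CVE: CVE-2017-1000250"; naming the file CVE-2017-1000250.patch to match the tag keeps the fix discoverable by filename alongside the CVE: tag, which is the convention the rest of the header already follows. Otherwise the hunk is fine: the patch is added unconditionally to SRC_URI, which is right since the fix is not tied to any DISTRO_FEATURES option.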
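Review bot: In the src/sdpd-request.c hunk, the added condition `cstate->cStateValue.maxBytesSent < pCache->data_size` is the right guard: without it, a continuation state whose maxBytesSent has reached or passed data_size makes `pCache->data_size - cstate->cStateValue.maxBytesSent` go negative (or wrap, for unsigned operands), MIN then picks `max`, and the memcpy copies `max` bytes from beyond the cached response into the reply buffer, which is the over-read the subject line describes. The hunk's context stops before the matching else branch, though, so the "otherwise return an error" promised in the commit message cannot be confirmed from this diff; please extend the context (or confirm in the cover text) that the fallthrough for a stale or over-advanced continuation state returns an SDP error rather than sending an empty response with a continuation state attached, since that is what keeps a client from looping on the same request.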