From: Minjae Kim <flowergom@gmail.com>
To: openembedded-core@lists.openembedded.org
Cc: Minjae Kim <flowergom@gmail.com>
Subject: [dunfell][PATCH] bluez5: fix CVE-2021-3658
Date: Sat, 19 Mar 2022 23:40:52 +0100 [thread overview]
Message-ID: <20220319224052.43178-1-flowergom@gmail.com> (raw)
adapter incorrectly restores Discoverable state after powered down
Upstream-Status: Backport [https://github.com/bluez/bluez/commit/b497b5942a8beb8f89ca1c359c54ad67ec843055]
CVE: CVE-2021-3658
Signed-off-by:Minjae Kim <flowergom@gmail.com>
---
meta/recipes-connectivity/bluez5/bluez5.inc | 1 +
.../bluez5/bluez5/CVE-2021-3658.patch | 95 +++++++++++++++++++
2 files changed, 96 insertions(+)
create mode 100644 meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3658.patch
diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc
index 34796fdd20..7cf061dcf6 100644
--- a/meta/recipes-connectivity/bluez5/bluez5.inc
+++ b/meta/recipes-connectivity/bluez5/bluez5.inc
@@ -54,6 +54,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \
file://0001-test-gatt-Fix-hung-issue.patch \
file://CVE-2021-0129.patch \
file://CVE-2021-3588.patch \
+ file://CVE-2021-3658.patch \
"
S = "${WORKDIR}/bluez-${PV}"
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3658.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3658.patch
new file mode 100644
index 0000000000..1738ca13da
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3658.patch
@@ -0,0 +1,95 @@
+From b497b5942a8beb8f89ca1c359c54ad67ec843055 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Thu, 24 Jun 2021 16:32:04 -0700
+Subject: [PATCH] adapter: Fix storing discoverable setting
+
+discoverable setting shall only be store when changed via Discoverable
+property and not when discovery client set it as that be considered
+temporary just for the lifetime of the discovery.
+
+Upstream-Status: Backport [https://github.com/bluez/bluez/commit/b497b5942a8beb8f89ca1c359c54ad67ec843055]
+Signed-off-by:Minjae Kim <flowergom@gmail.com>
+---
+ src/adapter.c | 35 ++++++++++++++++++++++-------------
+ 1 file changed, 22 insertions(+), 13 deletions(-)
+
+diff --git a/src/adapter.c b/src/adapter.c
+index 12e4ff5c0..663b778e4 100644
+--- a/src/adapter.c
++++ b/src/adapter.c
+@@ -560,7 +560,11 @@ static void settings_changed(struct btd_adapter *adapter, uint32_t settings)
+ if (changed_mask & MGMT_SETTING_DISCOVERABLE) {
+ g_dbus_emit_property_changed(dbus_conn, adapter->path,
+ ADAPTER_INTERFACE, "Discoverable");
+- store_adapter_info(adapter);
++ /* Only persist discoverable setting if it was not set
++ * temporarily by discovery.
++ */
++ if (!adapter->discovery_discoverable)
++ store_adapter_info(adapter);
+ btd_adv_manager_refresh(adapter->adv_manager);
+ }
+
+@@ -2162,8 +2166,6 @@ static bool filters_equal(struct mgmt_cp_start_service_discovery *a,
+ static int update_discovery_filter(struct btd_adapter *adapter)
+ {
+ struct mgmt_cp_start_service_discovery *sd_cp;
+- GSList *l;
+-
+
+ DBG("");
+
+@@ -2173,17 +2175,24 @@ static int update_discovery_filter(struct btd_adapter *adapter)
+ return -ENOMEM;
+ }
+
+- for (l = adapter->discovery_list; l; l = g_slist_next(l)) {
+- struct discovery_client *client = l->data;
++ /* Only attempt to overwrite current discoverable setting when not
++ * discoverable.
++ */
++ if (!(adapter->current_settings & MGMT_OP_SET_DISCOVERABLE)) {
++ GSList *l;
+
+- if (!client->discovery_filter)
+- continue;
++ for (l = adapter->discovery_list; l; l = g_slist_next(l)) {
++ struct discovery_client *client = l->data;
+
+- if (client->discovery_filter->discoverable)
+- break;
+- }
++ if (!client->discovery_filter)
++ continue;
+
+- set_discovery_discoverable(adapter, l ? true : false);
++ if (client->discovery_filter->discoverable) {
++ set_discovery_discoverable(adapter, true);
++ break;
++ }
++ }
++ }
+
+ /*
+ * If filters are equal, then don't update scan, except for when
+@@ -2216,8 +2225,7 @@ static int discovery_stop(struct discovery_client *client)
+ return 0;
+ }
+
+- if (adapter->discovery_discoverable)
+- set_discovery_discoverable(adapter, false);
++ set_discovery_discoverable(adapter, false);
+
+ /*
+ * In the idle phase of a discovery, there is no need to stop it
+@@ -6913,6 +6921,7 @@ static void adapter_stop(struct btd_adapter *adapter)
+ g_free(adapter->current_discovery_filter);
+ adapter->current_discovery_filter = NULL;
+
++ set_discovery_discoverable(adapter, false);
+ adapter->discovering = false;
+
+ while (adapter->connections) {
+--
+2.25.1
+
--
2.25.1
reply other threads:[~2022-03-19 22:41 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220319224052.43178-1-flowergom@gmail.com \
--to=flowergom@gmail.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.