[morty] bluez5: fix out-of-bounds access in SDP server (CVE-2017-1000250)

Message ID 20170914122753.12713-1-ross.burton@intel.com
State New
Series
  • [morty] bluez5: fix out-of-bounds access in SDP server (CVE-2017-1000250)

Commit Message

Burton, Ross Sept. 14, 2017, 12:27 p.m.
All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an
information disclosure vulnerability which allows remote attackers to obtain
sensitive information from the bluetoothd process memory. This vulnerability
lies in the processing of SDP search attribute requests.

Signed-off-by: Ross Burton <ross.burton@intel.com>

---
 meta/recipes-connectivity/bluez5/bluez5.inc        |  1 +
 .../bluez5/bluez5/cve-2017-1000250.patch           | 34 ++++++++++++++++++++++
 2 files changed, 35 insertions(+)
 create mode 100644 meta/recipes-connectivity/bluez5/bluez5/cve-2017-1000250.patch

-- 
2.11.0

-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

Comments

Bruce Ashfield Sept. 14, 2017, 1:13 p.m. | #1
.. and if anyone notices, there's a kernel part to this CVE as well.

I've applied the fix to all the active linux-yocto kernels, and the change
will be part of my consolidated pull request that comes out later today.

Cheers,

Bruce

On Thu, Sep 14, 2017 at 8:27 AM, Ross Burton <ross.burton@intel.com> wrote:

> All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an
> information disclosure vulnerability which allows remote attackers to obtain
> sensitive information from the bluetoothd process memory. This vulnerability
> lies in the processing of SDP search attribute requests.
>
> Signed-off-by: Ross Burton <ross.burton@intel.com>

-- 
"Thou shalt not follow the NULL pointer, for chaos and madness await thee
at its end"
akuster808 Sept. 14, 2017, 7:26 p.m. | #2
Bruce,

On 09/14/2017 06:13 AM, Bruce Ashfield wrote:
> .. and if anyone notices, there's a kernel part to this CVE as well.
>
> I've applied the fix to all the active linux-yocto kernels, and the
> change will be part of my consolidated pull request that comes out
> later today.

thanks. I will merge with pyro and morty when they hit master.

- armin
akuster808 Sept. 20, 2017, 7:30 p.m. | #3
On 09/14/2017 05:27 AM, Ross Burton wrote:
> All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an
> information disclosure vulnerability which allows remote attackers to obtain
> sensitive information from the bluetoothd process memory. This vulnerability
> lies in the processing of SDP search attribute requests.

merged to staging.
thanks
- armin
Javier Viguera Oct. 6, 2017, 10:31 a.m. | #4
On 20/09/17 21:30, akuster808 wrote:
> merged to staging.
> thanks
> - armin


Hi Armin,

Do you plan to merge this into 'morty' soonish?

Some users of our BSP layer are asking about this vulnerability.

Thanks.

-- 
Javier Viguera
Software Engineer
akuster808 Oct. 6, 2017, 2:49 p.m. | #5
Javier,

On 10/06/2017 03:31 AM, Javier Viguera wrote:
> On 20/09/17 21:30, akuster808 wrote:
>>
>> merged to staging.
>> thanks
>> - armin
>
> Hi Armin,
>
> Do you plan to merge this into 'morty' soonish?

I hope to send a merge request shortly. We have been having build issues
with the series I put together that included this fix, causing some concern.
Build looks good now.

apologies for the delay.

regards,
Armin


Patch

diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc
index ecefb7b593e..3421c382063 100644
--- a/meta/recipes-connectivity/bluez5/bluez5.inc
+++ b/meta/recipes-connectivity/bluez5/bluez5.inc
@@ -23,6 +23,7 @@  SRC_URI = "\
     file://run-ptest \
     ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \
     file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \
+    file://cve-2017-1000250.patch \
 "
 S = "${WORKDIR}/bluez-${PV}"
 
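Review bot: the new `file://cve-2017-1000250.patch \` entry is appended unconditionally, after the systemd-gated obexd patch, which is correct for an SDP server fix that does not depend on DISTRO_FEATURES. Nothing else is needed in the .inc: the `CVE: CVE-2017-1000250` tag that identifies the fix lives in the header of the new patch file added by the second hunk, so that file, not this line, is what CVE tooling and reviewers will key on.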
diff --git a/meta/recipes-connectivity/bluez5/bluez5/cve-2017-1000250.patch b/meta/recipes-connectivity/bluez5/bluez5/cve-2017-1000250.patch
new file mode 100644
index 00000000000..9fac961bcf6
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/cve-2017-1000250.patch
@@ -0,0 +1,34 @@ 
+All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an
+information disclosure vulnerability which allows remote attackers to obtain
+sensitive information from the bluetoothd process memory. This vulnerability
+lies in the processing of SDP search attribute requests.
+
+CVE: CVE-2017-1000250
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 9e009647b14e810e06626dde7f1bb9ea3c375d09 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Wed, 13 Sep 2017 10:01:40 +0300
+Subject: sdp: Fix Out-of-bounds heap read in service_search_attr_req function
+
+Check if there is enough data to continue otherwise return an error.
+---
+ src/sdpd-request.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/sdpd-request.c b/src/sdpd-request.c
+index 1eefdce..318d044 100644
+--- a/src/sdpd-request.c
++++ b/src/sdpd-request.c
+@@ -917,7 +917,7 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf)
+ 	} else {
+ 		/* continuation State exists -> get from cache */
+ 		sdp_buf_t *pCache = sdp_get_cached_rsp(cstate);
+-		if (pCache) {
++		if (pCache && cstate->cStateValue.maxBytesSent < pCache->data_size) {
+ 			uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
+ 			pResponse = pCache->data;
+ 			memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
+-- 
+cgit v1.1
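Review bot: the condition change at `++ if (pCache && cstate->cStateValue.maxBytesSent < pCache->data_size) {` is the whole fix, so a backporter should confirm that the `else` branch of this `if` in the 5.46 tree (outside the three lines of trailing context) really returns an error status, because the commit message promises "otherwise return an error" while the hunk only changes the condition. The new bound is what makes the following two lines safe: without it `pCache->data_size - cstate->cStateValue.maxBytesSent` wraps when `maxBytesSent` exceeds the cached size, and clamping with `MIN(max, ...)` does not help, since `pResponse + cstate->cStateValue.maxBytesSent` already points past the cached response before `memcpy` copies `sent` bytes of whatever follows it into the reply buffer. Because `maxBytesSent` is taken from the continuation state the remote client hands back on the next request, checking it against `data_size` before it is used as an offset is the right place to reject a malformed request instead of trusting the offset. One documentation point: `Upstream-Status: Backport` carries no URL, but the `From 9e009647b14e810e06626dde7f1bb9ea3c375d09` line above the embedded diff identifies the upstream commit, which is enough to trace it.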