From 268965a3ff29e5a92a60d2dcf398d9b20a551240 Mon Sep 17 00:00:00 2001
From: Don Zickus
Date: Sep 12 2017 14:22:25 +0000
Subject: sdpd heap fixes
Resolves: rhbz#1490911
---
diff --git a/0010-Out-of-bounds-heap-read-in-service_search_attr_req-f.patch b/0010-Out-of-bounds-heap-read-in-service_search_attr_req-f.patch
new file mode 100644
index 0000000..cb71522
--- /dev/null
+++ b/0010-Out-of-bounds-heap-read-in-service_search_attr_req-f.patch
@@ -0,0 +1,55 @@
+From 6821472c7509c54c5b1ef4744af8f6eab9be4aa7 Mon Sep 17 00:00:00 2001
+From: Fedora Bluez maintainers
+Date: Mon, 11 Sep 2017 11:19:18 -0400
+Subject: [PATCH] Out of bounds heap read in service_search_attr_req function
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When a long response is returned to a specific search attribute request, a
+continuation state is returned to allow reception of additional fragments, via
+additional requests that contain the last continuation state sent. However, the
+incoming “cstate” that requests additional fragments isn’t validated properly,
+and thus an out-of-bounds read of the response buffer (pResponse) can be
+achieved, leading to information disclosure of the heap.
+---
+ src/sdpd-request.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/src/sdpd-request.c b/src/sdpd-request.c
+index 1eefdce..ddeea7f 100644
+--- a/src/sdpd-request.c
++++ b/src/sdpd-request.c
+@@ -918,15 +918,20 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf)
+ /* continuation State exists -> get from cache */
+ sdp_buf_t *pCache = sdp_get_cached_rsp(cstate);
+ if (pCache) {
+- uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
+- pResponse = pCache->data;
+- memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
+- buf->data_size += sent;
+- cstate->cStateValue.maxBytesSent += sent;
+- if (cstate->cStateValue.maxBytesSent == pCache->data_size)
+- cstate_size = sdp_set_cstate_pdu(buf, NULL);
+- else
+- cstate_size = sdp_set_cstate_pdu(buf, cstate);
++ if (cstate->cStateValue.maxBytesSent >= pCache->data_size) {
++ status = SDP_INVALID_CSTATE;
++ SDPDBG("Got bad cstate with invalid size");
++ } else {
++ uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
++ pResponse = pCache->data;
++ memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
++ buf->data_size += sent;
++ cstate->cStateValue.maxBytesSent += sent;
++ if (cstate->cStateValue.maxBytesSent == pCache->data_size)
++ cstate_size = sdp_set_cstate_pdu(buf, NULL);
++ else
++ cstate_size = sdp_set_cstate_pdu(buf, cstate);
++ }
+ } else {
+ status = SDP_INVALID_CSTATE;
+ SDPDBG("Non-null continuation state, but null cache buffer");
+--
+2.13.5
+
diff --git a/bluez.spec b/bluez.spec
index 47ecc54..5cb233b 100644
--- a/bluez.spec
+++ b/bluez.spec
@@ -1,7 +1,7 @@
 Name: bluez
 Summary: Bluetooth utilities
 Version: 5.46
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPLv2+
 URL: http://www.bluez.org/
@@ -39,6 +39,8 @@ Patch107: 0007-plugins-sixaxis-Rename-sixaxis-specific-functions.patch
 Patch108: 0008-plugins-sixaxis-Add-support-for-DualShock-4-PS4-cabl.patch
 Patch109: 0009-plugins-sixaxis-Cancel-cable-pairing-if-unplugged.patch
+Patch110: 0010-Out-of-bounds-heap-read-in-service_search_attr_req-f.patch
+
 BuildRequires: git-core
 BuildRequires: dbus-devel >= 1.6
 BuildRequires: glib2-devel
@@ -265,6 +267,10 @@ install -D -p -m0755 %{SOURCE4} ${RPM_BUILD_ROOT}/%{_libexecdir}/bluetooth/
 %{_userunitdir}/obex.service
 %changelog
+* Mon Sep 11 2017 Don Zickus - 5.46-6
+- sdpd heap fixes
+Resolves: rhbz#1490911
+
 * Thu Sep 07 2017 Hans de Goede - 5.46-5
 - Add scripts to automatically btattach serial-port / uart connected Broadcom HCIs found on some Atom based x86 hardware
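Review bot: The new `maxBytesSent >= pCache->data_size` guard in the nested patch to service_search_attr_req is the right bound, but nothing at the check says why it is there, and from the code alone maxBytesSent reads like local bookkeeping rather than a value taken from the client's continuation state. I would put `/* maxBytesSent is taken from the client's continuation state; bound it before it is used as an offset into the cached response (rhbz#1490911) */` directly above the new `if`. The guard also rejects `maxBytesSent == data_size`, which is consistent with the fully-sent branch below handing back a NULL cstate, so a client has no legitimate continuation to resend once everything has been delivered. The cache-replay idiom here (MIN() against the remaining size, then memcpy from pCache->data at the client-supplied offset) may be repeated by other request handlers in src/sdpd-request.c; if it is, they need the same bound and this patch does not touch them. service_search_attr_req begins and ends outside the hunk.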