From patchwork Mon Mar 25 23:21:07 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 161140 Delivered-To: patch@linaro.org Received: by 2002:a02:c6d8:0:0:0:0:0 with SMTP id r24csp4541503jan; Mon, 25 Mar 2019 16:21:18 -0700 (PDT) X-Google-Smtp-Source: APXvYqxWT0kTMW1Z0njItTrImVEI63P+DHWP8n0vCxYspFWrn3neZ4HsNxJmRqKrIHjsRE1MHAvH X-Received: by 2002:a62:1795:: with SMTP id 143mr22815682pfx.104.1553556078094; Mon, 25 Mar 2019 16:21:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1553556078; cv=none; d=google.com; s=arc-20160816; b=hdYRL70dCQ5ESeDcSTZ6tXIBhclpTCuiprkxI3DyvHRNzoiE5D4XrWKh2MtA0n8DmS F5DQakRugNRqG2xbaigjJpKsQuLMg+iAcRZ1YnsGNGcg884loCzHr+FcwhvNhK5aCKqz 4S4vbGnObltekzcrRAwvEPUvYC8cmNHP/UOZr+MbRnvqMqAdTHqpf2cLxF5k6coq2nlx 0dHPN+i2oUMuVz8CQM4TO2qkDsc9HvPGzsU8Cy4+S21tmmRqxPbeZlv9YQ25g7vN5JrT NqbbujFbBNbBIRNbxbVhtXqhU4EokMz1hULhMhM2nAQ8uPDk6h704ZNI2iX2rCFgEKhY YL5Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:sender:content-transfer-encoding:mime-version :list-subscribe:list-help:list-post:list-archive:list-unsubscribe :list-id:precedence:subject:message-id:date:to:from:dkim-signature :delivered-to; bh=H3MFBUunBWbPDX8Tn9X/R1B88VcDA2wpaJ+LvXFhWMo=; b=W4mIQ/1PV1zztzdlMQDBXX1eQtMjwHZHK+xqxcNDk3HLUNlDF/oE6a3EnXsybpHJ3+ AfvfVeFJhXZi1EVW+HDcgbB1sq1+BNrSZqijxFwOX7OP0JarUKttyzpipPVy1QBqL/Ck ySzgCiiDeHCJ8w8k25P2C6KnxG/dwfR4ortkxfB/hDFBJnulZIDc+bTo/5Fdjr6OxONK Rj0C0s2tapsXAzX/dVJBvAkqOvJib9Z5dI84q4o6MdQi09tbGyVBvzY2Ae/pv/dydwh7 8aBizO2xLldeG6YG8JolTHSL7JaCnu8p2gZE0npaV6xdCHovExuOJRcKtXgefl9fy2cX mOag== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@intel-com.20150623.gappssmtp.com header.s=20150623 header.b=oZMyehHx; spf=pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) smtp.mailfrom=openembedded-core-bounces@lists.openembedded.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from mail.openembedded.org (mail.openembedded.org. [140.211.169.62]) by mx.google.com with ESMTP id i6si11373018pgj.329.2019.03.25.16.21.17; Mon, 25 Mar 2019 16:21:18 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) client-ip=140.211.169.62; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@intel-com.20150623.gappssmtp.com header.s=20150623 header.b=oZMyehHx; spf=pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) smtp.mailfrom=openembedded-core-bounces@lists.openembedded.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: from ec2-34-214-78-129.us-west-2.compute.amazonaws.com (localhost [127.0.0.1]) by mail.openembedded.org (Postfix) with ESMTP id 6B8D97D0FF; Mon, 25 Mar 2019 23:21:14 +0000 (UTC) X-Original-To: openembedded-core@lists.openembedded.org Delivered-To: openembedded-core@lists.openembedded.org Received: from mail-wm1-f44.google.com (mail-wm1-f44.google.com [209.85.128.44]) by mail.openembedded.org (Postfix) with ESMTP id 1BC147D0D1 for ; Mon, 25 Mar 2019 23:21:11 +0000 (UTC) Received: by mail-wm1-f44.google.com with SMTP id 4so10698198wmf.1 for ; Mon, 25 Mar 2019 16:21:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel-com.20150623.gappssmtp.com; s=20150623; h=from:to:subject:date:message-id; bh=eKeyc6IOqN3gFtT2ZcCaFlFKdQ5ICoXt0nUBlO4wcs4=; b=oZMyehHxGBYID1Kgs35GzMELrqf66fUa70BcE5NnGVljQXtCtWktI6S1g01PRP7183 QEkWESSlEBonML9Zj0p6J/5KOsdpbHIzZT5TxCkFyKclAZDEzLjLEdzMErufsvdfmiY+ d2pm7X3EYgFXfs6/bREkH6Y8xbWej3qlbi6wfFqwWeZkJQwkx5zkJogs2GX4gCIu9Ncf AwyNo8rjj7eZ8pwW2qmB0jwhs9tZOHbaHtm4YMuEd2kdiagTPNcVZZPLVFwvDxFLd5yZ UikddYb8ITZUeJkJyXM2jsvPd3vPSaM13ENH0f9LBnqhsT7aNixKkxp/zUfxsWALTrAN 7VeQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id; bh=eKeyc6IOqN3gFtT2ZcCaFlFKdQ5ICoXt0nUBlO4wcs4=; b=M2OPdFJk1FmgTik++InjS8Rc/lJVV5mXpN44EBTKbkdRAYFMrNaQYOFQA9cJBvDLZY KEaWO3/ZJDf5elds3ztwW+WRLbd1de+85tmJXv1Ah/qBTebNZCGb00ChTyyQgqDE692m y2Y5RI1kWRRCPFm2w4/zthozaque6SIzRrmK/ZGm3IXYT44M3hFleWc9wzPI2VPaqN7+ JLSVJzBoyTLG+ghzq38RzWL7+ljVuchO/w7KWI9GIx8GBcxctR08nATDt+Yl1YwC6fMv /MeWKyggvrePN6FiWMdVcwVS8NopMMxna3Wz/THQkxXeo1XcHL+4MY+Cw91sXSPBhgmb TB+g== X-Gm-Message-State: APjAAAXOefogBc9nUdxlmvPNJg6IzpPkERVi2Xsm/sHWpiXxtTzxka3N Tebc+tKTS2x1aio4Wf+eLo09x/ZCuck= X-Received: by 2002:a1c:6042:: with SMTP id u63mr13046705wmb.92.1553556072093; Mon, 25 Mar 2019 16:21:12 -0700 (PDT) Received: from flashheart.burtonini.com (35.106.2.81.in-addr.arpa. [81.2.106.35]) by smtp.gmail.com with ESMTPSA id o2sm10795461wrs.89.2019.03.25.16.21.10 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 25 Mar 2019 16:21:11 -0700 (PDT) From: Ross Burton To: openembedded-core@lists.openembedded.org Date: Mon, 25 Mar 2019 23:21:07 +0000 Message-Id: <20190325232108.10002-1-ross.burton@intel.com> X-Mailer: git-send-email 2.11.0 Subject: [OE-core] [PATCH 1/2] bluez5: fix CVE-2018-10910 X-BeenThere: openembedded-core@lists.openembedded.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Patches and discussions about the oe-core layer List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: openembedded-core-bounces@lists.openembedded.org Errors-To: openembedded-core-bounces@lists.openembedded.org Fix this CVE (Bluetooth discoverability may be enabled with no agents to handle requests) by backporting a number of patches from upstream. Signed-off-by: Ross Burton --- meta/recipes-connectivity/bluez5/bluez5.inc | 1 + .../bluez5/bluez5/CVE-2018-10910.patch | 705 +++++++++++++++++++++ 2 files changed, 706 insertions(+) create mode 100644 meta/recipes-connectivity/bluez5/bluez5/CVE-2018-10910.patch -- 2.11.0 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc index 6d62f524591..aaf2af975d0 100644 --- a/meta/recipes-connectivity/bluez5/bluez5.inc +++ b/meta/recipes-connectivity/bluez5/bluez5.inc @@ -53,6 +53,7 @@ SRC_URI = "\ file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \ file://0001-test-gatt-Fix-hung-issue.patch \ file://0001-Makefile.am-Fix-a-race-issue-for-tools.patch \ + file://CVE-2018-10910.patch \ " S = "${WORKDIR}/bluez-${PV}" diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2018-10910.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2018-10910.patch new file mode 100644 index 00000000000..b4b1846c45b --- /dev/null +++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2018-10910.patch @@ -0,0 +1,705 @@ +A bug in Bluez may allow for the Bluetooth Discoverable state being set to on +when no Bluetooth agent is registered with the system. This situation could +lead to the unauthorized pairing of certain Bluetooth devices without any +form of authentication. + +CVE: CVE-2018-10910 +Upstream-Status: Backport +Signed-off-by: Ross Burton + +Subject: [PATCH BlueZ 1/4] client: Add discoverable-timeout command +From: Luiz Augusto von Dentz +Date: 2018-07-25 10:20:32 +Message-ID: 20180725102035.19439-1-luiz.dentz () gmail ! com +[Download RAW message or body] + +From: Luiz Augusto von Dentz + +This adds discoverable-timeout command which can be used to get/set +DiscoverableTimeout property: + +[bluetooth]# discoverable-timeout 180 +Changing discoverable-timeout 180 succeeded +--- + client/main.c | 43 +++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 43 insertions(+) + +diff --git a/client/main.c b/client/main.c +index 87323d8f7..59820c6d9 100644 +--- a/client/main.c ++++ b/client/main.c +@@ -1061,6 +1061,47 @@ static void cmd_discoverable(int argc, char *argv[]) + return bt_shell_noninteractive_quit(EXIT_FAILURE); + } + ++static void cmd_discoverable_timeout(int argc, char *argv[]) ++{ ++ uint32_t value; ++ char *endptr = NULL; ++ char *str; ++ ++ if (argc < 2) { ++ DBusMessageIter iter; ++ ++ if (!g_dbus_proxy_get_property(default_ctrl->proxy, ++ "DiscoverableTimeout", &iter)) { ++ bt_shell_printf("Unable to get DiscoverableTimeout\n"); ++ return bt_shell_noninteractive_quit(EXIT_FAILURE); ++ } ++ ++ dbus_message_iter_get_basic(&iter, &value); ++ ++ bt_shell_printf("DiscoverableTimeout: %d seconds\n", value); ++ ++ return; ++ } ++ ++ value = strtol(argv[1], &endptr, 0); ++ if (!endptr || *endptr != '\0' || value > UINT32_MAX) { ++ bt_shell_printf("Invalid argument\n"); ++ return bt_shell_noninteractive_quit(EXIT_FAILURE); ++ } ++ ++ str = g_strdup_printf("discoverable-timeout %d", value); ++ ++ if (g_dbus_proxy_set_property_basic(default_ctrl->proxy, ++ "DiscoverableTimeout", ++ DBUS_TYPE_UINT32, &value, ++ generic_callback, str, g_free)) ++ return; ++ ++ g_free(str); ++ ++ return bt_shell_noninteractive_quit(EXIT_FAILURE); ++} ++ + static void cmd_agent(int argc, char *argv[]) + { + dbus_bool_t enable; +@@ -2549,6 +2590,8 @@ static const struct bt_shell_menu main_menu = { + { "discoverable", "", cmd_discoverable, + "Set controller discoverable mode", + NULL }, ++ { "discoverable-timeout", "[value]", cmd_discoverable_timeout, ++ "Set discoverable timeout", NULL }, + { "agent", "", cmd_agent, + "Enable/disable agent with given capability", + capability_generator}, +-- +2.17.1 + +Subject: [PATCH BlueZ 2/4] client: Make show command print DiscoverableTimeout +From: Luiz Augusto von Dentz +Date: 2018-07-25 10:20:33 +Message-ID: 20180725102035.19439-2-luiz.dentz () gmail ! com +[Download RAW message or body] + +From: Luiz Augusto von Dentz + +Controller XX:XX:XX:XX:XX:XX (public) + Name: Vudentz's T460s + Alias: Intel-1 + Class: 0x004c010c + Powered: yes + Discoverable: no + DiscoverableTimeout: 0x00000000 + Pairable: yes + UUID: Headset AG (00001112-0000-1000-8000-00805f9b34fb) + UUID: Generic Attribute Profile (00001801-0000-1000-8000-00805f9b34fb) + UUID: A/V Remote Control (0000110e-0000-1000-8000-00805f9b34fb) + UUID: SIM Access (0000112d-0000-1000-8000-00805f9b34fb) + UUID: Generic Access Profile (00001800-0000-1000-8000-00805f9b34fb) + UUID: PnP Information (00001200-0000-1000-8000-00805f9b34fb) + UUID: A/V Remote Control Target (0000110c-0000-1000-8000-00805f9b34fb) + UUID: Audio Source (0000110a-0000-1000-8000-00805f9b34fb) + UUID: Audio Sink (0000110b-0000-1000-8000-00805f9b34fb) + UUID: Headset (00001108-0000-1000-8000-00805f9b34fb) + Modalias: usb:v1D6Bp0246d0532 + Discovering: no +--- + client/main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/client/main.c b/client/main.c +index 59820c6d9..6f472d050 100644 +--- a/client/main.c ++++ b/client/main.c +@@ -877,6 +877,7 @@ static void cmd_show(int argc, char *argv[]) + print_property(proxy, "Class"); + print_property(proxy, "Powered"); + print_property(proxy, "Discoverable"); ++ print_property(proxy, "DiscoverableTimeout"); + print_property(proxy, "Pairable"); + print_uuids(proxy); + print_property(proxy, "Modalias"); +-- +2.17.1 +Subject: [PATCH BlueZ 3/4] adapter: Track pending settings +From: Luiz Augusto von Dentz +Date: 2018-07-25 10:20:34 +Message-ID: 20180725102035.19439-3-luiz.dentz () gmail ! com +[Download RAW message or body] + +From: Luiz Augusto von Dentz + +This tracks settings being changed and in case the settings is already +pending considered it to be done. +--- + src/adapter.c | 30 ++++++++++++++++++++++++++++-- + 1 file changed, 28 insertions(+), 2 deletions(-) + +diff --git a/src/adapter.c b/src/adapter.c +index af340fd6e..20c20f9e9 100644 +--- a/src/adapter.c ++++ b/src/adapter.c +@@ -196,6 +196,7 @@ struct btd_adapter { + char *name; /* controller device name */ + char *short_name; /* controller short name */ + uint32_t supported_settings; /* controller supported settings */ ++ uint32_t pending_settings; /* pending controller settings */ + uint32_t current_settings; /* current controller settings */ + + char *path; /* adapter object path */ +@@ -509,8 +510,10 @@ static void settings_changed(struct btd_adapter *adapter, uint32_t settings) + changed_mask = adapter->current_settings ^ settings; + + adapter->current_settings = settings; ++ adapter->pending_settings &= ~changed_mask; + + DBG("Changed settings: 0x%08x", changed_mask); ++ DBG("Pending settings: 0x%08x", adapter->pending_settings); + + if (changed_mask & MGMT_SETTING_POWERED) { + g_dbus_emit_property_changed(dbus_conn, adapter->path, +@@ -596,10 +599,31 @@ static bool set_mode(struct btd_adapter *adapter, uint16_t opcode, + uint8_t mode) + { + struct mgmt_mode cp; ++ uint32_t setting = 0; + + memset(&cp, 0, sizeof(cp)); + cp.val = mode; + ++ switch (mode) { ++ case MGMT_OP_SET_POWERED: ++ setting = MGMT_SETTING_POWERED; ++ break; ++ case MGMT_OP_SET_CONNECTABLE: ++ setting = MGMT_SETTING_CONNECTABLE; ++ break; ++ case MGMT_OP_SET_FAST_CONNECTABLE: ++ setting = MGMT_SETTING_FAST_CONNECTABLE; ++ break; ++ case MGMT_OP_SET_DISCOVERABLE: ++ setting = MGMT_SETTING_DISCOVERABLE; ++ break; ++ case MGMT_OP_SET_BONDABLE: ++ setting = MGMT_SETTING_DISCOVERABLE; ++ break; ++ } ++ ++ adapter->pending_settings |= setting; ++ + DBG("sending set mode command for index %u", adapter->dev_id); + + if (mgmt_send(adapter->mgmt, opcode, +@@ -2739,13 +2763,15 @@ static void property_set_mode(struct btd_adapter *adapter, uint32_t setting, + else + current_enable = FALSE; + +- if (enable == current_enable) { ++ if (enable == current_enable || adapter->pending_settings & setting) { + g_dbus_pending_property_success(id); + return; + } + + mode = (enable == TRUE) ? 0x01 : 0x00; + ++ adapter->pending_settings |= setting; ++ + switch (setting) { + case MGMT_SETTING_POWERED: + opcode = MGMT_OP_SET_POWERED; +@@ -2798,7 +2824,7 @@ static void property_set_mode(struct btd_adapter *adapter, uint32_t setting, + data->id = id; + + if (mgmt_send(adapter->mgmt, opcode, adapter->dev_id, len, param, +- property_set_mode_complete, data, g_free) > 0) ++ property_set_mode_complete, data, g_free) > 0) + return; + + g_free(data); +-- +2.17.1 +Subject: [PATCH BlueZ 4/4] adapter: Check pending when setting DiscoverableTimeout +From: Luiz Augusto von Dentz +Date: 2018-07-25 10:20:35 +Message-ID: 20180725102035.19439-4-luiz.dentz () gmail ! com +[Download RAW message or body] + +From: Luiz Augusto von Dentz + +This makes DiscoverableTimeout check if discoverable is already pending +and don't attempt to set it once again which may cause discoverable to +be re-enabled when in fact the application just want to set the timeout +alone. +--- + src/adapter.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/src/adapter.c b/src/adapter.c +index 20c20f9e9..f92c897c7 100644 +--- a/src/adapter.c ++++ b/src/adapter.c +@@ -2901,6 +2901,7 @@ static void property_set_discoverable_timeout( + GDBusPendingPropertySet id, void *user_data) + { + struct btd_adapter *adapter = user_data; ++ bool enabled; + dbus_uint32_t value; + + dbus_message_iter_get_basic(iter, &value); +@@ -2914,8 +2915,19 @@ static void property_set_discoverable_timeout( + g_dbus_emit_property_changed(dbus_conn, adapter->path, + ADAPTER_INTERFACE, "DiscoverableTimeout"); + ++ if (adapter->pending_settings & MGMT_SETTING_DISCOVERABLE) { ++ if (adapter->current_settings & MGMT_SETTING_DISCOVERABLE) ++ enabled = false; ++ else ++ enabled = true; ++ } else { ++ if (adapter->current_settings & MGMT_SETTING_DISCOVERABLE) ++ enabled = true; ++ else ++ enabled = false; ++ } + +- if (adapter->current_settings & MGMT_SETTING_DISCOVERABLE) ++ if (enabled) + set_discoverable(adapter, 0x01, adapter->discoverable_timeout); + } + +-- +2.17.1 +Subject: [PATCH BlueZ 1/5] doc/adapter-api: Add Discoverable option to SetDiscoveryFilter +From: Luiz Augusto von Dentz +Date: 2018-07-26 14:17:19 +Message-ID: 20180726141723.20199-1-luiz.dentz () gmail ! com +[Download RAW message or body] + +From: Luiz Augusto von Dentz + +This enables the client to set its discoverable setting while +discovering which is very typical situation as usually the setings +application would allow incoming pairing request while scanning, so +this would reduce the number of calls setting Discoverable and +DiscoverableTimeout and restoring after done with discovery. +--- + doc/adapter-api.txt | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/doc/adapter-api.txt b/doc/adapter-api.txt +index d14d0ca50..4791af2c7 100644 +--- a/doc/adapter-api.txt ++++ b/doc/adapter-api.txt +@@ -113,6 +113,12 @@ Methods void StartDiscovery() + generated for either ManufacturerData and + ServiceData everytime they are discovered. + ++ bool Discoverable (Default: false) ++ ++ Make adapter discoverable while discovering, ++ if the adapter is already discoverable this ++ setting this filter won't do anything. ++ + When discovery filter is set, Device objects will be + created as new devices with matching criteria are + discovered regardless of they are connectable or +-- +2.17.1 +Subject: [PATCH BlueZ 2/5] adapter: Discovery filter discoverable +From: Luiz Augusto von Dentz +Date: 2018-07-26 14:17:20 +Message-ID: 20180726141723.20199-2-luiz.dentz () gmail ! com +[Download RAW message or body] + +From: Luiz Augusto von Dentz + +This implements the discovery filter discoverable and tracks which +clients had enabled it and restores the settings when the last client +enabling it exits. +--- + src/adapter.c | 56 +++++++++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 54 insertions(+), 2 deletions(-) + +diff --git a/src/adapter.c b/src/adapter.c +index f92c897c7..bd9edddc6 100644 +--- a/src/adapter.c ++++ b/src/adapter.c +@@ -157,6 +157,7 @@ struct discovery_filter { + int16_t rssi; + GSList *uuids; + bool duplicate; ++ bool discoverable; + }; + + struct watch_client { +@@ -214,6 +215,7 @@ struct btd_adapter { + + bool discovering; /* discovering property state */ + bool filtered_discovery; /* we are doing filtered discovery */ ++ bool filtered_discoverable; /* we are doing filtered discovery */ + bool no_scan_restart_delay; /* when this flag is set, restart scan + * without delay */ + uint8_t discovery_type; /* current active discovery type */ +@@ -1842,6 +1844,16 @@ static void discovery_free(void *user_data) + g_free(client); + } + ++static bool set_filtered_discoverable(struct btd_adapter *adapter, bool enable) ++{ ++ if (adapter->filtered_discoverable == enable) ++ return true; ++ ++ adapter->filtered_discoverable = enable; ++ ++ return set_discoverable(adapter, enable, 0); ++} ++ + static void discovery_remove(struct watch_client *client) + { + struct btd_adapter *adapter = client->adapter; +@@ -1854,6 +1866,22 @@ static void discovery_remove(struct watch_client *client) + adapter->discovery_list = g_slist_remove(adapter->discovery_list, + client); + ++ if (adapter->filtered_discoverable && ++ client->discovery_filter->discoverable) { ++ GSList *l; ++ ++ for (l = adapter->discovery_list; l; l = g_slist_next(l)) { ++ struct watch_client *client = l->data; ++ ++ if (client->discovery_filter->discoverable) ++ break; ++ } ++ ++ /* Disable filtered discoverable if there are no clients */ ++ if (!l) ++ set_filtered_discoverable(adapter, false); ++ } ++ + discovery_free(client); + + /* +@@ -2224,6 +2252,15 @@ static DBusMessage *start_discovery(DBusConnection *conn, + adapter->set_filter_list, client); + adapter->discovery_list = g_slist_prepend( + adapter->discovery_list, client); ++ ++ /* Reset discoverable filter if already set */ ++ if (adapter->current_settings & MGMT_OP_SET_DISCOVERABLE) ++ goto done; ++ ++ /* Set discoverable if filter requires and it*/ ++ if (client->discovery_filter->discoverable) ++ set_filtered_discoverable(adapter, true); ++ + goto done; + } + +@@ -2348,6 +2385,17 @@ static bool parse_duplicate_data(DBusMessageIter *value, + return true; + } + ++static bool parse_discoverable(DBusMessageIter *value, ++ struct discovery_filter *filter) ++{ ++ if (dbus_message_iter_get_arg_type(value) != DBUS_TYPE_BOOLEAN) ++ return false; ++ ++ dbus_message_iter_get_basic(value, &filter->discoverable); ++ ++ return true; ++} ++ + struct filter_parser { + const char *name; + bool (*func)(DBusMessageIter *iter, struct discovery_filter *filter); +@@ -2357,6 +2405,7 @@ struct filter_parser { + { "Pathloss", parse_pathloss }, + { "Transport", parse_transport }, + { "DuplicateData", parse_duplicate_data }, ++ { "Discoverable", parse_discoverable }, + { } + }; + +@@ -2396,6 +2445,7 @@ static bool parse_discovery_filter_dict(struct btd_adapter *adapter, + (*filter)->rssi = DISTANCE_VAL_INVALID; + (*filter)->type = get_scan_type(adapter); + (*filter)->duplicate = false; ++ (*filter)->discoverable = false; + + dbus_message_iter_init(msg, &iter); + if (dbus_message_iter_get_arg_type(&iter) != DBUS_TYPE_ARRAY || +@@ -2441,8 +2491,10 @@ static bool parse_discovery_filter_dict(struct btd_adapter *adapter, + goto invalid_args; + + DBG("filtered discovery params: transport: %d rssi: %d pathloss: %d " +- " duplicate data: %s ", (*filter)->type, (*filter)->rssi, +- (*filter)->pathloss, (*filter)->duplicate ? "true" : "false"); ++ " duplicate data: %s discoverable %s", (*filter)->type, ++ (*filter)->rssi, (*filter)->pathloss, ++ (*filter)->duplicate ? "true" : "false", ++ (*filter)->discoverable ? "true" : "false"); + + return true; + +-- +2.17.1 +Subject: [PATCH BlueZ 3/5] client: Add scan.discoverable command +From: Luiz Augusto von Dentz +Date: 2018-07-26 14:17:21 +Message-ID: 20180726141723.20199-3-luiz.dentz () gmail ! com +[Download RAW message or body] + +From: Luiz Augusto von Dentz + +This adds discoverable command to scan menu which can be used to set +if adapter should become discoverable while scanning: + +[bluetooth]# scan.discoverable on +[bluetooth]# scan on +SetDiscoveryFilter success +[CHG] Controller XX:XX:XX:XX:XX:XX Discoverable: yes +Discovery started +[CHG] Controller XX:XX:XX:XX:XX:XX Discovering: yes +[bluetooth]# scan off +Discovery stopped +[CHG] Controller XX:XX:XX:XX:XX:XX Discoverable: no +--- + client/main.c | 29 +++++++++++++++++++++++++++++ + 1 file changed, 29 insertions(+) + +diff --git a/client/main.c b/client/main.c +index 6f472d050..6e6f6d2fb 100644 +--- a/client/main.c ++++ b/client/main.c +@@ -1166,6 +1166,7 @@ static struct set_discovery_filter_args { + char **uuids; + size_t uuids_len; + dbus_bool_t duplicate; ++ dbus_bool_t discoverable; + bool set; + } filter = { + .rssi = DISTANCE_VAL_INVALID, +@@ -1205,6 +1206,11 @@ static void set_discovery_filter_setup(DBusMessageIter *iter, void *user_data) + DBUS_TYPE_BOOLEAN, + &args->duplicate); + ++ if (args->discoverable) ++ g_dbus_dict_append_entry(&dict, "Discoverable", ++ DBUS_TYPE_BOOLEAN, ++ &args->discoverable); ++ + dbus_message_iter_close_container(iter, &dict); + } + +@@ -1362,6 +1368,26 @@ static void cmd_scan_filter_duplicate_data(int argc, char *argv[]) + filter.set = false; + } + ++static void cmd_scan_filter_discoverable(int argc, char *argv[]) ++{ ++ if (argc < 2 || !strlen(argv[1])) { ++ bt_shell_printf("Discoverable: %s\n", ++ filter.discoverable ? "on" : "off"); ++ return bt_shell_noninteractive_quit(EXIT_SUCCESS); ++ } ++ ++ if (!strcmp(argv[1], "on")) ++ filter.discoverable = true; ++ else if (!strcmp(argv[1], "off")) ++ filter.discoverable = false; ++ else { ++ bt_shell_printf("Invalid option: %s\n", argv[1]); ++ return bt_shell_noninteractive_quit(EXIT_FAILURE); ++ } ++ ++ filter.set = false; ++} ++ + static void filter_clear_uuids(void) + { + g_strfreev(filter.uuids); +@@ -2510,6 +2536,9 @@ static const struct bt_shell_menu scan_menu = { + { "duplicate-data", "[on/off]", cmd_scan_filter_duplicate_data, + "Set/Get duplicate data filter", + NULL }, ++ { "discoverable", "[on/off]", cmd_scan_filter_discoverable, ++ "Set/Get discoverable filter", ++ NULL }, + { "clear", "[uuids/rssi/pathloss/transport/duplicate-data]", + cmd_scan_filter_clear, + "Clears discovery filter.", +-- +2.17.1 +Subject: [PATCH BlueZ 4/5] client: Add scan.clear discoverable +From: Luiz Augusto von Dentz +Date: 2018-07-26 14:17:22 +Message-ID: 20180726141723.20199-4-luiz.dentz () gmail ! com +[Download RAW message or body] + +From: Luiz Augusto von Dentz + +This implements scan.clear for discoverable filter. +--- + client/main.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/client/main.c b/client/main.c +index 6e6f6d2fb..1a66a3ab4 100644 +--- a/client/main.c ++++ b/client/main.c +@@ -1416,6 +1416,11 @@ static void filter_clear_duplicate(void) + filter.duplicate = false; + } + ++static void filter_clear_discoverable(void) ++{ ++ filter.discoverable = false; ++} ++ + struct clear_entry { + const char *name; + void (*clear) (void); +@@ -1427,6 +1432,7 @@ static const struct clear_entry filter_clear[] = { + { "pathloss", filter_clear_pathloss }, + { "transport", filter_clear_transport }, + { "duplicate-data", filter_clear_duplicate }, ++ { "discoverable", filter_clear_discoverable }, + {} + }; + +@@ -2539,7 +2545,8 @@ static const struct bt_shell_menu scan_menu = { + { "discoverable", "[on/off]", cmd_scan_filter_discoverable, + "Set/Get discoverable filter", + NULL }, +- { "clear", "[uuids/rssi/pathloss/transport/duplicate-data]", ++ { "clear", ++ "[uuids/rssi/pathloss/transport/duplicate-data/discoverable]", + cmd_scan_filter_clear, + "Clears discovery filter.", + filter_clear_generator }, +-- +2.17.1 +Subject: [PATCH BlueZ 5/5] adapter: Fix not keeping discovery filters +From: Luiz Augusto von Dentz +Date: 2018-07-26 14:17:23 +Message-ID: 20180726141723.20199-5-luiz.dentz () gmail ! com +[Download RAW message or body] + +From: Luiz Augusto von Dentz + +If the discovery has been stopped and the client has set filters those +should be put back into filter list since the client may still be +interested in using them the next time it start a scanning. +--- + src/adapter.c | 25 ++++++++++++++++--------- + 1 file changed, 16 insertions(+), 9 deletions(-) + +diff --git a/src/adapter.c b/src/adapter.c +index bd9edddc6..822bd3472 100644 +--- a/src/adapter.c ++++ b/src/adapter.c +@@ -1854,7 +1854,7 @@ static bool set_filtered_discoverable(struct btd_adapter *adapter, bool enable) + return set_discoverable(adapter, enable, 0); + } + +-static void discovery_remove(struct watch_client *client) ++static void discovery_remove(struct watch_client *client, bool exit) + { + struct btd_adapter *adapter = client->adapter; + +@@ -1882,7 +1882,11 @@ static void discovery_remove(struct watch_client *client) + set_filtered_discoverable(adapter, false); + } + +- discovery_free(client); ++ if (!exit && client->discovery_filter) ++ adapter->set_filter_list = g_slist_prepend( ++ adapter->set_filter_list, client); ++ else ++ discovery_free(client); + + /* + * If there are other client discoveries in progress, then leave +@@ -1911,8 +1915,11 @@ static void stop_discovery_complete(uint8_t status, uint16_t length, + goto done; + } + +- if (client->msg) ++ if (client->msg) { + g_dbus_send_reply(dbus_conn, client->msg, DBUS_TYPE_INVALID); ++ dbus_message_unref(client->msg); ++ client->msg = NULL; ++ } + + adapter->discovery_type = 0x00; + adapter->discovery_enable = 0x00; +@@ -1925,7 +1932,7 @@ static void stop_discovery_complete(uint8_t status, uint16_t length, + trigger_passive_scanning(adapter); + + done: +- discovery_remove(client); ++ discovery_remove(client, false); + } + + static int compare_sender(gconstpointer a, gconstpointer b) +@@ -2146,14 +2153,14 @@ static int update_discovery_filter(struct btd_adapter *adapter) + return -EINPROGRESS; + } + +-static int discovery_stop(struct watch_client *client) ++static int discovery_stop(struct watch_client *client, bool exit) + { + struct btd_adapter *adapter = client->adapter; + struct mgmt_cp_stop_discovery cp; + + /* Check if there are more client discovering */ + if (g_slist_next(adapter->discovery_list)) { +- discovery_remove(client); ++ discovery_remove(client, exit); + update_discovery_filter(adapter); + return 0; + } +@@ -2163,7 +2170,7 @@ static int discovery_stop(struct watch_client *client) + * and so it is enough to send out the signal and just return. + */ + if (adapter->discovery_enable == 0x00) { +- discovery_remove(client); ++ discovery_remove(client, exit); + adapter->discovering = false; + g_dbus_emit_property_changed(dbus_conn, adapter->path, + ADAPTER_INTERFACE, "Discovering"); +@@ -2188,7 +2195,7 @@ static void discovery_disconnect(DBusConnection *conn, void *user_data) + + DBG("owner %s", client->owner); + +- discovery_stop(client); ++ discovery_stop(client, true); + } + + /* +@@ -2586,7 +2593,7 @@ static DBusMessage *stop_discovery(DBusConnection *conn, + if (client->msg) + return btd_error_busy(msg); + +- err = discovery_stop(client); ++ err = discovery_stop(client, false); + switch (err) { + case 0: + return dbus_message_new_method_return(msg); +-- +2.17.1 From patchwork Mon Mar 25 23:21:08 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 161141 Delivered-To: patch@linaro.org Received: by 2002:a02:c6d8:0:0:0:0:0 with SMTP id r24csp4541649jan; Mon, 25 Mar 2019 16:21:29 -0700 (PDT) X-Google-Smtp-Source: APXvYqxZPEQq+w0tNVAKiPsu3iAq090ut7peMLlDEUTRmQRlxUCba3o1UVQeWnocjMcDY1FJ3PdH X-Received: by 2002:a63:c00c:: with SMTP id h12mr26120145pgg.423.1553556088976; Mon, 25 Mar 2019 16:21:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1553556088; cv=none; d=google.com; s=arc-20160816; b=WXTfx4xku8NQcbapaV3vo9LOpKW8E8Zw24f9y4uEKSxoTU/zWOOKVEi710R+0XEvS0 9c5eBaZ+Hgh1dAM+LYarEimGZluqyzy5buxspkSYwN8gc10VGeFb6wS2oy2e9SqKsbYQ 41beY4fzs288MzVuPk+cM4t0gMQdwpGz5uw3Ceajnl+ccfLcEZaWErIVJezrMrPMYVfe kghcABBooa1socHOxP1CUWlbf4eNUBgtynxf18Nvir3o+9wP9jNN/r44CfvAF7NngFLJ gT4vgYo+L2RobXsP3hREbH3p0M+RYqMBTBzarFtWcfNkajkQS/UKTjFLhfDWqj6qmPnZ HGug== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:sender:content-transfer-encoding:mime-version :list-subscribe:list-help:list-post:list-archive:list-unsubscribe :list-id:precedence:subject:references:in-reply-to:message-id:date :to:from:dkim-signature:delivered-to; bh=yA8nT0toUeRFqVcm3J5xTNbbHasSRkYnByPNyZaOgVE=; b=QZsd6SUS5+qzgK4W3OnS5rW/3KnDw0pFddPhh1cJHi5rQ256PUbqRIG3PtzGD80a+C bJA6u1ciJFiLh22IH+9tE+9SxpPPlzDV8lh/qFTmtpd0PeVD0QltRSI0WaDJL4wFlDcu ST9UghDF0s4vw+eLza7fyetx8/UPg4xr13vgQKi1gEkg3Oaz2T6+oveMlW2ACoPiZt6u Bxq1HxpPeNGUbV5ywDRJygNd3w6AAaQnHqVOT5JxmKwohO3z+z81VFsv0nQcWf8+HYxB siCwdc9rlSU26dZjcgH64HV8Cvl71V01eqE6w2qaYejcV2Xm636xQYKR5N8C0JknnmG3 1DwQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@intel-com.20150623.gappssmtp.com header.s=20150623 header.b=sz2XBfm7; spf=pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) smtp.mailfrom=openembedded-core-bounces@lists.openembedded.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from mail.openembedded.org (mail.openembedded.org. [140.211.169.62]) by mx.google.com with ESMTP id b20si15049147pls.193.2019.03.25.16.21.28; Mon, 25 Mar 2019 16:21:28 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) client-ip=140.211.169.62; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@intel-com.20150623.gappssmtp.com header.s=20150623 header.b=sz2XBfm7; spf=pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) smtp.mailfrom=openembedded-core-bounces@lists.openembedded.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: from ec2-34-214-78-129.us-west-2.compute.amazonaws.com (localhost [127.0.0.1]) by mail.openembedded.org (Postfix) with ESMTP id E9B5A7D110; Mon, 25 Mar 2019 23:21:25 +0000 (UTC) X-Original-To: openembedded-core@lists.openembedded.org Delivered-To: openembedded-core@lists.openembedded.org Received: from mail-wr1-f48.google.com (mail-wr1-f48.google.com [209.85.221.48]) by mail.openembedded.org (Postfix) with ESMTP id AE12C7D0D1 for ; Mon, 25 Mar 2019 23:21:12 +0000 (UTC) Received: by mail-wr1-f48.google.com with SMTP id y13so12188397wrd.3 for ; Mon, 25 Mar 2019 16:21:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel-com.20150623.gappssmtp.com; s=20150623; h=from:to:subject:date:message-id:in-reply-to:references; bh=2qSHE/aYFHJrz634e55LJG6G/SV51x7I0H7EB9OYyYg=; b=sz2XBfm7mbIEKwM/ZJLuldOh9BC0Rbt8FJxQ90F0PtX5tGE8/lE4rc9ew9e/6pXFK7 q0C2M64RIq4M12Vq08d34D3JlUuHmuQ5qIwVljoBC0nqstsx+rBA/ViNMgV175Ng7ehf 7HR3TG87vIXa9+OFVmg3PvXeKLg2P0OsMpcYOgT4BjEPwWHI4XiL9k5vUO+Mj+9CNXD6 2c9RYbQe+Z+Q0iV5Yt9qRJCRVXySi1l+mSdCURxiZun8+OdGbgfO598g+/6InGB+TQ9L 51n9c6g/UDmJf3GXCeINQmDEAPRoLga7NGtwCuAs3crxI1wPC0FWIeA0DSyKLyW2aOUA o8/w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references; bh=2qSHE/aYFHJrz634e55LJG6G/SV51x7I0H7EB9OYyYg=; b=m7AFhzN1x5qdkZITejXyOsjX24vMfLV1pprNAaAxBQPJJbylZLRuYqXYnTyzN1+Epn stWRLmB4v3kuARZq6+6vmouhlZmh8UXfimBizmM5JzM7GCKxpPRYY/QL+Sd+sUSqwvaV tp1X+WugqSIbGLfnckwL0pnZcslnAnQuQR3FhpkTh6p2akqcCBPkn91eCk7Gd2tU+BFG QPu0eXbLVzJmD5ht+jP57QHhxektfusdHqCS/MviioX5tC6TES2QdXA40n07usB9M5ew Vlj24kUi1MKOzyH/Z7I7GrurxLDgH1o50XWk23fPzVH7eo30Ioy6PBSgSMANF2c6ztz/ B06g== X-Gm-Message-State: APjAAAVwxN30ngB8vnn5S3WQauV3tOtmLveKipc9uQ2A9euZKbCvmdGI y60Lh4fLxFsWqEgfn3//xRRRLi5Ia2s= X-Received: by 2002:a05:6000:1292:: with SMTP id f18mr17828738wrx.115.1553556073269; Mon, 25 Mar 2019 16:21:13 -0700 (PDT) Received: from flashheart.burtonini.com (35.106.2.81.in-addr.arpa. [81.2.106.35]) by smtp.gmail.com with ESMTPSA id o2sm10795461wrs.89.2019.03.25.16.21.12 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 25 Mar 2019 16:21:12 -0700 (PDT) From: Ross Burton To: openembedded-core@lists.openembedded.org Date: Mon, 25 Mar 2019 23:21:08 +0000 Message-Id: <20190325232108.10002-2-ross.burton@intel.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20190325232108.10002-1-ross.burton@intel.com> References: <20190325232108.10002-1-ross.burton@intel.com> Subject: [OE-core] [PATCH 2/2] libsndfile1: fix CVE-2019-3832 X-BeenThere: openembedded-core@lists.openembedded.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Patches and discussions about the oe-core layer List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: openembedded-core-bounces@lists.openembedded.org Errors-To: openembedded-core-bounces@lists.openembedded.org The previous fix for CVE-2018-19758 wasn't complete, so backport another patch to solve it properly. Signed-off-by: Ross Burton --- .../libsndfile/libsndfile1/CVE-2019-3832.patch | 37 ++++++++++++++++++++++ .../libsndfile/libsndfile1_1.0.28.bb | 1 + 2 files changed, 38 insertions(+) create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2019-3832.patch -- 2.11.0 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2019-3832.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2019-3832.patch new file mode 100644 index 00000000000..ab37211399f --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2019-3832.patch @@ -0,0 +1,37 @@ +From 43886efc408c21e1e329086ef70c88860310f25b Mon Sep 17 00:00:00 2001 +From: Emilio Pozuelo Monfort +Date: Tue, 5 Mar 2019 11:27:17 +0100 +Subject: [PATCH] wav_write_header: don't read past the array end + +CVE-2018-19758 wasn't entirely fixed in the fix, so fix it harder. + +CVE: CVE-2019-3832 +Upstream-Status: Backport [7408c4c788ce047d4e652b60a04e7796bcd7267e] +Signed-off-by: Ross Burton + +If loop_count is bigger than the array, truncate it to the array +length (and not to 32k). + +CVE-2019-3832 + +--- + src/wav.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/wav.c b/src/wav.c +index daae3cc..8851549 100644 +--- a/src/wav.c ++++ b/src/wav.c +@@ -1094,8 +1094,10 @@ wav_write_header (SF_PRIVATE *psf, int calc_length) + psf_binheader_writef (psf, "44", 0, 0) ; /* SMTPE format */ + psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0) ; + +- /* Loop count is signed 16 bit number so we limit it range to something sensible. */ +- psf->instrument->loop_count &= 0x7fff ; ++ /* Make sure we don't read past the loops array end. */ ++ if (psf->instrument->loop_count > ARRAY_LEN (psf->instrument->loops)) ++ psf->instrument->loop_count = ARRAY_LEN (psf->instrument->loops) ; ++ + for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++) + { int type ; + diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb index eb2c719d8da..77393db8470 100644 --- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb +++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb @@ -16,6 +16,7 @@ SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \ file://CVE-2018-19432.patch \ file://CVE-2017-12562.patch \ file://CVE-2018-19758.patch \ + file://CVE-2019-3832.patch \ " SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c"