Source:
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=e2b0f0d8d63e1223bb714a9efb37e2257818268b
MR: 122138
Type: Security Fix
Disposition: Backport from
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=e2b0f0d8d63e1223bb714a9efb37e2257818268b
ChangeID: 680cf2af29d34d7925523e413b40008a71b0a26c
Description:
avrcp: Fix not checking if params_len match number of received bytes
This makes sure the number of bytes in the params_len matches the
remaining bytes received so the code doesn't end up accessing invalid
memory.
Signed-off-by: Vivek Kumbhar <[email protected]>
---
meta/recipes-connectivity/bluez5/bluez5.inc | 1 +
.../bluez5/bluez5/0001-CVE-2022-39177.patch | 34 +++++++++++++++++++
2 files changed, 35 insertions(+)
create mode 100644
meta/recipes-connectivity/bluez5/bluez5/0001-CVE-2022-39177.patch
diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc
b/meta/recipes-connectivity/bluez5/bluez5.inc
index f34ba0dce5..f7d5f57c75 100644
--- a/meta/recipes-connectivity/bluez5/bluez5.inc
+++ b/meta/recipes-connectivity/bluez5/bluez5.inc
@@ -52,6 +52,7 @@ SRC_URI =
"${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \
${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '',
'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \
file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \
file://0001-test-gatt-Fix-hung-issue.patch \
+ file://0001-CVE-2022-39177.patch \
"
S = "${WORKDIR}/bluez-${PV}"
diff --git a/meta/recipes-connectivity/bluez5/bluez5/0001-CVE-2022-39177.patch
b/meta/recipes-connectivity/bluez5/bluez5/0001-CVE-2022-39177.patch
new file mode 100644
index 0000000000..54709e0cb1
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/0001-CVE-2022-39177.patch
@@ -0,0 +1,34 @@
+From e5c8613fe171f0dc3aa812270bb15063aaa73d45 Mon Sep 17 00:00:00 2001
+From: Vivek Kumbhar <[email protected]>
+Date: Sun, 9 Oct 2022 21:06:51 +0530
+Subject: [PATCH] CVE-2022-39177
+
+Upstream-Status:
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=e2b0f0d8d63e1223bb714a9efb37e2257818268b
+CVE: CVE-2022-39177
+Signed-off-by: Vivek Kumbhar <[email protected]>
+---
+ profiles/audio/avrcp.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
+index d9471c0..0233d53 100644
+--- a/profiles/audio/avrcp.c
++++ b/profiles/audio/avrcp.c
+@@ -1916,6 +1916,14 @@ static size_t handle_vendordep_pdu(struct avctp *conn,
uint8_t transaction,
+ goto err_metadata;
+ }
+
++ operands += sizeof(*pdu);
++ operand_count -= sizeof(*pdu);
++
++ if (pdu->params_len != operand_count) {
++ DBG("AVRCP PDU parameters length don't match");
++ pdu->params_len = operand_count;
++ }
++
+ for (handler = session->control_handlers; handler->pdu_id; handler++) {
+ if (handler->pdu_id == pdu->pdu_id)
+ break;
+--
+2.25.1
+
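Review bot: The Upstream-Status line in the header of the new 0001-CVE-2022-39177.patch carries only the commit URL and no status keyword; since the description calls this a backport, it should read "Upstream-Status: Backport [<commit URL>]". The Subject is only "CVE-2022-39177" and the From line names the backporter, so the upstream subject ("avrcp: Fix not checking if params_len match number of received bytes") and the original author are lost from the patch file; keeping them makes the backport easier to audit against upstream. In the avrcp.c change itself, a params_len mismatch is logged and then overwritten with operand_count rather than rejected, and "operand_count -= sizeof(*pdu)" depends on the check just above it having established that operand_count is at least sizeof(*pdu); that check is not visible in this context, so it is worth confirming against the full function that the subtraction cannot wrap.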
--
2.25.1