aboutsummaryrefslogtreecommitdiffstats
path: root/meta/recipes-connectivity/bluez5/bluez5/CVE-2020-0556-1.patch
diff options
context:
space:
mode:
authorAnuj Mittal <anuj.mittal@intel.com>2020-03-13 09:09:38 +0800
committerAnuj Mittal <anuj.mittal@intel.com>2020-03-16 15:49:02 +0800
commitc940e4b858d6be28b198770768117ecc098fa0d3 (patch)
tree74bc3323cdcb07338adbe862131eec56b1dcbf92 /meta/recipes-connectivity/bluez5/bluez5/CVE-2020-0556-1.patch
parent878817358eb7c25ffa48d10dde9475299674a96c (diff)
downloadopenembedded-core-contrib-c940e4b858d6be28b198770768117ecc098fa0d3.tar.gz
openembedded-core-contrib-c940e4b858d6be28b198770768117ecc098fa0d3.tar.bz2
openembedded-core-contrib-c940e4b858d6be28b198770768117ecc098fa0d3.zip
bluez: fix CVE-2020-0556
It was discovered that BlueZ's HID and HOGP profiles implementations don't specifically require bonding between the device and the host. This creates an opportunity for an malicious device to connect to a target host to either impersonate an existing HID device without security or to cause an SDP or GATT service discovery to take place which would allow HID reports to be injected to the input subsystem from a non-bonded source. (From OE-Core rev: d598f8eee0741148416e8660e10c716654205cb5) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit bed169a07b04a7dc003958fa309e6ff761f85a72)
Diffstat (limited to 'meta/recipes-connectivity/bluez5/bluez5/CVE-2020-0556-1.patch')
-rw-r--r--meta/recipes-connectivity/bluez5/bluez5/CVE-2020-0556-1.patch35
1 files changed, 35 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2020-0556-1.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2020-0556-1.patch
new file mode 100644
index 0000000000..a6bf31e14b
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2020-0556-1.patch
@@ -0,0 +1,35 @@
+From 8cdbd3b09f29da29374e2f83369df24228da0ad1 Mon Sep 17 00:00:00 2001
+From: Alain Michaud <alainm@chromium.org>
+Date: Tue, 10 Mar 2020 02:35:16 +0000
+Subject: [PATCH 1/2] HOGP must only accept data from bonded devices.
+
+HOGP 1.0 Section 6.1 establishes that the HOGP must require bonding.
+
+Reference:
+https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.htm
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=8cdbd3b09f29da29374e2f83369df24228da0ad1]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+CVE: CVE-2020-0556
+---
+ profiles/input/hog.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/profiles/input/hog.c b/profiles/input/hog.c
+index 83c017dcb..dfac68921 100644
+--- a/profiles/input/hog.c
++++ b/profiles/input/hog.c
+@@ -186,6 +186,10 @@ static int hog_accept(struct btd_service *service)
+ return -EINVAL;
+ }
+
++ /* HOGP 1.0 Section 6.1 requires bonding */
++ if (!device_is_bonded(device, btd_device_get_bdaddr_type(device)))
++ return -ECONNREFUSED;
++
+ /* TODO: Replace GAttrib with bt_gatt_client */
+ bt_hog_attach(dev->hog, attrib);
+
+--
+2.24.1
+