!122 [sync] PR-115: mgmt: Fix crash after pair command

From: @openeuler-sync-bot 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen

Fix-crash-after-pair-command.patch

@@ -0,0 +1,76 @@
+From: Vinit Mehta <vinit.mehta@nxp.com>
+Date: 2023-12-19 11:58:01 +0530
+Subject: [PATCH] Fix crash after pair command
+
+After pair command, if the user doesn't provide any input on bluetoothctl
+CLI interface after receiving the prompt(yes/no) below crash is observed:
+
+dbus[782]: arguments to dbus_message_get_no_reply() were incorrect,
+assertion "message != NULL" failed in file
+/usr/src/debug/dbus/1.14.10-r0/dbus/dbus-message.c line 3250.
+This is normally a bug in some application using the D-Bus library.
+/usr/lib/libc.so.6(+0x27534) [0xffffa1b67534]
+/usr/lib/libc.so.6(__libc_start_main+0x9c) [0xffffa1b6760c]
+bluetoothctl(+0x188f0) [0xaaaac9c088f0]
+Aborted (core dumped)
+
+---
+ client/agent.c | 15 +++++++++------
+ tools/btmgmt.c | 12 +++++++++---
+ 2 files changed, 18 insertions(+), 9 deletions(-)
+
+diff --git a/client/agent.c b/client/agent.c
+index 4def1b4..77aa565 100644
+--- a/client/agent.c
++++ b/client/agent.c
+@@ -90,14 +90,17 @@ static void confirm_response(const char *input, void *user_data)
+ {
+ 	DBusConnection *conn = user_data;
+ 
+-	if (!strcmp(input, "yes"))
+-		g_dbus_send_reply(conn, pending_message, DBUS_TYPE_INVALID);
+-	else if (!strcmp(input, "no"))
+-		g_dbus_send_error(conn, pending_message,
++	if (pending_message != NULL) {
++		if (!strcmp(input, "yes"))
++			g_dbus_send_reply(conn, pending_message,
++					DBUS_TYPE_INVALID);
++		else if (!strcmp(input, "no"))
++			g_dbus_send_error(conn, pending_message,
+ 					"org.bluez.Error.Rejected", NULL);
+-	else
+-		g_dbus_send_error(conn, pending_message,
++		else
++			g_dbus_send_error(conn, pending_message,
+ 					"org.bluez.Error.Canceled", NULL);
++	}
+ }
+ 
+ static void agent_release(DBusConnection *conn)
+diff --git a/tools/btmgmt.c b/tools/btmgmt.c
+index f631de4..de7d17d 100644
+--- a/tools/btmgmt.c
++++ b/tools/btmgmt.c
+@@ -843,10 +843,16 @@ static void prompt_input(const char *input, void *user_data)
+ 								&prompt.addr);
+ 		break;
+ 	case MGMT_EV_USER_CONFIRM_REQUEST:
+-		if (input[0] == 'y' || input[0] == 'Y')
+-			mgmt_confirm_reply(prompt.index, &prompt.addr);
+-		else
++		if (len) {
++			if (input[0] == 'y' || input[0] == 'Y')
++				mgmt_confirm_reply(prompt.index, &prompt.addr);
++			else
++				mgmt_confirm_neg_reply(prompt.index,
++						&prompt.addr);
++		} else {
+ 			mgmt_confirm_neg_reply(prompt.index, &prompt.addr);
++			bt_shell_set_prompt(PROMPT_ON);
++		}
+ 		break;
+ 	}
+ }
+-- 
+2.27.0
+

backport-CVE-2023-27349.patch

@@ -0,0 +1,46 @@
+From f54299a850676d92c3dafd83e9174fcfe420ccc9 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Wed, 22 Mar 2023 11:34:24 -0700
+Subject: avrcp: Fix crash while handling unsupported events
+
+The following crash can be observed if the remote peer send and
+unsupported event:
+
+ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000148f11
+ at pc 0x559644552088 bp 0x7ffe28b3c7b0 sp 0x7ffe28b3c7a0
+ WRITE of size 1 at 0x60b000148f11 thread T0
+     #0 0x559644552087 in avrcp_handle_event profiles/audio/avrcp.c:3907
+     #1 0x559644536c22 in control_response profiles/audio/avctp.c:939
+     #2 0x5596445379ab in session_cb profiles/audio/avctp.c:1108
+     #3 0x7fbcb3e51c43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43)
+     #4 0x7fbcb3ea66c7  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xaa6c7)
+     #5 0x7fbcb3e512b2 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2)
+     #6 0x559644754ab6 in mainloop_run src/shared/mainloop-glib.c:66
+     #7 0x559644755606 in mainloop_run_with_signal src/shared/mainloop-notify.c:188
+     #8 0x5596445bb963 in main src/main.c:1289
+     #9 0x7fbcb3bafd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
+     #10 0x7fbcb3bafe3f in __libc_start_main_impl ../csu/libc-start.c:392
+     #11 0x5596444e8224 in _start (/usr/local/libexec/bluetooth/bluetoothd+0xf0224)
+---
+ profiles/audio/avrcp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
+index 80f34c7a7..dda9a303f 100644
+--- a/profiles/audio/avrcp.c
++++ b/profiles/audio/avrcp.c
+@@ -3901,6 +3901,12 @@ static gboolean avrcp_handle_event(struct avctp *conn, uint8_t code,
+ 	case AVRCP_EVENT_UIDS_CHANGED:
+ 		avrcp_uids_changed(session, pdu);
+ 		break;
++	default:
++		if (event > AVRCP_EVENT_LAST) {
++			warn("Unsupported event: %u", event);
++			return FALSE;
++		}
++		break;
+ 	}
+ 
+ 	session->registered_events |= (1 << event);
+-- 
+cgit 

backport-CVE-2023-45866.patch

@@ -0,0 +1,47 @@
+From 25a471a83e02e1effb15d5a488b3f0085eaeb675 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Tue, 10 Oct 2023 13:03:12 -0700
+Subject: input.conf: Change default of ClassicBondedOnly
+
+This changes the default of ClassicBondedOnly since defaulting to false
+is not inline with HID specification which mandates the of Security Mode
+4:
+
+BLUETOOTH SPECIFICATION Page 84 of 123
+Human Interface Device (HID) Profile:
+
+  5.4.3.4.2 Security Modes
+  Bluetooth HID Hosts shall use Security Mode 4 when interoperating with
+  Bluetooth HID devices that are compliant to the Bluetooth Core
+  Specification v2.1+EDR[6].
+---
+ profiles/input/device.c   | 2 +-
+ profiles/input/input.conf | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/profiles/input/device.c b/profiles/input/device.c
+index d89da2d..e6f9e84 100644
+--- a/profiles/input/device.c
++++ b/profiles/input/device.c
+@@ -92,7 +92,7 @@ struct input_device {
+
+ static int idle_timeout = 0;
+ static bool uhid_enabled = false;
+-static bool classic_bonded_only = false;
++static bool classic_bonded_only = true;
+
+ void input_set_idle_timeout(int timeout)
+ {
+diff --git a/profiles/input/input.conf b/profiles/input/input.conf
+index 166aff4..d0b6449 100644
+--- a/profiles/input/input.conf
++++ b/profiles/input/input.conf
+@@ -17,5 +17,5 @@
+ # platforms may want to make sure that input connections only come from bonded
+ # device connections. Several older mice have been known for not supporting
+ # pairing/encryption.
+-# Defaults to false to maximize device compatibility.
++# Defaults to true for security.
+ #ClassicBondedOnly=true
+--
+2.33.0

backport-CVE-2023-50229-CVE-2023-50230.patch

@@ -0,0 +1,63 @@
+From 5ab5352531a9cc7058cce569607f3a6831464443 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Tue, 19 Sep 2023 12:14:01 -0700
+Subject: [PATCH] pbap: Fix not checking Primary/Secundary Counter length
+
+Primary/Secundary Counters are supposed to be 16 bytes values, if the
+server has implemented them incorrectly it may lead to the following
+crash:
+
+=================================================================
+==31860==ERROR: AddressSanitizer: heap-buffer-overflow on address
+0x607000001878 at pc 0x7f95a1575638 bp 0x7fff58c6bb80 sp 0x7fff58c6b328
+
+ READ of size 48 at 0x607000001878 thread T0
+     #0 0x7f95a1575637 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:860
+     #1 0x7f95a1575ba6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:892
+     #2 0x7f95a1575ba6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:887
+     #3 0x564df69c77a0 in read_version obexd/client/pbap.c:288
+     #4 0x564df69c77a0 in read_return_apparam obexd/client/pbap.c:352
+     #5 0x564df69c77a0 in phonebook_size_callback obexd/client/pbap.c:374
+     #6 0x564df69bea3c in session_terminate_transfer obexd/client/session.c:921
+     #7 0x564df69d56b0 in get_xfer_progress_first obexd/client/transfer.c:729
+     #8 0x564df698b9ee in handle_response gobex/gobex.c:1140
+     #9 0x564df698cdea in incoming_data gobex/gobex.c:1385
+     #10 0x7f95a12fdc43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43)
+     #11 0x7f95a13526c7  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xaa6c7)
+     #12 0x7f95a12fd2b2 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2)
+     #13 0x564df6977d41 in main obexd/src/main.c:307
+     #14 0x7f95a10a7d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
+     #15 0x7f95a10a7e3f in __libc_start_main_impl ../csu/libc-start.c:392
+     #16 0x564df6978704 in _start (/usr/local/libexec/bluetooth/obexd+0x8b704)
+ 0x607000001878 is located 0 bytes to the right of 72-byte region [0x607000001830,0x607000001878)
+
+ allocated by thread T0 here:
+     #0 0x7f95a1595a37 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
+     #1 0x564df69c8b6a in pbap_probe obexd/client/pbap.c:1259
+---
+ obexd/client/pbap.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/obexd/client/pbap.c b/obexd/client/pbap.c
+index 1ed8c68ecc..2d2aa95089 100644
+--- a/obexd/client/pbap.c
++++ b/obexd/client/pbap.c
+@@ -285,7 +285,7 @@ static void read_version(struct pbap_data *pbap, GObexApparam *apparam)
+ 		data = value;
+ 	}
+ 
+-	if (memcmp(pbap->primary, data, len)) {
++	if (len == sizeof(pbap->primary) && memcmp(pbap->primary, data, len)) {
+ 		memcpy(pbap->primary, data, len);
+ 		g_dbus_emit_property_changed(conn,
+ 					obc_session_get_path(pbap->session),
+@@ -299,7 +299,8 @@ static void read_version(struct pbap_data *pbap, GObexApparam *apparam)
+ 		data = value;
+ 	}
+ 
+-	if (memcmp(pbap->secondary, data, len)) {
++	if (len == sizeof(pbap->secondary) &&
++			memcmp(pbap->secondary, data, len)) {
+ 		memcpy(pbap->secondary, data, len);
+ 		g_dbus_emit_property_changed(conn,
+ 					obc_session_get_path(pbap->session),

bluez-5.54-sw.patch

@@ -0,0 +1,25 @@
+diff -Nuar bluez-5.54/ell/missing.h bluez-5.54-sw/ell/missing.h
+--- bluez-5.54/ell/missing.h	2019-04-03 17:49:21.000000000 +0000
++++ bluez-5.54-sw/ell/missing.h	2022-07-20 13:43:50.420000000 +0000
+@@ -27,6 +27,8 @@
+ #    define __NR_getrandom 318
+ #  elif defined(__i386__)
+ #    define __NR_getrandom 355
++#  elif defined(__sw_64__)
++#    define __NR_getrandom 511
+ #  elif defined(__arm__)
+ #    define __NR_getrandom 384
+ # elif defined(__aarch64__)
+diff -Nuar bluez-5.54/profiles/network/bnep.c bluez-5.54-sw/profiles/network/bnep.c
+--- bluez-5.54/profiles/network/bnep.c	2019-09-19 18:51:03.000000000 +0000
++++ bluez-5.54-sw/profiles/network/bnep.c	2022-07-20 13:58:58.390000000 +0000
+@@ -268,7 +268,8 @@
+ 
+ 	memset(&timeo, 0, sizeof(timeo));
+ 	timeo.tv_sec = 0;
+-	setsockopt(sk, SOL_SOCKET, SO_RCVTIMEO, &timeo, sizeof(timeo));
++/*	setsockopt(sk, SOL_SOCKET, SO_RCVTIMEO, &timeo, sizeof(timeo));	*/
++	setsockopt(sk, SOL_SOCKET, SO_RCVTIMEO_OLD, &timeo, sizeof(timeo));
+ 
+ 	sk = g_io_channel_unix_get_fd(session->io);
+ 	if (bnep_connadd(sk, session->src, session->iface) < 0)

bluez.spec

@@ -1,7 +1,7 @@
 Name:             bluez
 Summary:          Bluetooth utilities
 Version:          5.54
-Release:          15
+Release:          20
 License:          GPLv2+
 URL:              http://www.bluez.org/
 Source0:          http://www.kernel.org/pub/linux/bluetooth/bluez-%{version}.tar.xz
@@ -34,6 +34,13 @@ Patch6009:        backport-CVE-2021-41229.patch
 Patch6010:	  backport-CVE-2022-39176.patch
 Patch6011:	  backport-0001-CVE-2022-39177.patch
 Patch6012:	  backport-0002-CVE-2022-39177.patch
+%ifarch sw_64
+Patch6013:	  bluez-5.54-sw.patch
+%endif
+Patch6014:        backport-CVE-2023-27349.patch
+Patch6015:        backport-CVE-2023-45866.patch
+Patch6016:        backport-CVE-2023-50229-CVE-2023-50230.patch
+Patch6017:        Fix-crash-after-pair-command.patch
 
 BuildRequires:    dbus-devel >= 1.6 libell-devel >= 0.28 autoconf
 BuildRequires:    glib2-devel libical-devel readline-devel 
@@ -190,6 +197,21 @@ make check
 %{_mandir}/man8/*
 
 %changelog
+* Tue Jun 4 2024 xuchenchen <xuchenchen@kylinos.cn> - 5.54-20
+- mgmt: Fix crash after pair command
+
+* Fri Dec 22 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 5.54-19
+- fix CVE-2023-50229,CVE-2023-50230
+
+* Fri Dec 08 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 5.54-18
+- fix CVE-2023-45866
+
+* Tue Apr 18 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 5.54-17
+- DESC:fix CVE-2023-27349
+
+* Thu Dec 08 2022 zhangzhixin <zhixin.zhang@i-soft.com.cn> - 5.54-16
+- add sw64 patch
+
 * Wed Sep 07 2022 wangkerong <wangkerong@h-partners.com> - 5.54-15
 - DESC:fix CVE-2022-39176,CVE-2022-39177