
Issue 764477


Issue metadata

Status: Verified
Closed: Sep 2017
OS: Chrome
Pri: 1
Type: Bug-Security




Security: Linux Bluetooth stack (BlueZ) information Leak vulnerability - CVE-2017-1000250

Project Member Reported by mnissler@chromium.org, Sep 12 2017

Issue description

Breakout from issue 764425.

See https://drive.google.com/file/d/0B7tynhulKyCYamp0Q3FoamJ1TFk/view for description.

Bottom line: We need to patch bluez.

Assigning to snanda@ to find an owner.
 
Cc: puneetster@chromium.org
Cc: mcchou@chromium.org

Comment 3 by mcchou@chromium.org, Sep 12 2017

Cc: josephsih@chromium.org

Comment 4 by snanda@chromium.org, Sep 12 2017

Owner: dmitrygr@google.com
Dmitry, could you please take a look?
Project Member

Comment 5 by sheriffbot@chromium.org, Sep 13 2017

Labels: Pri-1
Here's the patch: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=9e009647b14e810e06626dde7f1bb9ea3c375d09

Can you get this tested and landed soonish, i.e. today or tomorrow?
Project Member

Comment 8 by bugdroid1@chromium.org, Sep 13 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/bluez/+/f23c82781f95b280f555b352492df23397df3fd6

commit f23c82781f95b280f555b352492df23397df3fd6
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Wed Sep 13 16:39:10 2017

UPSTREAM: sdp: Fix Out-of-bounds heap read in service_search_attr_req function

Check if there is enough data to continue otherwise return an error.

BUG= chromium:764477 
TEST=Run bluetooth tests

(cherry picked from commit 9e009647b14e810e06626dde7f1bb9ea3c375d09)
Signed-off-by: Guenter Roeck <groeck@chromium.org>

Change-Id: Ib9b49cb17d5964daad5c9b377744020f968c0521
Reviewed-on: https://chromium-review.googlesource.com/664819
Trybot-Ready: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Mattias Nissler <mnissler@chromium.org>
Commit-Queue: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/f23c82781f95b280f555b352492df23397df3fd6/src/sdpd-request.c

Comment 9 by groeck@chromium.org, Sep 13 2017

Labels: Merge-Request-61
Project Member

Comment 10 by sheriffbot@chromium.org, Sep 13 2017

Labels: -Merge-Request-61 Merge-Review-61 Hotlist-Merge-Review
This bug requires manual review: Request affecting a post-stable build
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), ketakid@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Owner: groeck@chromium.org
Status: Started (was: Assigned)
Project Member

Comment 12 by bugdroid1@chromium.org, Sep 13 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/bluez/+/64c547ad0da6a3430838fb3978bf281830d0721a

commit 64c547ad0da6a3430838fb3978bf281830d0721a
Author: Miao-chen Chou <mcchou@chromium.org>
Date: Wed Sep 13 18:20:49 2017

Revert "UPSTREAM: sdp: Fix Out-of-bounds heap read in service_search_attr_req function"

This reverts commit f23c82781f95b280f555b352492df23397df3fd6.

Reason for revert: master branch is no longer active, land this in chromeos-5.44 branch instead.

Original change's description:
> UPSTREAM: sdp: Fix Out-of-bounds heap read in service_search_attr_req function
> 
> Check if there is enough data to continue otherwise return an error.
> 
> BUG= chromium:764477 
> TEST=Run bluetooth tests
> 
> (cherry picked from commit 9e009647b14e810e06626dde7f1bb9ea3c375d09)
> Signed-off-by: Guenter Roeck <groeck@chromium.org>
> 
> Change-Id: Ib9b49cb17d5964daad5c9b377744020f968c0521
> Reviewed-on: https://chromium-review.googlesource.com/664819
> Trybot-Ready: Guenter Roeck <groeck@chromium.org>
> Reviewed-by: Mattias Nissler <mnissler@chromium.org>
> Commit-Queue: Guenter Roeck <groeck@chromium.org>
> Tested-by: Guenter Roeck <groeck@chromium.org>

Bug:  chromium:764477 
Change-Id: If8fbbbdcd15dcb53aa47d5bb31d69bd734f873d2
Reviewed-on: https://chromium-review.googlesource.com/665359
Reviewed-by: Miao-chen Chou <mcchou@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Commit-Queue: Miao-chen Chou <mcchou@chromium.org>
Tested-by: Miao-chen Chou <mcchou@chromium.org>

[modify] https://crrev.com/64c547ad0da6a3430838fb3978bf281830d0721a/src/sdpd-request.c

Owner: mcchou@chromium.org
Labels: -Merge-Review-61 Merge-Approved-61
Approving merge to M61.
Project Member

Comment 15 by bugdroid1@chromium.org, Sep 14 2017

Labels: merge-merged-chromeos-5.44
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/bluez/+/e6e029e72360f39fdcab56fc0d108c795de9bd51

commit e6e029e72360f39fdcab56fc0d108c795de9bd51
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Thu Sep 14 00:13:55 2017

UPSTREAM: sdp: Fix Out-of-bounds heap read in service_search_attr_req function

Check if there is enough data to continue otherwise return an error.

BUG= chromium:764477 
TEST=Run bluetooth tests

Change-Id: I7fa958937d9fbc4d5f216b74bb5fa1ddbf648aca
Reviewed-on: https://chromium-review.googlesource.com/665353
Commit-Ready: Miao-chen Chou <mcchou@chromium.org>
Tested-by: Miao-chen Chou <mcchou@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Miao-chen Chou <mcchou@chromium.org>

[modify] https://crrev.com/e6e029e72360f39fdcab56fc0d108c795de9bd51/src/sdpd-request.c

Cc: -bhthompson@chromium.org bhthomp...@chromium.orgf
Labels: Merge-Request-62
This needs merging into M62 as well.
Project Member

Comment 17 by bugdroid1@chromium.org, Sep 14 2017

Labels: merge-merged-release-R61-9765.B
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/bluez/+/3a9b8f5a363041df580e246bc473b91409969d90

commit 3a9b8f5a363041df580e246bc473b91409969d90
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Thu Sep 14 08:25:39 2017

UPSTREAM: sdp: Fix Out-of-bounds heap read in service_search_attr_req function

Check if there is enough data to continue otherwise return an error.

BUG= chromium:764477 
TEST=Run bluetooth tests

Change-Id: I7fa958937d9fbc4d5f216b74bb5fa1ddbf648aca
Reviewed-on: https://chromium-review.googlesource.com/665353
Commit-Ready: Miao-chen Chou <mcchou@chromium.org>
Tested-by: Miao-chen Chou <mcchou@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Miao-chen Chou <mcchou@chromium.org>
(cherry picked from commit e6e029e72360f39fdcab56fc0d108c795de9bd51)
Reviewed-on: https://chromium-review.googlesource.com/666797
Reviewed-by: Mattias Nissler <mnissler@chromium.org>
Tested-by: Mattias Nissler <mnissler@chromium.org>

[modify] https://crrev.com/3a9b8f5a363041df580e246bc473b91409969d90/src/sdpd-request.c

Cc: -bhthomp...@chromium.orgf bhthompson@chromium.org
Labels: -Merge-Approved-61
@mnissler: Re merge M62: I was told previously that Merge-Approved-X would imply Merge-Approved-(X+1), and that I should only request a merge for the oldest release. Is this not the official policy? If so, what is the official policy, and can I look it up somewhere so I can point to it if needed, i.e. if someone tells me again to only request a merge to the oldest release?

Project Member

Comment 21 by sheriffbot@chromium.org, Sep 14 2017

Labels: -Merge-Request-62 Merge-Review-62
This bug requires manual review: M62 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Merge-Review-62 Merge-Approved-62
In general it is correct that if you merge into N-1 you should be merged into N first. I would still recommend making your merge requests milestone-specific though; the TPM for the N-1 should point out that it needs to be merged in the N before approving.

The merge policy is discussed in the announcement email, the template is at https://sites.google.com/a/google.com/chromeos/for-team-members/chronos-download/pmo/template-branchcreated

Consider this merge approved for 62. 
Project Member

Comment 23 by bugdroid1@chromium.org, Sep 18 2017

Labels: merge-merged-release-R62-9901.B
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/bluez/+/6bb12c0b4892facbbf821e9d8e87c8b73f838629

commit 6bb12c0b4892facbbf821e9d8e87c8b73f838629
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Mon Sep 18 08:15:59 2017

UPSTREAM: sdp: Fix Out-of-bounds heap read in service_search_attr_req function

Check if there is enough data to continue otherwise return an error.

BUG= chromium:764477 
TEST=Run bluetooth tests

Change-Id: I7fa958937d9fbc4d5f216b74bb5fa1ddbf648aca
Reviewed-on: https://chromium-review.googlesource.com/665353
Commit-Ready: Miao-chen Chou <mcchou@chromium.org>
Tested-by: Miao-chen Chou <mcchou@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Miao-chen Chou <mcchou@chromium.org>
(cherry picked from commit e6e029e72360f39fdcab56fc0d108c795de9bd51)
Reviewed-on: https://chromium-review.googlesource.com/666796
Reviewed-by: Mattias Nissler <mnissler@chromium.org>
Tested-by: Mattias Nissler <mnissler@chromium.org>

[modify] https://crrev.com/6bb12c0b4892facbbf821e9d8e87c8b73f838629/src/sdpd-request.c

Labels: -Merge-Approved-62
Status: Fixed (was: Started)
groeck: It's been a long time since I last read official policies ;-) For security bugs, I generally tend to loop in release folks (cc'ing them in) for all affected milestones rather sooner than later to make sure everyone is aware. For critical bugs, I usually also start an email thread to discuss roll-out logistics.
Project Member

Comment 25 by sheriffbot@chromium.org, Sep 18 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -M-61 M-60 Merge-Request-60
Putting this on Josafat's radar for a potential M60 respin.
Cc: kevinhayes@chromium.org
Project Member

Comment 28 by sheriffbot@chromium.org, Sep 20 2017

Labels: -M-60 M-61
Cc: kevinhayes@google.com
Project Member

Comment 30 by sheriffbot@chromium.org, Oct 18 2017

Labels: -M-61 M-62
Project Member

Comment 31 by sheriffbot@chromium.org, Dec 7 2017

Labels: -M-62 M-63
Project Member

Comment 32 by sheriffbot@chromium.org, Dec 25 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 33 by sheriffbot@chromium.org, Jan 25 2018

Labels: -M-63 M-64
Project Member

Comment 34 by sheriffbot@chromium.org, Mar 7 2018

Labels: -M-64 M-65
Project Member

Comment 35 by sheriffbot@chromium.org, Apr 19 2018

Labels: -M-65 M-66
Project Member

Comment 36 by sheriffbot@chromium.org, May 30 2018

Labels: -M-66 M-67
Project Member

Comment 37 by sheriffbot@chromium.org, Jul 25

Labels: -M-67 Target-68 M-68
Project Member

Comment 38 by sheriffbot@chromium.org, Sep 5

Labels: -M-68 M-69 Target-69
Status: Verified (was: Fixed)
Project Member

Comment 40 by sheriffbot@chromium.org, Oct 17

Labels: -M-69 Target-70 M-70
Project Member

Comment 41 by sheriffbot@chromium.org, Dec 5

Labels: -M-70 Target-71 M-71
Labels: -Merge-Request-60
Dropping stale merge request label in an attempt to silence sheriffbot.
