--- /dev/null
+From 00da0fb4972cf59e1c075f313da81ea549cb8738 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Tue, 2 Mar 2021 11:38:33 -0800
+Subject: [PATCH] shared/gatt-server: Fix not properly checking for secure
+ flags
+
+When passing the mask to check_permissions all valid permissions for
+the operation must be set including BT_ATT_PERM_SECURE flags.
+
+Upstream-Status: Backport
+(https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=00da0fb4972cf59e1c075f313da81ea549cb8738)
+
+CVE: CVE-2021-0129
+
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+---
+ src/shared/att-types.h | 8 ++++++++
+ src/shared/gatt-server.c | 25 +++++++------------------
+ 2 files changed, 15 insertions(+), 18 deletions(-)
+
+diff --git a/src/shared/att-types.h b/src/shared/att-types.h
+index 7108b4e94..3adc05d9e 100644
+--- a/src/shared/att-types.h
++++ b/src/shared/att-types.h
+@@ -129,6 +129,14 @@ struct bt_att_pdu_error_rsp {
+ #define BT_ATT_PERM_WRITE_SECURE 0x0200
+ #define BT_ATT_PERM_SECURE (BT_ATT_PERM_READ_SECURE | \
+ BT_ATT_PERM_WRITE_SECURE)
++#define BT_ATT_PERM_READ_MASK (BT_ATT_PERM_READ | \
++ BT_ATT_PERM_READ_AUTHEN | \
++ BT_ATT_PERM_READ_ENCRYPT | \
++ BT_ATT_PERM_READ_SECURE)
++#define BT_ATT_PERM_WRITE_MASK (BT_ATT_PERM_WRITE | \
++ BT_ATT_PERM_WRITE_AUTHEN | \
++ BT_ATT_PERM_WRITE_ENCRYPT | \
++ BT_ATT_PERM_WRITE_SECURE)
+
+ /* GATT Characteristic Properties Bitfield values */
+ #define BT_GATT_CHRC_PROP_BROADCAST 0x01
+diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
+index b5f7de7dc..970c35f94 100644
+--- a/src/shared/gatt-server.c
++++ b/src/shared/gatt-server.c
+@@ -444,9 +444,7 @@ static void process_read_by_type(struct async_read_op *op)
+ return;
+ }
+
+- ecode = check_permissions(server, attr, BT_ATT_PERM_READ |
+- BT_ATT_PERM_READ_AUTHEN |
+- BT_ATT_PERM_READ_ENCRYPT);
++ ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK);
+ if (ecode)
+ goto error;
+
+@@ -811,9 +809,7 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
+ (opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd",
+ handle);
+
+- ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE |
+- BT_ATT_PERM_WRITE_AUTHEN |
+- BT_ATT_PERM_WRITE_ENCRYPT);
++ ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
+ if (ecode)
+ goto error;
+
+@@ -913,9 +909,7 @@ static void handle_read_req(struct bt_att_chan *chan,
+ opcode == BT_ATT_OP_READ_BLOB_REQ ? "Blob " : "",
+ handle);
+
+- ecode = check_permissions(server, attr, BT_ATT_PERM_READ |
+- BT_ATT_PERM_READ_AUTHEN |
+- BT_ATT_PERM_READ_ENCRYPT);
++ ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK);
+ if (ecode)
+ goto error;
+
+@@ -1051,9 +1045,8 @@ static void read_multiple_complete_cb(struct gatt_db_attribute *attr, int err,
+ goto error;
+ }
+
+- ecode = check_permissions(data->server, next_attr, BT_ATT_PERM_READ |
+- BT_ATT_PERM_READ_AUTHEN |
+- BT_ATT_PERM_READ_ENCRYPT);
++ ecode = check_permissions(data->server, next_attr,
++ BT_ATT_PERM_READ_MASK);
+ if (ecode)
+ goto error;
+
+@@ -1129,9 +1122,7 @@ static void read_multiple_cb(struct bt_att_chan *chan, uint8_t opcode,
+ goto error;
+ }
+
+- ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ |
+- BT_ATT_PERM_READ_AUTHEN |
+- BT_ATT_PERM_READ_ENCRYPT);
++ ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ_MASK);
+ if (ecode)
+ goto error;
+
+@@ -1308,9 +1299,7 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode,
+ util_debug(server->debug_callback, server->debug_data,
+ "Prep Write Req - handle: 0x%04x", handle);
+
+- ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE |
+- BT_ATT_PERM_WRITE_AUTHEN |
+- BT_ATT_PERM_WRITE_ENCRYPT);
++ ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
+ if (ecode)
+ goto error;
+
+--
+2.31.1
+
