From 9b0f79c02fd2e0e97c6dc541ddee4a6c76b8ede8 Mon Sep 17 00:00:00 2001 From: Mike Engel Date: Mon, 1 Aug 2022 17:01:14 +0200 Subject: [PATCH] meta-digi: firmware-qualcomm: add Bluetooth Vulnerability CVE-2019-9506 resolution This commit adds Bluetooth Vulnerability CVE-2019-9506 resolution to the firmware file. CVE-2019-9506 is a Bluetooth key negotiation vulnerability. Signed-off-by: Mike Engel https://onedigi.atlassian.net/browse/DEL-7134
---
 .../firmware-qualcomm/firmware-qualcomm.bb | 8 ++++++++ .../firmware-qualcomm/nvm-tag33.bin | Bin 0 -> 31 bytes 2 files changed, 8 insertions(+) create mode 100644 meta-digi-arm/recipes-bsp/firmware-qualcomm/firmware-qualcomm/nvm-tag33.bin
diff --git a/meta-digi-arm/recipes-bsp/firmware-qualcomm/firmware-qualcomm.bb b/meta-digi-arm/recipes-bsp/firmware-qualcomm/firmware-qualcomm.bb
index 9471f93d7..30dd69a8e 100644
--- a/meta-digi-arm/recipes-bsp/firmware-qualcomm/firmware-qualcomm.bb
+++ b/meta-digi-arm/recipes-bsp/firmware-qualcomm/firmware-qualcomm.bb
@@ -69,6 +69,7 @@ SRC_URI = " \
 ${FW_QUALCOMM_BT} \
 ${FW_QUALCOMM_WIFI} \
 ${@oe.utils.vartrue('QUALCOMM_FW_CCX_TAGS', '${FW_QUALCOMM_CCX}', '', d)} \
+ file://nvm-tag33.bin \
 "
 
 S = "${WORKDIR}"
@@ -128,6 +129,13 @@ do_install() {
 # Enable Internal Clock in the bluetooth firmware
 awk 'BEGIN{printf "%c%c", 0x01, 0x00}' | dd of="${D}${base_libdir}/firmware/qca/nvm_tlv_3.2.bin" bs=1 seek=93 count=2 conv=notrunc,fsync
 fi
+
+ # Insert TAG33 for CVE-2019-9506 and update file length
+ cat nvm-tag33.bin >> "${D}${base_libdir}/firmware/qca/nvm_tlv_3.2.bin"
+ # Calculate the new firmware file size
+ length="$(expr $(stat -L -c %s ${D}${base_libdir}/firmware/qca/nvm_tlv_3.2.bin) - 4)"
+ /bin/echo -ne "\x$(printf '%02x' $(expr $length % 256))" | dd of=${D}${base_libdir}/firmware/qca/nvm_tlv_3.2.bin bs=1 seek=1 count=1 conv=notrunc,fsync
+ /bin/echo -ne "\x$(printf '%02x' $(expr $length / 256))" | dd of=${D}${base_libdir}/firmware/qca/nvm_tlv_3.2.bin bs=1 seek=2 count=1 conv=notrunc,fsync
 }
 
 QCA_MODEL ?= "qca6564"
diff --git a/meta-digi-arm/recipes-bsp/firmware-qualcomm/firmware-qualcomm/nvm-tag33.bin b/meta-digi-arm/recipes-bsp/firmware-qualcomm/firmware-qualcomm/nvm-tag33.bin
new file mode 100644
index 0000000000000000000000000000000000000000..0c999154d01cd892dfd51ac3c33da0221a63ac1c
GIT binary patch
literal 31
fcmY#n5N3b@F;Nj=AwdC74t6$H7G@?!Ms@)J5Ox6n

literal 0
HcmV?d00001
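Review bot: The length rewrite after the TAG33 append patches only two header bytes (`$length % 256` at offset 1, `$length / 256` at offset 2), so a payload of 65536 bytes or more makes the second `printf '%02x'` overflow one byte and the header stops describing the appended tag; a guard such as `[ "$length" -le 65535 ] || bbfatal "nvm_tlv_3.2.bin too large for the 2-byte length patch"` before the two `dd` calls would fail the build instead. The new lines sit after the `fi`, so they appear to assume nvm_tlv_3.2.bin is installed in every configuration, and `cat nvm-tag33.bin` relies on the task's working directory, where `cat "${WORKDIR}/nvm-tag33.bin"` would not. Because this blob is the CVE-2019-9506 mitigation, a comment recording its origin and what the tag configures would let a later audit confirm the fix is really in the image. do_install begins outside the hunk, so the condition closed by `fi` is not visible here.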