| Message ID | 20221203174842.543278-1-cengiz.can@canonical.com |
|---|---|
| Headers | show |
| Series | CVE-2022-42896 | expand |
On 12/3/22 10:48 AM, Cengiz Can wrote: > [Impact] > There are use-after-free vulnerabilities in the Linux kernel’s net/bluetooth/ > l2cap_core.c’s l2cap_connect and l2cap_le_connect_req functions which may allow > code execution and leaking kernel memory (respectively) remotely via Bluetooth. > A remote attacker could execute code leaking kernel memory via Bluetooth if > within proximity of the victim. > > [Fix] > There are no 5.4 backports of commit 711f8c3fb3db ("Bluetooth: L2CAP: Fix > accepting connection request for invalid SPSM") yet. > > Actual fix is achieved by following commits: > > - "Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm" > - "Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM" > > Others are there to make the cherry pick clean for those fixes. > > [Test case] > Compile, boot and basic functionality tested. There are two public PoCs > but neither produce understandable results. (Basic functionality test: > l2test from bluez package, ran with USB and PCI bluetooth transceivers). > > [Potential regression] > Unknown. Although all patches except the last two have been in stable and > upstream for quite a while, it's still hard to predict what might break. > > Luiz Augusto von Dentz (7): > Bluetooth: L2CAP: Derive MPS from connection MTU > Bluetooth: L2CAP: Derive rx credits from MTU and MPS > Bluetooth: Fix not initializing L2CAP tx_credits > Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode > Bluetooth: L2CAP: Add definitions for Enhanced Credit Based Mode > Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM > Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm > > Mallikarjun Phulari (1): > Bluetooth: Use separate L2CAP LE credit based connection result values > > include/net/bluetooth/l2cap.h | 63 +++- > net/bluetooth/l2cap_core.c | 647 +++++++++++++++++++++++++++++++--- > net/bluetooth/l2cap_sock.c | 23 +- > 3 files changed, 671 insertions(+), 62 deletions(-) > > -- > 2.37.2 > > Do you really think patches 1-6 are necessary ? That is a lot of code churn for what is ultimately a couple of 'if' checks. What are the v2 changes with this submission ?
On 05/12/2022 18:51, Tim Gardner wrote: > Do you really think patches 1-6 are necessary ? That is a lot of code > churn for what is ultimately a couple of 'if' checks. Well it certainly isn't ideal. At first I wanted to just apply half of the fix. That didn't feel right. Then I ended up pulling each and every one of the dependencies. Then it got out of hand. You are right. It's too much. I'll send a v3. > > What are the v2 changes with this submission ? Sorry that v1 never left my inbox.
On 12/5/22 9:03 AM, Cengiz Can wrote: > On 05/12/2022 18:51, Tim Gardner wrote: >> Do you really think patches 1-6 are necessary ? That is a lot of code >> churn for what is ultimately a couple of 'if' checks. > > Well it certainly isn't ideal. At first I wanted to just apply half of > the fix. That didn't feel right. Then I ended up pulling each and every > one of the dependencies. Then it got out of hand. > > You are right. It's too much. > > I'll send a v3. > >> >> What are the v2 changes with this submission ? > > Sorry that v1 never left my inbox. > Terminating this thread
[Impact] There are use-after-free vulnerabilities in the Linux kernel’s net/bluetooth/ l2cap_core.c’s l2cap_connect and l2cap_le_connect_req functions which may allow code execution and leaking kernel memory (respectively) remotely via Bluetooth. A remote attacker could execute code leaking kernel memory via Bluetooth if within proximity of the victim. [Fix] There are no 5.4 backports of commit 711f8c3fb3db ("Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM") yet. Actual fix is achieved by following commits: - "Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm" - "Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM" Others are there to make the cherry pick clean for those fixes. [Test case] Compile, boot and basic functionality tested. There are two public PoCs but neither produce understandable results. (Basic functionality test: l2test from bluez package, ran with USB and PCI bluetooth transceivers). [Potential regression] Unknown. Although all patches except the last two have been in stable and upstream for quite a while, it's still hard to predict what might break. Luiz Augusto von Dentz (7): Bluetooth: L2CAP: Derive MPS from connection MTU Bluetooth: L2CAP: Derive rx credits from MTU and MPS Bluetooth: Fix not initializing L2CAP tx_credits Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode Bluetooth: L2CAP: Add definitions for Enhanced Credit Based Mode Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm Mallikarjun Phulari (1): Bluetooth: Use separate L2CAP LE credit based connection result values include/net/bluetooth/l2cap.h | 63 +++- net/bluetooth/l2cap_core.c | 647 +++++++++++++++++++++++++++++++--- net/bluetooth/l2cap_sock.c | 23 +- 3 files changed, 671 insertions(+), 62 deletions(-) -- 2.37.2