mbox series

[SRU,Bionic/Focal,v3,0/2] CVE-2022-42896

Message ID 20221206131752.153365-1-cengiz.can@canonical.com
Headers show
Series CVE-2022-42896 | expand

Message

Cengiz Can Dec. 6, 2022, 1:17 p.m. UTC
[Impact]
There are use-after-free vulnerabilities in the Linux kernel’s net/bluetooth/
l2cap_core.c’s l2cap_connect and l2cap_le_connect_req functions which may allow
code execution and leaking kernel memory (respectively) remotely via Bluetooth.
A remote attacker could execute code leaking kernel memory via Bluetooth if
within proximity of the victim.

[Fix]
Actual fix is achieved by following commits:

- "Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm"
- "Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM"

[Test case]
Compile, boot and basic functionality tested. There are two public PoCs
but neither produce understandable results. (Basic functionality test:
l2test from bluez package, ran with USB and PCI bluetooth transceivers).

[Potential regression]
Low. Fixes only add extra checks.

[Changes in v3]
- Dropped unnecessary dependency patches.
- (Focal only) Used L2CAP_CR_BAD_PSM instead of L2CAP_CR_LE_BAD_PSM as return 
value.

Luiz Augusto von Dentz (2):
  Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM
  Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm

 net/bluetooth/l2cap_core.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

Comments

Tim Gardner Dec. 6, 2022, 1:57 p.m. UTC | #1
On 12/6/22 6:17 AM, Cengiz Can wrote:
> [Impact]
> There are use-after-free vulnerabilities in the Linux kernel’s net/bluetooth/
> l2cap_core.c’s l2cap_connect and l2cap_le_connect_req functions which may allow
> code execution and leaking kernel memory (respectively) remotely via Bluetooth.
> A remote attacker could execute code leaking kernel memory via Bluetooth if
> within proximity of the victim.
> 
> [Fix]
> Actual fix is achieved by following commits:
> 
> - "Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm"
> - "Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM"
> 
> [Test case]
> Compile, boot and basic functionality tested. There are two public PoCs
> but neither produce understandable results. (Basic functionality test:
> l2test from bluez package, ran with USB and PCI bluetooth transceivers).
> 
> [Potential regression]
> Low. Fixes only add extra checks.
> 
> [Changes in v3]
> - Dropped unnecessary dependency patches.
> - (Focal only) Used L2CAP_CR_BAD_PSM instead of L2CAP_CR_LE_BAD_PSM as return
> value.
> 
> Luiz Augusto von Dentz (2):
>    Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM
>    Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm
> 
>   net/bluetooth/l2cap_core.c | 15 ++++++++++++++-
>   1 file changed, 14 insertions(+), 1 deletion(-)
> 
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Stefan Bader Dec. 13, 2022, 8:37 a.m. UTC | #2
On 06.12.22 14:17, Cengiz Can wrote:
> [Impact]
> There are use-after-free vulnerabilities in the Linux kernel’s net/bluetooth/
> l2cap_core.c’s l2cap_connect and l2cap_le_connect_req functions which may allow
> code execution and leaking kernel memory (respectively) remotely via Bluetooth.
> A remote attacker could execute code leaking kernel memory via Bluetooth if
> within proximity of the victim.
> 
> [Fix]
> Actual fix is achieved by following commits:
> 
> - "Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm"
> - "Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM"
> 
> [Test case]
> Compile, boot and basic functionality tested. There are two public PoCs
> but neither produce understandable results. (Basic functionality test:
> l2test from bluez package, ran with USB and PCI bluetooth transceivers).
> 
> [Potential regression]
> Low. Fixes only add extra checks.
> 
> [Changes in v3]
> - Dropped unnecessary dependency patches.
> - (Focal only) Used L2CAP_CR_BAD_PSM instead of L2CAP_CR_LE_BAD_PSM as return
> value.
> 
> Luiz Augusto von Dentz (2):
>    Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM
>    Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm
> 
>   net/bluetooth/l2cap_core.c | 15 ++++++++++++++-
>   1 file changed, 14 insertions(+), 1 deletion(-)
> 
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Luke Nowakowski-Krijger Jan. 5, 2023, 3:51 a.m. UTC | #3
Applied to bionic linux master-next

Thanks!

- Luke

On Tue, Dec 6, 2022 at 5:19 AM Cengiz Can <cengiz.can@canonical.com> wrote:

> [Impact]
> There are use-after-free vulnerabilities in the Linux kernel’s
> net/bluetooth/
> l2cap_core.c’s l2cap_connect and l2cap_le_connect_req functions which may
> allow
> code execution and leaking kernel memory (respectively) remotely via
> Bluetooth.
> A remote attacker could execute code leaking kernel memory via Bluetooth if
> within proximity of the victim.
>
> [Fix]
> Actual fix is achieved by following commits:
>
> - "Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm"
> - "Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM"
>
> [Test case]
> Compile, boot and basic functionality tested. There are two public PoCs
> but neither produce understandable results. (Basic functionality test:
> l2test from bluez package, ran with USB and PCI bluetooth transceivers).
>
> [Potential regression]
> Low. Fixes only add extra checks.
>
> [Changes in v3]
> - Dropped unnecessary dependency patches.
> - (Focal only) Used L2CAP_CR_BAD_PSM instead of L2CAP_CR_LE_BAD_PSM as
> return
> value.
>
> Luiz Augusto von Dentz (2):
>   Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM
>   Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm
>
>  net/bluetooth/l2cap_core.c | 15 ++++++++++++++-
>  1 file changed, 14 insertions(+), 1 deletion(-)
>
> --
> 2.37.2
>
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
>