| Message ID | 20221202181017.405052-2-cengiz.can@canonical.com |
|---|---|
| State | New |
| Headers | show |
| Series | [SRU,Kinetic,1/2] Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM | expand |
On Fri, Dec 02, 2022 at 09:10:16PM +0300, Cengiz Can wrote: > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > > The Bluetooth spec states that the valid range for SPSM is from > 0x0001-0x00ff so it is invalid to accept values outside of this range: > > BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A > page 1059: > Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges > > CVE: CVE-2022-42896 > CC: stable@vger.kernel.org > Reported-by: Tamás Koczka <poprdi@google.com> > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > Reviewed-by: Tedd Ho-Jeong An <tedd.an@intel.com> > (cherry picked from commit 711f8c3fb3db61897080468586b970c87c61d9e4) You still need the CVE line here. I don't think our changelog machinery understands the line above. Cascardo. > Signed-off-by: Cengiz Can <cengiz.can@canonical.com> > --- > net/bluetooth/l2cap_core.c | 25 +++++++++++++++++++++++++ > 1 file changed, 25 insertions(+) > > diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c > index 0fc30664249b..375ab8fa3bcf 100644 > --- a/net/bluetooth/l2cap_core.c > +++ b/net/bluetooth/l2cap_core.c > @@ -5812,6 +5812,19 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn, > BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm), > scid, mtu, mps); > > + /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A > + * page 1059: > + * > + * Valid range: 0x0001-0x00ff > + * > + * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges > + */ > + if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) { > + result = L2CAP_CR_LE_BAD_PSM; > + chan = NULL; > + goto response; > + } > + > /* Check if we have socket listening on psm */ > pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src, > &conn->hcon->dst, LE_LINK); > @@ -6000,6 +6013,18 @@ static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn, > > psm = req->psm; > > + /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A > + * page 1059: > + * > + * Valid range: 0x0001-0x00ff > + * > + * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges > + */ > + if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) { > + result = L2CAP_CR_LE_BAD_PSM; > + goto response; > + } > + > BT_DBG("psm 0x%2.2x mtu %u mps %u", __le16_to_cpu(psm), mtu, mps); > > memset(&pdu, 0, sizeof(pdu)); > -- > 2.37.2 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team
On 05/12/2022 16:55, Thadeu Lima de Souza Cascardo wrote: >> CVE: CVE-2022-42896 >> CC: stable@vger.kernel.org >> Reported-by: Tamás Koczka <poprdi@google.com> >> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> >> Reviewed-by: Tedd Ho-Jeong An <tedd.an@intel.com> >> (cherry picked from commit 711f8c3fb3db61897080468586b970c87c61d9e4) > > You still need the CVE line here. I don't think our changelog machinery > understands the line above. I wasn't sure about that. Thank you. > > Cascardo. >
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index 0fc30664249b..375ab8fa3bcf 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c @@ -5812,6 +5812,19 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn, BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm), scid, mtu, mps); + /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A + * page 1059: + * + * Valid range: 0x0001-0x00ff + * + * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges + */ + if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) { + result = L2CAP_CR_LE_BAD_PSM; + chan = NULL; + goto response; + } + /* Check if we have socket listening on psm */ pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src, &conn->hcon->dst, LE_LINK); @@ -6000,6 +6013,18 @@ static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn, psm = req->psm; + /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A + * page 1059: + * + * Valid range: 0x0001-0x00ff + * + * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges + */ + if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) { + result = L2CAP_CR_LE_BAD_PSM; + goto response; + } + BT_DBG("psm 0x%2.2x mtu %u mps %u", __le16_to_cpu(psm), mtu, mps); memset(&pdu, 0, sizeof(pdu));