From patchwork Sat Dec 10 03:21:10 2022
X-Patchwork-Submitter: Cengiz Can
X-Patchwork-Id: 1714354
From: Cengiz Can
To: kernel-team@lists.ubuntu.com
Subject: [SRU Bionic/Focal/OEM-5.14/Jammy/HWE-5.17/Kinetic 1/1] Bluetooth: L2CAP: Fix u8 overflow
Date: Sat, 10 Dec 2022 06:21:10 +0300
Message-Id: <20221210032110.111051-2-cengiz.can@canonical.com>
In-Reply-To: <20221210032110.111051-1-cengiz.can@canonical.com>
References: <20221210032110.111051-1-cengiz.can@canonical.com>
List-Id: Kernel team discussions
From: Sungwoo Kim

By repeatedly sending L2CAP_CONF_REQ packets, chan->num_conf_rsp increases
multiple times and eventually it will wrap around the maximum number (i.e.,
255).

This patch prevents this by adding a boundary check with L2CAP_MAX_CONF_RSP.

Btmon log:
Bluetooth monitor ver 5.64
= Note: Linux version 6.1.0-rc2 (x86_64)                               0.264594
= Note: Bluetooth subsystem version 2.22                               0.264636
@ MGMT Open: btmon (privileged) version 1.22                  {0x0001} 0.272191
= New Index: 00:00:00:00:00:00 (Primary,Virtual,hci0)           [hci0] 13.877604
@ RAW Open: 9496 (privileged) version 2.22                    {0x0002} 13.890741
= Open Index: 00:00:00:00:00:00                                 [hci0] 13.900426
(...)
> ACL Data RX: Handle 200 flags 0x00 dlen 1033            #32 [hci0] 14.273106
      invalid packet size (12 != 1033)
      08 00 01 00 02 01 04 00 01 10 ff ff                        ............
> ACL Data RX: Handle 200 flags 0x00 dlen 1547            #33 [hci0] 14.273561
      invalid packet size (14 != 1547)
      0a 00 01 00 04 01 06 00 40 00 00 00 00 00                  ........@.....
> ACL Data RX: Handle 200 flags 0x00 dlen 2061            #34 [hci0] 14.274390
      invalid packet size (16 != 2061)
      0c 00 01 00 04 01 08 00 40 00 00 00 00 00 00 04            ........@.......
> ACL Data RX: Handle 200 flags 0x00 dlen 2061            #35 [hci0] 14.274932
      invalid packet size (16 != 2061)
      0c 00 01 00 04 01 08 00 40 00 00 00 07 00 03 00            ........@.......
= bluetoothd: Bluetooth daemon 5.43                                   14.401828
> ACL Data RX: Handle 200 flags 0x00 dlen 1033            #36 [hci0] 14.275753
      invalid packet size (12 != 1033)
      08 00 01 00 04 01 04 00 40 00 00 00                        ........@...

Signed-off-by: Sungwoo Kim
Signed-off-by: Luiz Augusto von Dentz
CVE-2022-45934
(cherry picked from commit bcd70260ef56e0aee8a4fc6cd214a419900b0765)
Signed-off-by: Cengiz Can
---
 net/bluetooth/l2cap_core.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 0fc30664249b..2d50cc9ab9b0 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -4451,7 +4451,8 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, chan->ident = cmd->ident; l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp); - chan->num_conf_rsp++; + if (chan->num_conf_rsp < L2CAP_CONF_MAX_CONF_RSP) + chan->num_conf_rsp++; /* Reset config buffer. */ chan->conf_len = 0;
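Review bot: the commit message says the boundary check uses L2CAP_MAX_CONF_RSP, but the added `if (chan->num_conf_rsp < L2CAP_CONF_MAX_CONF_RSP)` compares against L2CAP_CONF_MAX_CONF_RSP; align the message with the macro the hunk actually uses so readers are not sent looking for a second constant. It would also help to say in the message that the counter now saturates at the limit rather than the request being refused: the `l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);` context line above the change still answers every request, so the fix only stops the u8 from wrapping back below the limit.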
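To make the failure mode in the commit message concrete, here is an added example (not code from the kernel or from this patch) that models the u8 num_conf_rsp counter and runs the same number of configuration requests through the pre-patch unconditional increment and the patched bounded increment. The struct, the handler functions and run_conf_reqs are hypothetical simplifications; the value of L2CAP_CONF_MAX_CONF_RSP is assumed to match the upstream header (which defines it as 2), and limit_reached stands in for a guard of the kind such a counter exists to support.

```c
/* Added example, not kernel code: models the u8 counter wrap that
 * CVE-2022-45934 describes and the saturating increment the patch adds. */
#include <stdint.h>
#include <stdio.h>

/* Assumed to match include/net/bluetooth/l2cap.h, which defines it as 2. */
#define L2CAP_CONF_MAX_CONF_RSP 2

/* Hypothetical stand-in for the fields of struct l2cap_chan we care about. */
struct chan_state {
	uint8_t num_conf_rsp;	/* same width as the kernel field: wraps at 256 */
};

/* Pre-patch behaviour: every config request bumps the counter unconditionally. */
static void count_rsp_unbounded(struct chan_state *chan)
{
	chan->num_conf_rsp++;
}

/* Patched behaviour: stop incrementing once the limit has been reached. */
static void count_rsp_bounded(struct chan_state *chan)
{
	if (chan->num_conf_rsp < L2CAP_CONF_MAX_CONF_RSP)
		chan->num_conf_rsp++;
}

/* Feed n config requests through the chosen handler; return the final counter. */
static unsigned int run_conf_reqs(unsigned int n,
				  void (*handler)(struct chan_state *))
{
	struct chan_state chan = { .num_conf_rsp = 0 };

	for (unsigned int i = 0; i < n; i++)
		handler(&chan);
	return chan.num_conf_rsp;
}

/* Hypothetical guard: would a ">= limit" check on this counter still fire? */
static int limit_reached(unsigned int num_conf_rsp)
{
	return num_conf_rsp >= L2CAP_CONF_MAX_CONF_RSP;
}

int main(void)
{
	unsigned int before = run_conf_reqs(256, count_rsp_unbounded);
	unsigned int after = run_conf_reqs(256, count_rsp_bounded);

	/* The unbounded counter has wrapped to 0, so a limit check no longer
	 * fires; the bounded counter stays pinned at the limit. */
	printf("unbounded after 256 requests: %u (limit check %s)\n",
	       before, limit_reached(before) ? "fires" : "bypassed");
	printf("bounded   after 256 requests: %u (limit check %s)\n",
	       after, limit_reached(after) ? "fires" : "bypassed");
	return 0;
}
```

The point the simulation makes is that the danger is not the large value but the wrap: once the u8 passes 255 it reads as 0 again, below any threshold compared against it, which is why clamping at the limit (rather than letting the value grow) is the fix.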