From patchwork Fri Jan 20 03:58:38 2023
X-Patchwork-Submitter: Cengiz Can
X-Patchwork-Id: 1729264
From: Cengiz Can
To: kernel-team@lists.ubuntu.com
Subject: [SRU Bionic, OEM-5.14, HWE-5.17 1/1] Bluetooth: L2CAP: Fix attempting to access uninitialized memory
Date: Fri, 20 Jan 2023 06:58:38 +0300
Message-Id: <20230120035838.46635-2-cengiz.can@canonical.com>
In-Reply-To: <20230120035838.46635-1-cengiz.can@canonical.com>
References: <20230120035838.46635-1-cengiz.can@canonical.com>
List-Id: Kernel team discussions

From: Luiz Augusto von Dentz

On l2cap_parse_conf_req the variable efs is only initialized if remote_efs has been set.

CVE: CVE-2022-42895
CC: stable@vger.kernel.org
Reported-by: Tamás Koczka
Signed-off-by: Luiz Augusto von Dentz
Reviewed-by: Tedd Ho-Jeong An

CVE-2022-42895
(cherry picked from commit b1a2cd50c0357f243b7435a732b4e62ba3157a2e)
Signed-off-by: Cengiz Can
---
 net/bluetooth/l2cap_core.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index 0c8fa65a0a8a..578714013972 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c @@ -3737,7 +3737,8 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), (unsigned long) &rfc, endptr - ptr); - if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) { + if (remote_efs && + test_bit(FLAG_EFS_ENABLE, &chan->flags)) { chan->remote_id = efs.id; chan->remote_stype = efs.stype; chan->remote_msdu = le16_to_cpu(efs.msdu);
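
Review bot: The new `if (remote_efs && test_bit(FLAG_EFS_ENABLE, &chan->flags))` condition only guards the reads of `efs.id`, `efs.stype` and `efs.msdu` in this one branch; per the commit message `efs` itself is still uninitialized whenever `remote_efs` is not set, so any other read of it, now or added later, would bring the problem back. Consider also zero-initializing `efs` at its declaration (outside the visible context) as defence in depth, or noting in the commit message why the guard alone is sufficient. The commit message would also be easier to assess for the SRU if it said where the uninitialized values ended up (the hunk shows them copied into `chan->remote_id`, `chan->remote_stype` and `chan->remote_msdu`). Since a single hunk at offset 3737 is submitted for Bionic, OEM-5.14 and HWE-5.17, please confirm the cherry-pick applies with this context on each tree.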