[SRU Bionic v2 0/8] CVE-2022-42896

[Cengiz Can]

[Impact]
There are use-after-free vulnerabilities in the Linux kernel’s net/bluetooth/
l2cap_core.c’s l2cap_connect and l2cap_le_connect_req functions which may allow
code execution and leaking kernel memory (respectively) remotely via Bluetooth.
A remote attacker could execute code leaking kernel memory via Bluetooth if
within proximity of the victim.

[Fix]
There are no 5.4 backports of commit 711f8c3fb3db ("Bluetooth: L2CAP: Fix
accepting connection request for invalid SPSM") yet.

Actual fix is achieved by following commits:

- "Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm"
- "Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM"

Others are there to make the cherry pick clean for those fixes.

[Test case]
Compile, boot and basic functionality tested. There are two public PoCs
but neither produce understandable results. (Basic functionality test:
l2test from bluez package, ran with USB and PCI bluetooth transceivers).

[Potential regression]
Unknown. Although all patches except the last two have been in stable and
upstream for quite a while, it's still hard to predict what might break.

Luiz Augusto von Dentz (7):
  Bluetooth: L2CAP: Derive MPS from connection MTU
  Bluetooth: L2CAP: Derive rx credits from MTU and MPS
  Bluetooth: Fix not initializing L2CAP tx_credits
  Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode
  Bluetooth: L2CAP: Add definitions for Enhanced Credit Based Mode
  Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM
  Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm

Mallikarjun Phulari (1):
  Bluetooth: Use separate L2CAP LE credit based connection result values

 include/net/bluetooth/l2cap.h |  63 +++-
 net/bluetooth/l2cap_core.c    | 647 +++++++++++++++++++++++++++++++---
 net/bluetooth/l2cap_sock.c    |  23 +-
 3 files changed, 671 insertions(+), 62 deletions(-)

--
2.37.2