NAK: [SRU Focal v2 0/4] CVE-2022-42896

Tim Gardner tim.gardner at canonical.com
Tue Dec 6 16:17:17 UTC 2022 

On 12/3/22 11:40 AM, Cengiz Can wrote:
> [Impact]
> There are use-after-free vulnerabilities in the Linux kernel’s net/bluetooth/
> l2cap_core.c’s l2cap_connect and l2cap_le_connect_req functions which may allow
> code execution and leaking kernel memory (respectively) remotely via Bluetooth.
> A remote attacker could execute code leaking kernel memory via Bluetooth if
> within proximity of the victim.
> 
> [Fix]
> Actual fix is achieved by following commits:
> 
> - "Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm"
> - "Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM"
> 
> There are no <= 5.4 backports of commit 711f8c3fb3db ("Bluetooth: L2CAP: Fix
> accepting connection request for invalid SPSM") yet. So I had to pick 2 other
> patches in order to make the cherry pick clean for those fixes.
> 
> Among these dependency commits, commit 15f02b910562 ("Bluetooth: L2CAP: Add
> initial code for Enhanced Credit Based Mode") had to be backported.
> 
> Changes are minor and only in `l2cap_sock.c` `l2cap_sock_setsockopt_old`.
> 
> We already had an `if (err < 0)` check there and 15f02b910562 introduces a
> BT_DBG on that line. So I looked up to upstream and decided to keep both.
> 
> [Test case]
> Compile, boot and basic functionality tested. There are two public PoCs
> but neither produce understandable results. (Basic functionality test:
> l2test from bluez package, ran with USB and PCI bluetooth transceivers).
> 
> [Potential regression]
> Unknown. Although all patches except the last two have been in stable and
> upstream for quite a while, it's still hard to predict what might break.
> 
> Luiz Augusto von Dentz (4):
>    Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode
>    Bluetooth: L2CAP: Add definitions for Enhanced Credit Based Mode
>    Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM
>    Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm
> 
>   include/net/bluetooth/l2cap.h |  43 +++
>   net/bluetooth/l2cap_core.c    | 572 +++++++++++++++++++++++++++++++++-
>   net/bluetooth/l2cap_sock.c    |  24 +-
>   3 files changed, 618 insertions(+), 21 deletions(-)
> 

Capping off this thread
-- 
-----------
Tim Gardner
Canonical, Inc

More information about the kernel-team mailing list