APPLIED[J/HWE-5.17]/Cmnt: [SRU OEM-5.14/Jammy/HWE-5.17/Kinetic 0/2] CVE-2022-42896
Stefan Bader
stefan.bader at canonical.com
Wed Dec 14 15:45:27 UTC 2022
On 02.12.22 19:10, Cengiz Can wrote:
> [Impact]
> There are use-after-free vulnerabilities in the Linux kernel’s
> net/bluetooth/l2cap_core.c’s l2cap_connect and l2cap_le_connect_req functions
> which may allow code execution and leaking kernel memory (respectively)
> remotely via Bluetooth.
> A remote attacker could execute code leaking kernel memory via Bluetooth if
> within proximity of the victim.
>
> [Fix]
> Clean cherry picks from upstream. Note that 2nd patch in the series was
> not exactly tagged as a fix but was suggested as a complementing fix by
> https://github.com/google/security-research/security/advisories/GHSA-pf87-6c9q-jvm4
>
> [Test case]
> Compile, boot and basic functionality tested. There are two public PoCs
> but neither produces understandable results.
>
> [Potential regression]
> Low. Patches only add validation checks.
>
> Luiz Augusto von Dentz (2):
>    Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM
>    Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm
>
>   net/bluetooth/l2cap_core.c | 27 ++++++++++++++++++++++++++-
>   1 file changed, 26 insertions(+), 1 deletion(-)
>

For Jammy/5.15 patch#1 was already applied via v5.15.78 which had an additional
fixup:
   Bluetooth: L2CAP: Fix build errors in some archs

Applied to jammy:linux/master-next jammy:linux-hwe-5.17/hwe-5.17-next. Thanks.

-Stefan