APPLIED: [SRU][J/F][J:PATCH 0/4 F:PATCH 0/5] CVE-2024-35963, CVE-2024-35965, CVE-2024-35966, CVE-2024-35967
Stefan Bader
stefan.bader at canonical.com
Mon Nov 11 10:35:48 UTC 2024
On 28.10.24 08:58, Koichiro Den wrote:
> [Impact]
>
> These CVEs originated from the same patch series (no cover letter):
> [PATCH v2 1/5] Bluetooth: SCO: Fix not validating setsockopt user input
> (https://lore.kernel.org/all/20240405204827.3458726-1-luiz.dentz@gmail.com/)
>
> Note that Jammy and Focal are not affected by CVE-2024-35964
> due to missing commit ccf74f2390d6 ("Bluetooth: Add BTPROTO_ISO socket type").
>
> [Backport]
>
> For Focal, I opted not to backport the entire patch series
> "get rid of the address_space override in setsockopt v2"
> (https://lore.kernel.org/all/20200723060908.50081-1-hch@lst.de/)
> as prerequisite since the regression risk would be higher due to
> extensive changes to the generic network subsystem. Additionally, the
> broad scope of set_fs() removal makes partial backporting potentially
> problematic if it would impact various subsystems. Instead, I introduced
> bt_copy_from_user(), tailored for the pre-sockptr_t code base, ensuring
> that changes remain minimal and concise for those CVEs.
>
> [Fix]
>
> Noble: fixed via stable
> Jammy: Backport - see more details in each commit's provenance
> Focal: Backport - see more details in each commit's provenance
> Bionic: fix sent to esm ML
> Xenial: fix sent to esm ML
> Trusty: won't fix
>
> [Test Case]
>
> - Compile tested
> - Smatch tested on the changed files (with amd64 generic config)
>
> [Where problems could occur]
>
> These fixes affect those who use BlueTooth L2CAP/RFCOMM/SCO/HCI sockets
> and does setsockopt(2) against them. Should there be any regression, it
> would be visible to the user via unpredicted system or network behavior.
>
>
> [Shortlog and diffstat for Jammy]
>
> Luiz Augusto von Dentz (4):
> Bluetooth: SCO: Fix not validating setsockopt user input
> Bluetooth: RFCOMM: Fix not validating setsockopt user input
> Bluetooth: L2CAP: Fix not validating setsockopt user input
> Bluetooth: hci_sock: Fix not validating setsockopt user input
>
> include/net/bluetooth/bluetooth.h | 9 ++++++
> net/bluetooth/hci_sock.c | 16 ++++------
> net/bluetooth/l2cap_sock.c | 52 ++++++++++++-------------------
> net/bluetooth/rfcomm/sock.c | 14 +++------
> net/bluetooth/sco.c | 19 +++++------
> 5 files changed, 48 insertions(+), 62 deletions(-)
>
> [Shortlog and diffstat for Focal]
>
> Dan Carpenter (1):
> Bluetooth: L2CAP: uninitialized variables in l2cap_sock_setsockopt()
>
> Luiz Augusto von Dentz (4):
> Bluetooth: SCO: Fix not validating setsockopt user input
> Bluetooth: RFCOMM: Fix not validating setsockopt user input
> Bluetooth: L2CAP: Fix not validating setsockopt user input
> Bluetooth: hci_sock: Fix not validating setsockopt user input
>
> include/net/bluetooth/bluetooth.h | 9 ++++++
> net/bluetooth/hci_sock.c | 16 ++++------
> net/bluetooth/l2cap_sock.c | 50 +++++++++++++------------------
> net/bluetooth/rfcomm/sock.c | 14 ++++-----
> net/bluetooth/sco.c | 14 ++++-----
> 5 files changed, 46 insertions(+), 57 deletions(-)
>
>
Applied to jammy,focal:linux/master-next. Thanks.
-Stefan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 48643 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20241111/fb830619/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20241111/fb830619/attachment-0001.sig>
More information about the kernel-team
mailing list