ACK: [SRU][X][PATCH 0/1] CVE-2022-49909
Edoardo Canepa
edoardo.canepa at canonical.com
Tue Jun 10 06:34:14 UTC 2025
On 19/05/25 15:19, Massimiliano Pellizzer wrote:
> https://ubuntu.com/security/CVE-2022-49909
>
> [ Impact ]
>
> Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del()
>
> When l2cap_recv_frame() is invoked to receive data, and the cid is
> L2CAP_CID_A2MP, if the channel does not exist, it will create a channel.
> However, after a channel is created, the hold operation of the channel
> is not performed. In this case, the value of channel reference counting
> is 1. As a result, after hci_error_reset() is triggered, l2cap_conn_del()
> invokes the close hook function of A2MP to release the channel. Then
> l2cap_chan_unlock(chan) will trigger a UAF issue.
>
> [ Fix ]
>
> Bionic: Fixed via upstream stable updates (LP: #2003596)
> Xenial: Cherry picked from mainline
> Trusty: Not affected
>
> [ Test Plan ]
>
> Compile tested only
>
> [ Where Problems Could Occur ]
>
> A regression here is unlikely due to the very limited scope
> of the patch.
> _______________________________________________
> Canonical-kernel-esm mailing list -- canonical-kernel-esm at lists.canonical.com
Acked-by: Edoardo Canepa <edoardo.canepa at canonical.com>
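For readers following the reference-counting argument in the quoted description, here is an added userspace model of the pattern, written for this page and not taken from the kernel or from the patch under review. It stands in for l2cap_chan_hold()/l2cap_chan_put() and l2cap_chan_lock()/l2cap_chan_unlock() with simplified functions of the same shape (chan_hold, chan_put, chan_lock, chan_unlock); the pool-backed "free" that only clears a live flag, the close hook that drops the creation reference, and the two-step teardown (close hook, then unlock) are assumptions made so the misuse can be observed instead of corrupting memory. It shows the sequence the description names, a channel created with refcount 1 and locked without a hold, being released inside the close hook and then touched by the unlock, next to the same sequence with the hold in place.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model: a small pool of channel objects. "Freeing" clears the
 * live flag but keeps the memory, so a touch after free can be counted. */
#define CHAN_POOL 4

struct chan {
    int refcnt;
    int locked;
    int live;      /* 0 once the last reference is dropped ("freed") */
    int uaf_hits;  /* touches after free; a real kernel would corrupt memory */
};

static struct chan pool[CHAN_POOL];

/* Models channel creation: the object starts out owning one reference. */
static struct chan *chan_create(void)
{
    for (int i = 0; i < CHAN_POOL; i++) {
        if (!pool[i].live) {
            memset(&pool[i], 0, sizeof pool[i]);
            pool[i].refcnt = 1;
            pool[i].live = 1;
            return &pool[i];
        }
    }
    return NULL;
}

/* Every operation on a freed object is recorded as a use-after-free. */
static void chan_hold(struct chan *c)
{
    if (!c->live) { c->uaf_hits++; return; }
    c->refcnt++;
}

static void chan_put(struct chan *c)
{
    if (!c->live) { c->uaf_hits++; return; }
    if (--c->refcnt == 0)
        c->live = 0;  /* last reference gone: object is "freed" here */
}

static void chan_lock(struct chan *c)
{
    if (!c->live) { c->uaf_hits++; return; }
    c->locked = 1;
}

static void chan_unlock(struct chan *c)
{
    if (!c->live) { c->uaf_hits++; return; }
    c->locked = 0;
}

/* Assumed close hook: releases the reference the channel got at creation. */
static void close_hook(struct chan *c)
{
    chan_put(c);
}

/* Buggy sequence: the receive path locks the new channel without taking
 * its own reference, so the close hook drops the only one. Returns the
 * number of touches after free (expected 1: the unlock). */
static int run_without_hold(void)
{
    struct chan *c = chan_create();
    chan_lock(c);
    close_hook(c);   /* refcnt 1 -> 0: freed while still locked */
    chan_unlock(c);  /* operates on a freed channel */
    return c->uaf_hits;
}

/* Fixed sequence: hold before locking, put only after the last use.
 * Returns the number of touches after free (expected 0). */
static int run_with_hold(void)
{
    struct chan *c = chan_create();
    chan_hold(c);    /* refcnt 2: the receive path owns a reference */
    chan_lock(c);
    close_hook(c);   /* refcnt 2 -> 1: object stays live */
    chan_unlock(c);  /* safe */
    chan_put(c);     /* refcnt 1 -> 0: freed after the last use */
    return c->uaf_hits;
}

int main(void)
{
    printf("without hold: %d use(s) after free\n", run_without_hold());
    printf("with hold:    %d use(s) after free\n", run_with_hold());
    return 0;
}
```

The rule the model illustrates is the usual one for kernel reference counting: any path that locks an object and then calls into a hook that may drop a reference must own a reference of its own across the whole lock/unlock window. In a real kernel the buggy sequence would show up as a KASAN use-after-free report on the unlock, not as a counter.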