[SRU Focal 0/2] CVE-2022-42896

Cengiz Can cengiz.can at canonical.com
Fri Dec 2 18:19:21 UTC 2022


[Impact]
There are use-after-free vulnerabilities in the Linux kernel's
net/bluetooth/l2cap_core.c, in the l2cap_connect and l2cap_le_connect_req
functions, which may allow code execution and leaking kernel memory
(respectively) remotely via Bluetooth. A remote attacker within proximity of
the victim could execute code or leak kernel memory via Bluetooth.

[Fix]
There are no stable backports of commit 711f8c3fb3db ("Bluetooth: L2CAP: Fix 
accepting connection request for invalid SPSM") yet.

Since 5.4 doesn't have commit 15f02b910562 ("Bluetooth: L2CAP: Add initial code
for Enhanced Credit Based Mode"), the `l2cap_ecred_conn_req` changes cannot be
applied to our tree.

This shouldn't be a huge problem since disclosure[1] talks mainly about
`l2cap_le_connect_req` anyway.

Also note that the second patch in the series was not exactly tagged as a fix,
but was suggested as a complementing fix by the disclosure[1].

[1] https://github.com/google/security-research/security/advisories/GHSA-pf87-6c9q-jvm4
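As an added illustration (not the kernel's code and not part of the two patches themselves), a userspace model of the checks the series describes: an LE Credit Based Connection Request whose SPSM lies outside the spec's valid range 0x0001-0x00ff is refused with "SPSM not supported" before any channel lookup happens, and the lookup itself skips fixed channels. The result constants follow the Bluetooth Core spec values; the channel table, the PDU bytes and the use of 0x000c for a malformed PDU are constructed for this example, and the fixed-channel skip is my reading of the second patch's title.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* LE Credit Based Connection Request payload: five little-endian u16 fields. */
struct le_conn_req { uint16_t psm, scid, mtu, mps, credits; };

/* Result codes carried in the LE Credit Based Connection Response. */
#define CR_LE_SUCCESS        0x0000
#define CR_LE_BAD_PSM        0x0002  /* "SPSM not supported" */
#define CR_LE_INVALID_PARAMS 0x000c  /* reused here for a malformed PDU (assumption) */
#define LE_PSM_DYN_END       0x00ff  /* valid LE PSM range is 0x0001-0x00ff */

enum chan_type { CHAN_CONN_ORIENTED, CHAN_FIXED };
struct chan { uint16_t psm; enum chan_type type; };

/* Constructed listening-channel table standing in for the kernel's global list. */
static const struct chan chan_table[] = {
    { 0x0004, CHAN_FIXED },          /* fixed channel: never connectable by SPSM */
    { 0x0080, CHAN_CONN_ORIENTED },  /* a dynamic PSM some service listens on */
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

static bool parse_le_conn_req(const uint8_t *buf, size_t len, struct le_conn_req *r)
{
    if (len < 10) return false;      /* too short to hold all five fields */
    r->psm = le16(buf);     r->scid = le16(buf + 2);  r->mtu = le16(buf + 4);
    r->mps = le16(buf + 6); r->credits = le16(buf + 8);
    return true;
}

/* Lookup modelled on the second patch (as understood here): fixed channels are
 * skipped, so a request can never be matched against one. */
static const struct chan *chan_by_psm(uint16_t psm)
{
    for (size_t i = 0; i < sizeof chan_table / sizeof chan_table[0]; i++)
        if (chan_table[i].type != CHAN_FIXED && chan_table[i].psm == psm)
            return &chan_table[i];
    return NULL;
}

/* Handler modelled on the first patch: an out-of-range SPSM is refused before
 * any channel lookup or allocation happens. */
uint16_t handle_le_conn_req(const uint8_t *buf, size_t len)
{
    struct le_conn_req req;
    if (!parse_le_conn_req(buf, len, &req)) return CR_LE_INVALID_PARAMS;
    if (req.psm == 0 || req.psm > LE_PSM_DYN_END) return CR_LE_BAD_PSM;
    return chan_by_psm(req.psm) ? CR_LE_SUCCESS : CR_LE_BAD_PSM;
}
```

The point of ordering the range check first is that a rejected request never reaches the channel-allocation path where the original bug lived.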

[Test case]
Compile, boot and basic functionality tested. There are two public PoCs,
but neither produces understandable results.

[Potential regression]
Low. Patches only add validation checks.

Luiz Augusto von Dentz (2):
  Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM
  Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm

 net/bluetooth/l2cap_core.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

--
2.37.2