[SRU Focal v2 0/4] CVE-2022-42896

Cengiz Can cengiz.can at canonical.com
Sat Dec 3 18:40:43 UTC 2022 

[Impact]
There are use-after-free vulnerabilities in the Linux kernel’s net/bluetooth/
l2cap_core.c’s l2cap_connect and l2cap_le_connect_req functions which may allow
code execution and leaking kernel memory (respectively) remotely via Bluetooth.
A remote attacker could execute code leaking kernel memory via Bluetooth if
within proximity of the victim.

[Fix]
Actual fix is achieved by following commits:

- "Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm"
- "Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM"

There are no <= 5.4 backports of commit 711f8c3fb3db ("Bluetooth: L2CAP: Fix
accepting connection request for invalid SPSM") yet. So I had to pick 2 other
patches in order to make the cherry pick clean for those fixes.

Among these dependency commits, commit 15f02b910562 ("Bluetooth: L2CAP: Add 
initial code for Enhanced Credit Based Mode") had to be backported.

Changes are minor and only in `l2cap_sock.c` `l2cap_sock_setsockopt_old`. 

We already had an `if (err < 0)` check there and 15f02b910562 introduces a 
BT_DBG on that line. So I looked up to upstream and decided to keep both.

[Test case]
Compile, boot and basic functionality tested. There are two public PoCs
but neither produce understandable results. (Basic functionality test:
l2test from bluez package, ran with USB and PCI bluetooth transceivers).

[Potential regression]
Unknown. Although all patches except the last two have been in stable and
upstream for quite a while, it's still hard to predict what might break.

Luiz Augusto von Dentz (4):
  Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode
  Bluetooth: L2CAP: Add definitions for Enhanced Credit Based Mode
  Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM
  Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm

 include/net/bluetooth/l2cap.h |  43 +++
 net/bluetooth/l2cap_core.c    | 572 +++++++++++++++++++++++++++++++++-
 net/bluetooth/l2cap_sock.c    |  24 +-
 3 files changed, 618 insertions(+), 21 deletions(-)

-- 
2.37.2

More information about the kernel-team mailing list