[SRU Bionic v2 0/8] CVE-2022-42896

Tim Gardner tim.gardner at canonical.com
Mon Dec 5 15:51:18 UTC 2022 

On 12/3/22 10:48 AM, Cengiz Can wrote:
> [Impact]
> There are use-after-free vulnerabilities in the Linux kernel’s net/bluetooth/
> l2cap_core.c’s l2cap_connect and l2cap_le_connect_req functions which may allow
> code execution and leaking kernel memory (respectively) remotely via Bluetooth.
> A remote attacker could execute code leaking kernel memory via Bluetooth if
> within proximity of the victim.
> 
> [Fix]
> There are no 5.4 backports of commit 711f8c3fb3db ("Bluetooth: L2CAP: Fix
> accepting connection request for invalid SPSM") yet.
> 
> Actual fix is achieved by following commits:
> 
> - "Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm"
> - "Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM"
> 
> Others are there to make the cherry pick clean for those fixes.
> 
> [Test case]
> Compile, boot and basic functionality tested. There are two public PoCs
> but neither produce understandable results. (Basic functionality test:
> l2test from bluez package, ran with USB and PCI bluetooth transceivers).
> 
> [Potential regression]
> Unknown. Although all patches except the last two have been in stable and
> upstream for quite a while, it's still hard to predict what might break.
> 
> Luiz Augusto von Dentz (7):
>    Bluetooth: L2CAP: Derive MPS from connection MTU
>    Bluetooth: L2CAP: Derive rx credits from MTU and MPS
>    Bluetooth: Fix not initializing L2CAP tx_credits
>    Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode
>    Bluetooth: L2CAP: Add definitions for Enhanced Credit Based Mode
>    Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM
>    Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm
> 
> Mallikarjun Phulari (1):
>    Bluetooth: Use separate L2CAP LE credit based connection result values
> 
>   include/net/bluetooth/l2cap.h |  63 +++-
>   net/bluetooth/l2cap_core.c    | 647 +++++++++++++++++++++++++++++++---
>   net/bluetooth/l2cap_sock.c    |  23 +-
>   3 files changed, 671 insertions(+), 62 deletions(-)
> 
> --
> 2.37.2
> 
> 

Do you really think patches 1-6 are necessary ? That is a lot of code 
churn for what is ultimately a couple of 'if' checks.

What are the v2 changes with this submission ?
-- 
-----------
Tim Gardner
Canonical, Inc

More information about the kernel-team mailing list