[SRU Bionic/Focal v3 0/2] CVE-2022-42896
Cengiz Can
cengiz.can at canonical.com
Tue Dec 6 13:17:49 UTC 2022
[Impact]
There are use-after-free vulnerabilities in the Linux kernel’s net/bluetooth/
l2cap_core.c’s l2cap_connect and l2cap_le_connect_req functions which may allow
code execution and leaking kernel memory (respectively) remotely via Bluetooth.
A remote attacker could execute code leaking kernel memory via Bluetooth if
within proximity of the victim.
[Fix]
Actual fix is achieved by following commits:
- "Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm"
- "Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM"
[Test case]
Compile, boot and basic functionality tested. There are two public PoCs
but neither produce understandable results. (Basic functionality test:
l2test from bluez package, ran with USB and PCI bluetooth transceivers).
[Potential regression]
Low. Fixes only add extra checks.
[Changes in v3]
- Dropped unnecessary dependency patches.
- (Focal only) Used L2CAP_CR_BAD_PSM instead of L2CAP_CR_LE_BAD_PSM as return
value.
Luiz Augusto von Dentz (2):
Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM
Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm
net/bluetooth/l2cap_core.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
--
2.37.2
More information about the kernel-team
mailing list