ACK: [SRU Bionic/Focal v3 0/2] CVE-2022-42896
Tim Gardner
tim.gardner at canonical.com
Tue Dec 6 13:57:48 UTC 2022
On 12/6/22 6:17 AM, Cengiz Can wrote:
> [Impact]
> There are use-after-free vulnerabilities in the Linux kernel’s net/bluetooth/
> l2cap_core.c’s l2cap_connect and l2cap_le_connect_req functions which may allow
> code execution and leaking kernel memory (respectively) remotely via Bluetooth.
> A remote attacker could execute code leaking kernel memory via Bluetooth if
> within proximity of the victim.
>
> [Fix]
> Actual fix is achieved by following commits:
>
> - "Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm"
> - "Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM"
>
> [Test case]
> Compile, boot and basic functionality tested. There are two public PoCs
> but neither produce understandable results. (Basic functionality test:
> l2test from bluez package, ran with USB and PCI bluetooth transceivers).
>
> [Potential regression]
> Low. Fixes only add extra checks.
>
> [Changes in v3]
> - Dropped unnecessary dependency patches.
> - (Focal only) Used L2CAP_CR_BAD_PSM instead of L2CAP_CR_LE_BAD_PSM as return
> value.
>
> Luiz Augusto von Dentz (2):
> Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM
> Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm
>
> net/bluetooth/l2cap_core.c | 15 ++++++++++++++-
> 1 file changed, 14 insertions(+), 1 deletion(-)
>
Acked-by: Tim Gardner <tim.gardner at canonical.com>
--
-----------
Tim Gardner
Canonical, Inc
More information about the kernel-team
mailing list