Message ID | 20221202181017.405052-1-cengiz.can@canonical.com |
---|---|
Series | CVE-2022-42896 |
On 12/2/22 11:10 AM, Cengiz Can wrote:
> [Impact]
> There are use-after-free vulnerabilities in the Linux kernel’s net/bluetooth/
> l2cap_core.c’s l2cap_connect and l2cap_le_connect_req functions which may allow
> code execution and leaking kernel memory (respectively) remotely via Bluetooth.
> A remote attacker could execute code leaking kernel memory via Bluetooth if
> within proximity of the victim.
>
> [Fix]
> Clean cherry picks from upstream. Note that 2nd patch in the series was
> not exactly tagged as a fix but was suggested as a complementing fix by
> https://github.com/google/security-research/security/advisories/GHSA-pf87-6c9q-jvm4
>
> [Test case]
> Compile, boot and basic functionality tested. There are two public PoCs
> but neither produces understandable results.
>
> [Potential regression]
> Low. Patches only add validation checks.
>
> Luiz Augusto von Dentz (2):
>   Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM
>   Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm
>
>  net/bluetooth/l2cap_core.c | 27 ++++++++++++++++++++++++++-
>  1 file changed, 26 insertions(+), 1 deletion(-)
>

Acked-by: Tim Gardner <tim.gardner@canonical.com>

Couldn't this have been a 2 patch series since both are clean cherry picks?

rtg
On 05/12/2022 16:49, Tim Gardner wrote:
> Acked-by: Tim Gardner <tim.gardner@canonical.com>
>
> Couldn't this have been a 2 patch series since both are clean cherry picks?

I wasn't sure if the line/context would be the same since there are at least 40 lines of offset there. Previously I assumed that would be OK but I got bit by it on a different submission.

Next time I'll re-re-apply my patch and test if it's indeed applicable to different trees.

Thanks!
On 2.12.2022 at 20.10, Cengiz Can wrote:
> [Impact]
> There are use-after-free vulnerabilities in the Linux kernel’s net/bluetooth/
> l2cap_core.c’s l2cap_connect and l2cap_le_connect_req functions which may allow
> code execution and leaking kernel memory (respectively) remotely via Bluetooth.
> A remote attacker could execute code leaking kernel memory via Bluetooth if
> within proximity of the victim.
>
> [Fix]
> Clean cherry picks from upstream. Note that 2nd patch in the series was
> not exactly tagged as a fix but was suggested as a complementing fix by
> https://github.com/google/security-research/security/advisories/GHSA-pf87-6c9q-jvm4
>
> [Test case]
> Compile, boot and basic functionality tested. There are two public PoCs
> but neither produces understandable results.
>
> [Potential regression]
> Low. Patches only add validation checks.
>
> Luiz Augusto von Dentz (2):
>   Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM
>   Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm
>
>  net/bluetooth/l2cap_core.c | 27 ++++++++++++++++++++++++++-
>  1 file changed, 26 insertions(+), 1 deletion(-)
>

applied to oem-kernels, thanks.
On 02.12.22 19:10, Cengiz Can wrote:
> [Impact]
> There are use-after-free vulnerabilities in the Linux kernel’s net/bluetooth/
> l2cap_core.c’s l2cap_connect and l2cap_le_connect_req functions which may allow
> code execution and leaking kernel memory (respectively) remotely via Bluetooth.
> A remote attacker could execute code leaking kernel memory via Bluetooth if
> within proximity of the victim.
>
> [Fix]
> Clean cherry picks from upstream. Note that 2nd patch in the series was
> not exactly tagged as a fix but was suggested as a complementing fix by
> https://github.com/google/security-research/security/advisories/GHSA-pf87-6c9q-jvm4
>
> [Test case]
> Compile, boot and basic functionality tested. There are two public PoCs
> but neither produces understandable results.
>
> [Potential regression]
> Low. Patches only add validation checks.
>
> Luiz Augusto von Dentz (2):
>   Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM
>   Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm
>
>  net/bluetooth/l2cap_core.c | 27 ++++++++++++++++++++++++++-
>  1 file changed, 26 insertions(+), 1 deletion(-)
>

With fixing up the CVE mention in patch #1 and attempting to apply the K series to all (depending on outcome, make the cherry pick a backport).

Acked-by: Stefan Bader <stefan.bader@canonical.com>
On 02.12.22 19:10, Cengiz Can wrote:
> [Impact]
> There are use-after-free vulnerabilities in the Linux kernel’s net/bluetooth/
> l2cap_core.c’s l2cap_connect and l2cap_le_connect_req functions which may allow
> code execution and leaking kernel memory (respectively) remotely via Bluetooth.
> A remote attacker could execute code leaking kernel memory via Bluetooth if
> within proximity of the victim.
>
> [Fix]
> Clean cherry picks from upstream. Note that 2nd patch in the series was
> not exactly tagged as a fix but was suggested as a complementing fix by
> https://github.com/google/security-research/security/advisories/GHSA-pf87-6c9q-jvm4
>
> [Test case]
> Compile, boot and basic functionality tested. There are two public PoCs
> but neither produces understandable results.
>
> [Potential regression]
> Low. Patches only add validation checks.
>
> Luiz Augusto von Dentz (2):
>   Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM
>   Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm
>
>  net/bluetooth/l2cap_core.c | 27 ++++++++++++++++++++++++++-
>  1 file changed, 26 insertions(+), 1 deletion(-)
>

For Jammy/5.15, patch #1 was already applied via v5.15.78, which had an additional fixup:

  Bluetooth: L2CAP: Fix build errors in some archs

Applied to jammy:linux/master-next and jammy:linux-hwe-5.17/hwe-5.17-next.

Thanks.
-Stefan
Patch "Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM" was already applied in the Kinetic upstream stable patchset 2022-12-15.

The other patch was applied cleanly to kinetic:linux master-next.

Thanks!
- Luke

On Fri, Dec 2, 2022 at 11:21 PM Cengiz Can <cengiz.can@canonical.com> wrote:
> [Impact]
> There are use-after-free vulnerabilities in the Linux kernel’s net/bluetooth/
> l2cap_core.c’s l2cap_connect and l2cap_le_connect_req functions which may allow
> code execution and leaking kernel memory (respectively) remotely via Bluetooth.
> A remote attacker could execute code leaking kernel memory via Bluetooth if
> within proximity of the victim.
>
> [Fix]
> Clean cherry picks from upstream. Note that 2nd patch in the series was
> not exactly tagged as a fix but was suggested as a complementing fix by
> https://github.com/google/security-research/security/advisories/GHSA-pf87-6c9q-jvm4
>
> [Test case]
> Compile, boot and basic functionality tested. There are two public PoCs
> but neither produces understandable results.
>
> [Potential regression]
> Low. Patches only add validation checks.
>
> Luiz Augusto von Dentz (2):
>   Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM
>   Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm
>
>  net/bluetooth/l2cap_core.c | 27 ++++++++++++++++++++++++++-
>  1 file changed, 26 insertions(+), 1 deletion(-)
>
> --
> 2.37.2
>
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
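The cover letter says the two patches "only add validation checks", and the commit titles name what those checks are: rejecting a connection request that carries an invalid SPSM, and changing what l2cap_global_chan_by_psm is allowed to return. The following is an added illustration written for this page by the editor; it is not kernel code, not code from the patches, and not from the thread. It models both checks on a constructed in-memory channel table so the effect of each can be seen side by side. The SPSM range 0x0001-0x00ff is the LE credit-based connection SPSM range from the Bluetooth Core Specification; the result-code values, the struct layout, the function names and the idea that fixed channels must be skipped in a PSM lookup are this example's own assumptions, chosen to mirror the upstream commit titles rather than taken from this page.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed range for an LE credit-based connection SPSM (Core Spec,
 * L2CAP_LE_CREDIT_BASED_CONNECTION_REQ): 0x0001-0x00ff. Names are ours. */
#define SPSM_LE_MIN     0x0001
#define SPSM_LE_DYN_END 0x00ff

/* Assumed result codes, modelled on the L2CAP LE connection result field. */
enum le_conn_result { LE_CR_SUCCESS = 0x0000, LE_CR_BAD_PSM = 0x0002 };

enum chan_type { CHAN_CONN_ORIENTED, CHAN_FIXED };

struct chan {
	uint16_t       psm;       /* fixed channels carry no PSM; we store 0 */
	enum chan_type type;
	bool           listening; /* stands in for "state == BT_LISTEN" */
};

/* Constructed channel table: one fixed channel (think of a fixed CID such
 * as ATT, psm 0), one LE listener on SPSM 0x0080, one non-listening channel. */
static const struct chan sample_chans[] = {
	{ .psm = 0x0000, .type = CHAN_FIXED,         .listening = true  },
	{ .psm = 0x0080, .type = CHAN_CONN_ORIENTED, .listening = true  },
	{ .psm = 0x0081, .type = CHAN_CONN_ORIENTED, .listening = false },
};
#define SAMPLE_CHANS_LEN (sizeof(sample_chans) / sizeof(sample_chans[0]))

/* Check 1: the SPSM must be in range before any lookup is attempted. */
bool le_spsm_is_valid(uint16_t psm)
{
	return psm >= SPSM_LE_MIN && psm <= SPSM_LE_DYN_END;
}

/* Lookup as a PSM-only match would do it: a request with psm == 0 matches
 * the fixed channel, because that entry also carries psm 0. Returns the
 * table index or -1. */
int lookup_before_fix(uint16_t psm)
{
	for (size_t i = 0; i < SAMPLE_CHANS_LEN; i++) {
		const struct chan *c = &sample_chans[i];
		if (c->listening && c->psm == psm)
			return (int)i;
	}
	return -1;
}

/* Check 2: fixed channels are never connected by PSM, so a PSM lookup
 * must skip them regardless of the psm value they happen to carry. */
int lookup_after_fix(uint16_t psm)
{
	for (size_t i = 0; i < SAMPLE_CHANS_LEN; i++) {
		const struct chan *c = &sample_chans[i];
		if (c->type == CHAN_FIXED)
			continue;
		if (c->listening && c->psm == psm)
			return (int)i;
	}
	return -1;
}

/* Request handler with both checks: reject an out-of-range SPSM first,
 * then look for a listening connection-oriented channel on that SPSM. */
int handle_le_connect_req(uint16_t psm)
{
	if (!le_spsm_is_valid(psm))
		return LE_CR_BAD_PSM;
	return lookup_after_fix(psm) >= 0 ? LE_CR_SUCCESS : LE_CR_BAD_PSM;
}

int main(void)
{
	const uint16_t probes[] = { 0x0000, 0x0080, 0x0081, 0x0100 };
	for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
		uint16_t psm = probes[i];
		printf("spsm 0x%04x: before=%d after=%d result=0x%04x\n", psm,
		       lookup_before_fix(psm), lookup_after_fix(psm),
		       handle_le_connect_req(psm));
	}
	return 0;
}
```

The interesting probe is psm 0x0000: the PSM-only lookup hands back the fixed channel (index 0), which is exactly the kind of object a connection request handler has no business touching, while the range check alone already refuses the request and the fixed-channel skip refuses it a second time even if the range check were missing. Having both checks is what makes the second patch a "complementing fix" rather than a duplicate.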