Message ID | 20221206131752.153365-1-cengiz.can@canonical.com
---|---
Series | CVE-2022-42896
On 12/6/22 6:17 AM, Cengiz Can wrote:
> [Impact]
> There are use-after-free vulnerabilities in the Linux kernel’s net/bluetooth/
> l2cap_core.c’s l2cap_connect and l2cap_le_connect_req functions which may allow
> code execution and leaking kernel memory (respectively) remotely via Bluetooth.
> A remote attacker could execute code leaking kernel memory via Bluetooth if
> within proximity of the victim.
>
> [Fix]
> Actual fix is achieved by following commits:
>
> - "Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm"
> - "Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM"
>
> [Test case]
> Compile, boot and basic functionality tested. There are two public PoCs
> but neither produce understandable results. (Basic functionality test:
> l2test from bluez package, ran with USB and PCI bluetooth transceivers).
>
> [Potential regression]
> Low. Fixes only add extra checks.
>
> [Changes in v3]
> - Dropped unnecessary dependency patches.
> - (Focal only) Used L2CAP_CR_BAD_PSM instead of L2CAP_CR_LE_BAD_PSM as return
>   value.
>
> Luiz Augusto von Dentz (2):
>   Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM
>   Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm
>
>  net/bluetooth/l2cap_core.c | 15 ++++++++++++++-
>  1 file changed, 14 insertions(+), 1 deletion(-)

Acked-by: Tim Gardner <tim.gardner@canonical.com>
On 06.12.22 14:17, Cengiz Can wrote:
> [Impact]
> There are use-after-free vulnerabilities in the Linux kernel’s net/bluetooth/
> l2cap_core.c’s l2cap_connect and l2cap_le_connect_req functions which may allow
> code execution and leaking kernel memory (respectively) remotely via Bluetooth.
> A remote attacker could execute code leaking kernel memory via Bluetooth if
> within proximity of the victim.
>
> [Fix]
> Actual fix is achieved by following commits:
>
> - "Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm"
> - "Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM"
>
> [Test case]
> Compile, boot and basic functionality tested. There are two public PoCs
> but neither produce understandable results. (Basic functionality test:
> l2test from bluez package, ran with USB and PCI bluetooth transceivers).
>
> [Potential regression]
> Low. Fixes only add extra checks.
>
> [Changes in v3]
> - Dropped unnecessary dependency patches.
> - (Focal only) Used L2CAP_CR_BAD_PSM instead of L2CAP_CR_LE_BAD_PSM as return
>   value.
>
> Luiz Augusto von Dentz (2):
>   Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM
>   Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm
>
>  net/bluetooth/l2cap_core.c | 15 ++++++++++++++-
>  1 file changed, 14 insertions(+), 1 deletion(-)

Acked-by: Stefan Bader <stefan.bader@canonical.com>
Applied to bionic linux master-next

Thanks!
- Luke

On Tue, Dec 6, 2022 at 5:19 AM Cengiz Can <cengiz.can@canonical.com> wrote:
> [Impact]
> There are use-after-free vulnerabilities in the Linux kernel’s net/bluetooth/
> l2cap_core.c’s l2cap_connect and l2cap_le_connect_req functions which may allow
> code execution and leaking kernel memory (respectively) remotely via Bluetooth.
> A remote attacker could execute code leaking kernel memory via Bluetooth if
> within proximity of the victim.
>
> [Fix]
> Actual fix is achieved by following commits:
>
> - "Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm"
> - "Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM"
>
> [Test case]
> Compile, boot and basic functionality tested. There are two public PoCs
> but neither produce understandable results. (Basic functionality test:
> l2test from bluez package, ran with USB and PCI bluetooth transceivers).
>
> [Potential regression]
> Low. Fixes only add extra checks.
>
> [Changes in v3]
> - Dropped unnecessary dependency patches.
> - (Focal only) Used L2CAP_CR_BAD_PSM instead of L2CAP_CR_LE_BAD_PSM as return
>   value.
>
> Luiz Augusto von Dentz (2):
>   Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM
>   Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm
>
>  net/bluetooth/l2cap_core.c | 15 ++++++++++++++-
>  1 file changed, 14 insertions(+), 1 deletion(-)
>
> --
> 2.37.2
>
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
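The cover letter quoted in the replies above says the fixes "only add extra checks", one of them rejecting a connection request that carries an invalid SPSM. The following user-space C program is an added example, not the kernel's code and not the patches under discussion: it models what such a guard looks like in the LE credit-based connection path, validating the SPSM of an LE Credit Based Connection Request before any listener lookup is done with it. The signalling code (0x14), the request layout, the LE PSM range (0x0001-0x007F fixed, 0x0080-0x00FF dynamic) and the "SPSM not supported" result (0x0002) are taken from the Bluetooth Core Specification (Vol 3, Part A); the listener table, the sample packets and all function names are constructed for this example, and the program does not model the channel lifetime handling that the use-after-free itself concerns.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Signalling code, result codes and the LE PSM range follow the Bluetooth
 * Core Spec (Vol 3, Part A: L2CAP). Everything else here is constructed for
 * this example; none of it is the kernel's code. */
#define L2CAP_LE_CONN_REQ   0x14   /* LE Credit Based Connection Request */
#define LE_CR_SUCCESS       0x0000 /* response result: connection successful */
#define LE_CR_BAD_PSM       0x0002 /* response result: SPSM not supported */
#define LE_PSM_MIN          0x0001 /* 0x0001-0x007F fixed, 0x0080-0x00FF dynamic */
#define LE_PSM_MAX          0x00FF
#define LE_HDR_LEN          4      /* code, identifier, 16-bit length */
#define LE_CONN_REQ_LEN     10     /* SPSM, SCID, MTU, MPS, initial credits */

struct le_conn_req {
    uint16_t psm, scid, mtu, mps, credits;
};

static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void put_le16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }

/* The guard the second commit title refers to: an SPSM outside the LE range
 * is refused before any channel lookup is attempted with it. */
bool le_psm_valid(uint16_t psm)
{
    return psm >= LE_PSM_MIN && psm <= LE_PSM_MAX;
}

/* Parse the code/ident/len header and the fixed-size request payload.
 * A short or mis-sized PDU is malformed; the kernel would answer such a
 * PDU with a Command Reject, not with a connection response. */
bool parse_le_conn_req(const uint8_t *pdu, size_t pdu_len, struct le_conn_req *out)
{
    if (pdu_len < LE_HDR_LEN || pdu[0] != L2CAP_LE_CONN_REQ)
        return false;
    if (get_le16(pdu + 2) != LE_CONN_REQ_LEN || pdu_len < LE_HDR_LEN + LE_CONN_REQ_LEN)
        return false;
    const uint8_t *p = pdu + LE_HDR_LEN;
    out->psm     = get_le16(p);
    out->scid    = get_le16(p + 2);
    out->mtu     = get_le16(p + 4);
    out->mps     = get_le16(p + 6);
    out->credits = get_le16(p + 8);
    return true;
}

/* Constructed stand-in for the kernel's list of listening LE channels:
 * only these dynamic SPSMs have a server behind them. */
static const uint16_t listening_psms[] = { 0x0080, 0x0081 };

static bool psm_has_listener(uint16_t psm)
{
    for (size_t i = 0; i < sizeof listening_psms / sizeof listening_psms[0]; i++)
        if (listening_psms[i] == psm)
            return true;
    return false;
}

/* Returns the result code for the connection response, or -1 when the PDU
 * is malformed and no connection response would be produced at all. */
int handle_le_conn_req(const uint8_t *pdu, size_t pdu_len)
{
    struct le_conn_req req;
    if (!parse_le_conn_req(pdu, pdu_len, &req))
        return -1;
    if (!le_psm_valid(req.psm))        /* the added range check */
        return LE_CR_BAD_PSM;
    if (!psm_has_listener(req.psm))    /* ordinary "nobody listening" refusal */
        return LE_CR_BAD_PSM;
    return LE_CR_SUCCESS;
}

/* Build a constructed request PDU with the minimum LE MTU/MPS (23) and one credit. */
size_t build_le_conn_req(uint8_t *buf, uint8_t ident, uint16_t psm, uint16_t scid)
{
    buf[0] = L2CAP_LE_CONN_REQ;
    buf[1] = ident;
    put_le16(buf + 2, LE_CONN_REQ_LEN);
    put_le16(buf + 4, psm);
    put_le16(buf + 6, scid);
    put_le16(buf + 8, 23);
    put_le16(buf + 10, 23);
    put_le16(buf + 12, 1);
    return LE_HDR_LEN + LE_CONN_REQ_LEN;
}

/* Outcome of a well-formed request carrying the given SPSM. */
int le_conn_result_for_psm(uint16_t psm)
{
    uint8_t buf[LE_HDR_LEN + LE_CONN_REQ_LEN];
    size_t n = build_le_conn_req(buf, 1, psm, 0x0040);
    return handle_le_conn_req(buf, n);
}

int main(void)
{
    /* 0x0080 listening; 0x0090 valid but unused; 0, 0x0100 and the BR/EDR-style
     * value 0x1001 are outside the LE range and never reach the lookup. */
    const uint16_t cases[] = { 0x0080, 0x0090, 0x0000, 0x0100, 0x1001 };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("SPSM 0x%04x -> result 0x%04x\n", cases[i], le_conn_result_for_psm(cases[i]));
    uint8_t truncated[8] = { L2CAP_LE_CONN_REQ, 1, LE_CONN_REQ_LEN, 0 };
    printf("truncated PDU -> %d\n", handle_le_conn_req(truncated, sizeof truncated));
    return 0;
}
```

The order matters: the range check sits in front of the listener lookup, so an out-of-range SPSM never becomes a lookup key and is answered with the same "SPSM not supported" code a caller would get for an unused PSM. On the naming point raised under [Changes in v3], the upstream header defines both L2CAP_CR_BAD_PSM and L2CAP_CR_LE_BAD_PSM with the value 0x0002, which is why the Focal backport can use the older name without changing the response on the wire.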