author | Salvatore Bonaccorso <carnil@debian.org> | 2022-11-05 09:24:30 +0100 |
committer | Salvatore Bonaccorso <carnil@debian.org> | 2022-11-05 09:25:03 +0100 |
commit | a2bcff6d96352df202a0bbeef645a2d7d18e0614 (patch) | |
tree | 260425e3c2ec9f441cd9272f82f5215b67ee941f | |
parent | 386d043b9b412bb9f27e3dd968796947efbded19 (diff) | |
Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM (CVE-2022-42896)
-rw-r--r-- | debian/changelog | 2 | ||||
-rw-r--r-- | debian/patches/bugfix/all/Bluetooth-L2CAP-Fix-accepting-connection-request-for.patch | 71 | ||||
-rw-r--r-- | debian/patches/series | 1 |
3 files changed, 74 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index 234f163a1..ac32cd4be 100644 --- a/debian/changelog +++ b/debian/changelog @@ -182,6 +182,8 @@ linux (6.0.7-1) UNRELEASED; urgency=medium * wifi: ath11k: avoid deadlock during regulatory update in ath11k_regd_update() (Closes: #1023329) * Bump ABI to 3 (Fixes FTBFS on arm64 and armhf) (Closes: #1023298) + * Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM + (CVE-2022-42896) -- Salvatore Bonaccorso <carnil@debian.org> Thu, 03 Nov 2022 12:34:11 +0100 diff --git a/debian/patches/bugfix/all/Bluetooth-L2CAP-Fix-accepting-connection-request-for.patch b/debian/patches/bugfix/all/Bluetooth-L2CAP-Fix-accepting-connection-request-for.patch new file mode 100644 index 000000000..1e05c1a5c --- /dev/null +++ b/debian/patches/bugfix/all/Bluetooth-L2CAP-Fix-accepting-connection-request-for.patch 
@@ -0,0 +1,71 @@
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Mon, 31 Oct 2022 16:10:32 -0700
+Subject: Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/711f8c3fb3db61897080468586b970c87c61d9e4
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-42896
+
+The Bluetooth spec states that the valid range for SPSM is from
+0x0001-0x00ff so it is invalid to accept values outside of this range:
+
+ BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
+ page 1059:
+ Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
+
+CVE: CVE-2022-42896
+CC: stable@vger.kernel.org
+Reported-by: Tamás Koczka <poprdi@google.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Reviewed-by: Tedd Ho-Jeong An <tedd.an@intel.com>
+---
+ net/bluetooth/l2cap_core.c | 25 +++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 1fbe087d6ae4..3eee915fb245 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -5813,6 +5813,19 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
+ BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
+ scid, mtu, mps);
+
++ /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
++ * page 1059:
++ *
++ * Valid range: 0x0001-0x00ff
++ *
++ * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
++ */
++ if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) {
++ result = L2CAP_CR_LE_BAD_PSM;
++ chan = NULL;
++ goto response;
++ }
++
+ /* Check if we have socket listening on psm */
+ pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
+ &conn->hcon->dst, LE_LINK);
+@@ -6001,6 +6014,18 @@ static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn,
+
+ psm = req->psm;
+
++ /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
++ * page 1059:
++ *
++ * Valid range: 0x0001-0x00ff
++ *
++ * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
++ */
++ if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) {
++ result = L2CAP_CR_LE_BAD_PSM;
++ goto response;
++ }
++
+ BT_DBG("psm 0x%2.2x mtu %u mps %u", __le16_to_cpu(psm), mtu, mps);
+
+ memset(&pdu, 0, sizeof(pdu));
+--
+2.38.1
+
diff --git a/debian/patches/series b/debian/patches/series
index d3ca53839..1b8fe8433 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -100,6 +100,7 @@ features/all/db-mok-keyring/KEYS-Make-use-of-platform-keyring-for-module-signatu
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 debian/ntfs-mark-it-as-broken.patch
+bugfix/all/Bluetooth-L2CAP-Fix-accepting-connection-request-for.patch
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch |
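Review bot: The two new guards are not symmetric: the l2cap_le_connect_req hunk sets `chan = NULL;` before `goto response;`, while the l2cap_ecred_conn_req hunk jumps with only `result = L2CAP_CR_LE_BAD_PSM;` assigned, so whether the `response:` path of the second function reads `chan` before any assignment cannot be confirmed from the hunk and should be checked against the full function (both functions start and end outside their hunks). Once verified, a short comment at the second guard such as `/* chan is not assigned yet; response: must not dereference it */` would record why the asymmetry is safe. The condition also mixes the raw little-endian `psm` in `!psm` with the converted value in the comparison; that is correct because zero is zero in either byte order, but `u16 spsm = __le16_to_cpu(psm);` followed by `if (!spsm || spsm > L2CAP_PSM_LE_DYN_END)` would read more plainly. Since this file is a verbatim backport of the origin commit, any such wording change belongs upstream rather than in the Debian copy.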