authorSalvatore Bonaccorso <carnil@debian.org>2022-11-05 09:24:30 +0100
committerSalvatore Bonaccorso <carnil@debian.org>2022-11-05 09:25:03 +0100
commita2bcff6d96352df202a0bbeef645a2d7d18e0614 (patch)
tree260425e3c2ec9f441cd9272f82f5215b67ee941f
parent386d043b9b412bb9f27e3dd968796947efbded19 (diff)
downloadlinux-debian-a2bcff6d96352df202a0bbeef645a2d7d18e0614.tar.gz
Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM (CVE-2022-42896)
-rw-r--r--debian/changelog2
-rw-r--r--debian/patches/bugfix/all/Bluetooth-L2CAP-Fix-accepting-connection-request-for.patch71
-rw-r--r--debian/patches/series1
3 files changed, 74 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 234f163a1..ac32cd4be 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -182,6 +182,8 @@ linux (6.0.7-1) UNRELEASED; urgency=medium
* wifi: ath11k: avoid deadlock during regulatory update in
ath11k_regd_update() (Closes: #1023329)
* Bump ABI to 3 (Fixes FTBFS on arm64 and armhf) (Closes: #1023298)
+ * Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM
+ (CVE-2022-42896)
-- Salvatore Bonaccorso <carnil@debian.org> Thu, 03 Nov 2022 12:34:11 +0100
diff --git a/debian/patches/bugfix/all/Bluetooth-L2CAP-Fix-accepting-connection-request-for.patch b/debian/patches/bugfix/all/Bluetooth-L2CAP-Fix-accepting-connection-request-for.patch
new file mode 100644
index 000000000..1e05c1a5c
--- /dev/null
+++ b/debian/patches/bugfix/all/Bluetooth-L2CAP-Fix-accepting-connection-request-for.patch
@@ -0,0 +1,71 @@
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Mon, 31 Oct 2022 16:10:32 -0700
+Subject: Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/711f8c3fb3db61897080468586b970c87c61d9e4
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-42896
+
+The Bluetooth spec states that the valid range for SPSM is from
+0x0001-0x00ff so it is invalid to accept values outside of this range:
+
+ BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
+ page 1059:
+ Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
+
+CVE: CVE-2022-42896
+CC: stable@vger.kernel.org
+Reported-by: Tamás Koczka <poprdi@google.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Reviewed-by: Tedd Ho-Jeong An <tedd.an@intel.com>
+---
+ net/bluetooth/l2cap_core.c | 25 +++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 1fbe087d6ae4..3eee915fb245 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -5813,6 +5813,19 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
+ BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
+ scid, mtu, mps);
+
++ /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
++ * page 1059:
++ *
++ * Valid range: 0x0001-0x00ff
++ *
++ * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
++ */
++ if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) {
++ result = L2CAP_CR_LE_BAD_PSM;
++ chan = NULL;
++ goto response;
++ }
++
+ /* Check if we have socket listening on psm */
+ pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
+ &conn->hcon->dst, LE_LINK);
+@@ -6001,6 +6014,18 @@ static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn,
+
+ psm = req->psm;
+
++ /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
++ * page 1059:
++ *
++ * Valid range: 0x0001-0x00ff
++ *
++ * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
++ */
++ if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) {
++ result = L2CAP_CR_LE_BAD_PSM;
++ goto response;
++ }
++
+ BT_DBG("psm 0x%2.2x mtu %u mps %u", __le16_to_cpu(psm), mtu, mps);
+
+ memset(&pdu, 0, sizeof(pdu));
+--
+2.38.1
+
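Review bot: In the l2cap_ecred_conn_req hunk (`@@ -6001,6 +6014,18 @@`) the new `goto response` for a rejected SPSM jumps over the `memset(&pdu, 0, sizeof(pdu));` that follows the BT_DBG line, so the on-stack `pdu` reaches the `response:` label (outside the hunk) with every field other than `rsp.result` still uninitialized unless that label fills them all before `l2cap_send_cmd`; if it only sets the result, the rejection reply sent to the peer carries stack bytes. Moving `memset(&pdu, 0, sizeof(pdu));` ahead of the parameter checks closes this independently of how `response:` is written, and any pre-existing early `goto response` above the hunk would benefit from the same move. The l2cap_le_connect_req hunk is fine in this respect since it explicitly sets `chan = NULL` for its response path. Both enclosing functions start and end outside their hunks.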
diff --git a/debian/patches/series b/debian/patches/series
index d3ca53839..1b8fe8433 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -100,6 +100,7 @@ features/all/db-mok-keyring/KEYS-Make-use-of-platform-keyring-for-module-signatu
# Security fixes
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
debian/ntfs-mark-it-as-broken.patch
+bugfix/all/Bluetooth-L2CAP-Fix-accepting-connection-request-for.patch
# Fix exported symbol versions
bugfix/all/module-disable-matching-missing-version-crc.patch