From: Luiz Augusto von Dentz <[email protected]>
The Bluetooth spec states that the valid range for SPSM is from
0x0001-0x00ff so it is invalid to accept values outside of this range:
BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
page 1059:
Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
CVE: CVE-2022-42896
CC: [email protected]
Reported-by: Tamás Koczka <[email protected]>
Signed-off-by: Luiz Augusto von Dentz <[email protected]>
---
net/bluetooth/l2cap_core.c | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index ef725ed41303..2978a34ea33f 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -5813,6 +5813,19 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
scid, mtu, mps);
+ /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
+ * page 1059:
+ *
+ * Valid range: 0x0001-0x00ff
+ *
+ * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
+ */
+ if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) {
+ result = L2CAP_CR_LE_BAD_PSM;
+ chan = NULL;
+ goto response;
+ }
+
/* Check if we have socket listening on psm */
pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
&conn->hcon->dst, LE_LINK);
@@ -6001,6 +6014,18 @@ static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn,
psm = req->psm;
+ /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
+ * page 1059:
+ *
+ * Valid range: 0x0001-0x00ff
+ *
+ * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
+ */
+ if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) {
+ result = L2CAP_CR_LE_BAD_PSM;
+ goto response;
+ }
+
BT_DBG("psm 0x%2.2x mtu %u mps %u", __le16_to_cpu(psm), mtu, mps);
memset(&pdu, 0, sizeof(pdu));
--
2.37.3
From: Luiz Augusto von Dentz <[email protected]>
l2cap_global_chan_by_psm shall not return fixed channels as they are not
meant to be connected by (S)PSM.
Signed-off-by: Luiz Augusto von Dentz <[email protected]>
---
net/bluetooth/l2cap_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 2978a34ea33f..cdddd2c779f2 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -1990,7 +1990,7 @@ static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
continue;
- if (c->psm == psm) {
+ if (c->chan_type != L2CAP_CHAN_FIXED && c->psm == psm) {
int src_match, dst_match;
int src_any, dst_any;
--
2.37.3
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=690674
---Test result---
Test Summary:
CheckPatch PASS 2.61 seconds
GitLint PASS 1.53 seconds
SubjectPrefix PASS 1.27 seconds
BuildKernel PASS 33.98 seconds
BuildKernel32 PASS 30.91 seconds
Incremental Build with patchesPASS 52.58 seconds
TestRunner: Setup PASS 511.82 seconds
TestRunner: l2cap-tester PASS 17.23 seconds
TestRunner: iso-tester PASS 16.10 seconds
TestRunner: bnep-tester PASS 6.36 seconds
TestRunner: mgmt-tester PASS 103.63 seconds
TestRunner: rfcomm-tester PASS 10.15 seconds
TestRunner: sco-tester PASS 9.48 seconds
TestRunner: ioctl-tester PASS 10.63 seconds
TestRunner: mesh-tester PASS 7.82 seconds
TestRunner: smp-tester PASS 9.52 seconds
TestRunner: userchan-tester PASS 6.52 seconds
---
Regards,
Linux Bluetooth
Hi Luiz,
On Mon, 2022-10-31 at 16:10 -0700, Luiz Augusto von Dentz wrote:
> From: Luiz Augusto von Dentz <[email protected]>
>
> The Bluetooth spec states that the valid range for SPSM is from
> 0x0001-0x00ff so it is invalid to accept values outside of this range:
>
> BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
> page 1059:
> Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
>
> CVE: CVE-2022-42896
> CC: [email protected]
> Reported-by: Tamás Koczka <[email protected]>
Reviewed-by: Tedd Ho-Jeong An <[email protected]>
> Signed-off-by: Luiz Augusto von Dentz <[email protected]>
> ---
> net/bluetooth/l2cap_core.c | 25 +++++++++++++++++++++++++
> 1 file changed, 25 insertions(+)
>
> diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
> index ef725ed41303..2978a34ea33f 100644
> --- a/net/bluetooth/l2cap_core.c
> +++ b/net/bluetooth/l2cap_core.c
> @@ -5813,6 +5813,19 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
> BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
> scid, mtu, mps);
>
> + /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
> + * page 1059:
> + *
> + * Valid range: 0x0001-0x00ff
> + *
> + * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
> + */
> + if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) {
> + result = L2CAP_CR_LE_BAD_PSM;
> + chan = NULL;
> + goto response;
> + }
> +
> /* Check if we have socket listening on psm */
> pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
> &conn->hcon->dst, LE_LINK);
> @@ -6001,6 +6014,18 @@ static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn,
>
> psm = req->psm;
>
> + /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
> + * page 1059:
> + *
> + * Valid range: 0x0001-0x00ff
> + *
> + * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
> + */
> + if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) {
> + result = L2CAP_CR_LE_BAD_PSM;
> + goto response;
> + }
> +
> BT_DBG("psm 0x%2.2x mtu %u mps %u", __le16_to_cpu(psm), mtu, mps);
>
> memset(&pdu, 0, sizeof(pdu));
Regards,
Tedd
Hello:
This series was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <[email protected]>:
On Mon, 31 Oct 2022 16:10:32 -0700 you wrote:
> From: Luiz Augusto von Dentz <[email protected]>
>
> The Bluetooth spec states that the valid range for SPSM is from
> 0x0001-0x00ff so it is invalid to accept values outside of this range:
>
> BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
> page 1059:
> Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
>
> [...]
Here is the summary with links:
- [1/2] Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM
https://git.kernel.org/bluetooth/bluetooth-next/c/a0978378c152
- [2/2] Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm
https://git.kernel.org/bluetooth/bluetooth-next/c/6bdbca3c41e4
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html