2022-10-31 23:13:14

by Luiz Augusto von Dentz

Subject: [PATCH 1/2] Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM

From: Luiz Augusto von Dentz <[email protected]>

The Bluetooth spec states that the valid range for SPSM is from
0x0001-0x00ff so it is invalid to accept values outside of this range:

BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
page 1059:
Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges

CVE: CVE-2022-42896
CC: [email protected]
Reported-by: Tamás Koczka <[email protected]>
Signed-off-by: Luiz Augusto von Dentz <[email protected]>
---
net/bluetooth/l2cap_core.c | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index ef725ed41303..2978a34ea33f 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -5813,6 +5813,19 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
scid, mtu, mps);

+ /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
+ * page 1059:
+ *
+ * Valid range: 0x0001-0x00ff
+ *
+ * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
+ */
+ if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) {
+ result = L2CAP_CR_LE_BAD_PSM;
+ chan = NULL;
+ goto response;
+ }
+
/* Check if we have socket listening on psm */
pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
&conn->hcon->dst, LE_LINK);
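Review bot: the `!psm` half of `if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END)` is the part that protects the lookup right below it; `l2cap_global_chan_by_psm(BT_LISTEN, psm, ...)` is still handed the raw wire value, so rejecting 0 before the call is what keeps a channel that never registered a PSM from being matched. Two suggestions for this hunk: the identical comment block and condition appear again in `l2cap_ecred_conn_req`, so a small helper (something like `l2cap_le_psm_valid(psm)`) would keep the spec reference and the range in one place; and since `chan = NULL` must be set by hand before `goto response`, a one-line comment stating that the response path copes with a NULL chan would spare the next reader a trip to the label.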
@@ -6001,6 +6014,18 @@ static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn,

psm = req->psm;

+ /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
+ * page 1059:
+ *
+ * Valid range: 0x0001-0x00ff
+ *
+ * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
+ */
+ if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) {
+ result = L2CAP_CR_LE_BAD_PSM;
+ goto response;
+ }
+
BT_DBG("psm 0x%2.2x mtu %u mps %u", __le16_to_cpu(psm), mtu, mps);

memset(&pdu, 0, sizeof(pdu));
--
2.37.3



2022-10-31 23:13:43

by Luiz Augusto von Dentz

Subject: [PATCH 2/2] Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm

From: Luiz Augusto von Dentz <[email protected]>

l2cap_global_chan_by_psm shall not return fixed channels as they are not
meant to be connected by (S)PSM.

Signed-off-by: Luiz Augusto von Dentz <[email protected]>
---
net/bluetooth/l2cap_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 2978a34ea33f..cdddd2c779f2 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -1990,7 +1990,7 @@ static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
continue;

- if (c->psm == psm) {
+ if (c->chan_type != L2CAP_CHAN_FIXED && c->psm == psm) {
int src_match, dst_match;
int src_any, dst_any;

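Review bot: folding the new test into `if (c->chan_type != L2CAP_CHAN_FIXED && c->psm == psm)` buries an exclusion inside the match condition, whereas this loop already expresses exclusions as early `continue` (see `if (link_type == LE_LINK && c->src_type == BDADDR_BREDR) continue;` just above); `if (c->chan_type == L2CAP_CHAN_FIXED) continue;` placed next to it would read the same way and leave the psm comparison untouched. This hunk is the second, independent guard for the problem 1/2 addresses (a fixed channel, which has no (S)PSM of its own, must never be handed back to a connection request), and it protects every caller of `l2cap_global_chan_by_psm`, not only the two LE handlers patched in 1/2, so it deserves the same `CC: [email protected]` (and a `Fixes:` tag) as 1/2 so that backports pick up both halves together.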
--
2.37.3
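
Read together, the two patches describe a two-layer fix: refuse any SPSM outside 0x0001-0x00ff before a listener lookup happens (1/2), and never let the PSM lookup hand back a fixed channel (2/2). The model below is an added example written for this page; it is not kernel code and not part of the series. Its listener table, struct and function names (struct chan, chan_by_psm, le_conn) are made up, and it assumes, as a modelling choice, that a fixed channel registers no PSM and so leaves that field at 0. The L2CAP_LE_CREDIT_BASED_CONNECTION_REQ layout, signalling code and result codes follow the Core Specification v5.3, Vol 3, Part A. Each of the two flags on le_conn() switches one patch on or off, so the same SPSM 0 request can be watched matching the fixed channel with neither fix applied and being refused with either one.

```c
/*
 * Added example, not kernel code and not from this patch series: a small
 * user-space model of an L2CAP_LE_CREDIT_BASED_CONNECTION_REQ handler that
 * shows why both fixes matter. Names below are this example's own;
 * constants follow the Bluetooth Core Specification v5.3, Vol 3, Part A.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define L2CAP_LE_CONN_REQ      0x14   /* signalling code of the request */
#define L2CAP_CR_LE_SUCCESS    0x0000 /* response result: connection successful */
#define L2CAP_CR_LE_BAD_PSM    0x0002 /* response result: SPSM not supported */
#define L2CAP_PSM_LE_DYN_END   0x00ff /* Table 4.15: valid SPSM is 0x0001-0x00ff */

enum chan_type { CHAN_FIXED, CHAN_CONN_ORIENTED };

struct chan {
	enum chan_type type;
	uint16_t psm;        /* assumption: fixed channels register no PSM, so 0 */
	uint16_t cid;
	const char *name;
};

/* Constructed listener table: one fixed channel plus one real LE listener. */
static struct chan listeners[] = {
	{ CHAN_FIXED,         0x0000, 0x0004, "ATT fixed channel" },
	{ CHAN_CONN_ORIENTED, 0x0080, 0x0000, "listener on SPSM 0x0080" },
};

/* Payload fields of the request, in wire order, after the 4-byte header. */
struct le_conn_req { uint16_t psm, scid, mtu, mps, credits; };

struct outcome {
	int result;               /* -1 for a malformed PDU, else a result code */
	const struct chan *chan;  /* listener selected, NULL when refused */
};

static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void put_le16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }

/* Emit code, identifier, length, then the five little-endian fields. */
static size_t build_le_conn_req(uint8_t *buf, const struct le_conn_req *r)
{
	buf[0] = L2CAP_LE_CONN_REQ;
	buf[1] = 1;             /* identifier, arbitrary for the model */
	put_le16(buf + 2, 10);  /* payload length: five 16-bit fields */
	put_le16(buf + 4, r->psm);
	put_le16(buf + 6, r->scid);
	put_le16(buf + 8, r->mtu);
	put_le16(buf + 10, r->mps);
	put_le16(buf + 12, r->credits);
	return 14;
}

/* Reject anything that is not a complete, correctly sized request. */
static bool parse_le_conn_req(const uint8_t *pdu, size_t len, struct le_conn_req *out)
{
	if (len < 4 || pdu[0] != L2CAP_LE_CONN_REQ)
		return false;
	if (get_le16(pdu + 2) != 10 || len < 14)
		return false;
	out->psm = get_le16(pdu + 4);
	out->scid = get_le16(pdu + 6);
	out->mtu = get_le16(pdu + 8);
	out->mps = get_le16(pdu + 10);
	out->credits = get_le16(pdu + 12);
	return true;
}

/* The check patch 1/2 adds: SPSM must lie within 0x0001-0x00ff. */
static bool spsm_valid(uint16_t psm)
{
	return psm != 0 && psm <= L2CAP_PSM_LE_DYN_END;
}

/* Lookup in the shape of l2cap_global_chan_by_psm; skip_fixed is patch 2/2. */
static const struct chan *chan_by_psm(uint16_t psm, bool skip_fixed)
{
	for (size_t i = 0; i < sizeof(listeners) / sizeof(listeners[0]); i++) {
		if (skip_fixed && listeners[i].type == CHAN_FIXED)
			continue;
		if (listeners[i].psm == psm)
			return &listeners[i];
	}
	return NULL;
}

/* Build, parse and handle a request carrying 'psm' with each fix on or off. */
static struct outcome le_conn(uint16_t psm, bool range_check, bool skip_fixed)
{
	uint8_t pdu[14];
	struct le_conn_req req = { psm, 0x0040, 23, 23, 1 }, parsed;
	struct outcome o = { -1, NULL };
	size_t len = build_le_conn_req(pdu, &req);

	if (!parse_le_conn_req(pdu, len, &parsed))
		return o;
	if (range_check && !spsm_valid(parsed.psm)) {
		o.result = L2CAP_CR_LE_BAD_PSM;
		return o;
	}
	o.chan = chan_by_psm(parsed.psm, skip_fixed);
	o.result = o.chan ? L2CAP_CR_LE_SUCCESS : L2CAP_CR_LE_BAD_PSM;
	return o;
}

int main(void)
{
	struct outcome o = le_conn(0x0000, false, false);
	printf("SPSM 0, no fixes:   result 0x%04x, chan %s\n", o.result,
	       o.chan ? o.chan->name : "none");
	o = le_conn(0x0000, true, false);
	printf("SPSM 0, patch 1/2:  result 0x%04x\n", o.result);
	o = le_conn(0x0000, false, true);
	printf("SPSM 0, patch 2/2:  result 0x%04x\n", o.result);
	o = le_conn(0x0080, true, true);
	printf("SPSM 0x80, both:    result 0x%04x, chan %s\n", o.result, o.chan->name);
	return 0;
}
```

Build with `cc -Wall example.c`. The first line of output is the pre-fix behaviour: an SPSM of 0 selects the fixed channel, which is exactly the object a connection request must never be given; either fix on its own turns that into a BAD_PSM refusal, and an in-range SPSM still reaches the real listener with both fixes on.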


2022-11-01 00:23:48

by bluez.test.bot

Subject: RE: [1/2] Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM

This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=690674

---Test result---

Test Summary:
CheckPatch                       PASS     2.61 seconds
GitLint                          PASS     1.53 seconds
SubjectPrefix                    PASS     1.27 seconds
BuildKernel                      PASS    33.98 seconds
BuildKernel32                    PASS    30.91 seconds
Incremental Build with patches   PASS    52.58 seconds
TestRunner: Setup                PASS   511.82 seconds
TestRunner: l2cap-tester         PASS    17.23 seconds
TestRunner: iso-tester           PASS    16.10 seconds
TestRunner: bnep-tester          PASS     6.36 seconds
TestRunner: mgmt-tester          PASS   103.63 seconds
TestRunner: rfcomm-tester        PASS    10.15 seconds
TestRunner: sco-tester           PASS     9.48 seconds
TestRunner: ioctl-tester         PASS    10.63 seconds
TestRunner: mesh-tester          PASS     7.82 seconds
TestRunner: smp-tester           PASS     9.52 seconds
TestRunner: userchan-tester      PASS     6.52 seconds



---
Regards,
Linux Bluetooth

2022-11-01 19:11:23

by Tedd Ho-Jeong An

Subject: Re: [PATCH 1/2] Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM

Hi Luiz,

On Mon, 2022-10-31 at 16:10 -0700, Luiz Augusto von Dentz wrote:
> From: Luiz Augusto von Dentz <[email protected]>
>
> The Bluetooth spec states that the valid range for SPSM is from
> 0x0001-0x00ff so it is invalid to accept values outside of this range:
>
>   BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
>   page 1059:
>   Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
>
> CVE: CVE-2022-42896
> CC: [email protected]
> Reported-by: Tamás Koczka <[email protected]>

Reviewed-by: Tedd Ho-Jeong An <[email protected]>

> Signed-off-by: Luiz Augusto von Dentz <[email protected]>
> ---
>  net/bluetooth/l2cap_core.c | 25 +++++++++++++++++++++++++
>  1 file changed, 25 insertions(+)
>
> diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
> index ef725ed41303..2978a34ea33f 100644
> --- a/net/bluetooth/l2cap_core.c
> +++ b/net/bluetooth/l2cap_core.c
> @@ -5813,6 +5813,19 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
>         BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
>                scid, mtu, mps);
>  
> +       /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
> +        * page 1059:
> +        *
> +        * Valid range: 0x0001-0x00ff
> +        *
> +        * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
> +        */
> +       if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) {
> +               result = L2CAP_CR_LE_BAD_PSM;
> +               chan = NULL;
> +               goto response;
> +       }
> +
>         /* Check if we have socket listening on psm */
>         pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
>                                          &conn->hcon->dst, LE_LINK);
> @@ -6001,6 +6014,18 @@ static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn,
>  
>         psm  = req->psm;
>  
> +       /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
> +        * page 1059:
> +        *
> +        * Valid range: 0x0001-0x00ff
> +        *
> +        * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
> +        */
> +       if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) {
> +               result = L2CAP_CR_LE_BAD_PSM;
> +               goto response;
> +       }
> +
>         BT_DBG("psm 0x%2.2x mtu %u mps %u", __le16_to_cpu(psm), mtu, mps);
>  
>         memset(&pdu, 0, sizeof(pdu));

Regards,
Tedd

2022-11-01 20:54:09

by patchwork-bot+bluetooth

Subject: Re: [PATCH 1/2] Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM

Hello:

This series was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <[email protected]>:

On Mon, 31 Oct 2022 16:10:32 -0700 you wrote:
> From: Luiz Augusto von Dentz <[email protected]>
>
> The Bluetooth spec states that the valid range for SPSM is from
> 0x0001-0x00ff so it is invalid to accept values outside of this range:
>
> BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
> page 1059:
> Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
>
> [...]

Here is the summary with links:
- [1/2] Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM
https://git.kernel.org/bluetooth/bluetooth-next/c/a0978378c152
- [2/2] Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm
https://git.kernel.org/bluetooth/bluetooth-next/c/6bdbca3c41e4

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html