2022-10-31 23:15:33

by Luiz Augusto von Dentz

Subject: [PATCH] Bluetooth: L2CAP: Fix attempting to access uninitialized memory

From: Luiz Augusto von Dentz <[email protected]>

On l2cap_parse_conf_req the variable efs is only initialized if
remote_efs has been set.

CVE: CVE-2022-42895
CC: [email protected]
Reported-by: Tamás Koczka <[email protected]>
Signed-off-by: Luiz Augusto von Dentz <[email protected]>
---
net/bluetooth/l2cap_core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index cdddd2c779f2..93802b27f2a5 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -3764,7 +3764,8 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data
l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
sizeof(rfc), (unsigned long) &rfc, endptr - ptr);

- if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
+ if (remote_efs &&
+ test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
chan->remote_id = efs.id;
chan->remote_stype = efs.stype;
chan->remote_msdu = le16_to_cpu(efs.msdu);
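Review bot: the added `remote_efs &&` guard is the right minimal fix, but the commit message should spell out what the uninitialized access does: when no EFS option was received, `efs` is never filled in, yet `chan->remote_id`, `chan->remote_stype` and `chan->remote_msdu` are still assigned from it, so whatever was left on the stack becomes channel state. Two follow-ups worth considering: add a `Fixes:` tag naming the commit that introduced this path so stable picks it up automatically, and zero-initialize `efs` at its declaration (`struct l2cap_conf_efs efs = {};`) so any future read of `efs` outside the guarded block is safe by construction rather than by convention.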
--
2.37.3



2022-11-01 00:25:38

by bluez.test.bot

Subject: RE: Bluetooth: L2CAP: Fix attempting to access uninitialized memory

This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=690675

---Test result---

Test Summary:
CheckPatch PASS 1.42 seconds
GitLint PASS 0.83 seconds
SubjectPrefix PASS 0.64 seconds
BuildKernel PASS 45.44 seconds
BuildKernel32 PASS 40.67 seconds
Incremental Build with patches PASS 63.07 seconds
TestRunner: Setup PASS 702.91 seconds
TestRunner: l2cap-tester PASS 21.89 seconds
TestRunner: iso-tester PASS 22.33 seconds
TestRunner: bnep-tester PASS 8.51 seconds
TestRunner: mgmt-tester PASS 136.60 seconds
TestRunner: rfcomm-tester PASS 13.46 seconds
TestRunner: sco-tester PASS 12.76 seconds
TestRunner: ioctl-tester PASS 14.63 seconds
TestRunner: mesh-tester PASS 9.94 seconds
TestRunner: smp-tester PASS 12.11 seconds
TestRunner: userchan-tester PASS 8.51 seconds



---
Regards,
Linux Bluetooth

2022-11-01 19:03:49

by An, Tedd

Subject: Re: [PATCH] Bluetooth: L2CAP: Fix attempting to access uninitialized memory

Hi Luiz

On Mon, 2022-10-31 at 16:10 -0700, Luiz Augusto von Dentz wrote:
> From: Luiz Augusto von Dentz <[email protected]>
>
> On l2cap_parse_conf_req the variable efs is only initialized if
> remote_efs has been set.
>
> CVE: CVE-2022-42895
> CC: [email protected]
> Reported-by: Tamás Koczka <[email protected]>

Reviewed-by: Tedd Ho-Jeong An <[email protected]>

> Signed-off-by: Luiz Augusto von Dentz <[email protected]>
> ---
>  net/bluetooth/l2cap_core.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
> index cdddd2c779f2..93802b27f2a5 100644
> --- a/net/bluetooth/l2cap_core.c
> +++ b/net/bluetooth/l2cap_core.c
> @@ -3764,7 +3764,8 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data
>                         l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
>                                            sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
>  
> -                       if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
> +                       if (remote_efs &&
> +                           test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
>                                 chan->remote_id = efs.id;
>                                 chan->remote_stype = efs.stype;
>                                 chan->remote_msdu = le16_to_cpu(efs.msdu);

Regards,
Tedd

2022-11-01 20:54:36

by patchwork-bot+bluetooth

Subject: Re: [PATCH] Bluetooth: L2CAP: Fix attempting to access uninitialized memory

Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <[email protected]>:

On Mon, 31 Oct 2022 16:10:52 -0700 you wrote:
> From: Luiz Augusto von Dentz <[email protected]>
>
> On l2cap_parse_conf_req the variable efs is only initialized if
> remote_efs has been set.
>
> CVE: CVE-2022-42895
> CC: [email protected]
> Reported-by: Tamás Koczka <[email protected]>
> Signed-off-by: Luiz Augusto von Dentz <[email protected]>
>
> [...]

Here is the summary with links:
- Bluetooth: L2CAP: Fix attempting to access uninitialized memory
https://git.kernel.org/bluetooth/bluetooth-next/c/34f07dd531a4

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html