Hello Luiz Augusto,
I'm by no means a bluetooth expert so please bear with me if my
questions sound dumb or pointless.
I'm trying to backport commit 711f8c3fb3db ("Bluetooth: L2CAP: Fix
accepting connection request for invalid SPSM") to v4.15.y and older
stable kernels. (CVE-2022-42896)
According to the changes to `net/bluetooth/l2cap_core.c` there are two
functions that need patching:
* l2cap_le_connect_req
* l2cap_ecred_conn_req
Only the former exists in kernels <= v4.15.y. So I decided to skip
l2cap_ecred_conn_req for older kernels.
Do you think this would be enough to mitigate the issue?
If so, older kernels also lack definitions of L2CAP_CR_LE_BAD_PSM and
L2CAP_PSM_LE_DYN_END.
I see that L2CAP_CR_LE_BAD_PSM is basically the same as
L2CAP_CR_BAD_PSM so I used it to signify an error.
I think it should be enough for the sake of a backport.
What do you think?
Also the range boundary that is defined with L2CAP_PSM_LE_DYN_END is
non-existent in older kernels, and it's hard to decide which value to
use in this expression:
`if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) {`
I can easily define L2CAP_PSM_LE_DYN_END as 0x00FF and call it a day
but I had to ask if we are absolutely sure if that's the right value.
Because the comment block states that it's from the "credit based
connection request" ranges but l2cap_le_connect_req is not credit based.
Is it?
Thank you in advance.
Cengiz Can
On Tue, Dec 06, 2022 at 02:27:27PM +0300, Cengiz Can wrote:
> Hello Luiz Augusto,
>
>
> I'm by no means a bluetooth expert so please bear with me if my
> questions sound dumb or pointless.
>
>
> I'm trying to backport commit 711f8c3fb3db ("Bluetooth: L2CAP: Fix
> accepting connection request for invalid SPSM") to v4.15.y and older
> stable kernels. (CVE-2022-42896)
>
>
> According to the changes to `net/bluetooth/l2cap_core.c` there are two
> functions that need patching:
>
>
> * l2cap_le_connect_req
> * l2cap_ecred_conn_req
>
>
>
> Only the former exists in kernels <= v4.15.y. So I decided to skip
>
> l2cap_ecred_conn_req for older kernels.
>
>
> Do you think this would be enough to mitigate the issue?
>
>
>
> If so, older kernels also lack definitions of L2CAP_CR_LE_BAD_PSM and
>
> L2CAP_PSM_LE_DYN_END.
>
>
> I see that L2CAP_CR_LE_BAD_PSM is basically the same as
> L2CAP_CR_BAD_PSM so I used it to signify an error.
>
>
> I think it should be enough for the sake of a backport.
>
>
> What do you think?
I've already done this backport and it is in the latest -rc1 stable
kernel releases. Is it not working for you there? Why do it again?
thanks,
greg k-h
On Tue, 2022-12-06 at 12:49 +0100, Greg KH wrote:
>
> I've already done this backport and it is in the latest -rc1 stable
> kernel releases. Is it not working for you there? Why do it again?
Sorry for the noise. I was just trying to make sure that I'm following
the right path.
I know that 4.4.y is no longer actively maintained but I was trying to
backport it to there as well.
Sorry for the noise again.
Cengiz Can