Received: by 2002:a05:622a:1442:b0:3a5:28ea:c4b9 with SMTP id v2csp867646qtx; Mon, 31 Oct 2022 16:13:14 -0700 (PDT) X-Google-Smtp-Source: AMsMyM5Gi5ObdQYWYA5VeeEWtX8pQyMwE8AF8+ZlhjegDqTQFKiuDTLlge2GUjYjAgFonWYAruCR X-Received: by 2002:a05:6402:1e96:b0:462:89aa:d402 with SMTP id f22-20020a0564021e9600b0046289aad402mr15941547edf.190.1667257993832; Mon, 31 Oct 2022 16:13:13 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1667257993; cv=none; d=google.com; s=arc-20160816; b=gbv6qYvvSHwc4GhXaKRmpzSt3vFOkzxZp/mkcyCbyk+M2jTHD+Je/f0kVKuQPWhknA c0pkESn0yZdwrU7TM7yRbrBzLRTDX1AhCM3xzSTKw6q/xnG+OB3vicK4MMiCZF3gGjTc cIksnxY9y5twK9sjP5XV4XJ8zjSZyHU3/w/HVCXlpz9L7PztaXg1m3aEkFQZ5RiogGmR dy1tkmS6TfCaIi8iXuaPzVE/R3f+W7zOVvgBbRHry9aGf31t1cwgwR9FUhEktqC5teI6 J+ry4yOeE5QQn4dYUGUML9SCmin6v62sYoiBKbiGaXsk0fZ1K4/n2FsO0CQ17usLJxzq AVGw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:to:from:dkim-signature; bh=sG9vTJFKbrcfPj8G/bF5aXTDFvy1Lzr1P6CitAHPyok=; b=06LCvXmF7mocVXmFSCWwMWxk0NA3XNDBZJLUvp43aw0NGaEsqdyOuWsKx06FcKCi1G BxEVw6hD/MFHmt4qOxBrd5z0l0tEmOh9BFXIQlxES5OkS/Qj4UTYGZMstj1JjSV75xhh Kt8c4p5GL4aDreG/6ukS0YDrH+2TNhDa8hTChBw79MCJ6tlV14Ka0CnWQ4zpeCiNlCyd YJkfCJEPe18I7frIPOAhhOwg/czXdNtPAb1CS8oq7cHc5Tr9sKARQWCfarPOXcqwLw15 gFQ0Cx+L6H9C2/3OhCgoX6yU+CXPsmFUT5dzR7H57AAT4x+6Iq2GIhcau9EQQXmM/n93 6uLA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=XWFQ7Ljg; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id j27-20020a170906279b00b0078bdbb52361si6734245ejc.209.2022.10.31.16.12.49; Mon, 31 Oct 2022 16:13:13 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=XWFQ7Ljg; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229909AbiJaXLB (ORCPT + 99 others); Mon, 31 Oct 2022 19:11:01 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37042 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229952AbiJaXKt (ORCPT ); Mon, 31 Oct 2022 19:10:49 -0400 Received: from mail-pl1-x62f.google.com (mail-pl1-x62f.google.com [IPv6:2607:f8b0:4864:20::62f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 510C815FD0 for ; Mon, 31 Oct 2022 16:10:36 -0700 (PDT) Received: by mail-pl1-x62f.google.com with SMTP id g24so12055937plq.3 for ; Mon, 31 Oct 2022 16:10:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:from:to:cc:subject:date:message-id:reply-to; bh=sG9vTJFKbrcfPj8G/bF5aXTDFvy1Lzr1P6CitAHPyok=; b=XWFQ7LjgNqWWKC8U3GHRls248dauK+VvbYmh4eSnCoMPcTBi+dJrtA6C6a/oHgEMBf +84SqeVjEbCFVKWPzgOHGDLVN5j6AkwvMgMdLlOVX1nV98ndpmgJafkrBm2mk7HDcN/6 n9LnXN823VlDCwYJu/MdyUMQJJeai7o4ITCplFLN4kza0WVsQHk2rhbcWL09/faTsKJ0 kB8lMLBHEOLnO+qpFXRD+QMKVQlpXAODrLEH5t3u/dI927nr5PgRXMAcc75GX5hfMVz6 D+fdYAdepaZEPOBdxVLhUOCdhSCzO1YWJNgfzwTc2mesneo8sqCjwcFNDksKV3BXdFpZ Y6HQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=sG9vTJFKbrcfPj8G/bF5aXTDFvy1Lzr1P6CitAHPyok=; b=ot/lQMl7955QntjM0OGBpVs4HF0Ma/tuixwz0yCvmS0pc13rlFzviVC9tW+UQQ+Dl4 dw+9/3YnrZQkg76kVsYYAwQMBYTWE7uOSfIwDo0cYwQin6u+bCpfEWiOsmnNnGwAQwWM latmI11r6XnTAVoJ62oWisEGRiabXVkkvcpb+JHEErUBTckTDYRhH+DAdsqaW8kd4Vng iFoTBqv7eCnsWfDeJ+mkM/nJ0VAj7b7KpmebzMyXWp5dvFP75dK6y9T/WrEIRWhFq9b2 FPT2MdWQrxzvWgFgzUsbkThdh2SEiy3CV4MhRdi23q3Qc7dzKOvC1rXWI2u8rx+MqSjl yDfg== X-Gm-Message-State: ACrzQf228XRy6xaNnGA9dLSDw4YVSa1Es9epqQ0xK6JCneP511qTOADh UUF9sCJfb31CmdevlqI4919fVERNtRk= X-Received: by 2002:a17:902:7c12:b0:186:8111:ade2 with SMTP id x18-20020a1709027c1200b001868111ade2mr16531179pll.111.1667257835338; Mon, 31 Oct 2022 16:10:35 -0700 (PDT) Received: from lvondent-mobl4.. (c-71-56-157-77.hsd1.or.comcast.net. [71.56.157.77]) by smtp.gmail.com with ESMTPSA id b7-20020aa78ec7000000b00561382a5a25sm5104265pfr.26.2022.10.31.16.10.34 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 31 Oct 2022 16:10:34 -0700 (PDT) From: Luiz Augusto von Dentz To: linux-bluetooth@vger.kernel.org Subject: [PATCH 1/2] Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM Date: Mon, 31 Oct 2022 16:10:32 -0700 Message-Id: <20221031231033.2718204-1-luiz.dentz@gmail.com> X-Mailer: git-send-email 2.37.3 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org From: Luiz Augusto von Dentz The Bluetooth spec states that the valid range for SPSM is from 0x0001-0x00ff so it is invalid to accept values outside of this range: BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A page 1059: Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges CVE: CVE-2022-42896 CC: stable@vger.kernel.org Reported-by: Tamás Koczka Signed-off-by: Luiz Augusto von Dentz --- net/bluetooth/l2cap_core.c | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index ef725ed41303..2978a34ea33f 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c @@ -5813,6 +5813,19 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn, BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm), scid, mtu, mps); + /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A + * page 1059: + * + * Valid range: 0x0001-0x00ff + * + * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges + */ + if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) { + result = L2CAP_CR_LE_BAD_PSM; + chan = NULL; + goto response; + } + /* Check if we have socket listening on psm */ pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src, &conn->hcon->dst, LE_LINK); @@ -6001,6 +6014,18 @@ static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn, psm = req->psm; + /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A + * page 1059: + * + * Valid range: 0x0001-0x00ff + * + * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges + */ + if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) { + result = L2CAP_CR_LE_BAD_PSM; + goto response; + } + BT_DBG("psm 0x%2.2x mtu %u mps %u", __le16_to_cpu(psm), mtu, mps); memset(&pdu, 0, sizeof(pdu)); -- 2.37.3