From: Luiz Augusto von Dentz
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH] Bluetooth: L2CAP: Fix attempting to access uninitialized memory
Date: Mon, 31 Oct 2022 16:10:52 -0700
Message-Id: <20221031231052.2718430-1-luiz.dentz@gmail.com>
From: Luiz Augusto von Dentz On l2cap_parse_conf_req the variable efs is only initialized if remote_efs has been set. CVE: CVE-2022-42895 CC: stable@vger.kernel.org Reported-by: Tamás Koczka Signed-off-by: Luiz Augusto von Dentz --- net/bluetooth/l2cap_core.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index cdddd2c779f2..93802b27f2a5 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c @@ -3764,7 +3764,8 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), (unsigned long) &rfc, endptr - ptr); - if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) { + if (remote_efs && + test_bit(FLAG_EFS_ENABLE, &chan->flags)) { chan->remote_id = efs.id; chan->remote_stype = efs.stype; chan->remote_msdu = le16_to_cpu(efs.msdu); -- 2.37.3
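Review bot: the added `remote_efs &&` guard only protects the three reads visible in this hunk (`efs.id`, `efs.stype`, `efs.msdu`); since the commit message states that `efs` is initialized only when `remote_efs` is set, it is worth confirming that no other read of `efs` follows later in `l2cap_parse_conf_req` outside this hunk's context. A cheaper belt-and-braces option would be to zero-initialize `efs` at its declaration (not shown here) so that every read of it is well-defined regardless of which options the peer included. It would also help a reader of the log if the commit message spelled out the consequence of the bug, namely that uninitialized stack contents were copied into `chan->remote_id`, `chan->remote_stype` and `chan->remote_msdu` when `FLAG_EFS_ENABLE` was set but the request carried no EFS option.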