cve/published/2022/CVE-2022-48947.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-48947: Bluetooth: L2CAP: Fix u8 overflow

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 Bluetooth: L2CAP: Fix u8 overflow

 By keep sending L2CAP_CONF_REQ packets, chan->num_conf_rsp increases
 multiple times and eventually it will wrap around the maximum number
 (i.e., 255).
 This patch prevents this by adding a boundary check with
 L2CAP_MAX_CONF_RSP

 Btmon log:
 Bluetooth monitor ver 5.64
 = Note: Linux version 6.1.0-rc2 (x86_64)                               0.264594
 = Note: Bluetooth subsystem version 2.22                               0.264636
 @ MGMT Open: btmon (privileged) version 1.22                  {0x0001} 0.272191
 = New Index: 00:00:00:00:00:00 (Primary,Virtual,hci0)          [hci0] 13.877604
 @ RAW Open: 9496 (privileged) version 2.22                   {0x0002} 13.890741
 = Open Index: 00:00:00:00:00:00                                [hci0] 13.900426
 (...)
 > ACL Data RX: Handle 200 flags 0x00 dlen 1033             #32 [hci0] 14.273106
         invalid packet size (12 != 1033)
         08 00 01 00 02 01 04 00 01 10 ff ff              ............
 > ACL Data RX: Handle 200 flags 0x00 dlen 1547             #33 [hci0] 14.273561
         invalid packet size (14 != 1547)
         0a 00 01 00 04 01 06 00 40 00 00 00 00 00        ........@.....
 > ACL Data RX: Handle 200 flags 0x00 dlen 2061             #34 [hci0] 14.274390
         invalid packet size (16 != 2061)
         0c 00 01 00 04 01 08 00 40 00 00 00 00 00 00 04  ........@.......
 > ACL Data RX: Handle 200 flags 0x00 dlen 2061             #35 [hci0] 14.274932
         invalid packet size (16 != 2061)
         0c 00 01 00 04 01 08 00 40 00 00 00 07 00 03 00  ........@.......
 = bluetoothd: Bluetooth daemon 5.43                                   14.401828
 > ACL Data RX: Handle 200 flags 0x00 dlen 1033             #36 [hci0] 14.275753
         invalid packet size (12 != 1033)
         08 00 01 00 04 01 04 00 40 00 00 00              ........@...

 The Linux kernel CVE team has assigned CVE-2022-48947 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 4.9.337 with commit 49d5867819ab7c744852b45509e8469839c07e0e
 	Fixed in 4.14.303 with commit 95f1847a361c7b4bf7d74c06ecb6968455082c1a
 	Fixed in 4.19.270 with commit ad528fde0702903208d0a79d88d5a42ae3fc235b
 	Fixed in 5.4.229 with commit 9fdc79b571434af7bc742da40a3405f038b637a7
 	Fixed in 5.10.161 with commit f3fe6817156a2ad4b06f01afab04638a34d7c9a6
 	Fixed in 5.15.85 with commit 19a78143961a197de8502f4f29c453b913dc3c29
 	Fixed in 6.0.15 with commit 5550bbf709c323194881737fd290c4bada9e6ead
 	Fixed in 6.1 with commit bcd70260ef56e0aee8a4fc6cd214a419900b0765

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-48947
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/bluetooth/l2cap_core.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/49d5867819ab7c744852b45509e8469839c07e0e
 	https://git.kernel.org/stable/c/95f1847a361c7b4bf7d74c06ecb6968455082c1a
 	https://git.kernel.org/stable/c/ad528fde0702903208d0a79d88d5a42ae3fc235b
 	https://git.kernel.org/stable/c/9fdc79b571434af7bc742da40a3405f038b637a7
 	https://git.kernel.org/stable/c/f3fe6817156a2ad4b06f01afab04638a34d7c9a6
 	https://git.kernel.org/stable/c/19a78143961a197de8502f4f29c453b913dc3c29
 	https://git.kernel.org/stable/c/5550bbf709c323194881737fd290c4bada9e6ead
 	https://git.kernel.org/stable/c/bcd70260ef56e0aee8a4fc6cd214a419900b0765
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-48947: Bluetooth: L2CAP: Fix u8 overflow

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	Bluetooth: L2CAP: Fix u8 overflow

	By keep sending L2CAP_CONF_REQ packets, chan->num_conf_rsp increases
	multiple times and eventually it will wrap around the maximum number
	(i.e., 255).
	This patch prevents this by adding a boundary check with
	L2CAP_MAX_CONF_RSP

	Btmon log:
	Bluetooth monitor ver 5.64
	= Note: Linux version 6.1.0-rc2 (x86_64) 0.264594
	= Note: Bluetooth subsystem version 2.22 0.264636
	@ MGMT Open: btmon (privileged) version 1.22 {0x0001} 0.272191
	= New Index: 00:00:00:00:00:00 (Primary,Virtual,hci0) [hci0] 13.877604
	@ RAW Open: 9496 (privileged) version 2.22 {0x0002} 13.890741
	= Open Index: 00:00:00:00:00:00 [hci0] 13.900426
	(...)
	> ACL Data RX: Handle 200 flags 0x00 dlen 1033 #32 [hci0] 14.273106
	invalid packet size (12 != 1033)
	08 00 01 00 02 01 04 00 01 10 ff ff ............
	> ACL Data RX: Handle 200 flags 0x00 dlen 1547 #33 [hci0] 14.273561
	invalid packet size (14 != 1547)
	0a 00 01 00 04 01 06 00 40 00 00 00 00 00 ........@.....
	> ACL Data RX: Handle 200 flags 0x00 dlen 2061 #34 [hci0] 14.274390
	invalid packet size (16 != 2061)
	0c 00 01 00 04 01 08 00 40 00 00 00 00 00 00 04 ........@.......
	> ACL Data RX: Handle 200 flags 0x00 dlen 2061 #35 [hci0] 14.274932
	invalid packet size (16 != 2061)
	0c 00 01 00 04 01 08 00 40 00 00 00 07 00 03 00 ........@.......
	= bluetoothd: Bluetooth daemon 5.43 14.401828
	> ACL Data RX: Handle 200 flags 0x00 dlen 1033 #36 [hci0] 14.275753
	invalid packet size (12 != 1033)
	08 00 01 00 04 01 04 00 40 00 00 00 ........@...

	The Linux kernel CVE team has assigned CVE-2022-48947 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 4.9.337 with commit 49d5867819ab7c744852b45509e8469839c07e0e
	Fixed in 4.14.303 with commit 95f1847a361c7b4bf7d74c06ecb6968455082c1a
	Fixed in 4.19.270 with commit ad528fde0702903208d0a79d88d5a42ae3fc235b
	Fixed in 5.4.229 with commit 9fdc79b571434af7bc742da40a3405f038b637a7
	Fixed in 5.10.161 with commit f3fe6817156a2ad4b06f01afab04638a34d7c9a6
	Fixed in 5.15.85 with commit 19a78143961a197de8502f4f29c453b913dc3c29
	Fixed in 6.0.15 with commit 5550bbf709c323194881737fd290c4bada9e6ead
	Fixed in 6.1 with commit bcd70260ef56e0aee8a4fc6cd214a419900b0765

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-48947
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/bluetooth/l2cap_core.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/49d5867819ab7c744852b45509e8469839c07e0e
	https://git.kernel.org/stable/c/95f1847a361c7b4bf7d74c06ecb6968455082c1a
	https://git.kernel.org/stable/c/ad528fde0702903208d0a79d88d5a42ae3fc235b
	https://git.kernel.org/stable/c/9fdc79b571434af7bc742da40a3405f038b637a7
	https://git.kernel.org/stable/c/f3fe6817156a2ad4b06f01afab04638a34d7c9a6
	https://git.kernel.org/stable/c/19a78143961a197de8502f4f29c453b913dc3c29
	https://git.kernel.org/stable/c/5550bbf709c323194881737fd290c4bada9e6ead
	https://git.kernel.org/stable/c/bcd70260ef56e0aee8a4fc6cd214a419900b0765