Message-ID: <2024102140-CVE-2022-48947-0ab5@gregkh>
Date: Mon, 21 Oct 2024 22:05:39 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2022-48947: Bluetooth: L2CAP: Fix u8 overflow

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix u8 overflow

By continuing to send L2CAP_CONF_REQ packets, chan->num_conf_rsp increases
multiple times and eventually it will wrap around the maximum number
(i.e., 255).
This patch prevents this by adding a boundary check with
L2CAP_MAX_CONF_RSP.

Btmon log:
Bluetooth monitor ver 5.64
= Note: Linux version 6.1.0-rc2 (x86_64)                               0.264594
= Note: Bluetooth subsystem version 2.22                               0.264636
@ MGMT Open: btmon (privileged) version 1.22                  {0x0001} 0.272191
= New Index: 00:00:00:00:00:00 (Primary,Virtual,hci0)          [hci0] 13.877604
@ RAW Open: 9496 (privileged) version 2.22                   {0x0002} 13.890741
= Open Index: 00:00:00:00:00:00                                [hci0] 13.900426
(...)
> ACL Data RX: Handle 200 flags 0x00 dlen 1033             #32 [hci0] 14.273106
        invalid packet size (12 != 1033)
        08 00 01 00 02 01 04 00 01 10 ff ff              ............
> ACL Data RX: Handle 200 flags 0x00 dlen 1547             #33 [hci0] 14.273561
        invalid packet size (14 != 1547)
        0a 00 01 00 04 01 06 00 40 00 00 00 00 00        ........@.....
> ACL Data RX: Handle 200 flags 0x00 dlen 2061             #34 [hci0] 14.274390
        invalid packet size (16 != 2061)
        0c 00 01 00 04 01 08 00 40 00 00 00 00 00 00 04  ........@.......
> ACL Data RX: Handle 200 flags 0x00 dlen 2061             #35 [hci0] 14.274932
        invalid packet size (16 != 2061)
        0c 00 01 00 04 01 08 00 40 00 00 00 07 00 03 00  ........@.......
= bluetoothd: Bluetooth daemon 5.43                                   14.401828
> ACL Data RX: Handle 200 flags 0x00 dlen 1033             #36 [hci0] 14.275753
        invalid packet size (12 != 1033)
        08 00 01 00 04 01 04 00 40 00 00 00              ........@...
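
To make the description concrete, the following added C model (not kernel code and not taken from the fix commit) contrasts a u8 counter that is bumped on every config request with one guarded by the boundary check the description names. The value 2 for L2CAP_MAX_CONF_RSP, the struct name and the handler names are assumptions for this model.

```c
#include <stdint.h>
#include <errno.h>
#include <stdio.h>

/* Assumed value for this model; the kernel defines L2CAP_MAX_CONF_RSP
 * in include/net/bluetooth/l2cap.h. */
#define L2CAP_MAX_CONF_RSP 2

/* Minimal stand-in for the channel state the advisory refers to:
 * num_conf_rsp is a u8 in the real struct l2cap_chan. */
struct l2cap_chan_model {
    uint8_t num_conf_rsp;
};

/* Pre-fix behaviour: every accepted L2CAP_CONF_REQ increments the
 * counter, so the 256th request wraps it back to 0 (u8 arithmetic). */
static int conf_req_unbounded(struct l2cap_chan_model *chan)
{
    chan->num_conf_rsp++;
    return 0;
}

/* Fixed behaviour: once L2CAP_MAX_CONF_RSP responses have been sent,
 * further requests are refused instead of incrementing the counter. */
static int conf_req_bounded(struct l2cap_chan_model *chan)
{
    if (chan->num_conf_rsp >= L2CAP_MAX_CONF_RSP)
        return -ECONNRESET;   /* peer misbehaving: reject, do not count */
    chan->num_conf_rsp++;
    return 0;
}

/* Feed n config requests to a handler; returns how many were accepted
 * before the first rejection, leaving the counter state in *chan. */
static int drive(struct l2cap_chan_model *chan, int n,
                 int (*handler)(struct l2cap_chan_model *))
{
    int accepted = 0;
    while (accepted < n && handler(chan) == 0)
        accepted++;
    return accepted;
}

int main(void)
{
    struct l2cap_chan_model a = {0}, b = {0};
    int ok_a = drive(&a, 256, conf_req_unbounded);
    int ok_b = drive(&b, 256, conf_req_bounded);
    printf("unbounded: %d accepted, num_conf_rsp wrapped to %u\n", ok_a, a.num_conf_rsp);
    printf("bounded:   %d accepted, num_conf_rsp stays at %u\n", ok_b, b.num_conf_rsp);
    return 0;
}
```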

The Linux kernel CVE team has assigned CVE-2022-48947 to this issue.


Affected and fixed versions
===========================

	Fixed in 4.9.337 with commit 49d5867819ab
	Fixed in 4.14.303 with commit 95f1847a361c
	Fixed in 4.19.270 with commit ad528fde0702
	Fixed in 5.4.229 with commit 9fdc79b57143
	Fixed in 5.10.161 with commit f3fe6817156a
	Fixed in 5.15.85 with commit 19a78143961a
	Fixed in 6.0.15 with commit 5550bbf709c3
	Fixed in 6.1 with commit bcd70260ef56

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-48947
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	net/bluetooth/l2cap_core.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/49d5867819ab7c744852b45509e8469839c07e0e
	https://git.kernel.org/stable/c/95f1847a361c7b4bf7d74c06ecb6968455082c1a
	https://git.kernel.org/stable/c/ad528fde0702903208d0a79d88d5a42ae3fc235b
	https://git.kernel.org/stable/c/9fdc79b571434af7bc742da40a3405f038b637a7
	https://git.kernel.org/stable/c/f3fe6817156a2ad4b06f01afab04638a34d7c9a6
	https://git.kernel.org/stable/c/19a78143961a197de8502f4f29c453b913dc3c29
	https://git.kernel.org/stable/c/5550bbf709c323194881737fd290c4bada9e6ead
	https://git.kernel.org/stable/c/bcd70260ef56e0aee8a4fc6cd214a419900b0765
