lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 6 Dec 2022 14:27:27 +0300
From:   Cengiz Can <cengiz.can@...onical.com>
To:     Luiz Augusto von Dentz <luiz.dentz@...il.com>
Cc:     linux-bluetooth@...r.kernel.org, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org, Greg KH <gregkh@...uxfoundation.org>
Subject: Regarding 711f8c3fb3db "Bluetooth: L2CAP: Fix accepting connection
 request for invalid SPSM"

Hello Luiz Augusto,


I'm by no means a bluetooth expert so please bear with me if my
questions sound dumb or pointless.


I'm trying to backport commit 711f8c3fb3db ("Bluetooth: L2CAP: Fix
accepting connection request for invalid SPSM") to v4.15.y and older
stable kernels. (CVE-2022-42896)


According to the changes to `net/bluetooth/l2cap_core.c` there are two
functions that need patching:


* l2cap_le_connect_req
* l2cap_ecred_conn_req



Only the former exists in kernels <= v4.15.y. So I decided to skip

l2cap_ecred_conn_req for older kernels.


Do you think this would be enough to mitigate the issue?



If so, older kernels also lack definitions of L2CAP_CR_LE_BAD_PSM and

L2CAP_PSM_LE_DYN_END.


I see that L2CAP_CR_LE_BAD_PSM is basically the same as
L2CAP_CR_BAD_PSM so I used it to signify an error.


I think it should be enough for the sake of a backport.


What do you think?


Also the range boundary that is defined with L2CAP_PSM_LE_DYN_END is

non-existent in older kernels, and it's hard to decide which value to
use in this expression:

`if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) {`


I can easily define L2CAP_PSM_LE_DYN_END as 0x00FF and call it a day
but I had to ask if we are absolutely sure if that's the right value.


Because the comment block states that it's from the "credit based
connection request" ranges but l2cap_le_connect_req is not credit based.

Is it?

Thank you in advance.

Cengiz Can

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ