[LTS 8.8] Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm #41
Conversation
There was a problem hiding this comment.
Is f937b75 being added just because it came in the same series as 711f8c3 ? I don't see any indication that f937b75 is an actual fix for CVE-2022-42896. I don't think it hurts to add it, I am just wondering if I missed something
|
Good point, @bmastbergen. I based the fix on this statement from GHSA-pf87-6c9q-jvm4
It's therefore a form of appeal to authority (of Google), so it's less than ideal. The ideal would be to grok and replicate the exploit POC given there, which falls under the "Additional tests" that were not done, as admitted in the PR. Then I would be able to answer you precisely what role the f937b75 commit plays in fixing the bug. Please let me know @PlaidCat whether I should continue working on POC for this CVE. |
|
I am just now getting to this, I will let you know when I'm done looking at all the reviews |
Ok this is my take on applicability.@bmastbergen You are correct its not included in the "official" CVE numbering authorities: Major RPM EL distros also refer to the MITRE/NIST data
HOWEVER our friends over at Debian have actually read the Google Advisory and disclosure as @pvts-mat did. This is one of the things I hate about prior to Feb-2024 Kernel CVEs, when Kernel.org became the CNA authority. I suspect as a part of the CVE process this specific commit fell out due to not meeting specific criteria, wasn't tagged with CVE in the commit message like the previousc commit 711f8c3 (which is super unusual to begin with). In this case I think this is a condition of us trying to hold a Higher Bar and following the advisory and Debian model Proof Of Concept from Google@pvts-mat I do not believe you need to spend any more than a couple hours at best (which sounds like you already did). Depending on the system and its configuration that google worked with it may be difficult to reproduce and I'm not sure if VMs will provide all the details to emulate bluetooth or pass through or what have you. Requested Changes to the CommitThere are some changes needed to be done to the Commit message itself (github does not let me comment on commit message ... because of course we never need to comment on those). I see its missing an assumed piece as well, this is my mistake and gap. So @pvts-mat you will be the committer to achieve this you have to use Additionally the Finally I do not have it written down in the wiki so I will get that updated. We indent all the emails at the bottom to make sure if email bots (originally brought to our attention by a former RedHat Kernel engineer) so that people don't get mass bombarded from a kernel tree they likely do not care about. I know this wasn't available when you started but we have opened up some of our tooling and a goal I have is that we in CIQ transition all of our tools that are not specific to CIQ internal needs be from our internal tooling repo to this repo: In there is Original Commit Message from your tree
Proposed change to Commit message.^notice the "tab" indent |
@pvts-mat Ah, so I was missing something! Thanks for pointing that out (and good find). With the commit message fixups requested by @PlaidCat this should be good to go. |
pvts-mat
force-pushed
the
ciqlts8_8-CVE-2022-42896
branch
from
39e65d4 to
5249fcf
Compare
PlaidCat
changed the title
jira VULN-206 cve CVE-2022-42896 commit-author Luiz Augusto von Dentz <[email protected]> commit f937b75 l2cap_global_chan_by_psm shall not return fixed channels as they are not meant to be connected by (S)PSM. Signed-off-by: Luiz Augusto von Dentz <[email protected]> Reviewed-by: Tedd Ho-Jeong An <[email protected]> (cherry picked from commit f937b75) Signed-off-by: Marcin Wcisło <[email protected]>
pvts-mat
force-pushed
the
ciqlts8_8-CVE-2022-42896
branch
from
5249fcf to
28cccf1
Compare
|
Tests succeeded after pulling the latest |
jira VULN-206
cve CVE-2022-42896
commit-author Marcin Wcisło [email protected]
commit f937b75
Solution
The bug fix in the mainline is provided in two commits:
f937b758a188d6fd328a81367087eddbb2fce50f711f8c3fb3db61897080468586b970c87c61d9e4Of these the
711f8c3is already applied onciqlts8_8.Build
Kernel built on Rocky 9 machine with
from the https://gitlab.conclusive.pl/devices/rocky-patching project. This translates to the environment of Rocky-8-GenericCloud-Base-8.8-20230518.0.x86_64.qcow2 base image ran with install_build_machine.sh script and customized with cloud-init user data file user-data-ciqlts8_8.yml, with the compilation itself done with compile-kernel.sh, install-kernel.sh, set-default-kernel.sh scripts run in succession.
kABI check: passed
kABI ran with
For
/mnt/code/kernel-dist-gitrepo onel-8.8branch (3120f78031909f15cb48295d2de8d020fd9ec1d7)Boot test: passed
boot-test.log
Kselftests (partial): passed
Kselftests ran with
(This runs all selftests provided by
kernel-selftests-internalpackage as they would be ran byexcept
net:xfrm_policy.sh,net:ip_defrag.sh,net:gro.sh,net/mptcp:simult_flows.sh,vm:run_vmtests.sh. The baseline for these tests could not have been established as the results were indeterministic. To be done)Results:
kselftests-ciqlts8_8-CVE-2022-42896.summary.log
kselftests-ciqlts8_8-CVE-2022-42896.full.log
Reference results for the
ciqlts8_8(369d0f6e5) version:kselftests-ciqlts8_8.summary.log
kselftests-ciqlts8_8.full.log
Additional tests: to be added on request
A proof of concept is given in GHSA-pf87-6c9q-jvm4. It was not replicated.