Skip to content

[LTS 9.2] Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm #44

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Jan 21, 2025

Conversation

pvts-mat
Copy link
Contributor

@pvts-mat pvts-mat commented Jan 9, 2025

CVE-2022-42896, VULN-210

Solution

The bug fix in the mainline is provided in two commits:

  • f937b758a188d6fd328a81367087eddbb2fce50f
  • 711f8c3fb3db61897080468586b970c87c61d9e4

Of these the 711f8c3 is already applied on ciqlts9_2.

(Same situation as in #41)

Build

Kernel built on Rocky 9 machine with

CVE=CVE-2022-42896 ./ninja.sh _compile_ciqlts9_2-CVE-2022-42896

from the https://gitlab.conclusive.pl/devices/rocky-patching project.

kABI check: passed

kABI ran on the build machine with

python3 /mnt/code/kernel-dist-git/SOURCES/check-kabi \
        -k /mnt/code/kernel-dist-git/SOURCES/Module.kabi_$(uname -m) \
        -s /mnt/build_files/kernel-src-tree-ciqlts9_2-CVE-2022-42896/Module.symvers

for the /mnt/code/kernel-dist-git repo in the state of

On branch el-9.2
Your branch is up to date with 'origin/el-9.2'.

commit hash d55abe03912e1cf92944e3aaaefc89402923eda3.

Boot test: passed

Logs boot-test.log for the kernel booted with

CVE=CVE-2022-42896 ./ninja.sh _boot_kernel-ciqlts9_2-CVE-2022-42896

from within the rocky-patching project.

Kselftests: passed

Kselftests ran with

MACHINE=test-ciqlts9_2-CVE-2022-42896 CVE=CVE-2022-42896 ./ninja.sh kselftests

and prepared with

modprobe bluetooth

Results:

kselftests-patch–ciqlts9_2-CVE-2022-42896.zip
Flat text file form:
kselftests-patch–ciqlts9_2-CVE-2022-42896.log

Reference results of the tests ran on ciqlts9_2 (c566432b9c6923174f979ee0811749d1b4045d9f):

kselftests-reference–ciqlts9_2.zip
Flat text file form:
kselftests-reference–ciqlts9_2.log

Comparison:

comparison-patch-reference.csv

Summary: all test cases have the same results as the reference. Tests bpf:test_progs, bpf:test_progs-no_alu32, net:fib_tests.sh, net:rps_default_mask.sh, netfilter:conntrack_tcp_unreplied.sh, netfilter:nft_flowtable.sh, netfilter:nft_nat.sh, tc-testing:tdc.sh fail in both reference and patched kernel version. To be investigated on demand.

Additional tests: none

Following the guidelines from the precedent #41.

Copy link

@gvrose8192 gvrose8192 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM - Thanks.

Copy link
Collaborator

@bmastbergen bmastbergen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🥌

Copy link
Collaborator

@PlaidCat PlaidCat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit:

@PlaidCat PlaidCat changed the title Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm [LTS 9.2] Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm Jan 15, 2025
jira VULN-209
cve CVE-2022-42896
commit-author Luiz Augusto von Dentz <[email protected]>
commit f937b75

l2cap_global_chan_by_psm shall not return fixed channels as they are not
meant to be connected by (S)PSM.

	Signed-off-by: Luiz Augusto von Dentz <[email protected]>
	Reviewed-by: Tedd Ho-Jeong An <[email protected]>
(cherry picked from commit f937b75)
	Signed-off-by: Marcin Wcisło <[email protected]>
@pvts-mat pvts-mat force-pushed the ciqlts9_2-CVE-2022-42896 branch from 7232864 to ca581a4 Compare January 16, 2025 22:27
@PlaidCat PlaidCat merged commit f08be21 into ctrliq:ciqlts9_2 Jan 21, 2025
2 checks passed
github-actions bot pushed a commit that referenced this pull request Jun 5, 2025
JIRA: https://issues.redhat.com/browse/RHEL-73484

commit 71c6aa0
Author: Wen Gu <[email protected]>
Date:   Fri May 26 19:49:01 2023 +0800

    net/smc: Don't use RMBs not mapped to new link in SMCRv2 ADD LINK

    We encountered a crash when using SMCRv2. It is caused by a logical
    error in smc_llc_fill_ext_v2().

     BUG: kernel NULL pointer dereference, address: 0000000000000014
     #PF: supervisor read access in kernel mode
     #PF: error_code(0x0000) - not-present page
     PGD 0 P4D 0
     Oops: 0000 [#1] PREEMPT SMP PTI
     CPU: 7 PID: 453 Comm: kworker/7:4 Kdump: loaded Tainted: G        W   E      6.4.0-rc3+ #44
     Workqueue: events smc_llc_add_link_work [smc]
     RIP: 0010:smc_llc_fill_ext_v2+0x117/0x280 [smc]
     RSP: 0018:ffffacb5c064bd88 EFLAGS: 00010282
     RAX: ffff9a6bc1c3c02c RBX: ffff9a6be3558000 RCX: 0000000000000000
     RDX: 0000000000000002 RSI: 0000000000000002 RDI: 000000000000000a
     RBP: ffffacb5c064bdb8 R08: 0000000000000040 R09: 000000000000000c
     R10: ffff9a6bc0910300 R11: 0000000000000002 R12: 0000000000000000
     R13: 0000000000000002 R14: ffff9a6bc1c3c02c R15: ffff9a6be3558250
     FS:  0000000000000000(0000) GS:ffff9a6eefdc0000(0000) knlGS:0000000000000000
     CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
     CR2: 0000000000000014 CR3: 000000010b078003 CR4: 00000000003706e0
     DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
     DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
     Call Trace:
      <TASK>
      smc_llc_send_add_link+0x1ae/0x2f0 [smc]
      smc_llc_srv_add_link+0x2c9/0x5a0 [smc]
      ? cc_mkenc+0x40/0x60
      smc_llc_add_link_work+0xb8/0x140 [smc]
      process_one_work+0x1e5/0x3f0
      worker_thread+0x4d/0x2f0
      ? __pfx_worker_thread+0x10/0x10
      kthread+0xe5/0x120
      ? __pfx_kthread+0x10/0x10
      ret_from_fork+0x2c/0x50
      </TASK>

    When an alernate RNIC is available in system, SMC will try to add a new
    link based on the RNIC for resilience. All the RMBs in use will be mapped
    to the new link. Then the RMBs' MRs corresponding to the new link will be
    filled into SMCRv2 LLC ADD LINK messages.

    However, smc_llc_fill_ext_v2() mistakenly accesses to unused RMBs which
    haven't been mapped to the new link and have no valid MRs, thus causing
    a crash. So this patch fixes the logic.

    Fixes: b4ba465 ("net/smc: extend LLC layer for SMC-Rv2")
    Signed-off-by: Wen Gu <[email protected]>
    Signed-off-by: Paolo Abeni <[email protected]>

Signed-off-by: Mete Durlu <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

4 participants