{bnep,cmtp}_add_connection() should verify that it's dealing with l2cap socket in kernel-bluetooth CVE-2017-15868
asked 2018-03-06 09:15:28 +0200
The bnep_add_connection and cmtp_add_connection functions in net/bluetooth/bnep/core.c and net/bluetooth/cmtp/core.c in the Linux kernel before 3.19 do not ensure that an l2cap socket is available, which allows local users to gain privileges via a crafted application. Score: 7.8 (high, local)
Upstream patches |1| |2| are available and are equivalent to the kernel-3.2 backports |1| |2|.
Files affected:
kernel-adaptation-sbj-3.4.108.20161101.1/net/bluetooth/bnep/core.c, lines 565-569
kernel-adaptation-sbj-3.4.108.20161101.1/net/bluetooth/cmtp/core.c, lines 335-340
So the patch should look like:
bnep:
@@ -560,6 +560,9 @@ int bnep_add_connection(struct bnep_connadd_req *req, struct socket *sock)
BT_DBG("");
+ if (!l2cap_is_socket(sock))
+ return -EBADFD;
+
baswap((void *) dst, &bt_sk(sock->sk)->dst);
baswap((void *) src, &bt_sk(sock->sk)->src);
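Review bot: the check has to come before the two baswap() lines, because those are the first place bt_sk(sock->sk) is dereferenced and casting a non-L2CAP socket's sk to a bt_sock is exactly the bug; the hunk has it there, so the ordering is right. Confirm that l2cap_is_socket() is actually declared in this 3.4 tree's include/net/bluetooth/l2cap.h before building, otherwise the backport needs that helper pulled in as well. Returning -EBADFD matches the upstream fix.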
cmtp:
@@ -334,6 +334,9 @@ int cmtp_add_connection(struct cmtp_connadd_req *req, struct socket *sock)
BT_DBG("");
+ if (!l2cap_is_socket(sock))
+ return -EBADFD;
+
session = kzalloc(sizeof(struct cmtp_session), GFP_KERNEL);
if (!session)
return -ENOMEM;
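Review bot: the check sits before the kzalloc() of session, so the early -EBADFD return does not leak the allocation; keep it there rather than moving it below the allocation. Also verify that nothing in cmtp_add_connection() touches bt_sk(sock->sk) above line 334, since the hunk only shows the BT_DBG() call preceding the new check.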
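As an added check (example code written for this page, not part of the original post or of the kernel tree), the following user-space program asks the running kernel whether both hunks are present. It opens a BNEP and a CMTP control socket and submits a BNEPCONNADD / CMTPCONNADD request that names a connected AF_UNIX socket instead of an L2CAP one. With the fix, l2cap_is_socket() rejects it and the ioctl fails with EBADFD before anything else happens; without the fix the kernel treats the UNIX socket as a bt_sock. The request layouts and ioctl numbers are copied from net/bluetooth/bnep/bnep.h and net/bluetooth/cmtp/cmtp.h; the verdict names (PATCHED, UNPATCHED, INCONCLUSIVE) and the classify()/probe() helpers are this example's own. It needs CAP_NET_ADMIN and the bnep/cmtp modules, and on an unpatched kernel it exercises the vulnerable path, so run it only in a disposable VM.

```c
/* l2cap_check.c: probe for the CVE-2017-15868 l2cap_is_socket() checks.
 * Build: gcc -Wall -O2 -o l2cap_check l2cap_check.c
 * Run:   sudo ./l2cap_check    (disposable VM only, see lead-in)
 * Added example, not from the original post or the kernel sources. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef AF_BLUETOOTH
#define AF_BLUETOOTH 31
#endif
#define BTPROTO_BNEP 4              /* include/net/bluetooth/bluetooth.h */
#define BTPROTO_CMTP 5

/* Request layouts and ioctl numbers as in net/bluetooth/bnep/bnep.h and
 * net/bluetooth/cmtp/cmtp.h. */
struct bnep_connadd_req {
    int      sock;                  /* fd the kernel expects to be a connected L2CAP socket */
    uint32_t flags;
    uint16_t role;
    char     device[16];            /* empty: kernel picks "bnep%d" */
};
struct cmtp_connadd_req {
    int      sock;
    uint32_t flags;
};
#define BNEPCONNADD _IOW('B', 200, int)
#define CMTPCONNADD _IOW('C', 200, int)

enum verdict { PATCHED = 0, UNPATCHED = 1, INCONCLUSIVE = 2 };

/* Interpret one ioctl result. With the fix applied, l2cap_is_socket() fails
 * before sock->sk is ever treated as a bt_sock, so the only possible result
 * is -1/EBADFD. Errors raised before bnep/cmtp_add_connection() is reached
 * (no permission, no module, bad fd) prove nothing either way. Anything else
 * means the kernel went on and used the socket as if it were L2CAP. */
enum verdict classify(int ret, int err)
{
    if (ret == -1 && err == EBADFD)
        return PATCHED;
    if (ret == -1 && (err == EPERM || err == EBADF || err == ENOENT ||
                      err == EAFNOSUPPORT || err == EPROTONOSUPPORT ||
                      err == ESOCKTNOSUPPORT))
        return INCONCLUSIVE;
    return UNPATCHED;
}

const char *verdict_str(enum verdict v)
{
    return v == PATCHED ? "patched" : v == UNPATCHED ? "UNPATCHED" : "inconclusive";
}

/* Open a BNEP or CMTP control socket and submit req.
 * The probe fd must be a *connected* non-L2CAP socket: the ioctl handlers
 * first reject any socket whose sk_state is not BT_CONNECTED, also with
 * EBADFD, so an unconnected socket could not tell patched from unpatched.
 * A SOCK_STREAM socketpair is connected from the start. */
static enum verdict probe(int proto, unsigned long cmd, void *req)
{
    int ctl = socket(AF_BLUETOOTH, SOCK_RAW, proto);
    if (ctl < 0)
        return classify(-1, errno);
    int ret = ioctl(ctl, cmd, req);
    int err = errno;
    close(ctl);
    return classify(ret, err);
}

int main(void)
{
    int sp[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) < 0) {
        perror("socketpair");
        return 1;
    }

    struct bnep_connadd_req bnep = { .sock = sp[0] };
    printf("bnep_add_connection: %s\n",
           verdict_str(probe(BTPROTO_BNEP, BNEPCONNADD, &bnep)));

    struct cmtp_connadd_req cmtp = { .sock = sp[0] };
    printf("cmtp_add_connection: %s\n",
           verdict_str(probe(BTPROTO_CMTP, CMTPCONNADD, &cmtp)));

    close(sp[0]);
    close(sp[1]);
    return 0;
}
```

"inconclusive" on a device where the bnep or cmtp module is not loaded is expected; load the module (or build a kernel with it) before trusting the result.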