Bug 2147364 (CVE-2022-42896)

Summary: CVE-2022-42896 kernel: use-after-free in l2cap_connect and l2cap_le_connect_req in net/bluetooth/l2cap_core.c
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: high
Priority: high
Version: unspecified
CC: acaringi, allarkin, bhu, chwhite, crwood, ddepaula, debarbos, dvlasenk, ezulian, hkrzesin, jarod, jburrell, jfaracco, jferlan, jforbes, jlelli, joe.lawrence, jpoimboe, jshortt, jstancek, jwyatt, kcarcia, kernel-mgr, kpatch-maint-bot, lgoncalv, lzampier, mcascell, nmurray, ptalbert, qzhao, rhandlin, rvrbovsk, scweaver, tyberry, vkumar, walters, williams, ycote
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: kernel 6.1-rc4
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the l2cap_connect and l2cap_le_connect_req functions of the Linux kernel's implementation of the Logical Link Control and Adaptation Protocol (L2CAP), part of the Bluetooth stack. An attacker in physical proximity to the victim, within standard Bluetooth transmission range, could execute code leaking kernel memory via Bluetooth.
Bug Depends On: 2148401, 2148402, 2148403, 2148404, 2148405, 2176640, 2176641, 2176643, 2176644, 2176645, 2176646, 2176647, 2176648, 2176649, 2176650, 2176651, 2176653, 2176654, 2176655, 2176656, 2176657, 2176659, 2176660, 2176661, 2176662, 2176663, 2176664, 2176665, 2176666, 2176667, 2176668, 2176669, 2176671, 2176672, 2176673, 2176674, 2176675, 2176676, 2176677, 2176678, 2176679, 2213242, 2213243, 2213244    
Bug Blocks: 2142956    

Description Pedro Sampaio 2022-11-23 19:24:35 UTC
There are use-after-free vulnerabilities in the Linux kernel's net/bluetooth/l2cap_core.c's l2cap_connect and l2cap_le_connect_req functions which may allow code execution and leaking kernel memory (respectively) remotely via Bluetooth. A remote attacker could execute code leaking kernel memory via Bluetooth if within proximity of the victim.

References:

https://github.com/google/security-research/security/advisories/GHSA-pf87-6c9q-jvm4
https://github.com/torvalds/linux/commit/711f8c3fb3db61897080468586b970c87c61d9e4
https://github.com/torvalds/linux/commit/f937b758a188d6fd328a81367087eddbb2fce50f

Comment 1 Mauro Matteo Cascella 2022-11-25 11:14:31 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2148401]

Comment 3 Justin M. Forbes 2022-11-30 21:16:15 UTC
This was fixed for Fedora with the 6.0.8 stable kernel updates.

Comment 16 errata-xmlrpc 2023-05-09 07:12:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2148 https://access.redhat.com/errata/RHSA-2023:2148

Comment 17 errata-xmlrpc 2023-05-09 07:50:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2458 https://access.redhat.com/errata/RHSA-2023:2458

Comment 18 errata-xmlrpc 2023-06-06 08:46:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2023:3462 https://access.redhat.com/errata/RHSA-2023:3462

Comment 19 errata-xmlrpc 2023-06-06 08:49:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:3461 https://access.redhat.com/errata/RHSA-2023:3461

Comment 20 errata-xmlrpc 2023-06-06 16:26:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2023:3517 https://access.redhat.com/errata/RHSA-2023:3517

Comment 23 errata-xmlrpc 2023-07-18 08:28:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:4137 https://access.redhat.com/errata/RHSA-2023:4137

Comment 24 errata-xmlrpc 2023-07-18 08:28:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:4138 https://access.redhat.com/errata/RHSA-2023:4138

Comment 25 errata-xmlrpc 2023-07-20 07:32:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:4230 https://access.redhat.com/errata/RHSA-2023:4230

Comment 26 errata-xmlrpc 2023-08-08 07:54:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:4541 https://access.redhat.com/errata/RHSA-2023:4541

Comment 27 errata-xmlrpc 2023-08-08 08:19:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:4517 https://access.redhat.com/errata/RHSA-2023:4517

Comment 28 errata-xmlrpc 2023-08-08 08:19:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:4531 https://access.redhat.com/errata/RHSA-2023:4531

Comment 29 errata-xmlrpc 2023-08-29 08:43:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:4789 https://access.redhat.com/errata/RHSA-2023:4789

Comment 30 errata-xmlrpc 2023-08-30 22:00:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:4888 https://access.redhat.com/errata/RHSA-2023:4888

Comment 32 errata-xmlrpc 2023-10-10 10:21:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions

Via RHSA-2023:5580 https://access.redhat.com/errata/RHSA-2023:5580

Comment 33 errata-xmlrpc 2023-10-10 14:07:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:5588 https://access.redhat.com/errata/RHSA-2023:5588

Comment 34 errata-xmlrpc 2023-10-10 14:12:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:5589 https://access.redhat.com/errata/RHSA-2023:5589

Comment 36 errata-xmlrpc 2024-02-26 09:38:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Advanced Update Support

Via RHSA-2024:0980 https://access.redhat.com/errata/RHSA-2024:0980

Comment 37 errata-xmlrpc 2024-03-12 00:47:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2024:1249 https://access.redhat.com/errata/RHSA-2024:1249

Comment 38 errata-xmlrpc 2024-03-13 22:50:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2024:1323 https://access.redhat.com/errata/RHSA-2024:1323

Comment 39 errata-xmlrpc 2024-03-14 14:51:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2024:1332 https://access.redhat.com/errata/RHSA-2024:1332

Comment 40 errata-xmlrpc 2024-04-10 08:05:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support

Via RHSA-2024:1746 https://access.redhat.com/errata/RHSA-2024:1746