Bug 2150999 (CVE-2022-3564)

Summary: CVE-2022-3564 kernel: use-after-free caused by l2cap_reassemble_sdu() in net/bluetooth/l2cap_core.c
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: high
Priority: high
Version: unspecified
CC: acaringi, allarkin, arachman, bhu, chwhite, crwood, ddepaula, debarbos, dfreiber, dvlasenk, ezulian, hkrzesin, jarod, jburrell, jfaracco, jferlan, jforbes, jlelli, joe.lawrence, jpoimboe, jshortt, jstancek, jwyatt, kcarcia, kernel-mgr, kpatch-maint-bot, lgoncalv, lleshchi, lveyde, lzampier, michal.skrivanek, mperina, nmurray, ptalbert, qzhao, rhandlin, rogbas, rvrbovsk, scweaver, tyberry, vkumar, walters, williams, ycote
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the Linux kernel’s L2CAP Bluetooth functionality in how a user triggers a race condition by two malicious flows in the L2CAP Bluetooth packets. This flaw allows a local or Bluetooth connection user to crash the system or potentially escalate privileges.
Bug Depends On: 2151000, 2152920, 2152921, 2152922, 2152923, 2152924, 2152925, 2152926, 2152927, 2152928, 2152929, 2152931, 2152932, 2152933, 2152934, 2152935, 2152936, 2152937, 2152938, 2152939, 2152940, 2152941, 2152942, 2152943, 2152944, 2153000, 2153001, 2153002, 2153003, 2153004, 2153005, 2153006, 2153007, 2160012, 2165310, 2210946
Bug Blocks: 2150891

Description Guilherme de Almeida Suckevicz 2022-12-05 19:53:24 UTC
A vulnerability classified as critical was found in Linux Kernel. Affected by this vulnerability is the function l2cap_reassemble_sdu of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211087.

Reference:
https://vuldb.com/?id.211087

Upstream patch:
https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=89f9f3cb86b1c63badaf392a83dd661d56cc50b1

Comment 1 Guilherme de Almeida Suckevicz 2022-12-05 19:53:46 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2151000]

Comment 2 Justin M. Forbes 2022-12-08 15:53:33 UTC
This was fixed for Fedora with the 6.0.8 stable kernel updates.

Comment 15 errata-xmlrpc 2023-02-21 10:02:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:0856 https://access.redhat.com/errata/RHSA-2023:0856

Comment 16 errata-xmlrpc 2023-02-21 10:03:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:0858 https://access.redhat.com/errata/RHSA-2023:0858

Comment 17 errata-xmlrpc 2023-02-28 08:18:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0951 https://access.redhat.com/errata/RHSA-2023:0951

Comment 18 errata-xmlrpc 2023-02-28 09:51:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0979 https://access.redhat.com/errata/RHSA-2023:0979

Comment 19 errata-xmlrpc 2023-02-28 11:42:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:1008 https://access.redhat.com/errata/RHSA-2023:1008

Comment 20 errata-xmlrpc 2023-03-14 13:53:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1202 https://access.redhat.com/errata/RHSA-2023:1202

Comment 21 errata-xmlrpc 2023-03-14 13:54:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1203 https://access.redhat.com/errata/RHSA-2023:1203

Comment 22 errata-xmlrpc 2023-03-14 13:58:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:1220 https://access.redhat.com/errata/RHSA-2023:1220

Comment 23 errata-xmlrpc 2023-03-14 13:58:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:1221 https://access.redhat.com/errata/RHSA-2023:1221

Comment 24 errata-xmlrpc 2023-03-15 09:49:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:1251 https://access.redhat.com/errata/RHSA-2023:1251

Comment 25 errata-xmlrpc 2023-03-23 09:03:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1435 https://access.redhat.com/errata/RHSA-2023:1435

Comment 28 errata-xmlrpc 2023-04-04 06:54:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:1560 https://access.redhat.com/errata/RHSA-2023:1560

Comment 29 errata-xmlrpc 2023-04-04 06:55:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:1559 https://access.redhat.com/errata/RHSA-2023:1559

Comment 30 errata-xmlrpc 2023-04-05 16:16:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions

Via RHSA-2023:1666 https://access.redhat.com/errata/RHSA-2023:1666

Comment 31 errata-xmlrpc 2023-05-16 08:05:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2736 https://access.redhat.com/errata/RHSA-2023:2736

Comment 32 errata-xmlrpc 2023-05-16 08:34:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2951 https://access.redhat.com/errata/RHSA-2023:2951

Comment 33 errata-xmlrpc 2023-05-23 14:00:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support
  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.7 Telco Extended Update Support

Via RHSA-2023:3277 https://access.redhat.com/errata/RHSA-2023:3277

Comment 34 errata-xmlrpc 2023-05-23 14:00:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions

Via RHSA-2023:3278 https://access.redhat.com/errata/RHSA-2023:3278

Comment 35 errata-xmlrpc 2023-05-31 15:50:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:3388 https://access.redhat.com/errata/RHSA-2023:3388

Comment 36 errata-xmlrpc 2023-06-05 08:14:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:3431 https://access.redhat.com/errata/RHSA-2023:3431

Comment 37 errata-xmlrpc 2023-06-06 14:11:47 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2023:3491 https://access.redhat.com/errata/RHSA-2023:3491

Comment 41 errata-xmlrpc 2023-07-11 07:47:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support

Via RHSA-2023:4020 https://access.redhat.com/errata/RHSA-2023:4020

Comment 42 errata-xmlrpc 2023-07-11 07:50:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Advanced Update Support

Via RHSA-2023:4021 https://access.redhat.com/errata/RHSA-2023:4021

Comment 43 errata-xmlrpc 2023-07-18 08:25:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:4150 https://access.redhat.com/errata/RHSA-2023:4150

Comment 44 errata-xmlrpc 2023-07-18 08:26:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:4151 https://access.redhat.com/errata/RHSA-2023:4151

Comment 45 errata-xmlrpc 2023-07-19 17:26:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:4215 https://access.redhat.com/errata/RHSA-2023:4215