Bug 576433

Summary: kernel: bluetooth: Fix kernel crash on L2CAP stress tests
Product: [Other] Security Response
Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: arozansk, bhu, davej, kmcmartin, lgoncalv, lwang, pmatouse, tcallawa, williams
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-03-28 08:38:00 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 576434
Bug Blocks:

Description Eugene Teo (Security Response) 2010-03-24 02:11:04 UTC
Description of problem:
Added a very simple check that the req buffer has enough space to fit the configuration parameters. This shall be enough to reject packets with a configuration size larger than the req buffer.

Crash trace below:

    [ 6069.659393] Unable to handle kernel paging request at virtual address 02000205
    [ 6069.673034] Internal error: Oops: 805 [#1] PREEMPT
    ...
    [ 6069.727172] PC is at l2cap_add_conf_opt+0x70/0xf0 [l2cap]
    [ 6069.732604] LR is at l2cap_recv_frame+0x1350/0x2e78 [l2cap]
    ...
    [ 6070.030303] Backtrace:
    [ 6070.032806] [<bf1c2880>] (l2cap_add_conf_opt+0x0/0xf0 [l2cap]) from [<bf1c6624>] (l2cap_recv_frame+0x1350/0x2e78 [l2cap])
    [ 6070.043823]  r8:dc5d3100 r7:df2a91d6 r6:00000001 r5:df2a8000 r4:00000200
    [ 6070.050659] [<bf1c52d4>] (l2cap_recv_frame+0x0/0x2e78 [l2cap]) from [<bf1c8408>] (l2cap_recv_acldata+0x2bc/0x350 [l2cap])
    [ 6070.061798] [<bf1c814c>] (l2cap_recv_acldata+0x0/0x350 [l2cap]) from [<bf0037a4>] (hci_rx_task+0x244/0x478 [bluetooth])
    [ 6070.072631]  r6:dc647700 r5:00000001 r4:df2ab740
    [ 6070.077362] [<bf003560>] (hci_rx_task+0x0/0x478 [bluetooth]) from [<c006b9fc>] (tasklet_action+0x78/0xd8)
    [ 6070.087005] [<c006b984>] (tasklet_action+0x0/0xd8) from [<c006c160>]

Upstream commit:
http://git.kernel.org/linus/c2c77ec83bdad17fb688557b5b3fdc36661dd1c6

This was introduced in f2fcfcd670257236ebf2088bbdf26f6a8ef459fe (Bluetooth: Add configuration support for ERTM and Streaming mode) in v2.6.32-rc1.
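The description boils down to one defensive rule: before copying configuration option bytes from a received packet into a fixed-size request buffer, check that the accumulated length plus the incoming length still fits, and reject the packet otherwise. The following is an added, constructed illustration of that class of check in C; it is not the kernel's L2CAP code and not the code of the upstream commit. The buffer size (64 bytes), the two-byte type/length option header, and every function and struct name are assumptions chosen for the example. It also adds a length-validating walk over the accumulated options, so that an option header which declares more bytes than are present is detected rather than read past the end of the buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model (not the kernel's code): a request buffer of fixed
 * capacity into which type-length-value configuration options accumulate,
 * possibly across several received fragments. */
#define CONF_REQ_MAX 64          /* assumed capacity for the example */
#define CONF_OPT_HDR 2           /* one byte type, one byte length (assumed) */

struct conf_req {
    uint8_t buf[CONF_REQ_MAX];
    size_t len;                  /* bytes used so far */
};

enum conf_result { CONF_OK = 0, CONF_REJECT = -1 };

/* Core check from the report: does 'incoming' more bytes fit in what is left?
 * The guard on req->len keeps the subtraction from wrapping around. */
static int conf_req_has_room(const struct conf_req *req, size_t incoming)
{
    if (req->len > CONF_REQ_MAX)
        return 0;
    return incoming <= CONF_REQ_MAX - req->len;
}

/* Handle one received configuration fragment: append its raw option bytes
 * only if the accumulated total stays within capacity; otherwise reject the
 * packet instead of writing past the buffer. */
int conf_req_accumulate(struct conf_req *req, const uint8_t *data, size_t datalen)
{
    if (!conf_req_has_room(req, datalen))
        return CONF_REJECT;
    memcpy(req->buf + req->len, data, datalen);
    req->len += datalen;
    return CONF_OK;
}

/* Append one TLV option, applying the same capacity check to the whole
 * header-plus-payload size before any byte is written. */
int conf_req_add_opt(struct conf_req *req, uint8_t type, uint8_t optlen,
                     const uint8_t *val)
{
    size_t need = CONF_OPT_HDR + (size_t)optlen;
    if (!conf_req_has_room(req, need))
        return CONF_REJECT;
    req->buf[req->len] = type;
    req->buf[req->len + 1] = optlen;
    memcpy(req->buf + req->len + CONF_OPT_HDR, val, optlen);
    req->len += need;
    return CONF_OK;
}

/* Walk the accumulated options, checking each declared length against the
 * bytes actually present. Returns the number of well-formed options, or -1
 * if a header is truncated or an option's length overruns the buffer. */
int conf_req_count_opts(const struct conf_req *req)
{
    size_t off = 0;
    int n = 0;
    while (off < req->len) {
        if (req->len - off < CONF_OPT_HDR)
            return -1;                           /* truncated header */
        uint8_t optlen = req->buf[off + 1];
        if (req->len - off - CONF_OPT_HDR < optlen)
            return -1;                           /* payload overruns buffer */
        off += CONF_OPT_HDR + optlen;
        n++;
    }
    return n;
}

int main(void)
{
    struct conf_req req;
    memset(&req, 0, sizeof req);

    /* Constructed inputs: one small option, then an oversized fragment. */
    const uint8_t mtu_val[2] = { 0x00, 0x04 };
    uint8_t oversized[80];
    memset(oversized, 0xAA, sizeof oversized);

    printf("add small option: %d (len now %zu)\n",
           conf_req_add_opt(&req, 0x01, 2, mtu_val), req.len);
    printf("accumulate 80 bytes: %d (len still %zu)\n",
           conf_req_accumulate(&req, oversized, sizeof oversized), req.len);
    printf("well-formed options: %d\n", conf_req_count_opts(&req));
    return 0;
}
```

The check is applied to the total that would result from the write, never to the incoming fragment alone, which is what makes it hold across multiple accumulated fragments; the exact-fit case (remaining space equal to the incoming size) is accepted, and one byte beyond it is rejected.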

Comment 1 Eugene Teo (Security Response) 2010-03-24 02:12:54 UTC
This security issue did not affect the Linux kernels as shipped with Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG as they did not include upstream commit f2fcfcd6 that introduced the problem.