Looks similar to the previous fix in this series for CVE-2022-42896 - Thanks!
Right, this CVE became basically an exercise in Rocky testing, which turned out to be much more involved than one could have thought. I'm experimenting with different approaches and trying to find a way to automate it, manual log diffing is just horrible, not to even mention the indeterministic results...
jira VULN-204
cve CVE-2022-42896
commit-author Luiz Augusto von Dentz <[email protected]>
commit f937b75

l2cap_global_chan_by_psm shall not return fixed channels as they are not meant to be connected by (S)PSM.

Signed-off-by: Luiz Augusto von Dentz <[email protected]>
Reviewed-by: Tedd Ho-Jeong An <[email protected]>
(cherry picked from commit f937b75)
Signed-off-by: Marcin Wcisło <[email protected]>
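The lookup the commit message describes, as an added model written for this page (it is neither the kernel's code nor anything from this PR): a channel list holding both connection-oriented channels, which are addressed by PSM, and fixed channels, which are addressed by CID and whose psm field therefore carries no meaning. The `find_by_psm` helper, its `skip_fixed` flag and the `lookup_index` wrapper are assumptions used to put the lookup before and after the fix side by side; the real `l2cap_global_chan_by_psm` also filters on addresses and link type, which the model reduces to a state check.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of an L2CAP channel entry: only the fields the lookup
 * needs. The enums stand in for the kernel's channel type and state
 * fields; this is not kernel code. */
enum chan_type { CHAN_CONN_ORIENTED, CHAN_FIXED };
enum chan_state { ST_ANY = 0, ST_CLOSED, ST_LISTEN };

struct chan {
	enum chan_type type;
	enum chan_state state;
	uint16_t psm;  /* meaningful only for connection-oriented channels */
	uint16_t scid; /* fixed channels are addressed by this CID instead */
};

/* Look up a channel to connect by (S)PSM.
 * skip_fixed == false models the lookup before the fix: any channel whose
 * psm field compares equal is returned, fixed channels included, although
 * for them the field was never meant to be compared.
 * skip_fixed == true models the fix: fixed channels are never returned. */
static const struct chan *find_by_psm(const struct chan *list, size_t n,
				      enum chan_state state, uint16_t psm,
				      bool skip_fixed)
{
	for (size_t i = 0; i < n; i++) {
		const struct chan *c = &list[i];

		if (state != ST_ANY && c->state != state)
			continue;
		if (skip_fixed && c->type == CHAN_FIXED)
			continue; /* not meant to be connected by (S)PSM */
		if (c->psm == psm)
			return c;
	}
	return NULL;
}

/* Constructed channel list: a listening fixed channel whose psm field was
 * never set (so it holds 0), and a listening connection-oriented channel on
 * PSM 0x0001 (the SDP PSM). The checks below refer to indices 0 and 1. */
static const struct chan channels[] = {
	{ CHAN_FIXED,         ST_LISTEN, 0x0000, 0x0004 },
	{ CHAN_CONN_ORIENTED, ST_LISTEN, 0x0001, 0x0040 },
};
#define NCHANNELS (sizeof channels / sizeof channels[0])

/* Index of the channel a PSM lookup selects, or -1 when none matches. */
static int lookup_index(uint16_t psm, bool skip_fixed)
{
	const struct chan *c = find_by_psm(channels, NCHANNELS, ST_LISTEN,
					   psm, skip_fixed);
	return c ? (int)(c - channels) : -1;
}

int main(void)
{
	printf("before fix, psm 0x0000 -> channel %d\n", lookup_index(0x0000, false));
	printf("after fix,  psm 0x0000 -> channel %d\n", lookup_index(0x0000, true));
	printf("after fix,  psm 0x0001 -> channel %d\n", lookup_index(0x0001, true));
	return 0;
}
```

The point the model makes is that the filter must be on the channel type, not on the value of the psm field: whatever a fixed channel's field happens to hold, a PSM-keyed lookup has no business returning it, so the hardened variant skips the entry before the comparison is ever made.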
CVE-2022-42896
VULN-204
Solution
The bug fix in the mainline is provided [1] in two commits:
f937b758a188d6fd328a81367087eddbb2fce50f
711f8c3fb3db61897080468586b970c87c61d9e4
Of these, the 711f8c3 is already applied on ciqlts8_6 (commit 8b3cab2c7776120fdd10fc27fb983f706b32808a). (Same situation as in #41.)
Build
Kernel built on virtual machine instantiated on physical Rocky 9 machine with
from the https://gitlab.conclusive.pl/devices/rocky-patching project. Installed on a testing machine created with
Logs: build.log
kABI check: passed
kABI check ran on the build machine with
for the /mnt/code/kernel-dist-git repo in the state of commit hash 9cb8f01815976c24b697b25ddc56b4695747de9b.
Boot test: passed
boot-test.log
Kselftests: passed relative
Kselftests were split into two parts: the kernel-selftests-internal package (for ease of use and stability of the tests) and source-compiled tests. The sets of tests covered by each method do not overlap. The chosen policy was "if a test exists in kernel-selftests-internal then use this implementation, otherwise use the source-compiled one". This should provide the best possible test stability and coverage.
Packaged tests
Test sets covered
bpf
livepatch
net
net/forwarding
net/mptcp
netfilter
tc-testing
Package
The package is not available in repositories for Rocky 8.6 and, before the latest commit 6c475c05370eb88e87cfe3df4463ef461483e908, a successful rpm build was impossible due to a bug in clang. The rpm package was custom built using the kernel-dist-git project (9cb8f01815976c24b697b25ddc56b4695747de9b) with kernel source from ciqlts8_6 (6c475c05370eb88e87cfe3df4463ef461483e908) and made available at https://gitlab.conclusive.pl/devices/rocky-patching/-/blob/master/kernel-selftests-internal-4.18.0-372.32.1.el8.0.7.x86_64.rpm?ref_type=heads
Tests results
Patched kernel
kselftests–rpm–ciqlts8_6-CVE-2022-42896.zip
Flat text file form:
kselftests–rpm–ciqlts8_6-CVE-2022-42896.log
Reference kernel
6c475c05370eb88e87cfe3df4463ef461483e908
kselftests–rpm–ciqlts8_6.zip
Flat text file form:
kselftests–rpm–ciqlts8_6.log
Summary
The patched and reference tests results are identical
Source-compiled tests
Test sets covered
android
breakpoints
capabilities
core
cpu-hotplug
cpufreq
efivarfs
exec
filesystems
firmware
fpu
futex
intel_pstate
ipc
kcmp
kvm
lib
membarrier
memory-hotplug
mount
nsfs
proc
pstore
ptrace
rtc
sgx
sigaltstack
size
splice
static_keys
sync
sysctl
timens
timers
tpm2
user
vm
x86
zram
Tests results
Patched kernel
kselftests–kernel-src–ciqlts8_6-CVE-2022-42896.log
Reference kernel
6c475c05370eb88e87cfe3df4463ef461483e908
kselftests–kernel-src–ciqlts8_6.log
Summary
The only status difference between patched and reference is for the ipc:msgque test. This test was found to be "flappy" (along with netfilter:nft_flowtable.sh and net:xfrm_policy.sh) in the course of 4 different runs on the same reference kernel. See column https://docs.google.com/spreadsheets/d/1tUwJ2rV57cYZXh7momPtraSjZcHDjMYHLeHA3DYWrUU/edit?gid=0#gid=0&range=C:C for the summary of tests behavior for Rocky 8.6 found so far.
Additional tests: none
Following the guidelines from the precedent #41.
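The summary above treats ipc:msgque as flappy because its status varies between runs of the same reference kernel, whereas a real regression would differ consistently between the patched and the reference kernel. The following is an added example, written for this page and not part of the PR or the repositories it references, that applies that rule mechanically to kselftest summary lines so the comparison does not depend on diffing logs by eye. The log lines are constructed to mimic kselftest's `ok N selftests: group: test` output, with four reference runs as the summary describes; the test names other than ipc:msgque, the `triage` function and the verdict names are assumptions.

```c
#include <stdio.h>
#include <string.h>

enum result { R_MISSING = 0, R_PASS, R_FAIL };
enum verdict { V_STABLE, V_FLAKY, V_REGRESSION, V_FIXED };

/* Parse one summary line of the form
 *   "ok 3 selftests: ipc: msgque"  or  "not ok 3 selftests: ipc: msgque"
 * copying "ipc: msgque" into name. Returns 0 for any other line. */
static int parse_line(const char *line, char *name, size_t len, enum result *r)
{
	const char *p = line;

	if (!strncmp(p, "not ok ", 7)) { *r = R_FAIL; p += 7; }
	else if (!strncmp(p, "ok ", 3)) { *r = R_PASS; p += 3; }
	else return 0;

	while (*p >= '0' && *p <= '9') p++;   /* test number */
	while (*p == ' ') p++;
	if (!strncmp(p, "selftests: ", 11)) p += 11;
	snprintf(name, len, "%s", p);
	return 1;
}

/* Result of one named test in one run's log (given as an array of lines). */
static enum result result_of(const char *const *lines, size_t nlines, const char *test)
{
	char name[64];
	enum result r;

	for (size_t i = 0; i < nlines; i++)
		if (parse_line(lines[i], name, sizeof name, &r) && !strcmp(name, test))
			return r;
	return R_MISSING;
}

#define NREF 4
#define NLINES 4

/* Constructed reference-kernel logs: four runs of the same unpatched kernel.
 * ipc: msgque passes in some runs and fails in others; the rest are steady. */
static const char *const ref_runs[NREF][NLINES] = {
	{ "ok 1 selftests: ipc: msgque",     "ok 2 selftests: kcmp: kcmp_test", "not ok 3 selftests: sgx: test_sgx", "ok 4 selftests: timens: timens" },
	{ "not ok 1 selftests: ipc: msgque", "ok 2 selftests: kcmp: kcmp_test", "not ok 3 selftests: sgx: test_sgx", "ok 4 selftests: timens: timens" },
	{ "ok 1 selftests: ipc: msgque",     "ok 2 selftests: kcmp: kcmp_test", "not ok 3 selftests: sgx: test_sgx", "ok 4 selftests: timens: timens" },
	{ "not ok 1 selftests: ipc: msgque", "ok 2 selftests: kcmp: kcmp_test", "not ok 3 selftests: sgx: test_sgx", "ok 4 selftests: timens: timens" },
};

/* Constructed patched-kernel log: kcmp newly fails, sgx newly passes. */
static const char *const patched_run[NLINES] = {
	"not ok 1 selftests: ipc: msgque", "not ok 2 selftests: kcmp: kcmp_test", "ok 3 selftests: sgx: test_sgx", "ok 4 selftests: timens: timens",
};

/* A test is flaky if the reference runs disagree among themselves; only a
 * stable reference result is meaningful to compare with the patched kernel. */
static enum verdict triage(const char *test)
{
	enum result first = result_of(ref_runs[0], NLINES, test);

	for (int k = 1; k < NREF; k++)
		if (result_of(ref_runs[k], NLINES, test) != first)
			return V_FLAKY;

	enum result p = result_of(patched_run, NLINES, test);
	if (p == first)
		return V_STABLE;
	return p == R_PASS ? V_FIXED : V_REGRESSION;
}

int main(void)
{
	static const char *const tests[] = { "ipc: msgque", "kcmp: kcmp_test", "sgx: test_sgx", "timens: timens" };
	static const char *const names[] = { "stable", "flaky", "regression", "fixed" };

	for (size_t i = 0; i < sizeof tests / sizeof tests[0]; i++)
		printf("%-16s %s\n", tests[i], names[triage(tests[i])]);
	return 0;
}
```

With the logs embedded this way the verdicts are reproducible, which is what the reference runs are for: a test that flips on its own kernel is reported as flaky rather than counted as a difference, and only consistent changes are raised as regressions or fixes.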
Footnotes
[1] GHSA-pf87-6c9q-jvm4