From: Greg Kroah-Hartman Date: Mon, 7 Nov 2022 08:59:20 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.9.333~67 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a7c1b1d46fbc83c2d7e99bbe6c53a25876e30433;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: bluetooth-l2cap-fix-attempting-to-access-uninitialized-memory.patch
---
diff --git a/queue-4.9/bluetooth-l2cap-fix-attempting-to-access-uninitialized-memory.patch b/queue-4.9/bluetooth-l2cap-fix-attempting-to-access-uninitialized-memory.patch
new file mode 100644
index 00000000000..864e3db8ac2
--- /dev/null
+++ b/queue-4.9/bluetooth-l2cap-fix-attempting-to-access-uninitialized-memory.patch
@@ -0,0 +1,37 @@
+From b1a2cd50c0357f243b7435a732b4e62ba3157a2e Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz
+Date: Mon, 31 Oct 2022 16:10:52 -0700
+Subject: Bluetooth: L2CAP: Fix attempting to access uninitialized memory
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Luiz Augusto von Dentz
+
+commit b1a2cd50c0357f243b7435a732b4e62ba3157a2e upstream.
+
+On l2cap_parse_conf_req the variable efs is only initialized if
+remote_efs has been set.
+
+CVE: CVE-2022-42895
+CC: stable@vger.kernel.org
+Reported-by: Tamás Koczka
+Signed-off-by: Luiz Augusto von Dentz
+Reviewed-by: Tedd Ho-Jeong An
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bluetooth/l2cap_core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -3541,7 +3541,8 @@ done:
+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
+ sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
+
+- if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
++ if (remote_efs &&
++ test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
+ chan->remote_id = efs.id;
+ chan->remote_stype = efs.stype;
+ chan->remote_msdu = le16_to_cpu(efs.msdu);
diff --git a/queue-4.9/series b/queue-4.9/series
index ce1210dc2fa..0e048862291 100644
--- a/queue-4.9/series
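Review bot: In the queued net/bluetooth/l2cap_core.c hunk, the added `remote_efs &&` guard keeps this block from reading `efs`, but `efs` itself apparently stays uninitialized whenever the request carries no EFS option, so the fix holds only as long as every reader checks `remote_efs` first. Zero-initializing the struct where it is declared, e.g. `memset(&efs, 0, sizeof(efs));` before option parsing, would keep stale stack bytes out of `chan->remote_id`, `chan->remote_stype` and `chan->remote_msdu` even if a later change adds another read path. The declaration and the rest of l2cap_parse_conf_req lie outside the hunk, so how `efs` is declared in the 4.9 tree should be confirmed there. The commit message names the CVE but not the consequence; a sentence saying which peer-supplied configuration request reaches this path and what the uninitialized fields could expose would help anyone triaging the backport.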
+++ b/queue-4.9/series
@@ -17,3 +17,4 @@ net-mdio-fix-undefined-behavior-in-bit-shift-for-__m.patch
 media-s5p_cec-limit-msg.len-to-cec_max_msg_size.patch
 media-dvb-frontends-drxk-initialize-err-to-0.patch
 i2c-xiic-add-platform-module-alias.patch
+bluetooth-l2cap-fix-attempting-to-access-uninitialized-memory.patch