From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Mon, 31 Oct 2022 23:10:52 +0000 (-0700)
Subject: Bluetooth: L2CAP: Fix attempting to access uninitialized memory
X-Git-Tag: archive/raspbian/6.0.8-1+rpi1^2^2~13
X-Git-Url: https://dgit.raspbian.org/%22http:/www.example.com/cgi/%22https:/%22bookmarks://%22/%22http:/www.example.com/cgi/%22https:/%22bookmarks:/%22?a=commitdiff_plain;h=ed76dd6bab3ad3cb42438ad70b0e83b5f0204237;p=linux.git

Bluetooth: L2CAP: Fix attempting to access uninitialized memory

Origin: https://git.kernel.org/linus/b1a2cd50c0357f243b7435a732b4e62ba3157a2e
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-42895

On l2cap_parse_conf_req the variable efs is only initialized if
remote_efs has been set.

CVE: CVE-2022-42895
CC: stable@vger.kernel.org
Reported-by: Tamás Koczka <poprdi@google.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Reviewed-by: Tedd Ho-Jeong An <tedd.an@intel.com>

Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name Bluetooth-L2CAP-Fix-attempting-to-access-uninitializ.patch
---

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index fbf68dd6da9..b8f2dcc2bd5 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -3764,7 +3764,8 @@ done:
 			l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
 					   sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
 
-			if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
+			if (remote_efs &&
+			    test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
 				chan->remote_id = efs.id;
 				chan->remote_stype = efs.stype;
 				chan->remote_msdu = le16_to_cpu(efs.msdu);