CVE-2022-48947 Information

Nov 01, 2024 cve

Description

In the Linux kernel the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix u8 overflow

By keep sending L2CAP_CONF_REQ packets chan->num_conf_rsp increases multiple times and eventually it will wrap around the maximum number (i.e. 255). This patch prevents this by adding a boundary check with L2CAP_MAX_CONF_RSP

Btmon log: Bluetooth monitor ver 5.64 = Note: Linux version 6.1.0-rc2 (x86_64) 0.264594 = Note: Bluetooth subsystem version 2.22 0.264636 @ MGMT Open: btmon (privileged) version 1.22 0x0001 0.272191 = New Index: 00:00:00:00:00:00 (PrimaryVirtualhci0) [hci0] 13.877604 @ RAW Open: 9496 (privileged) version 2.22 0x0002 13.890741 = Open Index: 00:00:00:00:00:00 [hci0] 13.900426 (…)

ACL Data RX: Handle 200 flags 0x00 dlen 1033 32 [hci0] 14.273106 invalid packet size (12 != 1033) 08 00 01 00 02 01 04 00 01 10 ff ff ………… ACL Data RX: Handle 200 flags 0x00 dlen 1547 33 [hci0] 14.273561 invalid packet size (14 != 1547) 0a 00 01 00 04 01 06 00 40 00 00 00 00 00 ……..@….. ACL Data RX: Handle 200 flags 0x00 dlen 2061 34 [hci0] 14.274390 invalid packet size (16 != 2061) 0c 00 01 00 04 01 08 00 40 00 00 00 00 00 00 04 ……..@……. ACL Data RX: Handle 200 flags 0x00 dlen 2061 35 [hci0] 14.274932 invalid packet size (16 != 2061) 0c 00 01 00 04 01 08 00 40 00 00 00 07 00 03 00 ……..@……. = bluetoothd: Bluetooth daemon 5.43 14.401828 ACL Data RX: Handle 200 flags 0x00 dlen 1033 36 [hci0] 14.275753 invalid packet size (12 != 1033) 08 00 01 00 04 01 04 00 40 00 00 00 ……..@…

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Reference

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

NONE

Base Score

HIGH

Base Severity

5.5

Share on: