Bugzilla – Bug 1180460
VUL-1: CVE-2020-35499: kernel-source: bluetooth crash when using BT_SNDMTU/BT_RCVMTU option
Last modified: 2021-02-02 12:44:43 UTC
Upstream fix: commit f6b8c6b55439 ("Bluetooth: sco: Fix crash when using BT_SNDMTU/BT_RCVMTU option")
It is unknown whether this can be actually triggered via Bluetooth. The PoC only crashes itself, with no apparent impact on kernel functionality. If it turns out this is indeed the case, we can file a dispute for the CVE.
(In reply to Wolfgang Frisch from comment #2)
> It is unknown whether this can be actually triggered via Bluetooth. The PoC
> only crashes itself, with no apparent impact on kernel functionality. If it
> turns out this is indeed the case, we can file a dispute for the CVE.

> Upstream fix: commit f6b8c6b55439 ("Bluetooth: sco: Fix crash when using BT_SNDMTU/BT_RCVMTU option")

This patch applies on v5.11-rc1, and the fix is based on 0fc1a726f897 ("Bluetooth: sco: new getsockopt options BT_SNDMTU/BT_RCVMTU") (v5.10-rc1).

master: has it
stable: affected
15sp2: not affected
cve/linux-4.12: not affected
cve/linux-4.4: not affected
cve/linux-3.0: not affected
cve/linux-2.6.32: not affected
is public
(In reply to Al Cho from comment #3)
> (In reply to Wolfgang Frisch from comment #2)
> > It is unknown whether this can be actually triggered via Bluetooth. The PoC
> > only crashes itself, with no apparent impact on kernel functionality. If it
> > turns out this is indeed the case, we can file a dispute for the CVE.
>
> > Upstream fix: commit f6b8c6b55439 ("Bluetooth: sco: Fix crash when using
> > BT_SNDMTU/BT_RCVMTU option")
>
> This patch apply on v5.11-rc1
>
> and fixing is based on 0fc1a726f897 Bluetooth: sco: new getsockopt options
> BT_SNDMTU/BT_RCVMTU (v5.10-rc1)
>
> master: has it
> stable: affected

already fixed/patched by 84f94bc8377d8ec8a7cc2b8b48c5b5a301b52364 at Wed Dec 30 13:26:17 2020
patches.kernel.org/5.10.4-337-Bluetooth-sco-Fix-crash-when-using-BT_SNDMTU-B.patch - Bluetooth: sco: Fix crash when using BT_SNDMTU/BT_RCVMTU option (bsc#1012628).

> 15sp2: not affected
> cve/linux-4.12: not affected
> cve/linux-4.4: not affected
> cve/linux-3.0: not affected
> cve/linux-2.6.32: not affected
-> fixed upstream