[FIPS 9.2] Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm #95

@gvrose8192 gvrose8192 commented Jan 29, 2025

jira VULN-211
cve CVE-2022-42896

Builds and Loads
build.log

```
  CLEAN   include/config include/generated arch/x86/include/generated .config .config.old .version Module.symvers certs/signing_key.pem certs/signing_key.x509 certs/x509.genkey
[TIMER]{MRPROPER}: 19s
x86_64 architecture detected, copying config
'configs/kernel-5.14.0-x86_64.config' -> '.config'
Setting Local Version for build
CONFIG_LOCALVERSION="-gvrose_fips-9-compliant_5.14.0-284.30.1"
Making olddefconfig
  HOSTCC  scripts/basic/fixdep
  HOSTCC  scripts/kconfig/conf.o
  HOSTCC  scripts/kconfig/confdata.o
  HOSTCC  scripts/kconfig/expr.o
  LEX     scripts/kconfig/lexer.lex.c
  YACC    scripts/kconfig/parser.tab.[ch]
```
[SNIP]

```
  INSTALL /lib/modules/5.14.0-gvrose_fips-9-compliant_5.14.0-284.30.1+/kernel/sound/x86/snd-hdmi-lpe-audio.ko
  STRIP   /lib/modules/5.14.0-gvrose_fips-9-compliant_5.14.0-284.30.1+/kernel/sound/x86/snd-hdmi-lpe-audio.ko
  SIGN    /lib/modules/5.14.0-gvrose_fips-9-compliant_5.14.0-284.30.1+/kernel/sound/x86/snd-hdmi-lpe-audio.ko
  INSTALL /lib/modules/5.14.0-gvrose_fips-9-compliant_5.14.0-284.30.1+/kernel/sound/xen/snd_xen_front.ko
  STRIP   /lib/modules/5.14.0-gvrose_fips-9-compliant_5.14.0-284.30.1+/kernel/sound/xen/snd_xen_front.ko
  SIGN    /lib/modules/5.14.0-gvrose_fips-9-compliant_5.14.0-284.30.1+/kernel/sound/xen/snd_xen_front.ko
  INSTALL /lib/modules/5.14.0-gvrose_fips-9-compliant_5.14.0-284.30.1+/kernel/virt/lib/irqbypass.ko
  STRIP   /lib/modules/5.14.0-gvrose_fips-9-compliant_5.14.0-284.30.1+/kernel/virt/lib/irqbypass.ko
  SIGN    /lib/modules/5.14.0-gvrose_fips-9-compliant_5.14.0-284.30.1+/kernel/virt/lib/irqbypass.ko
  DEPMOD  /lib/modules/5.14.0-gvrose_fips-9-compliant_5.14.0-284.30.1+
[TIMER]{MODULES}: 85s
Making Install
sh ./arch/x86/boot/install.sh \
        5.14.0-gvrose_fips-9-compliant_5.14.0-284.30.1+ arch/x86/boot/bzImage \
        System.map "/boot"
[TIMER]{INSTALL}: 56s
Checking kABI
Checking kABI
kABI check passed
Setting Default Kernel to /boot/vmlinuz-5.14.0-gvrose_fips-9-compliant_5.14.0-284.30.1+ and Index to 0
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 19s
[TIMER]{BUILD}: 3054s
[TIMER]{MODULES}: 85s
[TIMER]{INSTALL}: 56s
[TIMER]{TOTAL} 3240s
Rebooting in 10 seconds
[g.v.rose@rocky92-lts-base ~]$ uname -a
Linux rocky92-lts-base 5.14.0-gvrose_fips-9-compliant_5.14.0-284.30.1+ #1 SMP PREEMPT_DYNAMIC Wed Jan 29 08:19:21 PST 2025 x86_64 x86_64 x86_64 GNU/Linux
```

Kernel Selftests
No significant difference between the before and after kernel selftest log files - some flap in the raw_skew test but not related to our change so ignored.
kernel-selftests-before.log
kernel-selftests-after.log

Kernel Selftests with lockdep, kmemleak and stress
I ran the tests with additional kernel debugging and stressing the system - no panics or unexpected traces (the kernel selftests for locking always throw some traces).
kernel-selftests-ldp_stress_on.log

Similar to several other PRs in this line for CVE-2022-42896.

jira VULN-211
cve CVE-2022-42896
commit-author Luiz Augusto von Dentz <[email protected]>
commit f937b75

l2cap_global_chan_by_psm shall not return fixed channels as they are not
meant to be connected by (S)PSM.

	Signed-off-by: Luiz Augusto von Dentz <[email protected]>
	Reviewed-by: Tedd Ho-Jeong An <[email protected]>
(cherry picked from commit f937b75)
	Signed-off-by: Greg Rose <[email protected]>
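
Added example, not part of this pull request or the kernel source: a simplified model of the rule stated in the commit message above, in which a lookup by PSM never returns a fixed channel. The struct, enum and function names and the channel table are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Illustrative model only: names and table are constructed, not kernel code. */
enum chan_type  { CHAN_CONN_ORIENTED, CHAN_FIXED };
enum chan_state { ST_LISTEN, ST_CONNECTED };
struct chan {
    const char     *name;
    enum chan_type  type;
    enum chan_state state;
    uint16_t        psm;   /* meaningful only for PSM-addressed channels */
};
static const struct chan chan_table[] = {
    { "fixed",    CHAN_FIXED,         ST_LISTEN,    0x0000 }, /* psm unused */
    { "server-a", CHAN_CONN_ORIENTED, ST_LISTEN,    0x0081 },
    { "server-b", CHAN_CONN_ORIENTED, ST_CONNECTED, 0x0083 },
};
#define NCHAN (sizeof(chan_table) / sizeof(chan_table[0]))

/* Walk the table; when skip_fixed is set, fixed channels never match. */
static const struct chan *find(uint16_t psm, enum chan_state st, int skip_fixed)
{
    for (size_t i = 0; i < NCHAN; i++) {
        const struct chan *c = &chan_table[i];
        if (c->state != st)
            continue;
        if (skip_fixed && c->type == CHAN_FIXED)
            continue;
        if (c->psm == psm)
            return c;
    }
    return NULL;
}

/* Lookup without the check: matches on the psm field alone. */
const struct chan *lookup_unfiltered(uint16_t psm, enum chan_state st)
{ return find(psm, st, 0); }
/* Lookup with the check: only PSM-addressed channels can be returned. */
const struct chan *lookup_by_psm(uint16_t psm, enum chan_state st)
{ return find(psm, st, 1); }

int main(void)
{
    const struct chan *a = lookup_unfiltered(0x0000, ST_LISTEN);
    const struct chan *b = lookup_by_psm(0x0000, ST_LISTEN);
    printf("unfiltered: %s\n", a ? a->name : "(none)");
    printf("filtered:   %s\n", b ? b->name : "(none)");
    return 0;
}
```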
PlaidCat approved these changes Jan 29, 2025
@PlaidCat PlaidCat self-requested a review January 29, 2025 21:31
@PlaidCat PlaidCat changed the title [LTS 9.2] Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm [FIPS 9.2] Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm Jan 29, 2025
@PlaidCat
Collaborator

PlaidCat commented Jan 29, 2025

Actually I take back the :shipit:

Could you pull this change in but also change it from pull_request_target -> pull_request, which technically needs fixed in 9.2 as well it seems
92a2ad4

@gvrose8192
Author

> Actually I take back the :shipit:
>
> Could you pull this change in but also change it from pull_request_target -> pull_request, which technically needs fixed in 9.2 as well it seems 92a2ad4

I can do that!

@gvrose8192
Author

> > Actually I take back the :shipit:
> > Could you pull this change in but also change it from pull_request_target -> pull_request, which technically needs fixed in 9.2 as well it seems 92a2ad4
>
> I can do that!

Done!

@gvrose8192
Author

> > > Actually I take back the :shipit:
> > > Could you pull this change in but also change it from pull_request_target -> pull_request, which technically needs fixed in 9.2 as well it seems 92a2ad4
> >
> > I can do that!
>
> Done!

Uh, wait... I did not do the pull_request_target -> pull_request change. Let me fix that up.

Since we need to make sure external contributors' code actually compiles
prior to merging. To get access to the forked repos merge request we
need to switch over our push/pull_request to pull_request_target.  In
addition we're fixing up some Naming Conventions, adding aarch64 to this
branch and fixing the naming so that we can quickly identify if the CI
is for x86_64 or aarch64.

Removes pull request checker it is being rewritten and doesn't work as
intended for fork merges.
@gvrose8192 gvrose8192 force-pushed the gvrose_fips-9-compliant_5.14.0-284.30.1 branch from a8f1a4d to 61eb857 Compare January 29, 2025 22:40
@gvrose8192
Author

> > > > Actually I take back the :shipit:
> > > > Could you pull this change in but also change it from pull_request_target -> pull_request, which technically needs fixed in 9.2 as well it seems 92a2ad4
> > >
> > > I can do that!
> >
> > Done!
>
> Uh, wait... I did not do the pull_request_target -> pull_request change. Let me fix that up.

OK, now.

Collaborator

@PlaidCat PlaidCat left a comment

:shipit:

@gvrose8192 gvrose8192 merged commit 8791d08 into fips-9-compliant/5.14.0-284.30.1 Jan 30, 2025
3 checks passed
@gvrose8192 gvrose8192 deleted the gvrose_fips-9-compliant_5.14.0-284.30.1 branch January 30, 2025 17:33