[PATCH OLK-6.6 0/2] CVEs
CVEs Andrey Vatoropin (1): fbcon: check return value of con2fb_acquire_newinfo() Luiz Augusto von Dentz (1): Bluetooth: L2CAP: Fix missing key size check for L2CAP_LE_CONN_REQ drivers/video/fbdev/core/fbcon.c | 3 ++- net/bluetooth/l2cap_core.c | 7 +++++++ 2 files changed, 9 insertions(+), 1 deletion(-) -- 2.34.1
From: Andrey Vatoropin <a.vatoropin@crpt.ru> stable inclusion from stable-v6.6.128 commit a785c4e2a999c2d51dfcf40d317cfb30cc735d2c category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14670 CVE: CVE-2026-43123 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... -------------------------------- [ Upstream commit 011a0502801c8536f64141a2b61362c14f456544 ] If fbcon_open() fails when called from con2fb_acquire_newinfo() then info->fbcon_par pointer remains NULL which is later dereferenced. Add check for return value of the function con2fb_acquire_newinfo() to avoid it. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: d1baa4ffa677 ("fbcon: set_con2fb_map fixes") Cc: stable@vger.kernel.org Signed-off-by: Andrey Vatoropin <a.vatoropin@crpt.ru> Signed-off-by: Helge Deller <deller@gmx.de> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Liu Kai <liukai284@huawei.com> --- drivers/video/fbdev/core/fbcon.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c index 8b2c3065c0c2..d1ac4e45eea6 100644 --- a/drivers/video/fbdev/core/fbcon.c +++ b/drivers/video/fbdev/core/fbcon.c @@ -1025,7 +1025,8 @@ static void fbcon_init(struct vc_data *vc, bool init) return; if (!info->fbcon_par) - con2fb_acquire_newinfo(vc, info, vc->vc_num); + if (con2fb_acquire_newinfo(vc, info, vc->vc_num)) + return; /* If we are not the first console on this fb, copy the font from that console */ -- 2.34.1
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> stable inclusion from stable-v6.6.128 commit 481ea39b342c347b6ac029f3d418486280be4e45 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14681 CVE: CVE-2026-43134 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... -------------------------------- [ Upstream commit 138d7eca445ef37a0333425d269ee59900ca1104 ] This adds a check for encryption key size upon receiving L2CAP_LE_CONN_REQ which is required by L2CAP/LE/CFC/BV-15-C which expects L2CAP_CR_LE_BAD_KEY_SIZE. Link: https://lore.kernel.org/linux-bluetooth/5782243.rdbgypaU67@n9w6sw14/ Fixes: 27e2d4c8d28b ("Bluetooth: Add basic LE L2CAP connect request receiving support") Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Tested-by: Christian Eggers <ceggers@arri.de> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Liu Kai <liukai284@huawei.com> --- net/bluetooth/l2cap_core.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index 6d7e621fbcf5..be96edf3e4b8 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c @@ -4864,6 +4864,13 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn, goto response_unlock; } + /* Check if Key Size is sufficient for the security level */ + if (!l2cap_check_enc_key_size(conn->hcon, pchan)) { + result = L2CAP_CR_LE_BAD_KEY_SIZE; + chan = NULL; + goto response_unlock; + } + /* Check for valid dynamic CID range */ if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) { result = L2CAP_CR_LE_INVALID_SCID; -- 2.34.1
反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://atomgit.com/openeuler/kernel/merge_requests/22696 邮件列表地址:https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/O46... FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://atomgit.com/openeuler/kernel/merge_requests/22696 Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/O46...
participants (2)
-
Liu Kai -
patchwork bot