Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp
l2cap_ecred_reconf_rsp() calls l2cap_chan_del() without holding
l2cap_chan_lock(). Every other l2cap_chan_del() caller in the file
acquires the lock first. A remote BLE device can send a crafted
L2CAP ECRED reconfiguration response to corrupt the channel list
while another thread is iterating it.
Add l2cap_chan_hold() and l2cap_chan_lock() before l2cap_chan_del(),
and l2cap_chan_unlock() and l2cap_chan_put() after, matching the
pattern used in l2cap_ecred_conn_rsp() and l2cap_conn_del().
kernel: Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp
A flaw was found in the Linux kernel's Bluetooth Logical Link Control and Adaptation Protocol (L2CAP) implementation. A remote Bluetooth Low Energy (BLE) device can exploit this by sending a specially crafted L2CAP ECRED reconfiguration response. This can lead to the corruption of the channel list, potentially causing a Denial of Service (DoS) by making the system unstable or unresponsive. The vulnerability is due to a missing channel lock when a channel is deleted.