Recent commits have CVE-2022-2741 fixed.

Also backported CVE-2022-2993 fix.

Signed-off-by: Naveen Saini <naveen.kumar.saini@...>
---
...ix-SMP-local-keys-check-when-startin.patch | 51 +++++++++++++++++++
.../zephyr-kernel/zephyr-kernel-src-3.1.0.inc | 3 +-
2 files changed, 53 insertions(+), 1 deletion(-)
create mode 100644 meta-zephyr-core/recipes-kernel/zephyr-kernel/files/0001-3.1-Bluetooth-host-Fix-SMP-local-keys-check-when-startin.patch

diff --git a/meta-zephyr-core/recipes-kernel/zephyr-kernel/files/0001-3.1-Bluetooth-host-Fix-SMP-local-keys-check-when-startin.patch b/meta-zephyr-core/recipes-kernel/zephyr-kernel/files/0001-3.1-Bluetooth-host-Fix-SMP-local-keys-check-when-startin.patch
new file mode 100644
index 0000000..68650c3
--- /dev/null
+++ b/meta-zephyr-core/recipes-kernel/zephyr-kernel/files/0001-3.1-Bluetooth-host-Fix-SMP-local-keys-check-when-startin.patch
@@ -0,0 +1,51 @@
+From 74d26b70f080a5dc60c6a1aa2bfec38043ee30d4 Mon Sep 17 00:00:00 2001
+From: Joakim Andersson <joakim.andersson@...>
+Date: Fri, 5 Aug 2022 10:50:47 +0200
+Subject: [PATCH] Bluetooth: host: Fix SMP local keys check when starting
+ encryption
+
+Fix SMP check of existing local keys when attempting to start security
+with required security mode 1 level 4. The logic for checking the
+conditions was wrong, leading to a situation where encryption would be
+attempted to be started by the central instead of initiating a new
+pairing procedure. This would fail when the connection was encrypted and
+the connection would be disconnected.
+
+Upstream-Status: Backport [https://github.com/zephyrproject-rtos/zephyr/commit/83d5402fe830973f943bde085d80f0d3643e811a]
+https://github.com/zephyrproject-rtos/zephyr/pull/52947/files
+CVE: CVE-2022-2993
+
+Signed-off-by: Joakim Andersson <joakim.andersson@...>
+Signed-off-by: Naveen Saini <naveen.kumar.saini@...>
+---
+ subsys/bluetooth/host/smp.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/subsys/bluetooth/host/smp.c b/subsys/bluetooth/host/smp.c
+index 02a847f97d..555f09fefd 100644
+--- a/subsys/bluetooth/host/smp.c
++++ b/subsys/bluetooth/host/smp.c
+@@ -357,15 +357,15 @@ static bool smp_keys_check(struct bt_conn *conn)
+ return false;
+ }
+
+- if (conn->required_sec_level > BT_SECURITY_L2 &&
++ if (conn->required_sec_level >= BT_SECURITY_L3 &&
+ !(conn->le.keys->flags & BT_KEYS_AUTHENTICATED)) {
+ return false;
+ }
+
+- if (conn->required_sec_level > BT_SECURITY_L3 &&
+- !(conn->le.keys->flags & BT_KEYS_AUTHENTICATED) &&
+- !(conn->le.keys->keys & BT_KEYS_LTK_P256) &&
+- !(conn->le.keys->enc_size == BT_SMP_MAX_ENC_KEY_SIZE)) {
++ if (conn->required_sec_level >= BT_SECURITY_L4 &&
++ !((conn->le.keys->flags & BT_KEYS_AUTHENTICATED) &&
++ (conn->le.keys->keys & BT_KEYS_LTK_P256) &&
++ (conn->le.keys->enc_size == BT_SMP_MAX_ENC_KEY_SIZE))) {
+ return false;
+ }
+
+--
+2.25.1
+
diff --git a/meta-zephyr-core/recipes-kernel/zephyr-kernel/zephyr-kernel-src-3.1.0.inc b/meta-zephyr-core/recipes-kernel/zephyr-kernel/zephyr-kernel-src-3.1.0.inc
index 68016e4..b3feb6a 100644
--- a/meta-zephyr-core/recipes-kernel/zephyr-kernel/zephyr-kernel-src-3.1.0.inc
+++ b/meta-zephyr-core/recipes-kernel/zephyr-kernel/zephyr-kernel-src-3.1.0.inc
@@ -2,7 +2,7 @@

SRCREV_FORMAT = "default"

-SRCREV_default = "2ddd73feafd3316af2c547c34d6969bea637d5c6"
+SRCREV_default = "a7d946331f4f9361d1531984524dd8f151ae20b0"
SRCREV_canopennode = "53d3415c14d60f8f4bfca54bfbc5d5a667d7e724"
SRCREV_chre = "0edfe2c2ec656afb910cfab8ed59a5ffd59b87c8"
SRCREV_civetweb = "094aeb41bb93e9199d24d665ee43e9e05d6d7b1c"
@@ -109,6 +109,7 @@ SRC_URI_ZSCILIB ?= "git://github.com/zephyrproject-rtos/zscilib;protocol=https"
SRC_URI_PATCHES ?= "\
file://0001-3.1-cmake-add-yocto-toolchain.patch;patchdir=zephyr \
file://0001-3.1-x86-fix-efi-binary-generation-issue-in-cross-compila.patch;patchdir=zephyr \
+ file://0001-3.1-Bluetooth-host-Fix-SMP-local-keys-check-when-startin.patch;patchdir=zephyr \
"

SRC_URI = "\
--
2.25.1