Linux bluetooth development
 help / color / mirror / Atom feed
From: Dragos-Marian Panait <dragos.panait@windriver.com>
To: stable@vger.kernel.org
Cc: Ruihan Li <lrh2000@pku.edu.cn>,
	Marcel Holtmann <marcel@holtmann.org>,
	Luiz Augusto von Dentz <luiz.von.dentz@intel.com>,
	Johan Hedberg <johan.hedberg@gmail.com>,
	Paolo Abeni <pabeni@redhat.com>,
	"David S . Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>,
	netdev@vger.kernel.org, linux-bluetooth@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: [PATCH 5.4 1/1] bluetooth: Add cmd validity checks at the start of hci_sock_ioctl()
Date: Tue, 30 May 2023 15:47:15 +0300	[thread overview]
Message-ID: <20230530124715.248505-2-dragos.panait@windriver.com> (raw)
In-Reply-To: <20230530124715.248505-1-dragos.panait@windriver.com>

From: Ruihan Li <lrh2000@pku.edu.cn>

commit 000c2fa2c144c499c881a101819cf1936a1f7cf2 upstream.

Previously, channel open messages were always sent to monitors on the first
ioctl() call for unbound HCI sockets, even if the command and arguments
were completely invalid. This can leave an exploitable hole with the abuse
of invalid ioctl calls.

This commit hardens the ioctl processing logic by first checking if the
command is valid, and immediately returning with an ENOIOCTLCMD error code
if it is not. This ensures that ioctl calls with invalid commands are free
of side effects, and increases the difficulty of further exploitation by
forcing exploitation to find a way to pass a valid command first.

Signed-off-by: Ruihan Li <lrh2000@pku.edu.cn>
Co-developed-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Dragos-Marian Panait <dragos.panait@windriver.com>
---
 net/bluetooth/hci_sock.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index 4f8f5204ae7a..45f6ce1f380e 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -973,6 +973,34 @@ static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
 
 	BT_DBG("cmd %x arg %lx", cmd, arg);
 
+	/* Make sure the cmd is valid before doing anything */
+	switch (cmd) {
+	case HCIGETDEVLIST:
+	case HCIGETDEVINFO:
+	case HCIGETCONNLIST:
+	case HCIDEVUP:
+	case HCIDEVDOWN:
+	case HCIDEVRESET:
+	case HCIDEVRESTAT:
+	case HCISETSCAN:
+	case HCISETAUTH:
+	case HCISETENCRYPT:
+	case HCISETPTYPE:
+	case HCISETLINKPOL:
+	case HCISETLINKMODE:
+	case HCISETACLMTU:
+	case HCISETSCOMTU:
+	case HCIINQUIRY:
+	case HCISETRAW:
+	case HCIGETCONNINFO:
+	case HCIGETAUTHINFO:
+	case HCIBLOCKADDR:
+	case HCIUNBLOCKADDR:
+		break;
+	default:
+		return -ENOIOCTLCMD;
+	}
+
 	lock_sock(sk);
 
 	if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
-- 
2.40.1


  reply	other threads:[~2023-05-30 12:48 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-05-30 12:47 [PATCH 5.4 0/1] Hardening against CVE-2023-2002 Dragos-Marian Panait
2023-05-30 12:47 ` Dragos-Marian Panait [this message]
2023-05-30 12:55   ` Hardening against CVE-2023-2002, RE: Hardening against CVE-2023-2002, RE: Hardening against CVE-2023-2002, " bluez.test.bot
  -- strict thread matches above, loose matches on Subject: below --
2023-05-30 12:42 [PATCH 5.10 0/1] " Dragos-Marian Panait
2023-05-30 12:42 ` [PATCH 5.10 1/1] bluetooth: Add cmd validity checks at the start of hci_sock_ioctl() Dragos-Marian Panait
2023-05-30 12:55   ` Hardening against CVE-2023-2002, RE: Hardening against CVE-2023-2002, RE: Hardening against CVE-2023-2002 bluez.test.bot
2023-05-30 12:39 [PATCH 5.15 0/1] " Dragos-Marian Panait
2023-05-30 12:39 ` [PATCH 5.15 1/1] bluetooth: Add cmd validity checks at the start of hci_sock_ioctl() Dragos-Marian Panait
2023-05-30 12:55   ` Hardening against CVE-2023-2002, RE: Hardening against CVE-2023-2002 bluez.test.bot
2023-05-30 12:26 [PATCH 6.1 0/1] " Dragos-Marian Panait
2023-05-30 12:26 ` [PATCH 6.1 1/1] bluetooth: Add cmd validity checks at the start of hci_sock_ioctl() Dragos-Marian Panait
2023-05-30 12:52   ` Greg KH
     [not found]     ` <PH0PR11MB495229C3DABA728EE5C8A19EFA489@PH0PR11MB4952.namprd11.prod.outlook.com>
2023-06-01  9:14       ` Greg KH
2023-05-30 12:55   ` Hardening against CVE-2023-2002 bluez.test.bot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20230530124715.248505-2-dragos.panait@windriver.com \
    --to=dragos.panait@windriver.com \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=johan.hedberg@gmail.com \
    --cc=kuba@kernel.org \
    --cc=linux-bluetooth@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=lrh2000@pku.edu.cn \
    --cc=luiz.von.dentz@intel.com \
    --cc=marcel@holtmann.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox