* [PATCH] bluetooth: Perform careful capability checks in hci_sock_ioctl()
@ 2023-04-16 8:14 Ruihan Li
2023-04-16 9:01 ` bluez.test.bot
2023-04-17 18:30 ` [PATCH] " patchwork-bot+bluetooth
0 siblings, 2 replies; 3+ messages in thread
From: Ruihan Li @ 2023-04-16 8:14 UTC (permalink / raw)
To: linux-bluetooth
Cc: Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz, Ruihan Li,
stable
Previously, capability was checked using capable(), which verified that the
caller of the ioctl system call had the required capability. In addition,
the result of the check would be stored in the HCI_SOCK_TRUSTED flag,
making it persistent for the socket.
However, malicious programs can abuse this approach by deliberately sharing
an HCI socket with a privileged task. The HCI socket will be marked as
trusted when the privileged task occasionally makes an ioctl call.
This problem can be solved by using sk_capable() to check capability, which
ensures that not only the current task but also the socket opener has the
specified capability, thus reducing the risk of privilege escalation
through the previously identified vulnerability.
Cc: stable@vger.kernel.org
Fixes: f81f5b2db869 ("Bluetooth: Send control open and close messages for HCI raw sockets")
Signed-off-by: Ruihan Li <lrh2000@pku.edu.cn>
---
net/bluetooth/hci_sock.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index 065812232..f597fe0db 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -1003,7 +1003,14 @@ static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
if (hci_sock_gen_cookie(sk)) {
struct sk_buff *skb;
- if (capable(CAP_NET_ADMIN))
+ /* Perform careful checks before setting the HCI_SOCK_TRUSTED
+ * flag. Make sure that not only the current task but also
+ * the socket opener has the required capability, since
+ * privileged programs can be tricked into making ioctl calls
+ * on HCI sockets, and the socket should not be marked as
+ * trusted simply because the ioctl caller is privileged.
+ */
+ if (sk_capable(sk, CAP_NET_ADMIN))
hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
/* Send event to monitor */
--
2.40.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* RE: bluetooth: Perform careful capability checks in hci_sock_ioctl()
2023-04-16 8:14 [PATCH] bluetooth: Perform careful capability checks in hci_sock_ioctl() Ruihan Li
@ 2023-04-16 9:01 ` bluez.test.bot
2023-04-17 18:30 ` [PATCH] " patchwork-bot+bluetooth
1 sibling, 0 replies; 3+ messages in thread
From: bluez.test.bot @ 2023-04-16 9:01 UTC (permalink / raw)
To: linux-bluetooth, lrh2000
[-- Attachment #1: Type: text/plain, Size: 1598 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=740182
---Test result---
Test Summary:
CheckPatch PASS 0.60 seconds
GitLint PASS 0.24 seconds
SubjectPrefix FAIL 0.48 seconds
BuildKernel PASS 40.50 seconds
CheckAllWarning PASS 44.13 seconds
CheckSparse PASS 49.42 seconds
CheckSmatch PASS 134.01 seconds
BuildKernel32 PASS 39.14 seconds
TestRunnerSetup PASS 559.05 seconds
TestRunner_l2cap-tester PASS 19.48 seconds
TestRunner_iso-tester PASS 25.39 seconds
TestRunner_bnep-tester PASS 6.68 seconds
TestRunner_mgmt-tester PASS 136.10 seconds
TestRunner_rfcomm-tester PASS 10.90 seconds
TestRunner_sco-tester PASS 10.13 seconds
TestRunner_ioctl-tester PASS 11.56 seconds
TestRunner_mesh-tester PASS 8.62 seconds
TestRunner_smp-tester PASS 9.85 seconds
TestRunner_userchan-tester PASS 7.30 seconds
IncrementalBuild PASS 36.44 seconds
Details
##############################
Test: SubjectPrefix - FAIL
Desc: Check subject contains "Bluetooth" prefix
Output:
"Bluetooth: " prefix is not specified in the subject
---
Regards,
Linux Bluetooth
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] bluetooth: Perform careful capability checks in hci_sock_ioctl()
2023-04-16 8:14 [PATCH] bluetooth: Perform careful capability checks in hci_sock_ioctl() Ruihan Li
2023-04-16 9:01 ` bluez.test.bot
@ 2023-04-17 18:30 ` patchwork-bot+bluetooth
1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+bluetooth @ 2023-04-17 18:30 UTC (permalink / raw)
To: Ruihan Li; +Cc: linux-bluetooth, marcel, johan.hedberg, luiz.dentz, stable
Hello:
This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Sun, 16 Apr 2023 16:14:04 +0800 you wrote:
> Previously, capability was checked using capable(), which verified that the
> caller of the ioctl system call had the required capability. In addition,
> the result of the check would be stored in the HCI_SOCK_TRUSTED flag,
> making it persistent for the socket.
>
> However, malicious programs can abuse this approach by deliberately sharing
> an HCI socket with a privileged task. The HCI socket will be marked as
> trusted when the privileged task occasionally makes an ioctl call.
>
> [...]
Here is the summary with links:
- bluetooth: Perform careful capability checks in hci_sock_ioctl()
https://git.kernel.org/bluetooth/bluetooth-next/c/313016d28888
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2023-04-17 18:30 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-04-16 8:14 [PATCH] bluetooth: Perform careful capability checks in hci_sock_ioctl() Ruihan Li
2023-04-16 9:01 ` bluez.test.bot
2023-04-17 18:30 ` [PATCH] " patchwork-bot+bluetooth
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).