From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Ruihan Li <lrh2000@pku.edu.cn>,
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Subject: [PATCH 5.15 07/13] bluetooth: Perform careful capability checks in hci_sock_ioctl()
Date: Fri, 28 Apr 2023 13:28:11 +0200 [thread overview]
Message-ID: <20230428112039.414116300@linuxfoundation.org> (raw)
In-Reply-To: <20230428112039.133978540@linuxfoundation.org>
From: Ruihan Li <lrh2000@pku.edu.cn>
commit 25c150ac103a4ebeed0319994c742a90634ddf18 upstream.
Previously, capability was checked using capable(), which verified that the
caller of the ioctl system call had the required capability. In addition,
the result of the check would be stored in the HCI_SOCK_TRUSTED flag,
making it persistent for the socket.
However, malicious programs can abuse this approach by deliberately sharing
an HCI socket with a privileged task. The HCI socket will be marked as
trusted when the privileged task occasionally makes an ioctl call.
This problem can be solved by using sk_capable() to check capability, which
ensures that not only the current task but also the socket opener has the
specified capability, thus reducing the risk of privilege escalation
through the previously identified vulnerability.
Cc: stable@vger.kernel.org
Fixes: f81f5b2db869 ("Bluetooth: Send control open and close messages for HCI raw sockets")
Signed-off-by: Ruihan Li <lrh2000@pku.edu.cn>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/hci_sock.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -996,7 +996,14 @@ static int hci_sock_ioctl(struct socket
if (hci_sock_gen_cookie(sk)) {
struct sk_buff *skb;
- if (capable(CAP_NET_ADMIN))
+ /* Perform careful checks before setting the HCI_SOCK_TRUSTED
+ * flag. Make sure that not only the current task but also
+ * the socket opener has the required capability, since
+ * privileged programs can be tricked into making ioctl calls
+ * on HCI sockets, and the socket should not be marked as
+ * trusted simply because the ioctl caller is privileged.
+ */
+ if (sk_capable(sk, CAP_NET_ADMIN))
hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
/* Send event to monitor */
next prev parent reply other threads:[~2023-04-28 11:30 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-28 11:28 [PATCH 5.15 00/13] 5.15.110-rc1 review Greg Kroah-Hartman
2023-04-28 11:28 ` [PATCH 5.15 01/13] PCI/ASPM: Remove pcie_aspm_pm_state_change() Greg Kroah-Hartman
2023-04-28 11:28 ` [PATCH 5.15 02/13] selftests/kselftest/runner/run_one(): allow running non-executable files Greg Kroah-Hartman
2023-04-28 11:28 ` [PATCH 5.15 03/13] KVM: arm64: Retry fault if vma_lookup() results become invalid Greg Kroah-Hartman
2023-04-28 11:28 ` [PATCH 5.15 04/13] KVM: arm64: Fix buffer overflow in kvm_arm_set_fw_reg() Greg Kroah-Hartman
2023-04-28 11:28 ` [PATCH 5.15 05/13] wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies() Greg Kroah-Hartman
2023-04-28 11:28 ` [PATCH 5.15 06/13] drm/fb-helper: set x/yres_virtual in drm_fb_helper_check_var Greg Kroah-Hartman
2023-04-28 11:28 ` Greg Kroah-Hartman [this message]
2023-04-28 11:28 ` [PATCH 5.15 08/13] USB: serial: option: add UNISOC vendor and TOZED LT70C product Greg Kroah-Hartman
2023-04-28 11:28 ` [PATCH 5.15 09/13] driver core: Dont require dynamic_debug for initcall_debug probe timing Greg Kroah-Hartman
2023-04-28 11:28 ` [PATCH 5.15 10/13] selftests: mptcp: join: fix "invalid address, ADD_ADDR timeout" Greg Kroah-Hartman
2023-04-28 11:28 ` [PATCH 5.15 11/13] riscv: Move early dtb mapping into the fixmap region Greg Kroah-Hartman
2023-04-28 11:28 ` [PATCH 5.15 12/13] riscv: Do not set initial_boot_params to the linear address of the dtb Greg Kroah-Hartman
2023-04-28 11:28 ` [PATCH 5.15 13/13] riscv: No need to relocate the dtb as it lies in the fixmap region Greg Kroah-Hartman
2023-04-28 22:33 ` [PATCH 5.15 00/13] 5.15.110-rc1 review Shuah Khan
2023-04-28 22:45 ` Naresh Kamboju
2023-04-29 2:57 ` Florian Fainelli
2023-04-29 4:09 ` Guenter Roeck
2023-04-29 6:42 ` Ron Economos
2023-04-29 7:42 ` Bagas Sanjaya
2023-05-02 5:40 ` Chris Paterson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230428112039.414116300@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=lrh2000@pku.edu.cn \
--cc=luiz.von.dentz@intel.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).