From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9B40EC83005 for ; Wed, 7 Jun 2023 20:20:13 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232641AbjFGUUM (ORCPT ); Wed, 7 Jun 2023 16:20:12 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44538 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233062AbjFGUT4 (ORCPT ); Wed, 7 Jun 2023 16:19:56 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C8D93270D for ; Wed, 7 Jun 2023 13:19:35 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 8BCEE63B7B for ; Wed, 7 Jun 2023 20:19:03 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 9FAB1C433D2; Wed, 7 Jun 2023 20:19:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1686169143; bh=mc8Zlc9EP15Ikx362dsZb+0aZxN6aTM8mVVCBoGIUrU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=hHR60gOfyh8WbE9cNSuP+ODPDHWgVnJsS/P6KBNoEMoFugl7BnaNSyuSbB1Tbw9wT aPiAYMV9M57UBkwc8Fmc2gVwggmtBtL6Oz/OjgFpe8SgEaq5XDoutx9edETAXTuW1Z LiuCRB1g8+AQ27YtuhgfZ9HGHghJob76EfHSk1F4= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Ruihan Li , Marcel Holtmann , Luiz Augusto von Dentz , Dragos-Marian Panait Subject: [PATCH 4.14 03/61] bluetooth: Add cmd validity checks at the start of hci_sock_ioctl() Date: Wed, 7 Jun 2023 22:15:17 +0200 Message-ID: <20230607200836.310790133@linuxfoundation.org> X-Mailer: git-send-email 2.41.0 In-Reply-To: <20230607200835.310274198@linuxfoundation.org> References: <20230607200835.310274198@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Ruihan Li commit 000c2fa2c144c499c881a101819cf1936a1f7cf2 upstream. Previously, channel open messages were always sent to monitors on the first ioctl() call for unbound HCI sockets, even if the command and arguments were completely invalid. This can leave an exploitable hole with the abuse of invalid ioctl calls. This commit hardens the ioctl processing logic by first checking if the command is valid, and immediately returning with an ENOIOCTLCMD error code if it is not. This ensures that ioctl calls with invalid commands are free of side effects, and increases the difficulty of further exploitation by forcing exploitation to find a way to pass a valid command first. Signed-off-by: Ruihan Li Co-developed-by: Marcel Holtmann Signed-off-by: Marcel Holtmann Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Dragos-Marian Panait Signed-off-by: Greg Kroah-Hartman --- net/bluetooth/hci_sock.c | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) --- a/net/bluetooth/hci_sock.c +++ b/net/bluetooth/hci_sock.c @@ -968,6 +968,34 @@ static int hci_sock_ioctl(struct socket BT_DBG("cmd %x arg %lx", cmd, arg); + /* Make sure the cmd is valid before doing anything */ + switch (cmd) { + case HCIGETDEVLIST: + case HCIGETDEVINFO: + case HCIGETCONNLIST: + case HCIDEVUP: + case HCIDEVDOWN: + case HCIDEVRESET: + case HCIDEVRESTAT: + case HCISETSCAN: + case HCISETAUTH: + case HCISETENCRYPT: + case HCISETPTYPE: + case HCISETLINKPOL: + case HCISETLINKMODE: + case HCISETACLMTU: + case HCISETSCOMTU: + case HCIINQUIRY: + case HCISETRAW: + case HCIGETCONNINFO: + case HCIGETAUTHINFO: + case HCIBLOCKADDR: + case HCIUNBLOCKADDR: + break; + default: + return -ENOIOCTLCMD; + } + lock_sock(sk); if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {