--- /dev/null
+From 9e8742cdfc4b0e65266bb4a901a19462bda9285e Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Fri, 5 Apr 2024 15:56:50 -0400
+Subject: Bluetooth: ISO: Fix not validating setsockopt user input
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+commit 9e8742cdfc4b0e65266bb4a901a19462bda9285e upstream.
+
+Check user input length before copying data.
+
+Fixes: ccf74f2390d6 ("Bluetooth: Add BTPROTO_ISO socket type")
+Fixes: 0731c5ab4d51 ("Bluetooth: ISO: Add support for BT_PKT_STATUS")
+Fixes: f764a6c2c1e4 ("Bluetooth: ISO: Add broadcast support")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+[Xiangyu: Bp to fix CVE: CVE-2024-35964 resolved minor conflicts]
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/iso.c | 32 ++++++++++----------------------
+ 1 file changed, 10 insertions(+), 22 deletions(-)
+
+--- a/net/bluetooth/iso.c
++++ b/net/bluetooth/iso.c
+@@ -1189,7 +1189,7 @@ static int iso_sock_setsockopt(struct so
+ sockptr_t optval, unsigned int optlen)
+ {
+ struct sock *sk = sock->sk;
+- int len, err = 0;
++ int err = 0;
+ struct bt_iso_qos qos;
+ u32 opt;
+
+@@ -1204,10 +1204,9 @@ static int iso_sock_setsockopt(struct so
+ break;
+ }
+
+- if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
+- err = -EFAULT;
++ err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
++ if (err)
+ break;
+- }
+
+ if (opt)
+ set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
+@@ -1222,18 +1221,9 @@ static int iso_sock_setsockopt(struct so
+ break;
+ }
+
+- len = min_t(unsigned int, sizeof(qos), optlen);
+- if (len != sizeof(qos)) {
+- err = -EINVAL;
+- break;
+- }
+-
+- memset(&qos, 0, sizeof(qos));
+-
+- if (copy_from_sockptr(&qos, optval, len)) {
+- err = -EFAULT;
++ err = bt_copy_from_sockptr(&qos, sizeof(qos), optval, optlen);
++ if (err)
+ break;
+- }
+
+ if (!check_qos(&qos)) {
+ err = -EINVAL;
+@@ -1252,18 +1242,16 @@ static int iso_sock_setsockopt(struct so
+ }
+
+ if (optlen > sizeof(iso_pi(sk)->base)) {
+- err = -EOVERFLOW;
++ err = -EINVAL;
+ break;
+ }
+
+- len = min_t(unsigned int, sizeof(iso_pi(sk)->base), optlen);
+-
+- if (copy_from_sockptr(iso_pi(sk)->base, optval, len)) {
+- err = -EFAULT;
++ err = bt_copy_from_sockptr(iso_pi(sk)->base, optlen, optval,
++ optlen);
++ if (err)
+ break;
+- }
+
+- iso_pi(sk)->base_len = len;
++ iso_pi(sk)->base_len = optlen;
+
+ break;
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
