From: Greg Kroah-Hartman Date: Thu, 1 Jun 2023 09:21:49 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v5.4.245~20 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=45a6a11daa44cb618c7ef045de10e49f9ba55400;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: bluetooth-add-cmd-validity-checks-at-the-start-of-hci_sock_ioctl.patch --- diff --git a/queue-6.1/bluetooth-add-cmd-validity-checks-at-the-start-of-hci_sock_ioctl.patch b/queue-6.1/bluetooth-add-cmd-validity-checks-at-the-start-of-hci_sock_ioctl.patch new file mode 100644 index 00000000000..a33dfcc26f6 --- /dev/null +++ b/queue-6.1/bluetooth-add-cmd-validity-checks-at-the-start-of-hci_sock_ioctl.patch @@ -0,0 +1,67 @@ +From 000c2fa2c144c499c881a101819cf1936a1f7cf2 Mon Sep 17 00:00:00 2001 +From: Ruihan Li +Date: Sun, 16 Apr 2023 16:02:51 +0800 +Subject: bluetooth: Add cmd validity checks at the start of hci_sock_ioctl() + +From: Ruihan Li + +commit 000c2fa2c144c499c881a101819cf1936a1f7cf2 upstream. + +Previously, channel open messages were always sent to monitors on the first +ioctl() call for unbound HCI sockets, even if the command and arguments +were completely invalid. This can leave an exploitable hole with the abuse +of invalid ioctl calls. + +This commit hardens the ioctl processing logic by first checking if the +command is valid, and immediately returning with an ENOIOCTLCMD error code +if it is not. This ensures that ioctl calls with invalid commands are free +of side effects, and increases the difficulty of further exploitation by +forcing exploitation to find a way to pass a valid command first. + +Signed-off-by: Ruihan Li +Co-developed-by: Marcel Holtmann +Signed-off-by: Marcel Holtmann +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Dragos-Marian Panait +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/hci_sock.c | 28 ++++++++++++++++++++++++++++ + 1 file changed, 28 insertions(+) + +--- a/net/bluetooth/hci_sock.c ++++ b/net/bluetooth/hci_sock.c +@@ -987,6 +987,34 @@ static int hci_sock_ioctl(struct socket + + BT_DBG("cmd %x arg %lx", cmd, arg); + ++ /* Make sure the cmd is valid before doing anything */ ++ switch (cmd) { ++ case HCIGETDEVLIST: ++ case HCIGETDEVINFO: ++ case HCIGETCONNLIST: ++ case HCIDEVUP: ++ case HCIDEVDOWN: ++ case HCIDEVRESET: ++ case HCIDEVRESTAT: ++ case HCISETSCAN: ++ case HCISETAUTH: ++ case HCISETENCRYPT: ++ case HCISETPTYPE: ++ case HCISETLINKPOL: ++ case HCISETLINKMODE: ++ case HCISETACLMTU: ++ case HCISETSCOMTU: ++ case HCIINQUIRY: ++ case HCISETRAW: ++ case HCIGETCONNINFO: ++ case HCIGETAUTHINFO: ++ case HCIBLOCKADDR: ++ case HCIUNBLOCKADDR: ++ break; ++ default: ++ return -ENOIOCTLCMD; ++ } ++ + lock_sock(sk); + + if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) { diff --git a/queue-6.1/series b/queue-6.1/series index 66fe493a61e..8eba6af90dc 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -33,3 +33,4 @@ dmaengine-at_xdmac-do-not-resume-channels-paused-by-.patch dmaengine-at_xdmac-restore-the-content-of-grws-regis.patch octeontx2-af-add-validation-for-lmac-type.patch drm-amd-don-t-allow-s0ix-on-apus-older-than-raven.patch +bluetooth-add-cmd-validity-checks-at-the-start-of-hci_sock_ioctl.patch