From: Greg Kroah-Hartman Date: Thu, 1 Jun 2023 09:21:21 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v5.4.245~23 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=80e8566ea80445cca1fa243a513b459e0d63f8ea;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: bluetooth-add-cmd-validity-checks-at-the-start-of-hci_sock_ioctl.patch --- diff --git a/queue-5.4/bluetooth-add-cmd-validity-checks-at-the-start-of-hci_sock_ioctl.patch b/queue-5.4/bluetooth-add-cmd-validity-checks-at-the-start-of-hci_sock_ioctl.patch new file mode 100644 index 00000000000..04fc019574d --- /dev/null +++ b/queue-5.4/bluetooth-add-cmd-validity-checks-at-the-start-of-hci_sock_ioctl.patch @@ -0,0 +1,67 @@ +From 000c2fa2c144c499c881a101819cf1936a1f7cf2 Mon Sep 17 00:00:00 2001 +From: Ruihan Li +Date: Sun, 16 Apr 2023 16:02:51 +0800 +Subject: bluetooth: Add cmd validity checks at the start of hci_sock_ioctl() + +From: Ruihan Li + +commit 000c2fa2c144c499c881a101819cf1936a1f7cf2 upstream. + +Previously, channel open messages were always sent to monitors on the first +ioctl() call for unbound HCI sockets, even if the command and arguments +were completely invalid. This can leave an exploitable hole with the abuse +of invalid ioctl calls. + +This commit hardens the ioctl processing logic by first checking if the +command is valid, and immediately returning with an ENOIOCTLCMD error code +if it is not. This ensures that ioctl calls with invalid commands are free +of side effects, and increases the difficulty of further exploitation by +forcing exploitation to find a way to pass a valid command first. + +Signed-off-by: Ruihan Li +Co-developed-by: Marcel Holtmann +Signed-off-by: Marcel Holtmann +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Dragos-Marian Panait +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/hci_sock.c | 28 ++++++++++++++++++++++++++++ + 1 file changed, 28 insertions(+) + +--- a/net/bluetooth/hci_sock.c ++++ b/net/bluetooth/hci_sock.c +@@ -973,6 +973,34 @@ static int hci_sock_ioctl(struct socket + + BT_DBG("cmd %x arg %lx", cmd, arg); + ++ /* Make sure the cmd is valid before doing anything */ ++ switch (cmd) { ++ case HCIGETDEVLIST: ++ case HCIGETDEVINFO: ++ case HCIGETCONNLIST: ++ case HCIDEVUP: ++ case HCIDEVDOWN: ++ case HCIDEVRESET: ++ case HCIDEVRESTAT: ++ case HCISETSCAN: ++ case HCISETAUTH: ++ case HCISETENCRYPT: ++ case HCISETPTYPE: ++ case HCISETLINKPOL: ++ case HCISETLINKMODE: ++ case HCISETACLMTU: ++ case HCISETSCOMTU: ++ case HCIINQUIRY: ++ case HCISETRAW: ++ case HCIGETCONNINFO: ++ case HCIGETAUTHINFO: ++ case HCIBLOCKADDR: ++ case HCIUNBLOCKADDR: ++ break; ++ default: ++ return -ENOIOCTLCMD; ++ } ++ + lock_sock(sk); + + if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) { diff --git a/queue-5.4/series b/queue-5.4/series index 8e623146054..6a7c079baf9 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -10,3 +10,4 @@ cdc_ncm-fix-the-build-warning.patch io_uring-always-grab-lock-in-io_cancel_async_work.patch io_uring-don-t-drop-completion-lock-before-timer-is-fully-initialized.patch io_uring-have-io_kill_timeout-honor-the-request-references.patch +bluetooth-add-cmd-validity-checks-at-the-start-of-hci_sock_ioctl.patch