From: Greg Kroah-Hartman
Date: Tue, 19 Nov 2024 11:50:19 +0000 (+0100)
Subject: 6.1-stable patches
X-Git-Tag: v6.12.1~38
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9a6e68756d7613cb6f7297e63f89d730ca0931fc;p=thirdparty%2Fkernel%2Fstable-queue.git
6.1-stable patches
added patches:
bluetooth-iso-fix-not-validating-setsockopt-user-input.patch
---
diff --git a/queue-6.1/bluetooth-iso-fix-not-validating-setsockopt-user-input.patch b/queue-6.1/bluetooth-iso-fix-not-validating-setsockopt-user-input.patch
new file mode 100644
index 00000000000..0a5ae322212
--- /dev/null
+++ b/queue-6.1/bluetooth-iso-fix-not-validating-setsockopt-user-input.patch
@@ -0,0 +1,92 @@
+From 9e8742cdfc4b0e65266bb4a901a19462bda9285e Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz
+Date: Fri, 5 Apr 2024 15:56:50 -0400
+Subject: Bluetooth: ISO: Fix not validating setsockopt user input
+
+From: Luiz Augusto von Dentz
+
+commit 9e8742cdfc4b0e65266bb4a901a19462bda9285e upstream.
+
+Check user input length before copying data.
+
+Fixes: ccf74f2390d6 ("Bluetooth: Add BTPROTO_ISO socket type")
+Fixes: 0731c5ab4d51 ("Bluetooth: ISO: Add support for BT_PKT_STATUS")
+Fixes: f764a6c2c1e4 ("Bluetooth: ISO: Add broadcast support")
+Signed-off-by: Eric Dumazet
+Signed-off-by: Luiz Augusto von Dentz
+[Xiangyu: Bp to fix CVE: CVE-2024-35964 resolved minor conflicts]
+Signed-off-by: Xiangyu Chen
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bluetooth/iso.c | 32 ++++++++++----------------------
+ 1 file changed, 10 insertions(+), 22 deletions(-)
+
+--- a/net/bluetooth/iso.c
++++ b/net/bluetooth/iso.c
+@@ -1189,7 +1189,7 @@ static int iso_sock_setsockopt(struct so
+ sockptr_t optval, unsigned int optlen)
+ {
+ struct sock *sk = sock->sk;
+- int len, err = 0;
++ int err = 0;
+ struct bt_iso_qos qos;
+ u32 opt;
+
+@@ -1204,10 +1204,9 @@ static int iso_sock_setsockopt(struct so
+ break;
+ }
+
+- if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
+- err = -EFAULT;
++ err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
++ if (err)
+ break;
+- }
+
+ if (opt)
+ set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
+@@ -1222,18 +1221,9 @@ static int iso_sock_setsockopt(struct so
+ break;
+ }
+
+- len = min_t(unsigned int, sizeof(qos), optlen);
+- if (len != sizeof(qos)) {
+- err = -EINVAL;
+- break;
+- }
+-
+- memset(&qos, 0, sizeof(qos));
+-
+- if (copy_from_sockptr(&qos, optval, len)) {
+- err = -EFAULT;
++ err = bt_copy_from_sockptr(&qos, sizeof(qos), optval, optlen);
++ if (err)
+ break;
+- }
+
+ if (!check_qos(&qos)) {
+ err = -EINVAL;
+@@ -1252,18 +1242,16 @@ static int iso_sock_setsockopt(struct so
+ }
+
+ if (optlen > sizeof(iso_pi(sk)->base)) {
+- err = -EOVERFLOW;
++ err = -EINVAL;
+ break;
+ }
+
+- len = min_t(unsigned int, sizeof(iso_pi(sk)->base), optlen);
+-
+- if (copy_from_sockptr(iso_pi(sk)->base, optval, len)) {
+- err = -EFAULT;
++ err = bt_copy_from_sockptr(iso_pi(sk)->base, optlen, optval,
++ optlen);
++ if (err)
+ break;
+- }
+
+- iso_pi(sk)->base_len = len;
++ iso_pi(sk)->base_len = optlen;
+
+ break;
+
diff --git a/queue-6.1/series b/queue-6.1/series
index 5fbb9bb2ac1..0d3d57eeda8 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -34,3 +34,4 @@ drm-amd-fix-initialization-mistake-for-nbio-7.7.0.patch
 staging-vchiq_arm-get-the-rid-off-struct-vchiq_2835_.patch
 staging-vchiq_arm-use-devm_kzalloc-for-vchiq_arm_sta.patch
 fs-ntfs3-additional-check-in-ntfs_file_release.patch
+bluetooth-iso-fix-not-validating-setsockopt-user-input.patch
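Review bot: In the last inner hunk of the queued iso.c patch, `bt_copy_from_sockptr(iso_pi(sk)->base, optlen, optval, optlen)` passes optlen as both the destination and the source size, so (assuming the helper only rejects a source shorter than the destination, as it does upstream) its length validation cannot fail there and the only bound on the copy into `base` is the preceding `optlen > sizeof(iso_pi(sk)->base)` check; a comment such as `/* optlen is bounded by sizeof(base) above; the helper only performs the copy here */` would keep a later edit from separating the two. The helper itself is not defined anywhere in this patch, so confirm the 6.1 tree already carries `bt_copy_from_sockptr` before this entry is applied from the series file. The same branch changes the errno for an oversized value from -EOVERFLOW to -EINVAL, which is visible to userspace and worth a line in the backport note. iso_sock_setsockopt's body starts and ends outside the quoted hunks.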