From 18f42d9c3488f2a4d1840764ef07edd536abf15d Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 1 Jun 2023 10:21:57 +0100
Subject: [PATCH] 6.3-stable patches

added patches:
bluetooth-add-cmd-validity-checks-at-the-start-of-hci_sock_ioctl.patch
---
 ...hecks-at-the-start-of-hci_sock_ioctl.patch | 67 +++++++++++++++++++
 queue-6.3/series | 1 +
 2 files changed, 68 insertions(+)
 create mode 100644 queue-6.3/bluetooth-add-cmd-validity-checks-at-the-start-of-hci_sock_ioctl.patch

diff --git a/queue-6.3/bluetooth-add-cmd-validity-checks-at-the-start-of-hci_sock_ioctl.patch b/queue-6.3/bluetooth-add-cmd-validity-checks-at-the-start-of-hci_sock_ioctl.patch
new file mode 100644
index 00000000000..a33dfcc26f6
--- /dev/null
+++ b/queue-6.3/bluetooth-add-cmd-validity-checks-at-the-start-of-hci_sock_ioctl.patch
@@ -0,0 +1,67 @@
+From 000c2fa2c144c499c881a101819cf1936a1f7cf2 Mon Sep 17 00:00:00 2001
+From: Ruihan Li
+Date: Sun, 16 Apr 2023 16:02:51 +0800
+Subject: bluetooth: Add cmd validity checks at the start of hci_sock_ioctl()
+
+From: Ruihan Li
+
+commit 000c2fa2c144c499c881a101819cf1936a1f7cf2 upstream.
+
+Previously, channel open messages were always sent to monitors on the first
+ioctl() call for unbound HCI sockets, even if the command and arguments
+were completely invalid. This can leave an exploitable hole with the abuse
+of invalid ioctl calls.
+
+This commit hardens the ioctl processing logic by first checking if the
+command is valid, and immediately returning with an ENOIOCTLCMD error code
+if it is not. This ensures that ioctl calls with invalid commands are free
+of side effects, and increases the difficulty of further exploitation by
+forcing exploitation to find a way to pass a valid command first.
+
+Signed-off-by: Ruihan Li
+Co-developed-by: Marcel Holtmann
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Dragos-Marian Panait
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bluetooth/hci_sock.c | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+--- a/net/bluetooth/hci_sock.c
++++ b/net/bluetooth/hci_sock.c
+@@ -987,6 +987,34 @@ static int hci_sock_ioctl(struct socket
+ 
+ 	BT_DBG("cmd %x arg %lx", cmd, arg);
+ 
++	/* Make sure the cmd is valid before doing anything */
++	switch (cmd) {
++	case HCIGETDEVLIST:
++	case HCIGETDEVINFO:
++	case HCIGETCONNLIST:
++	case HCIDEVUP:
++	case HCIDEVDOWN:
++	case HCIDEVRESET:
++	case HCIDEVRESTAT:
++	case HCISETSCAN:
++	case HCISETAUTH:
++	case HCISETENCRYPT:
++	case HCISETPTYPE:
++	case HCISETLINKPOL:
++	case HCISETLINKMODE:
++	case HCISETACLMTU:
++	case HCISETSCOMTU:
++	case HCIINQUIRY:
++	case HCISETRAW:
++	case HCIGETCONNINFO:
++	case HCIGETAUTHINFO:
++	case HCIBLOCKADDR:
++	case HCIUNBLOCKADDR:
++		break;
++	default:
++		return -ENOIOCTLCMD;
++	}
++
+ 	lock_sock(sk);
+ 
+ 	if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
diff --git a/queue-6.3/series b/queue-6.3/series
index c2097108f9d..1fa4d800b7d 100644
--- a/queue-6.3/series
+++ b/queue-6.3/series
@@ -39,3 +39,4 @@ blk-mq-fix-race-condition-in-active-queue-accounting.patch
 vfio-type1-check-pfn-valid-before-converting-to-stru.patch
 cpufreq-amd-pstate-remove-fast_switch_possible-flag-.patch
 net-phy-mscc-enable-vsc8501-2-rgmii-rx-clock.patch
+bluetooth-add-cmd-validity-checks-at-the-start-of-hci_sock_ioctl.patch
-- 
2.47.3
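Review bot: The new allow-list switch at the top of hci_sock_ioctl() is a second copy of the set of commands the function handles, and nothing ties the two together: a command added to the later dispatch but not to this list is now rejected with -ENOIOCTLCMD before it can be reached, while a command kept here after being dropped below would presumably still pass through to the monitor notification the patch is meant to keep side-effect free. The comment on the first added line should state that coupling so the next person editing either switch sees it: `/* Make sure the cmd is valid before doing anything; keep this list in sync with the command switch further down */`. The rest of hci_sock_ioctl(), including the dispatch this list mirrors, begins before and continues after the hunk.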