From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	syzbot+79337b501d6aa974d0f6@syzkaller.appspotmail.com,
	Vladis Dronov <vdronov@redhat.com>,
	Marcel Holtmann <marcel@holtmann.org>,
	"Yu-Chen, Cho" <acho@suse.com>,
	Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH 4.14 20/25] Bluetooth: hci_uart: check for missing tty operations
Date: Fri,  2 Aug 2019 11:39:52 +0200
Message-ID: <20190802092106.172147182@linuxfoundation.org>
In-Reply-To: <20190802092058.428079740@linuxfoundation.org>

From: Vladis Dronov <vdronov@redhat.com>

commit b36a1552d7319bbfd5cf7f08726c23c5c66d4f73 upstream.

Certain tty operations (pty_unix98_ops) lack tiocmget() and tiocmset()
functions which are called by certain HCI UART protocols (hci_ath,
hci_bcm, hci_intel, hci_mrvl, hci_qca) via hci_uart_set_flow_control()
or directly. This leads to an execution at NULL and can be triggered by
an unprivileged user. Fix this by adding a helper function and a check
for the missing tty operations in the protocol code.

This fixes CVE-2019-10207. The Fixes: lines list commits where calls to
tiocm[gs]et() or hci_uart_set_flow_control() were added to the HCI UART
protocols.

Link: https://syzkaller.appspot.com/bug?id=1b42faa2848963564a5b1b7f8c837ea7b55ffa50
Reported-by: syzbot+79337b501d6aa974d0f6@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org # v2.6.36+
Fixes: b3190df62861 ("Bluetooth: Support for Atheros AR300x serial chip")
Fixes: 118612fb9165 ("Bluetooth: hci_bcm: Add suspend/resume PM functions")
Fixes: ff2895592f0f ("Bluetooth: hci_intel: Add Intel baudrate configuration support")
Fixes: 162f812f23ba ("Bluetooth: hci_uart: Add Marvell support")
Fixes: fa9ad876b8e0 ("Bluetooth: hci_qca: Add support for Qualcomm Bluetooth chip wcn3990")
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Reviewed-by: Yu-Chen, Cho <acho@suse.com>
Tested-by: Yu-Chen, Cho <acho@suse.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/bluetooth/hci_ath.c   |    3 +++
 drivers/bluetooth/hci_bcm.c   |    3 +++
 drivers/bluetooth/hci_intel.c |    3 +++
 drivers/bluetooth/hci_ldisc.c |   13 +++++++++++++
 drivers/bluetooth/hci_mrvl.c  |    3 +++
 drivers/bluetooth/hci_uart.h  |    1 +
 6 files changed, 26 insertions(+)
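Review bot: the diffstat lists six files and no drivers/bluetooth/hci_qca.c, yet the commit message names hci_qca among the affected protocols and carries a Fixes: tag (fa9ad876b8e0) for it; the backport should say below the `---` cut why the hci_qca hunk was dropped for 4.14 (if the hci_qca code that upstream patched is not present in this tree, state that), so a stable reader does not conclude the protocol was left unprotected.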

--- a/drivers/bluetooth/hci_ath.c
+++ b/drivers/bluetooth/hci_ath.c
@@ -101,6 +101,9 @@ static int ath_open(struct hci_uart *hu)
 
 	BT_DBG("hu %p", hu);
 
+	if (!hci_uart_has_flow_control(hu))
+		return -EOPNOTSUPP;
+
 	ath = kzalloc(sizeof(*ath), GFP_KERNEL);
 	if (!ath)
 		return -ENOMEM;
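Review bot: the new check in ath_open() fails silently; returning -EOPNOTSUPP with no message leaves whoever attaches the line discipline with only a generic failure and no hint that the tty lacks tiocmget()/tiocmset(). Consider a `BT_ERR()` or `bt_dev_err()` before the return, in the style of the existing BT_DBG() in this function. Placing the check ahead of kzalloc() is right, since nothing has been allocated yet and no unwinding is needed; the same holds for the identical insertions in bcm_open(), intel_open() and mrvl_open().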
--- a/drivers/bluetooth/hci_bcm.c
+++ b/drivers/bluetooth/hci_bcm.c
@@ -305,6 +305,9 @@ static int bcm_open(struct hci_uart *hu)
 
 	bt_dev_dbg(hu->hdev, "hu %p", hu);
 
+	if (!hci_uart_has_flow_control(hu))
+		return -EOPNOTSUPP;
+
 	bcm = kzalloc(sizeof(*bcm), GFP_KERNEL);
 	if (!bcm)
 		return -ENOMEM;
--- a/drivers/bluetooth/hci_intel.c
+++ b/drivers/bluetooth/hci_intel.c
@@ -406,6 +406,9 @@ static int intel_open(struct hci_uart *h
 
 	BT_DBG("hu %p", hu);
 
+	if (!hci_uart_has_flow_control(hu))
+		return -EOPNOTSUPP;
+
 	intel = kzalloc(sizeof(*intel), GFP_KERNEL);
 	if (!intel)
 		return -ENOMEM;
--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -297,6 +297,19 @@ static int hci_uart_send_frame(struct hc
 	return 0;
 }
 
+/* Check the underlying device or tty has flow control support */
+bool hci_uart_has_flow_control(struct hci_uart *hu)
+{
+	/* serdev nodes check if the needed operations are present */
+	if (hu->serdev)
+		return true;
+
+	if (hu->tty->driver->ops->tiocmget && hu->tty->driver->ops->tiocmset)
+		return true;
+
+	return false;
+}
+
 /* Flow control or un-flow control the device */
 void hci_uart_set_flow_control(struct hci_uart *hu, bool enable)
 {
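Review bot: hci_uart_set_flow_control(), directly below the new helper, is left unguarded and still reaches tiocmget()/tiocmset() through the tty driver ops, so the fix relies on every protocol calling hci_uart_has_flow_control() in its open(); a future protocol, or a new caller added to an existing one, that skips the open-time check reintroduces the NULL call. Suggest a defensive `if (!hci_uart_has_flow_control(hu)) return;` (or a WARN_ON_ONCE) at the top of hci_uart_set_flow_control() as well. Minor: the comment reads better as "Check that the underlying device or tty has flow control support", and the two branches could collapse to `return hu->serdev || (ops->tiocmget && ops->tiocmset);` with a local `ops` pointer.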
--- a/drivers/bluetooth/hci_mrvl.c
+++ b/drivers/bluetooth/hci_mrvl.c
@@ -66,6 +66,9 @@ static int mrvl_open(struct hci_uart *hu
 
 	BT_DBG("hu %p", hu);
 
+	if (!hci_uart_has_flow_control(hu))
+		return -EOPNOTSUPP;
+
 	mrvl = kzalloc(sizeof(*mrvl), GFP_KERNEL);
 	if (!mrvl)
 		return -ENOMEM;
--- a/drivers/bluetooth/hci_uart.h
+++ b/drivers/bluetooth/hci_uart.h
@@ -117,6 +117,7 @@ void hci_uart_unregister_device(struct h
 int hci_uart_tx_wakeup(struct hci_uart *hu);
 int hci_uart_init_ready(struct hci_uart *hu);
 void hci_uart_set_baudrate(struct hci_uart *hu, unsigned int speed);
+bool hci_uart_has_flow_control(struct hci_uart *hu);
 void hci_uart_set_flow_control(struct hci_uart *hu, bool enable);
 void hci_uart_set_speeds(struct hci_uart *hu, unsigned int init_speed,
 			 unsigned int oper_speed);


