[PATCH 6.1 0/1] Hardening against CVE-2023-2002

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH 6.1 0/1] Hardening against CVE-2023-2002
@ 2023-05-30 12:26 Dragos-Marian Panait
  2023-05-30 12:26 ` [PATCH 6.1 1/1] bluetooth: Add cmd validity checks at the start of hci_sock_ioctl() Dragos-Marian Panait
  0 siblings, 1 reply; 16+ messages in thread
From: Dragos-Marian Panait @ 2023-05-30 12:26 UTC (permalink / raw)
  To: stable
  Cc: Ruihan Li, Marcel Holtmann, Luiz Augusto von Dentz,
	Johan Hedberg, Paolo Abeni, David S . Miller, Eric Dumazet,
	Jakub Kicinski, netdev, linux-bluetooth, linux-kernel

The following commit is needed to harden against CVE-2023-2002:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=000c2fa2c144c499c881a101819cf1936a1f7cf2

Ruihan Li (1):
  bluetooth: Add cmd validity checks at the start of hci_sock_ioctl()

 net/bluetooth/hci_sock.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)


base-commit: fa74641fb6b93a19ccb50579886ecc98320230f9
-- 
2.40.1


^ permalink raw reply	[flat|nested] 16+ messages in thread

* [PATCH 6.1 1/1] bluetooth: Add cmd validity checks at the start of hci_sock_ioctl()
  2023-05-30 12:26 [PATCH 6.1 0/1] Hardening against CVE-2023-2002 Dragos-Marian Panait
@ 2023-05-30 12:26 ` Dragos-Marian Panait
  2023-05-30 12:52   ` Greg KH
  2023-05-30 12:55   ` Hardening against CVE-2023-2002 bluez.test.bot
  0 siblings, 2 replies; 16+ messages in thread
From: Dragos-Marian Panait @ 2023-05-30 12:26 UTC (permalink / raw)
  To: stable
  Cc: Ruihan Li, Marcel Holtmann, Luiz Augusto von Dentz,
	Johan Hedberg, Paolo Abeni, David S . Miller, Eric Dumazet,
	Jakub Kicinski, netdev, linux-bluetooth, linux-kernel

From: Ruihan Li <lrh2000@pku.edu.cn>

commit 000c2fa2c144c499c881a101819cf1936a1f7cf2 upstream.

Previously, channel open messages were always sent to monitors on the first
ioctl() call for unbound HCI sockets, even if the command and arguments
were completely invalid. This can leave an exploitable hole with the abuse
of invalid ioctl calls.

This commit hardens the ioctl processing logic by first checking if the
command is valid, and immediately returning with an ENOIOCTLCMD error code
if it is not. This ensures that ioctl calls with invalid commands are free
of side effects, and increases the difficulty of further exploitation by
forcing exploitation to find a way to pass a valid command first.

Signed-off-by: Ruihan Li <lrh2000@pku.edu.cn>
Co-developed-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Dragos-Marian Panait <dragos.panait@windriver.com>
---
 net/bluetooth/hci_sock.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index f597fe0db9f8..1d249d839819 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -987,6 +987,34 @@ static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
 
 	BT_DBG("cmd %x arg %lx", cmd, arg);
 
+	/* Make sure the cmd is valid before doing anything */
+	switch (cmd) {
+	case HCIGETDEVLIST:
+	case HCIGETDEVINFO:
+	case HCIGETCONNLIST:
+	case HCIDEVUP:
+	case HCIDEVDOWN:
+	case HCIDEVRESET:
+	case HCIDEVRESTAT:
+	case HCISETSCAN:
+	case HCISETAUTH:
+	case HCISETENCRYPT:
+	case HCISETPTYPE:
+	case HCISETLINKPOL:
+	case HCISETLINKMODE:
+	case HCISETACLMTU:
+	case HCISETSCOMTU:
+	case HCIINQUIRY:
+	case HCISETRAW:
+	case HCIGETCONNINFO:
+	case HCIGETAUTHINFO:
+	case HCIBLOCKADDR:
+	case HCIUNBLOCKADDR:
+		break;
+	default:
+		return -ENOIOCTLCMD;
+	}
+
 	lock_sock(sk);
 
 	if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
-- 
2.40.1


^ permalink raw reply related	[flat|nested] 16+ messages in thread

* Re: [PATCH 6.1 1/1] bluetooth: Add cmd validity checks at the start of hci_sock_ioctl()
  2023-05-30 12:26 ` [PATCH 6.1 1/1] bluetooth: Add cmd validity checks at the start of hci_sock_ioctl() Dragos-Marian Panait
@ 2023-05-30 12:52   ` Greg KH
       [not found]     ` <PH0PR11MB495229C3DABA728EE5C8A19EFA489@PH0PR11MB4952.namprd11.prod.outlook.com>
  2023-05-30 12:55   ` Hardening against CVE-2023-2002 bluez.test.bot
  1 sibling, 1 reply; 16+ messages in thread
From: Greg KH @ 2023-05-30 12:52 UTC (permalink / raw)
  To: Dragos-Marian Panait
  Cc: stable, Ruihan Li, Marcel Holtmann, Luiz Augusto von Dentz,
	Johan Hedberg, Paolo Abeni, David S . Miller, Eric Dumazet,
	Jakub Kicinski, netdev, linux-bluetooth, linux-kernel

On Tue, May 30, 2023 at 03:26:29PM +0300, Dragos-Marian Panait wrote:
> From: Ruihan Li <lrh2000@pku.edu.cn>
> 
> commit 000c2fa2c144c499c881a101819cf1936a1f7cf2 upstream.

What about newer kernels (and older ones)?  Do you want to upgrade and
have a regression?

greg k-h

^ permalink raw reply	[flat|nested] 16+ messages in thread

[parent not found: <PH0PR11MB495229C3DABA728EE5C8A19EFA489@PH0PR11MB4952.namprd11.prod.outlook.com>]

* Re: [PATCH 6.1 1/1] bluetooth: Add cmd validity checks at the start of hci_sock_ioctl()
       [not found]     ` <PH0PR11MB495229C3DABA728EE5C8A19EFA489@PH0PR11MB4952.namprd11.prod.outlook.com>
@ 2023-06-01  9:14       ` Greg KH
  0 siblings, 0 replies; 16+ messages in thread
From: Greg KH @ 2023-06-01  9:14 UTC (permalink / raw)
  To: Panait, Dragos Marian
  Cc: stable, Ruihan Li, Marcel Holtmann, Luiz Augusto von Dentz,
	Johan Hedberg, Paolo Abeni, David S . Miller, Eric Dumazet,
	Jakub Kicinski, netdev, linux-bluetooth, linux-kernel

On Wed, May 31, 2023 at 10:06:11AM +0000, Panait, Dragos Marian wrote:
> Done! (without the cover letter for newer kernels :))

All now queued up, thanks.

You could have just send a one sentance email saying "Please apply
commit XYZ to all stable kernels please" which would have been much
simpler and easier for you :)

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 16+ messages in thread

* RE: Hardening against CVE-2023-2002
  2023-05-30 12:26 ` [PATCH 6.1 1/1] bluetooth: Add cmd validity checks at the start of hci_sock_ioctl() Dragos-Marian Panait
  2023-05-30 12:52   ` Greg KH
@ 2023-05-30 12:55   ` bluez.test.bot
  1 sibling, 0 replies; 16+ messages in thread
From: bluez.test.bot @ 2023-05-30 12:55 UTC (permalink / raw)
  To: linux-bluetooth, dragos.panait

[-- Attachment #1: Type: text/plain, Size: 550 bytes --]

This is an automated email and please do not reply to this email.

Dear Submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.

----- Output -----

error: patch failed: net/bluetooth/hci_sock.c:987
error: net/bluetooth/hci_sock.c: patch does not apply
hint: Use 'git am --show-current-patch' to see the failed patch

Please resolve the issue and submit the patches again.

---
Regards,
Linux Bluetooth

^ permalink raw reply	[flat|nested] 16+ messages in thread

* [PATCH 5.15 0/1] Hardening against CVE-2023-2002
@ 2023-05-30 12:39 Dragos-Marian Panait
  2023-05-30 12:39 ` [PATCH 5.15 1/1] bluetooth: Add cmd validity checks at the start of hci_sock_ioctl() Dragos-Marian Panait
  0 siblings, 1 reply; 16+ messages in thread
From: Dragos-Marian Panait @ 2023-05-30 12:39 UTC (permalink / raw)
  To: stable
  Cc: Ruihan Li, Marcel Holtmann, Luiz Augusto von Dentz,
	Johan Hedberg, Paolo Abeni, David S . Miller, Eric Dumazet,
	Jakub Kicinski, netdev, linux-bluetooth, linux-kernel

The following commit is needed to harden against CVE-2023-2002:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=000c2fa2c144c499c881a101819cf1936a1f7cf2

Ruihan Li (1):
  bluetooth: Add cmd validity checks at the start of hci_sock_ioctl()

 net/bluetooth/hci_sock.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)


base-commit: 1fe619a7d25218e9b9fdcce9fcac6a05cd62abed
-- 
2.40.1


^ permalink raw reply	[flat|nested] 16+ messages in thread

* [PATCH 5.15 1/1] bluetooth: Add cmd validity checks at the start of hci_sock_ioctl()
  2023-05-30 12:39 [PATCH 5.15 0/1] " Dragos-Marian Panait
@ 2023-05-30 12:39 ` Dragos-Marian Panait
  2023-05-30 12:55   ` Hardening against CVE-2023-2002, RE: Hardening against CVE-2023-2002 bluez.test.bot
  0 siblings, 1 reply; 16+ messages in thread
From: Dragos-Marian Panait @ 2023-05-30 12:39 UTC (permalink / raw)
  To: stable
  Cc: Ruihan Li, Marcel Holtmann, Luiz Augusto von Dentz,
	Johan Hedberg, Paolo Abeni, David S . Miller, Eric Dumazet,
	Jakub Kicinski, netdev, linux-bluetooth, linux-kernel

From: Ruihan Li <lrh2000@pku.edu.cn>

commit 000c2fa2c144c499c881a101819cf1936a1f7cf2 upstream.

Previously, channel open messages were always sent to monitors on the first
ioctl() call for unbound HCI sockets, even if the command and arguments
were completely invalid. This can leave an exploitable hole with the abuse
of invalid ioctl calls.

This commit hardens the ioctl processing logic by first checking if the
command is valid, and immediately returning with an ENOIOCTLCMD error code
if it is not. This ensures that ioctl calls with invalid commands are free
of side effects, and increases the difficulty of further exploitation by
forcing exploitation to find a way to pass a valid command first.

Signed-off-by: Ruihan Li <lrh2000@pku.edu.cn>
Co-developed-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Dragos-Marian Panait <dragos.panait@windriver.com>
---
 net/bluetooth/hci_sock.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index 7905e005baa9..315f9ad3dc4d 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -980,6 +980,34 @@ static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
 
 	BT_DBG("cmd %x arg %lx", cmd, arg);
 
+	/* Make sure the cmd is valid before doing anything */
+	switch (cmd) {
+	case HCIGETDEVLIST:
+	case HCIGETDEVINFO:
+	case HCIGETCONNLIST:
+	case HCIDEVUP:
+	case HCIDEVDOWN:
+	case HCIDEVRESET:
+	case HCIDEVRESTAT:
+	case HCISETSCAN:
+	case HCISETAUTH:
+	case HCISETENCRYPT:
+	case HCISETPTYPE:
+	case HCISETLINKPOL:
+	case HCISETLINKMODE:
+	case HCISETACLMTU:
+	case HCISETSCOMTU:
+	case HCIINQUIRY:
+	case HCISETRAW:
+	case HCIGETCONNINFO:
+	case HCIGETAUTHINFO:
+	case HCIBLOCKADDR:
+	case HCIUNBLOCKADDR:
+		break;
+	default:
+		return -ENOIOCTLCMD;
+	}
+
 	lock_sock(sk);
 
 	if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
-- 
2.40.1


^ permalink raw reply related	[flat|nested] 16+ messages in thread

* RE: Hardening against CVE-2023-2002, RE: Hardening against CVE-2023-2002
  2023-05-30 12:39 ` [PATCH 5.15 1/1] bluetooth: Add cmd validity checks at the start of hci_sock_ioctl() Dragos-Marian Panait
@ 2023-05-30 12:55   ` bluez.test.bot
  0 siblings, 0 replies; 16+ messages in thread
From: bluez.test.bot @ 2023-05-30 12:55 UTC (permalink / raw)
  To: linux-bluetooth, dragos.panait, linux-bluetooth, dragos.panait

[-- Attachment #1: Type: text/plain, Size: 550 bytes --]

This is an automated email and please do not reply to this email.

Dear Submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.

----- Output -----

error: patch failed: net/bluetooth/hci_sock.c:987
error: net/bluetooth/hci_sock.c: patch does not apply
hint: Use 'git am --show-current-patch' to see the failed patch

Please resolve the issue and submit the patches again.

---
Regards,
Linux Bluetooth

[-- Attachment #2: Type: text/plain, Size: 550 bytes --]

This is an automated email and please do not reply to this email.

Dear Submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.

----- Output -----

error: patch failed: net/bluetooth/hci_sock.c:980
error: net/bluetooth/hci_sock.c: patch does not apply
hint: Use 'git am --show-current-patch' to see the failed patch

Please resolve the issue and submit the patches again.

---
Regards,
Linux Bluetooth

^ permalink raw reply	[flat|nested] 16+ messages in thread

* [PATCH 5.10 0/1] Hardening against CVE-2023-2002
@ 2023-05-30 12:42 Dragos-Marian Panait
  2023-05-30 12:42 ` [PATCH 5.10 1/1] bluetooth: Add cmd validity checks at the start of hci_sock_ioctl() Dragos-Marian Panait
  0 siblings, 1 reply; 16+ messages in thread
From: Dragos-Marian Panait @ 2023-05-30 12:42 UTC (permalink / raw)
  To: stable
  Cc: Ruihan Li, Marcel Holtmann, Luiz Augusto von Dentz,
	Johan Hedberg, Paolo Abeni, David S . Miller, Eric Dumazet,
	Jakub Kicinski, netdev, linux-bluetooth, linux-kernel

The following commit is needed to harden against CVE-2023-2002:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=000c2fa2c144c499c881a101819cf1936a1f7cf2

Ruihan Li (1):
  bluetooth: Add cmd validity checks at the start of hci_sock_ioctl()

 net/bluetooth/hci_sock.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)


base-commit: 4c893ff55907c61456bcb917781c0dd687a1e123
-- 
2.40.1


^ permalink raw reply	[flat|nested] 16+ messages in thread

* [PATCH 5.10 1/1] bluetooth: Add cmd validity checks at the start of hci_sock_ioctl()
  2023-05-30 12:42 [PATCH 5.10 0/1] " Dragos-Marian Panait
@ 2023-05-30 12:42 ` Dragos-Marian Panait
  2023-05-30 12:55   ` Hardening against CVE-2023-2002, RE: Hardening against CVE-2023-2002, RE: Hardening against CVE-2023-2002 bluez.test.bot
  0 siblings, 1 reply; 16+ messages in thread
From: Dragos-Marian Panait @ 2023-05-30 12:42 UTC (permalink / raw)
  To: stable
  Cc: Ruihan Li, Marcel Holtmann, Luiz Augusto von Dentz,
	Johan Hedberg, Paolo Abeni, David S . Miller, Eric Dumazet,
	Jakub Kicinski, netdev, linux-bluetooth, linux-kernel

From: Ruihan Li <lrh2000@pku.edu.cn>

commit 000c2fa2c144c499c881a101819cf1936a1f7cf2 upstream.

Previously, channel open messages were always sent to monitors on the first
ioctl() call for unbound HCI sockets, even if the command and arguments
were completely invalid. This can leave an exploitable hole with the abuse
of invalid ioctl calls.

This commit hardens the ioctl processing logic by first checking if the
command is valid, and immediately returning with an ENOIOCTLCMD error code
if it is not. This ensures that ioctl calls with invalid commands are free
of side effects, and increases the difficulty of further exploitation by
forcing exploitation to find a way to pass a valid command first.

Signed-off-by: Ruihan Li <lrh2000@pku.edu.cn>
Co-developed-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Dragos-Marian Panait <dragos.panait@windriver.com>
---
 net/bluetooth/hci_sock.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index 4dcc1a8a8954..eafb2bebc12c 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -980,6 +980,34 @@ static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
 
 	BT_DBG("cmd %x arg %lx", cmd, arg);
 
+	/* Make sure the cmd is valid before doing anything */
+	switch (cmd) {
+	case HCIGETDEVLIST:
+	case HCIGETDEVINFO:
+	case HCIGETCONNLIST:
+	case HCIDEVUP:
+	case HCIDEVDOWN:
+	case HCIDEVRESET:
+	case HCIDEVRESTAT:
+	case HCISETSCAN:
+	case HCISETAUTH:
+	case HCISETENCRYPT:
+	case HCISETPTYPE:
+	case HCISETLINKPOL:
+	case HCISETLINKMODE:
+	case HCISETACLMTU:
+	case HCISETSCOMTU:
+	case HCIINQUIRY:
+	case HCISETRAW:
+	case HCIGETCONNINFO:
+	case HCIGETAUTHINFO:
+	case HCIBLOCKADDR:
+	case HCIUNBLOCKADDR:
+		break;
+	default:
+		return -ENOIOCTLCMD;
+	}
+
 	lock_sock(sk);
 
 	if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
-- 
2.40.1


^ permalink raw reply related	[flat|nested] 16+ messages in thread

* RE: Hardening against CVE-2023-2002, RE: Hardening against CVE-2023-2002, RE: Hardening against CVE-2023-2002
  2023-05-30 12:42 ` [PATCH 5.10 1/1] bluetooth: Add cmd validity checks at the start of hci_sock_ioctl() Dragos-Marian Panait
@ 2023-05-30 12:55   ` bluez.test.bot
  0 siblings, 0 replies; 16+ messages in thread
From: bluez.test.bot @ 2023-05-30 12:55 UTC (permalink / raw)
  To: linux-bluetooth, dragos.panait, linux-bluetooth, dragos.panait,
	linux-bluetooth, dragos.panait

[-- Attachment #1: Type: text/plain, Size: 550 bytes --]

This is an automated email and please do not reply to this email.

Dear Submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.

----- Output -----

error: patch failed: net/bluetooth/hci_sock.c:987
error: net/bluetooth/hci_sock.c: patch does not apply
hint: Use 'git am --show-current-patch' to see the failed patch

Please resolve the issue and submit the patches again.

---
Regards,
Linux Bluetooth

[-- Attachment #2: Type: text/plain, Size: 550 bytes --]

This is an automated email and please do not reply to this email.

Dear Submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.

----- Output -----

error: patch failed: net/bluetooth/hci_sock.c:980
error: net/bluetooth/hci_sock.c: patch does not apply
hint: Use 'git am --show-current-patch' to see the failed patch

Please resolve the issue and submit the patches again.

---
Regards,
Linux Bluetooth

[-- Attachment #3: Type: text/plain, Size: 550 bytes --]

This is an automated email and please do not reply to this email.

Dear Submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.

----- Output -----

error: patch failed: net/bluetooth/hci_sock.c:980
error: net/bluetooth/hci_sock.c: patch does not apply
hint: Use 'git am --show-current-patch' to see the failed patch

Please resolve the issue and submit the patches again.

---
Regards,
Linux Bluetooth

^ permalink raw reply	[flat|nested] 16+ messages in thread

* [PATCH 5.4 0/1] Hardening against CVE-2023-2002
@ 2023-05-30 12:47 Dragos-Marian Panait
  2023-05-30 12:47 ` [PATCH 5.4 1/1] bluetooth: Add cmd validity checks at the start of hci_sock_ioctl() Dragos-Marian Panait
  0 siblings, 1 reply; 16+ messages in thread
From: Dragos-Marian Panait @ 2023-05-30 12:47 UTC (permalink / raw)
  To: stable
  Cc: Ruihan Li, Marcel Holtmann, Luiz Augusto von Dentz,
	Johan Hedberg, Paolo Abeni, David S . Miller, Eric Dumazet,
	Jakub Kicinski, netdev, linux-bluetooth, linux-kernel

The following commit is needed to harden against CVE-2023-2002:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=000c2fa2c144c499c881a101819cf1936a1f7cf2

Ruihan Li (1):
  bluetooth: Add cmd validity checks at the start of hci_sock_ioctl()

 net/bluetooth/hci_sock.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)


base-commit: f53660ec669f60c772fdf7d75d1c24d288547cee
-- 
2.40.1


^ permalink raw reply	[flat|nested] 16+ messages in thread

* [PATCH 5.4 1/1] bluetooth: Add cmd validity checks at the start of hci_sock_ioctl()
  2023-05-30 12:47 [PATCH 5.4 0/1] " Dragos-Marian Panait
@ 2023-05-30 12:47 ` Dragos-Marian Panait
  2023-05-30 12:55   ` Hardening against CVE-2023-2002, RE: Hardening against CVE-2023-2002, RE: Hardening against CVE-2023-2002, RE: Hardening against CVE-2023-2002 bluez.test.bot
  0 siblings, 1 reply; 16+ messages in thread
From: Dragos-Marian Panait @ 2023-05-30 12:47 UTC (permalink / raw)
  To: stable
  Cc: Ruihan Li, Marcel Holtmann, Luiz Augusto von Dentz,
	Johan Hedberg, Paolo Abeni, David S . Miller, Eric Dumazet,
	Jakub Kicinski, netdev, linux-bluetooth, linux-kernel

From: Ruihan Li <lrh2000@pku.edu.cn>

commit 000c2fa2c144c499c881a101819cf1936a1f7cf2 upstream.

Previously, channel open messages were always sent to monitors on the first
ioctl() call for unbound HCI sockets, even if the command and arguments
were completely invalid. This can leave an exploitable hole with the abuse
of invalid ioctl calls.

This commit hardens the ioctl processing logic by first checking if the
command is valid, and immediately returning with an ENOIOCTLCMD error code
if it is not. This ensures that ioctl calls with invalid commands are free
of side effects, and increases the difficulty of further exploitation by
forcing exploitation to find a way to pass a valid command first.

Signed-off-by: Ruihan Li <lrh2000@pku.edu.cn>
Co-developed-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Dragos-Marian Panait <dragos.panait@windriver.com>
---
 net/bluetooth/hci_sock.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index 4f8f5204ae7a..45f6ce1f380e 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -973,6 +973,34 @@ static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
 
 	BT_DBG("cmd %x arg %lx", cmd, arg);
 
+	/* Make sure the cmd is valid before doing anything */
+	switch (cmd) {
+	case HCIGETDEVLIST:
+	case HCIGETDEVINFO:
+	case HCIGETCONNLIST:
+	case HCIDEVUP:
+	case HCIDEVDOWN:
+	case HCIDEVRESET:
+	case HCIDEVRESTAT:
+	case HCISETSCAN:
+	case HCISETAUTH:
+	case HCISETENCRYPT:
+	case HCISETPTYPE:
+	case HCISETLINKPOL:
+	case HCISETLINKMODE:
+	case HCISETACLMTU:
+	case HCISETSCOMTU:
+	case HCIINQUIRY:
+	case HCISETRAW:
+	case HCIGETCONNINFO:
+	case HCIGETAUTHINFO:
+	case HCIBLOCKADDR:
+	case HCIUNBLOCKADDR:
+		break;
+	default:
+		return -ENOIOCTLCMD;
+	}
+
 	lock_sock(sk);
 
 	if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
-- 
2.40.1


^ permalink raw reply related	[flat|nested] 16+ messages in thread

* RE: Hardening against CVE-2023-2002, RE: Hardening against CVE-2023-2002, RE: Hardening against CVE-2023-2002, RE: Hardening against CVE-2023-2002
  2023-05-30 12:47 ` [PATCH 5.4 1/1] bluetooth: Add cmd validity checks at the start of hci_sock_ioctl() Dragos-Marian Panait
@ 2023-05-30 12:55   ` bluez.test.bot
  0 siblings, 0 replies; 16+ messages in thread
From: bluez.test.bot @ 2023-05-30 12:55 UTC (permalink / raw)
  To: linux-bluetooth, dragos.panait, linux-bluetooth, dragos.panait,
	linux-bluetooth, dragos.panait, linux-bluetooth, dragos.panait

[-- Attachment #1: Type: text/plain, Size: 550 bytes --]

This is an automated email and please do not reply to this email.

Dear Submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.

----- Output -----

error: patch failed: net/bluetooth/hci_sock.c:987
error: net/bluetooth/hci_sock.c: patch does not apply
hint: Use 'git am --show-current-patch' to see the failed patch

Please resolve the issue and submit the patches again.

---
Regards,
Linux Bluetooth

[-- Attachment #2: Type: text/plain, Size: 550 bytes --]

This is an automated email and please do not reply to this email.

Dear Submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.

----- Output -----

error: patch failed: net/bluetooth/hci_sock.c:980
error: net/bluetooth/hci_sock.c: patch does not apply
hint: Use 'git am --show-current-patch' to see the failed patch

Please resolve the issue and submit the patches again.

---
Regards,
Linux Bluetooth

[-- Attachment #3: Type: text/plain, Size: 550 bytes --]

This is an automated email and please do not reply to this email.

Dear Submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.

----- Output -----

error: patch failed: net/bluetooth/hci_sock.c:980
error: net/bluetooth/hci_sock.c: patch does not apply
hint: Use 'git am --show-current-patch' to see the failed patch

Please resolve the issue and submit the patches again.

---
Regards,
Linux Bluetooth

[-- Attachment #4: Type: text/plain, Size: 550 bytes --]

This is an automated email and please do not reply to this email.

Dear Submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.

----- Output -----

error: patch failed: net/bluetooth/hci_sock.c:973
error: net/bluetooth/hci_sock.c: patch does not apply
hint: Use 'git am --show-current-patch' to see the failed patch

Please resolve the issue and submit the patches again.

---
Regards,
Linux Bluetooth

^ permalink raw reply	[flat|nested] 16+ messages in thread

* [PATCH 4.19 1/1] bluetooth: Add cmd validity checks at the start of hci_sock_ioctl()
@ 2023-05-30 12:57 Dragos-Marian Panait
  2023-05-30 13:16 ` Hardening against CVE-2023-2002 bluez.test.bot
  0 siblings, 1 reply; 16+ messages in thread
From: Dragos-Marian Panait @ 2023-05-30 12:57 UTC (permalink / raw)
  To: stable
  Cc: Ruihan Li, Marcel Holtmann, Luiz Augusto von Dentz,
	Johan Hedberg, Paolo Abeni, David S . Miller, Eric Dumazet,
	Jakub Kicinski, netdev, linux-bluetooth, linux-kernel

From: Ruihan Li <lrh2000@pku.edu.cn>

commit 000c2fa2c144c499c881a101819cf1936a1f7cf2 upstream.

Previously, channel open messages were always sent to monitors on the first
ioctl() call for unbound HCI sockets, even if the command and arguments
were completely invalid. This can leave an exploitable hole with the abuse
of invalid ioctl calls.

This commit hardens the ioctl processing logic by first checking if the
command is valid, and immediately returning with an ENOIOCTLCMD error code
if it is not. This ensures that ioctl calls with invalid commands are free
of side effects, and increases the difficulty of further exploitation by
forcing exploitation to find a way to pass a valid command first.

Signed-off-by: Ruihan Li <lrh2000@pku.edu.cn>
Co-developed-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Dragos-Marian Panait <dragos.panait@windriver.com>
---
 net/bluetooth/hci_sock.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index 908a57578794..182c3c5b8385 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -973,6 +973,34 @@ static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
 
 	BT_DBG("cmd %x arg %lx", cmd, arg);
 
+	/* Make sure the cmd is valid before doing anything */
+	switch (cmd) {
+	case HCIGETDEVLIST:
+	case HCIGETDEVINFO:
+	case HCIGETCONNLIST:
+	case HCIDEVUP:
+	case HCIDEVDOWN:
+	case HCIDEVRESET:
+	case HCIDEVRESTAT:
+	case HCISETSCAN:
+	case HCISETAUTH:
+	case HCISETENCRYPT:
+	case HCISETPTYPE:
+	case HCISETLINKPOL:
+	case HCISETLINKMODE:
+	case HCISETACLMTU:
+	case HCISETSCOMTU:
+	case HCIINQUIRY:
+	case HCISETRAW:
+	case HCIGETCONNINFO:
+	case HCIGETAUTHINFO:
+	case HCIBLOCKADDR:
+	case HCIUNBLOCKADDR:
+		break;
+	default:
+		return -ENOIOCTLCMD;
+	}
+
 	lock_sock(sk);
 
 	if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
-- 
2.40.1


^ permalink raw reply related	[flat|nested] 16+ messages in thread

* RE: Hardening against CVE-2023-2002
  2023-05-30 12:57 [PATCH 4.19 1/1] bluetooth: Add cmd validity checks at the start of hci_sock_ioctl() Dragos-Marian Panait
@ 2023-05-30 13:16 ` bluez.test.bot
  0 siblings, 0 replies; 16+ messages in thread
From: bluez.test.bot @ 2023-05-30 13:16 UTC (permalink / raw)
  To: linux-bluetooth, dragos.panait

[-- Attachment #1: Type: text/plain, Size: 550 bytes --]

This is an automated email and please do not reply to this email.

Dear Submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.

----- Output -----

error: patch failed: net/bluetooth/hci_sock.c:973
error: net/bluetooth/hci_sock.c: patch does not apply
hint: Use 'git am --show-current-patch' to see the failed patch

Please resolve the issue and submit the patches again.

---
Regards,
Linux Bluetooth

^ permalink raw reply	[flat|nested] 16+ messages in thread

* [PATCH 4.14 1/1] bluetooth: Add cmd validity checks at the start of hci_sock_ioctl()
@ 2023-05-30 13:17 Dragos-Marian Panait
  2023-05-30 13:37 ` Hardening against CVE-2023-2002 bluez.test.bot
  0 siblings, 1 reply; 16+ messages in thread
From: Dragos-Marian Panait @ 2023-05-30 13:17 UTC (permalink / raw)
  To: stable
  Cc: Ruihan Li, Marcel Holtmann, Luiz Augusto von Dentz,
	Johan Hedberg, Paolo Abeni, David S . Miller, Eric Dumazet,
	Jakub Kicinski, netdev, linux-bluetooth, linux-kernel

From: Ruihan Li <lrh2000@pku.edu.cn>

commit 000c2fa2c144c499c881a101819cf1936a1f7cf2 upstream.

Previously, channel open messages were always sent to monitors on the first
ioctl() call for unbound HCI sockets, even if the command and arguments
were completely invalid. This can leave an exploitable hole with the abuse
of invalid ioctl calls.

This commit hardens the ioctl processing logic by first checking if the
command is valid, and immediately returning with an ENOIOCTLCMD error code
if it is not. This ensures that ioctl calls with invalid commands are free
of side effects, and increases the difficulty of further exploitation by
forcing exploitation to find a way to pass a valid command first.

Signed-off-by: Ruihan Li <lrh2000@pku.edu.cn>
Co-developed-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Dragos-Marian Panait <dragos.panait@windriver.com>
---
 net/bluetooth/hci_sock.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index 837b0767892e..9b1658346396 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -968,6 +968,34 @@ static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
 
 	BT_DBG("cmd %x arg %lx", cmd, arg);
 
+	/* Make sure the cmd is valid before doing anything */
+	switch (cmd) {
+	case HCIGETDEVLIST:
+	case HCIGETDEVINFO:
+	case HCIGETCONNLIST:
+	case HCIDEVUP:
+	case HCIDEVDOWN:
+	case HCIDEVRESET:
+	case HCIDEVRESTAT:
+	case HCISETSCAN:
+	case HCISETAUTH:
+	case HCISETENCRYPT:
+	case HCISETPTYPE:
+	case HCISETLINKPOL:
+	case HCISETLINKMODE:
+	case HCISETACLMTU:
+	case HCISETSCOMTU:
+	case HCIINQUIRY:
+	case HCISETRAW:
+	case HCIGETCONNINFO:
+	case HCIGETAUTHINFO:
+	case HCIBLOCKADDR:
+	case HCIUNBLOCKADDR:
+		break;
+	default:
+		return -ENOIOCTLCMD;
+	}
+
 	lock_sock(sk);
 
 	if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
-- 
2.40.1


^ permalink raw reply related	[flat|nested] 16+ messages in thread

* RE: Hardening against CVE-2023-2002
  2023-05-30 13:17 [PATCH 4.14 1/1] bluetooth: Add cmd validity checks at the start of hci_sock_ioctl() Dragos-Marian Panait
@ 2023-05-30 13:37 ` bluez.test.bot
  0 siblings, 0 replies; 16+ messages in thread
From: bluez.test.bot @ 2023-05-30 13:37 UTC (permalink / raw)
  To: linux-bluetooth, dragos.panait

[-- Attachment #1: Type: text/plain, Size: 550 bytes --]

This is an automated email and please do not reply to this email.

Dear Submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.

----- Output -----

error: patch failed: net/bluetooth/hci_sock.c:968
error: net/bluetooth/hci_sock.c: patch does not apply
hint: Use 'git am --show-current-patch' to see the failed patch

Please resolve the issue and submit the patches again.

---
Regards,
Linux Bluetooth

^ permalink raw reply	[flat|nested] 16+ messages in thread

end of thread, other threads:[~2023-06-01  9:14 UTC | newest]

Thread overview: 16+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-05-30 12:26 [PATCH 6.1 0/1] Hardening against CVE-2023-2002 Dragos-Marian Panait
2023-05-30 12:26 ` [PATCH 6.1 1/1] bluetooth: Add cmd validity checks at the start of hci_sock_ioctl() Dragos-Marian Panait
2023-05-30 12:52   ` Greg KH
     [not found]     ` <PH0PR11MB495229C3DABA728EE5C8A19EFA489@PH0PR11MB4952.namprd11.prod.outlook.com>
2023-06-01  9:14       ` Greg KH
2023-05-30 12:55   ` Hardening against CVE-2023-2002 bluez.test.bot
2023-05-30 12:39 [PATCH 5.15 0/1] " Dragos-Marian Panait
2023-05-30 12:39 ` [PATCH 5.15 1/1] bluetooth: Add cmd validity checks at the start of hci_sock_ioctl() Dragos-Marian Panait
2023-05-30 12:55   ` Hardening against CVE-2023-2002, RE: Hardening against CVE-2023-2002 bluez.test.bot
2023-05-30 12:42 [PATCH 5.10 0/1] " Dragos-Marian Panait
2023-05-30 12:42 ` [PATCH 5.10 1/1] bluetooth: Add cmd validity checks at the start of hci_sock_ioctl() Dragos-Marian Panait
2023-05-30 12:55   ` Hardening against CVE-2023-2002, RE: Hardening against CVE-2023-2002, RE: Hardening against CVE-2023-2002 bluez.test.bot
2023-05-30 12:47 [PATCH 5.4 0/1] " Dragos-Marian Panait
2023-05-30 12:47 ` [PATCH 5.4 1/1] bluetooth: Add cmd validity checks at the start of hci_sock_ioctl() Dragos-Marian Panait
2023-05-30 12:55   ` Hardening against CVE-2023-2002, RE: Hardening against CVE-2023-2002, RE: Hardening against CVE-2023-2002, RE: Hardening against CVE-2023-2002 bluez.test.bot
2023-05-30 12:57 [PATCH 4.19 1/1] bluetooth: Add cmd validity checks at the start of hci_sock_ioctl() Dragos-Marian Panait
2023-05-30 13:16 ` Hardening against CVE-2023-2002 bluez.test.bot
2023-05-30 13:17 [PATCH 4.14 1/1] bluetooth: Add cmd validity checks at the start of hci_sock_ioctl() Dragos-Marian Panait
2023-05-30 13:37 ` Hardening against CVE-2023-2002 bluez.test.bot

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.