diff mbox series

bluetooth: Perform careful capability checks in hci_sock_ioctl()

Message ID 20230416081404.8227-1-lrh2000@pku.edu.cn (mailing list archive)
State Accepted
Commit 313016d2888899897cdd7b0b1f2cb84f8da60961
Headers show
Series bluetooth: Perform careful capability checks in hci_sock_ioctl() | expand

Checks

Context Check Description
tedd_an/pre-ci_am success Success
tedd_an/CheckPatch success CheckPatch PASS
tedd_an/GitLint success Gitlint PASS
tedd_an/SubjectPrefix fail "Bluetooth: " prefix is not specified in the subject
tedd_an/BuildKernel success BuildKernel PASS
tedd_an/CheckAllWarning success CheckAllWarning PASS
tedd_an/CheckSparse success CheckSparse PASS
tedd_an/CheckSmatch success CheckSparse PASS
tedd_an/BuildKernel32 success BuildKernel32 PASS
tedd_an/TestRunnerSetup success TestRunnerSetup PASS
tedd_an/TestRunner_l2cap-tester success TestRunner PASS
tedd_an/TestRunner_iso-tester success TestRunner PASS
tedd_an/TestRunner_bnep-tester success TestRunner PASS
tedd_an/TestRunner_mgmt-tester success TestRunner PASS
tedd_an/TestRunner_rfcomm-tester success TestRunner PASS
tedd_an/TestRunner_sco-tester success TestRunner PASS
tedd_an/TestRunner_ioctl-tester success TestRunner PASS
tedd_an/TestRunner_mesh-tester success TestRunner PASS
tedd_an/TestRunner_smp-tester success TestRunner PASS
tedd_an/TestRunner_userchan-tester success TestRunner PASS
tedd_an/IncrementalBuild success Incremental Build PASS

Commit Message

Ruihan Li April 16, 2023, 8:14 a.m. UTC 
Previously, capability was checked using capable(), which verified that the
caller of the ioctl system call had the required capability. In addition,
the result of the check would be stored in the HCI_SOCK_TRUSTED flag,
making it persistent for the socket.

However, malicious programs can abuse this approach by deliberately sharing
an HCI socket with a privileged task. The HCI socket will be marked as
trusted when the privileged task occasionally makes an ioctl call.

This problem can be solved by using sk_capable() to check capability, which
ensures that not only the current task but also the socket opener has the
specified capability, thus reducing the risk of privilege escalation
through the previously identified vulnerability.

Cc: stable@vger.kernel.org
Fixes: f81f5b2db869 ("Bluetooth: Send control open and close messages for HCI raw sockets")
Signed-off-by: Ruihan Li <lrh2000@pku.edu.cn>
---
 net/bluetooth/hci_sock.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

Comments

bluez.test.bot@gmail.com April 16, 2023, 9:01 a.m. UTC | #1 
This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=740182

---Test result---

Test Summary:
CheckPatch                    PASS      0.60 seconds
GitLint                       PASS      0.24 seconds
SubjectPrefix                 FAIL      0.48 seconds
BuildKernel                   PASS      40.50 seconds
CheckAllWarning               PASS      44.13 seconds
CheckSparse                   PASS      49.42 seconds
CheckSmatch                   PASS      134.01 seconds
BuildKernel32                 PASS      39.14 seconds
TestRunnerSetup               PASS      559.05 seconds
TestRunner_l2cap-tester       PASS      19.48 seconds
TestRunner_iso-tester         PASS      25.39 seconds
TestRunner_bnep-tester        PASS      6.68 seconds
TestRunner_mgmt-tester        PASS      136.10 seconds
TestRunner_rfcomm-tester      PASS      10.90 seconds
TestRunner_sco-tester         PASS      10.13 seconds
TestRunner_ioctl-tester       PASS      11.56 seconds
TestRunner_mesh-tester        PASS      8.62 seconds
TestRunner_smp-tester         PASS      9.85 seconds
TestRunner_userchan-tester    PASS      7.30 seconds
IncrementalBuild              PASS      36.44 seconds

Details
##############################
Test: SubjectPrefix - FAIL
Desc: Check subject contains "Bluetooth" prefix
Output:
"Bluetooth: " prefix is not specified in the subject


---
Regards,
Linux Bluetooth
patchwork-bot+bluetooth@kernel.org April 17, 2023, 6:30 p.m. UTC | #2 
Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Sun, 16 Apr 2023 16:14:04 +0800 you wrote:
> Previously, capability was checked using capable(), which verified that the
> caller of the ioctl system call had the required capability. In addition,
> the result of the check would be stored in the HCI_SOCK_TRUSTED flag,
> making it persistent for the socket.
> 
> However, malicious programs can abuse this approach by deliberately sharing
> an HCI socket with a privileged task. The HCI socket will be marked as
> trusted when the privileged task occasionally makes an ioctl call.
> 
> [...]

Here is the summary with links:
  - bluetooth: Perform careful capability checks in hci_sock_ioctl()
    https://git.kernel.org/bluetooth/bluetooth-next/c/313016d28888

You are awesome, thank you!
diff mbox series

Patch

diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index 065812232..f597fe0db 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -1003,7 +1003,14 @@  static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
 	if (hci_sock_gen_cookie(sk)) {
 		struct sk_buff *skb;
 
-		if (capable(CAP_NET_ADMIN))
+		/* Perform careful checks before setting the HCI_SOCK_TRUSTED
+		 * flag. Make sure that not only the current task but also
+		 * the socket opener has the required capability, since
+		 * privileged programs can be tricked into making ioctl calls
+		 * on HCI sockets, and the socket should not be marked as
+		 * trusted simply because the ioctl caller is privileged.
+		 */
+		if (sk_capable(sk, CAP_NET_ADMIN))
 			hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
 
 		/* Send event to monitor */