From patchwork Fri Apr 5 20:48:23 2024
X-Patchwork-Submitter: Luiz Augusto von Dentz
X-Patchwork-Id: 13619406
From: Luiz Augusto von Dentz
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH v2 1/5] Bluetooth: SCO: Fix not validating setsockopt user input
Date: Fri, 5 Apr 2024 16:48:23 -0400
Message-ID: <20240405204827.3458726-1-luiz.dentz@gmail.com>

syzbot reported sco_sock_setsockopt() is copying data without checking user input length.

BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]
BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]
BUG: KASAN: slab-out-of-bounds in sco_sock_setsockopt+0xc0b/0xf90 net/bluetooth/sco.c:893
Read of size 4 at addr ffff88805f7b15a3 by task syz-executor.5/12578

Fixes: ad10b1a48754 ("Bluetooth: Add Bluetooth socket voice option")
Fixes: b96e9c671b05 ("Bluetooth: Add BT_DEFER_SETUP option to sco socket")
Fixes: 00398e1d5183 ("Bluetooth: Add support for BT_PKT_STATUS CMSG data for SCO connections")
Fixes: f6873401a608 ("Bluetooth: Allow setting of codec for HFP offload use case")
Reported-by: syzbot
Signed-off-by: Eric Dumazet
Signed-off-by: Luiz Augusto von Dentz
Reported-by: syzbot
Signed-off-by: Eric Dumazet
Reported-by: syzbot
Signed-off-by: Eric Dumazet
---
 include/net/bluetooth/bluetooth.h |  9 +++++++++
 net/bluetooth/sco.c               | 23 ++++++++++-------------
 2 files changed, 19 insertions(+), 13 deletions(-)

diff --git a/include/net/bluetooth/bluetooth.h b/include/net/bluetooth/bluetooth.h
index 1ada4f85e982..431c907155e7 100644
--- a/include/net/bluetooth/bluetooth.h
+++ b/include/net/bluetooth/bluetooth.h
@@ -586,6 +586,15 @@ static inline struct sk_buff *bt_skb_sendmmsg(struct sock *sk, return skb; } +static inline int bt_copy_from_sockptr(void *dst, size_t dst_size, + sockptr_t src, size_t src_size) +{ + if (dst_size > src_size) + return -EINVAL; + + return copy_from_sockptr(dst, src, dst_size); +} + int bt_to_errno(u16 code); __u8 bt_status(int err); diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c index 99c2b713d826..cc72f05d4f0e 100644 --- a/net/bluetooth/sco.c +++ b/net/bluetooth/sco.c @@ -839,7 +839,7 @@ static int sco_sock_setsockopt(struct socket *sock, int level, int optname, sockptr_t optval, unsigned int optlen) { struct sock *sk = sock->sk; - int len, err = 0; + int err = 0; struct bt_voice voice; u32 opt; struct bt_codecs *codecs; @@ -858,10 +858,9 @@ static int sco_sock_setsockopt(struct socket *sock, int level, int optname, break; } - if (copy_from_sockptr(&opt, optval, sizeof(u32))) { - err = -EFAULT; + err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); + if (err) break; - } if (opt) set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); @@ -878,11 +877,10 @@ static int sco_sock_setsockopt(struct socket *sock, int level, int optname, voice.setting = sco_pi(sk)->setting; - len = min_t(unsigned int, sizeof(voice), optlen); - if (copy_from_sockptr(&voice, optval, len)) { - err = -EFAULT; + err = bt_copy_from_sockptr(&voice, sizeof(voice), optval, + optlen); + if (err) break; - } /* Explicitly check for these values */ if (voice.setting != BT_VOICE_TRANSPARENT && @@ -905,10 +903,9 @@ static int sco_sock_setsockopt(struct socket *sock, int level, int optname, break; case BT_PKT_STATUS: - if (copy_from_sockptr(&opt, optval, sizeof(u32))) { - err = -EFAULT; + err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); + if (err) break; - } if (opt) set_bit(BT_SK_PKT_STATUS, &bt_sk(sk)->flags); 
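Review bot: the new bt_copy_from_sockptr() in the bluetooth.h hunk carries no comment describing its contract, and the contract is not obvious from the name or the argument order (dst, dst_size, src, src_size, unlike copy_from_sockptr()'s dst, src, size). What it does is: return -EINVAL when the user-supplied src_size is smaller than dst_size, otherwise copy exactly dst_size bytes and propagate the return value of copy_from_sockptr(); any bytes beyond dst_size are silently ignored. Two consequences of that contract are worth a kernel-doc block above the helper. First, a caller that passes the same value for both sizes, as the last sco.c hunk does with `err = bt_copy_from_sockptr(buffer, optlen, optval, optlen);`, makes the `if (dst_size > src_size)` test unfailable, so that call is equivalent to the old copy_from_sockptr(buffer, optval, optlen) and the bound on optlen against the allocation of buffer has to come from code above that hunk, which is not shown; a one-line comment at that call site would stop a later reader from assuming the helper is doing the bounds check. Second, every site in this series that previously used `len = min_t(unsigned int, sizeof(x), optlen)` (the BT_VOICE hunk here, for example) accepted a short optlen and now fails with -EINVAL; that is a userspace-visible tightening that the commit message should state explicitly rather than leaving under "not validating user input".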
@@ -949,9 +946,9 @@ static int sco_sock_setsockopt(struct socket *sock, int level, int optname, break; } - if (copy_from_sockptr(buffer, optval, optlen)) { + err = bt_copy_from_sockptr(buffer, optlen, optval, optlen); + if (err) { hci_dev_put(hdev); - err = -EFAULT; break; }

From patchwork Fri Apr 5 20:48:24 2024
X-Patchwork-Submitter: Luiz Augusto von Dentz
X-Patchwork-Id: 13619407
From: Luiz Augusto von Dentz
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH v2 2/5] Bluetooth: RFCOMM: Fix not validating setsockopt user input
Date: Fri, 5 Apr 2024 16:48:24 -0400
Message-ID: <20240405204827.3458726-2-luiz.dentz@gmail.com>
In-Reply-To: <20240405204827.3458726-1-luiz.dentz@gmail.com>

syzbot reported rfcomm_sock_setsockopt_old() is copying data without checking user input length.

BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]
BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]
BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt_old net/bluetooth/rfcomm/sock.c:632 [inline]
BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt+0x893/0xa70 net/bluetooth/rfcomm/sock.c:673
Read of size 4 at addr ffff8880209a8bc3 by task syz-executor632/5064

Fixes: 9f2c8a03fbb3 ("Bluetooth: Replace RFCOMM link mode with security level")
Fixes: bb23c0ab8246 ("Bluetooth: Add support for deferring RFCOMM connection setup")
Reported-by: syzbot
Signed-off-by: Eric Dumazet
Signed-off-by: Luiz Augusto von Dentz
---
 net/bluetooth/rfcomm/sock.c | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index b54e8a530f55..29aa07e9db9d 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -629,7 +629,7 @@ static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname, switch (optname) { case RFCOMM_LM: - if (copy_from_sockptr(&opt, optval, sizeof(u32))) { + if (bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen)) { err = -EFAULT; break; } @@ -664,7 +664,6 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, struct sock *sk = sock->sk; struct bt_security sec; int err = 0; - size_t len; u32 opt; BT_DBG("sk %p", sk); @@ -686,11 +685,9 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, sec.level = BT_SECURITY_LOW; - len = min_t(unsigned int, sizeof(sec), optlen); - if (copy_from_sockptr(&sec, optval, len)) { - err = -EFAULT; + err = bt_copy_from_sockptr(&sec, sizeof(sec), optval, optlen); + if (err) break; - } if (sec.level > BT_SECURITY_HIGH) { err = -EINVAL; 
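Review bot: the RFCOMM_LM hunk collapses every failure of the new helper to -EFAULT: `if (bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen)) { err = -EFAULT; break; }`. bt_copy_from_sockptr() returns -EINVAL for a too-short optlen and -EFAULT only for a bad user pointer, so a caller that passes a short buffer to RFCOMM_LM gets EFAULT while the same mistake on BT_SECURITY or BT_DEFER_SETUP in the hunks right below gets EINVAL. Use the pattern the other sites use, `err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); if (err) break;`, so the errno is consistent and the helper's return value is not thrown away.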
@@ -706,10 +703,9 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, break; } - if (copy_from_sockptr(&opt, optval, sizeof(u32))) { - err = -EFAULT; + err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); + if (err) break; - } if (opt) set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);

From patchwork Fri Apr 5 20:48:25 2024
X-Patchwork-Submitter: Luiz Augusto von Dentz
X-Patchwork-Id: 13619408
From: Luiz Augusto von Dentz
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH v2 3/5] Bluetooth: L2CAP: Fix not validating setsockopt user input
Date: Fri, 5 Apr 2024 16:48:25 -0400
Message-ID: <20240405204827.3458726-3-luiz.dentz@gmail.com>
In-Reply-To: <20240405204827.3458726-1-luiz.dentz@gmail.com>

Check user input length before copying data.

Fixes: 33575df7be67 ("Bluetooth: move l2cap_sock_setsockopt() to l2cap_sock.c")
Fixes: 3ee7b7cd8390 ("Bluetooth: Add BT_MODE socket option")
Signed-off-by: Eric Dumazet
Signed-off-by: Luiz Augusto von Dentz
---
 net/bluetooth/l2cap_sock.c | 52 +++++++++++++++-----------------------
 1 file changed, 20 insertions(+), 32 deletions(-)

diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 7846a068bf60..b8913fbd77ce 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -728,7 +728,7 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, struct sock *sk = sock->sk; struct l2cap_chan *chan = l2cap_pi(sk)->chan; struct l2cap_options opts; - int len, err = 0; + int err = 0; u32 opt; BT_DBG("sk %p", sk);
@@ -755,11 +755,9 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, opts.max_tx = chan->max_tx; opts.txwin_size = chan->tx_win; - len = min_t(unsigned int, sizeof(opts), optlen); - if (copy_from_sockptr(&opts, optval, len)) { - err = -EFAULT; + err = bt_copy_from_sockptr(&opts, sizeof(opts), optval, optlen); + if (err) break; - } if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) { err = -EINVAL; @@ -802,10 +800,9 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, break; case L2CAP_LM: - if (copy_from_sockptr(&opt, optval, sizeof(u32))) { - err = -EFAULT; + err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); + if (err) break; - } if (opt & L2CAP_LM_FIPS) { err = -EINVAL; @@ -886,7 +883,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, struct bt_security sec; struct bt_power pwr; struct l2cap_conn *conn; - int len, err = 0; + int err = 0; u32 opt; u16 mtu; u8 mode; @@ -912,11 +909,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, sec.level = BT_SECURITY_LOW; - len = min_t(unsigned int, sizeof(sec), optlen); - if (copy_from_sockptr(&sec, optval, len)) { - err = -EFAULT; + err = bt_copy_from_sockptr(&sec, sizeof(sec), optval, optlen); + if (err) break; - } if (sec.level < BT_SECURITY_LOW || sec.level > BT_SECURITY_FIPS) { @@ -961,10 +956,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, break; } - if (copy_from_sockptr(&opt, optval, sizeof(u32))) { - err = -EFAULT; + err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); + if (err) break; - } if (opt) { set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); 
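Review bot: the L2CAP_OPTIONS hunk changes semantics, not just safety. The context shows opts being prefilled from the channel (`opts.max_tx = chan->max_tx; opts.txwin_size = chan->tx_win;`) before the old `len = min_t(unsigned int, sizeof(opts), optlen)` copy, which is the idiom for letting a caller pass a shorter (older) struct and have only the leading fields overwritten; that copy was already bounded by sizeof(opts), so there was no out-of-bounds access at this site. Switching to bt_copy_from_sockptr(&opts, sizeof(opts), optval, optlen) makes every short optlen fail with -EINVAL. If breaking callers that pass the shorter struct is the intent, the one-line commit message "Check user input length before copying data" should say so and why; if it is not, keep the min_t()-bounded copy here and only reject lengths the following validation (`opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW`) cannot cope with.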
@@ -976,10 +970,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, break; case BT_FLUSHABLE: - if (copy_from_sockptr(&opt, optval, sizeof(u32))) { - err = -EFAULT; + err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); + if (err) break; - } if (opt > BT_FLUSHABLE_ON) { err = -EINVAL; @@ -1011,11 +1004,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, pwr.force_active = BT_POWER_FORCE_ACTIVE_ON; - len = min_t(unsigned int, sizeof(pwr), optlen); - if (copy_from_sockptr(&pwr, optval, len)) { - err = -EFAULT; + err = bt_copy_from_sockptr(&pwr, sizeof(pwr), optval, optlen); + if (err) break; - } if (pwr.force_active) set_bit(FLAG_FORCE_ACTIVE, &chan->flags); @@ -1024,10 +1015,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, break; case BT_CHANNEL_POLICY: - if (copy_from_sockptr(&opt, optval, sizeof(u32))) { - err = -EFAULT; + err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); + if (err) break; - } err = -EOPNOTSUPP; break; @@ -1056,10 +1046,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, break; } - if (copy_from_sockptr(&mtu, optval, sizeof(u16))) { - err = -EFAULT; + err = bt_copy_from_sockptr(&mtu, sizeof(mtu), optval, optlen); + if (err) break; - } if (chan->mode == L2CAP_MODE_EXT_FLOWCTL && sk->sk_state == BT_CONNECTED) 
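Review bot: in the BT_CHANNEL_POLICY hunk the copied value is never used; the case falls straight through to `err = -EOPNOTSUPP; break;`. With the new helper a short optlen now returns -EINVAL before that line is reached, so the errno userspace sees for an option the kernel does not support depends on the length it happened to pass. Either drop the copy and return -EOPNOTSUPP unconditionally, or keep it and add a comment saying the length check on an unsupported option is deliberate.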
@@ -1087,10 +1076,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, break; } - if (copy_from_sockptr(&mode, optval, sizeof(u8))) { - err = -EFAULT; + err = bt_copy_from_sockptr(&mode, sizeof(mode), optval, optlen); + if (err) break; - } BT_DBG("mode %u", mode);

From patchwork Fri Apr 5 20:48:26 2024
X-Patchwork-Submitter: Luiz Augusto von Dentz
X-Patchwork-Id: 13619409
From: Luiz Augusto von Dentz
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH v2 4/5] Bluetooth: ISO: Fix not validating setsockopt user input
Date: Fri, 5 Apr 2024 16:48:26 -0400
Message-ID: <20240405204827.3458726-4-luiz.dentz@gmail.com>
In-Reply-To: <20240405204827.3458726-1-luiz.dentz@gmail.com>

Check user input length before copying data.

Fixes: ccf74f2390d6 ("Bluetooth: Add BTPROTO_ISO socket type")
Fixes: 0731c5ab4d51 ("Bluetooth: ISO: Add support for BT_PKT_STATUS")
Fixes: f764a6c2c1e4 ("Bluetooth: ISO: Add broadcast support")
Signed-off-by: Eric Dumazet
Signed-off-by: Luiz Augusto von Dentz
---
 net/bluetooth/iso.c | 36 ++++++++++++------------------------
 1 file changed, 12 insertions(+), 24 deletions(-)

diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index 0dda77e2e52c..5964e2e87829 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -1499,7 +1499,7 @@ static int iso_sock_setsockopt(struct socket *sock, int level, int optname, sockptr_t optval, unsigned int optlen) { struct sock *sk = sock->sk; - int len, err = 0; + int err = 0; struct bt_iso_qos qos = default_qos; u32 opt;
@@ -1514,10 +1514,9 @@ static int iso_sock_setsockopt(struct socket *sock, int level, int optname, break; } - if (copy_from_sockptr(&opt, optval, sizeof(u32))) { - err = -EFAULT; + err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); + if (err) break; - } if (opt) set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); @@ -1526,10 +1525,9 @@ static int iso_sock_setsockopt(struct socket *sock, int level, int optname, break; case BT_PKT_STATUS: - if (copy_from_sockptr(&opt, optval, sizeof(u32))) { - err = -EFAULT; + err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); + if (err) break; - } if (opt) set_bit(BT_SK_PKT_STATUS, &bt_sk(sk)->flags); @@ -1546,17 +1544,9 @@ static int iso_sock_setsockopt(struct socket *sock, int level, int optname, break; } - len = min_t(unsigned int, sizeof(qos), optlen); - - if (copy_from_sockptr(&qos, optval, len)) { - err = -EFAULT; + err = bt_copy_from_sockptr(&qos, sizeof(qos), optval, optlen); + if (err) break; - } - - if (len == sizeof(qos.ucast) && !check_ucast_qos(&qos)) { - err = -EINVAL; - break; - } iso_pi(sk)->qos = qos; iso_pi(sk)->qos_user_set = true; 
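Review bot: the BT_ISO_QOS hunk removes validation, not only the length bookkeeping. The deleted lines `if (len == sizeof(qos.ucast) && !check_ucast_qos(&qos)) { err = -EINVAL; break; }` were the only sanity check on the unicast QoS parameters in this path and nothing replaces them, so after this hunk `iso_pi(sk)->qos = qos;` stores whatever userspace supplied. If the len-based dispatch no longer fits because the helper now requires optlen >= sizeof(qos), call check_ucast_qos() under whatever condition now identifies a unicast request instead of dropping it, or explain in the commit message why unvalidated QoS is acceptable; "Check user input length before copying data" does not cover removing a value check.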
@@ -1571,18 +1561,16 @@ static int iso_sock_setsockopt(struct socket *sock, int level, int optname, } if (optlen > sizeof(iso_pi(sk)->base)) { - err = -EOVERFLOW; + err = -EINVAL; break; } - len = min_t(unsigned int, sizeof(iso_pi(sk)->base), optlen); - - if (copy_from_sockptr(iso_pi(sk)->base, optval, len)) { - err = -EFAULT; + err = bt_copy_from_sockptr(iso_pi(sk)->base, optlen, optval, + optlen); + if (err) break; - } - iso_pi(sk)->base_len = len; + iso_pi(sk)->base_len = optlen; break;
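Review bot: two userspace-visible details in the BT_ISO_BASE hunk are not in the commit message. The errno for an overlong BASE changes from -EOVERFLOW to -EINVAL (`- err = -EOVERFLOW; + err = -EINVAL;`), which any caller distinguishing the two will notice and which is unrelated to the length-check fix. And because optlen is passed as both sizes, `bt_copy_from_sockptr(iso_pi(sk)->base, optlen, optval, optlen)`, the helper's size comparison can never fail here; the real bound is the `if (optlen > sizeof(iso_pi(sk)->base))` test just above, which is correct but deserves a one-line comment so a later reader does not assume the helper is doing the bounds check for this copy.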
From: Luiz Augusto von Dentz To: linux-bluetooth@vger.kernel.org Subject: [PATCH v2 5/5] Bluetooth: hci_sock: Fix not validating setsockopt user input Date: Fri, 5 Apr 2024 16:48:27 -0400 Message-ID: <20240405204827.3458726-5-luiz.dentz@gmail.com> X-Mailer: git-send-email 2.44.0 In-Reply-To: <20240405204827.3458726-1-luiz.dentz@gmail.com> References: <20240405204827.3458726-1-luiz.dentz@gmail.com>

From: Luiz Augusto von Dentz Check user input length before copying data. Fixes: 09572fca7223 ("Bluetooth: hci_sock: Add support for BT_{SND,RCV}BUF") Signed-off-by: Luiz Augusto von Dentz --- net/bluetooth/hci_sock.c | 21 ++++++++------------- 1 file changed, 8 insertions(+), 13 deletions(-)

diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c index 4ee1b976678b..703b84bd48d5 100644 --- a/net/bluetooth/hci_sock.c +++ b/net/bluetooth/hci_sock.c @@ -1946,10 +1946,9 @@ static int hci_sock_setsockopt_old(struct socket *sock, int level, int optname, switch (optname) { case HCI_DATA_DIR: - if (copy_from_sockptr(&opt, optval, sizeof(opt))) { - err = -EFAULT; + err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, len); + if (err) break; - } if (opt) hci_pi(sk)->cmsg_mask |= HCI_CMSG_DIR;
@@ -1958,10 +1957,9 @@ static int hci_sock_setsockopt_old(struct socket *sock, int level, int optname, break; case HCI_TIME_STAMP: - if (copy_from_sockptr(&opt, optval, sizeof(opt))) { - err = -EFAULT; + err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, len); + if (err) break; - } if (opt) hci_pi(sk)->cmsg_mask |= HCI_CMSG_TSTAMP; @@ -1979,11 +1977,9 @@ static int hci_sock_setsockopt_old(struct socket *sock, int level, int optname, uf.event_mask[1] = *((u32 *) f->event_mask + 1); } - len = min_t(unsigned int, len, sizeof(uf)); - if (copy_from_sockptr(&uf, optval, len)) { - err = -EFAULT; + err = bt_copy_from_sockptr(&uf, sizeof(uf), optval, len); + if (err) break; - } if (!capable(CAP_NET_RAW)) { uf.type_mask &= hci_sec_filter.type_mask; @@ -2042,10 +2038,9 @@ static int hci_sock_setsockopt(struct socket *sock, int level, int optname, goto done; } - if (copy_from_sockptr(&opt, optval, sizeof(opt))) { - err = -EFAULT; + err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, len); + if (err) break; - } hci_pi(sk)->mtu = opt; break;
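Review bot: In the HCI_DATA_DIR hunk (and the identical HCI_TIME_STAMP hunk), the removed copy_from_sockptr(&opt, optval, sizeof(opt)) read sizeof(opt) bytes without consulting len, so a setsockopt() with an optlen shorter than opt read beyond the buffer the caller supplied; the replacement bt_copy_from_sockptr(&opt, sizeof(opt), optval, len) hands both sizes to the helper, which is the right shape for this fix. The commit message ("Check user input length before copying data") does not say which options were affected or what a too-short optlen now returns; spelling that out (these two options, HCI_FILTER and the MTU option in hci_sock_setsockopt) would help reviewers and stable maintainers judge the change.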
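Review bot: In the HCI_FILTER hunk, the old code was not an over-read: `len = min_t(unsigned int, len, sizeof(uf));` clamped the copy to both the caller's optlen and sizeof(uf), and uf had already been pre-filled from the socket's current filter (the `uf.event_mask[1] = *((u32 *) f->event_mask + 1);` line kept as context), so a caller passing a shorter struct hci_ufilter got a partial update on top of the existing filter. Replacing that with bt_copy_from_sockptr(&uf, sizeof(uf), optval, len) changes that behaviour: a short optlen is now an error rather than a partial update. That is the stricter and arguably safer choice, but it is a user-visible ABI change rather than a bug fix, so the commit message should state it explicitly; and since a successful copy now always overwrites all of uf, the pre-fill from f above the copy is redundant and could go in the same patch or a follow-up.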
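Review bot: In the hci_sock_setsockopt hunk, the copy into opt is now length-checked, but the value is still stored as-is by `hci_pi(sk)->mtu = opt;` and no range check on opt is visible in the hunk; if none exists above it, a zero or very large MTU reaches later code unchecked and a bound here would be cheap. Separately, the Fixes: tag names the BT_{SND,RCV}BUF commit, yet none of the four hunks touches those options and three of them are in hci_sock_setsockopt_old; if those cases predate that commit, a stable backport keyed on this tag may miss the older trees that need them, so consider one Fixes: line per origin commit or a split patch.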
