Message-ID: <CABBYNZJ+brhf-h7HU63vRah9uBNx3UT=kxTQjr74vuJRG+3B0g@mail.gmail.com>
Date: Mon, 12 Jan 2026 11:39:18 -0500
From: Luiz Augusto von Dentz <luiz.dentz@...il.com>
To: Jerry Wu <w.7erry@...mail.com>
Cc: marcel@...tmann.org, johan.hedberg@...il.com,
linux-bluetooth@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] Bluetooth: Perform careful capability checks in hci_sock_bind()
Hi Jerry,
On Thu, Jan 8, 2026 at 8:57 PM Jerry Wu <w.7erry@...mail.com> wrote:
>
> Previously, the HCI_SOCK_TRUSTED flag was set in hci_sock_bind() by
> checking capable(CAP_NET_ADMIN). This function verifies that the
> current caller of the bind system call has the required capability.
>
> However, this approach is vulnerable to a "confused deputy" attack. A
> malicious unprivileged program can open an HCI socket and deliberately
> share it with a privileged task (e.g., via file descriptor passing).
> If the privileged task is tricked into calling bind() on that socket,
> the capable() check will pass, and the socket will be marked as
> trusted. The original unprivileged program then retains access to this
> now-trusted socket, allowing it to perform privileged operations.
>
> This issue mirrors the vulnerability previously identified and fixed
> in hci_sock_ioctl().
>
> Fix this by using sk_capable() instead of capable(). This ensures that
> both the task performing the bind and the socket opener must have the
> CAP_NET_ADMIN capability before the socket is granted the
> HCI_SOCK_TRUSTED status.
>
> Fixes: f4cdbb3f25c1 ("Bluetooth: Handle HCI raw socket transition from unbound to bound")
> Signed-off-by: Jerry Wu <w.7erry@...mail.com>
> ---
> Commit 25c150ac103a ("bluetooth: Perform careful capability checks in hci_sock_ioctl()")
> fixed CVE-2023-2002. hci_sock_bind() contains similar logic. Would it make sense to
> fix it in the same way?
>
> Thank you for spending time reading this. Apologies if I missed anything.
>
> net/bluetooth/hci_sock.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
> index 4e7bf63af9c5..2bab2532dd9a 100644
> --- a/net/bluetooth/hci_sock.c
> +++ b/net/bluetooth/hci_sock.c
> @@ -1259,7 +1259,7 @@ static int hci_sock_bind(struct socket *sock, struct sockaddr_unsized *addr,
> }
> }
>
> - if (capable(CAP_NET_ADMIN))
> + if (sk_capable(CAP_NET_ADMIN))
> hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
>
> hci_pi(sk)->hdev = hdev;
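Review bot: the `+` line in this hunk does not compile as written, because sk_capable() takes the socket as its first argument; it should read `sk_capable(sk, CAP_NET_ADMIN)`. `sk` is already in scope at this point, as the unchanged `hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);` on the next line shows. A build of the patched net/bluetooth/hci_sock.c would have flagged this before posting.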
> @@ -1427,7 +1427,7 @@ static int hci_sock_bind(struct socket *sock, struct sockaddr_unsized *addr,
> * untrusted users the interface is restricted and
> * also only untrusted events are sent.
> */
> - if (capable(CAP_NET_ADMIN))
> + if (sk_capable(CAP_NET_ADMIN))
> hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
>
> hci_pi(sk)->channel = haddr.hci_channel;
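Review bot: same missing argument as in the first hunk; the `+` line should be `sk_capable(sk, CAP_NET_ADMIN)` here too. The comment directly above this check explains that untrusted users get a restricted interface and only untrusted events, so this is the decision point for what an unprivileged opener can reach, and it would help reviewers if the commit message said explicitly that both capable() call sites in hci_sock_bind() are converted.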
> --
> 2.52.0
Seems like you didn't build test this before sending; it should have
been sk_capable(sk, CAP_NET_ADMIN).
--
Luiz Augusto von Dentz
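The confused-deputy scenario from the commit message, as an added user-space model (not kernel code, and not part of this thread or the patch). It shows why a capability check that looks only at the calling task lets a privileged task mark an unprivileged opener's socket trusted, while a check that also requires the opener to hold the capability does not. The struct names, the `*_model` functions, the capability and flag bit values, and the three scenario functions are all invented for this illustration; the real sk_capable(sk, cap) consults the credentials stored with the socket's file as well as the current task, which is the behaviour modelled here.

```c
/* Added example: a user-space model of capable() vs sk_capable() as used
 * in hci_sock_bind(). Everything here is a hypothetical stand-in for the
 * kernel's structures; the bit values below are not the real ones. */
#include <stdbool.h>
#include <stdio.h>

#define CAP_NET_ADMIN_BIT    (1u << 0)  /* stand-in for CAP_NET_ADMIN */
#define HCI_SOCK_TRUSTED_BIT (1u << 0)  /* stand-in for HCI_SOCK_TRUSTED */

/* Hypothetical credentials: the set of capabilities a task holds. */
struct cred_model {
    unsigned int caps;
};

/* Hypothetical socket: remembers who opened it, plus its flag word. */
struct sock_model {
    struct cred_model opener;  /* credentials of the task that created it */
    unsigned int flags;
};

/* Model of capable(): only the task currently in the syscall is checked. */
static bool capable_model(const struct cred_model *caller, unsigned int cap)
{
    return (caller->caps & cap) != 0;
}

/* Model of sk_capable(): the socket's opener AND the current task must
 * both hold the capability. */
static bool sk_capable_model(const struct sock_model *sk,
                             const struct cred_model *caller, unsigned int cap)
{
    return (sk->opener.caps & cap) != 0 && capable_model(caller, cap);
}

/* The bind() step before the fix: trust is granted on the caller alone. */
static void bind_before_fix(struct sock_model *sk, const struct cred_model *caller)
{
    if (capable_model(caller, CAP_NET_ADMIN_BIT))
        sk->flags |= HCI_SOCK_TRUSTED_BIT;
}

/* The bind() step after the fix: opener and caller are both checked. */
static void bind_after_fix(struct sock_model *sk, const struct cred_model *caller)
{
    if (sk_capable_model(sk, caller, CAP_NET_ADMIN_BIT))
        sk->flags |= HCI_SOCK_TRUSTED_BIT;
}

/* Runs one bind() with the chosen check and reports whether the socket
 * ended up trusted. */
static bool run_bind(struct cred_model opener, struct cred_model caller, bool use_fix)
{
    struct sock_model sk = { .opener = opener, .flags = 0 };

    if (use_fix)
        bind_after_fix(&sk, &caller);
    else
        bind_before_fix(&sk, &caller);
    return (sk.flags & HCI_SOCK_TRUSTED_BIT) != 0;
}

/* Confused deputy: an unprivileged task opens the socket, a privileged task
 * is tricked into calling bind() on it. */
bool deputy_scenario(bool use_fix)
{
    struct cred_model unpriv = { .caps = 0 };
    struct cred_model priv = { .caps = CAP_NET_ADMIN_BIT };
    return run_bind(unpriv, priv, use_fix);
}

/* Legitimate use: a privileged task opens and binds its own socket. */
bool legitimate_scenario(bool use_fix)
{
    struct cred_model priv = { .caps = CAP_NET_ADMIN_BIT };
    return run_bind(priv, priv, use_fix);
}

/* Privileged opener, unprivileged caller: neither check grants trust. */
bool unprivileged_caller_scenario(bool use_fix)
{
    struct cred_model unpriv = { .caps = 0 };
    struct cred_model priv = { .caps = CAP_NET_ADMIN_BIT };
    return run_bind(priv, unpriv, use_fix);
}

int main(void)
{
    printf("deputy, capable():      trusted=%d\n", deputy_scenario(false));
    printf("deputy, sk_capable():   trusted=%d\n", deputy_scenario(true));
    printf("legit,  sk_capable():   trusted=%d\n", legitimate_scenario(true));
    printf("unpriv caller, either:  trusted=%d\n", unprivileged_caller_scenario(true));
    return 0;
}
```

The only scenario where the two checks disagree is the deputy one: with the pre-fix check the socket comes out trusted even though its opener never held the capability, which is exactly the state the patch description says the unprivileged program then retains access to. The other two scenarios behave identically under both checks, which is why the change is safe for legitimate privileged users.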