| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CABBYNZLbR22cWaXA4YNwtE8=+VfdGYR5oN6TSJ-MwXCuP3=6hw@mail.gmail.com>
Date: Thu, 14 Nov 2024 21:15:38 -0500
From: Luiz Augusto von Dentz <luiz.dentz@...il.com>
To: David Wei <dw@...idwei.uk>
Cc: Michal Luczaj <mhal@...x.co>, Marcel Holtmann <marcel@...tmann.org>,
Johan Hedberg <johan.hedberg@...il.com>, "David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>, Paolo Abeni <pabeni@...hat.com>, Simon Horman <horms@...nel.org>,
David Howells <dhowells@...hat.com>, Marc Dionne <marc.dionne@...istor.com>,
Luiz Augusto von Dentz <luiz.von.dentz@...el.com>, linux-bluetooth@...r.kernel.org,
netdev@...r.kernel.org, linux-afs@...ts.infradead.org,
Jakub Kicinski <kuba@...nel.org>
Subject: Re: [PATCH net 1/4] bluetooth: Improve setsockopt() handling of
malformed user input
Hi David,
On Thu, Nov 14, 2024 at 7:42 PM David Wei <dw@...idwei.uk> wrote:
>
> On 2024-11-14 15:27, Michal Luczaj wrote:
> > The bt_copy_from_sockptr() return value is being misinterpreted by most
> > users: a non-zero result is mistakenly assumed to represent an error code,
> > but actually indicates the number of bytes that could not be copied.
> >
> > Remove bt_copy_from_sockptr() and adapt callers to use
> > copy_safe_from_sockptr().
> >
> > For sco_sock_setsockopt() (case BT_CODEC) use copy_struct_from_sockptr() to
> > scrub parts of uninitialized buffer.
> >
> > Opportunistically, rename `len` to `optlen` in hci_sock_setsockopt_old()
> > and hci_sock_setsockopt().
> >
> > Fixes: 51eda36d33e4 ("Bluetooth: SCO: Fix not validating setsockopt user input")
> > Fixes: a97de7bff13b ("Bluetooth: RFCOMM: Fix not validating setsockopt user input")
> > Fixes: 4f3951242ace ("Bluetooth: L2CAP: Fix not validating setsockopt user input")
> > Fixes: 9e8742cdfc4b ("Bluetooth: ISO: Fix not validating setsockopt user input")
> > Fixes: b2186061d604 ("Bluetooth: hci_sock: Fix not validating setsockopt user input")
> > Signed-off-by: Michal Luczaj <mhal@...x.co>
> > ---
> > include/net/bluetooth/bluetooth.h | 9 ---------
> > net/bluetooth/hci_sock.c | 14 +++++++-------
> > net/bluetooth/iso.c | 10 +++++-----
> > net/bluetooth/l2cap_sock.c | 20 +++++++++++---------
> > net/bluetooth/rfcomm/sock.c | 9 ++++-----
> > net/bluetooth/sco.c | 11 ++++++-----
> > 6 files changed, 33 insertions(+), 40 deletions(-)
> >
> ...
> > diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
> > index f48250e3f2e103c75d5937e1608e43c123aa3297..1001fb4cc21c0ecc7bcdd3ea9041770ede4f27b8 100644
> > --- a/net/bluetooth/rfcomm/sock.c
> > +++ b/net/bluetooth/rfcomm/sock.c
> > @@ -629,10 +629,9 @@ static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname,
> >
> > switch (optname) {
> > case RFCOMM_LM:
> > - if (bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen)) {
> > - err = -EFAULT;
> > + err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
> > + if (err)
> > break;
> > - }
>
> This will return a positive integer if copy_safe_from_sockptr() fails.
What are you talking about copy_safe_from_sockptr never returns a
positive value:
* Returns:
* * -EINVAL: @optlen < @ksize
* * -EFAULT: access to userspace failed.
* * 0 : @ksize bytes were copied
> Shouldn't this be:
>
> err = -EFAULT;
> if (copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen))
> break;
--
Luiz Augusto von Dentz
Powered by blists - more mailing lists