| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <156ce25b-4344-40cd-9c72-1a45e8f77b38@davidwei.uk>
Date: Thu, 14 Nov 2024 16:42:01 -0800
From: David Wei <dw@...idwei.uk>
To: Michal Luczaj <mhal@...x.co>, Marcel Holtmann <marcel@...tmann.org>,
Johan Hedberg <johan.hedberg@...il.com>,
Luiz Augusto von Dentz <luiz.dentz@...il.com>,
"David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>,
Paolo Abeni <pabeni@...hat.com>, Simon Horman <horms@...nel.org>,
David Howells <dhowells@...hat.com>, Marc Dionne <marc.dionne@...istor.com>
Cc: Luiz Augusto von Dentz <luiz.von.dentz@...el.com>,
linux-bluetooth@...r.kernel.org, netdev@...r.kernel.org,
linux-afs@...ts.infradead.org, Jakub Kicinski <kuba@...nel.org>,
David Wei <dw@...idwei.uk>
Subject: Re: [PATCH net 1/4] bluetooth: Improve setsockopt() handling of
malformed user input
On 2024-11-14 15:27, Michal Luczaj wrote:
> The bt_copy_from_sockptr() return value is being misinterpreted by most
> users: a non-zero result is mistakenly assumed to represent an error code,
> but actually indicates the number of bytes that could not be copied.
>
> Remove bt_copy_from_sockptr() and adapt callers to use
> copy_safe_from_sockptr().
>
> For sco_sock_setsockopt() (case BT_CODEC) use copy_struct_from_sockptr() to
> scrub parts of uninitialized buffer.
>
> Opportunistically, rename `len` to `optlen` in hci_sock_setsockopt_old()
> and hci_sock_setsockopt().
>
> Fixes: 51eda36d33e4 ("Bluetooth: SCO: Fix not validating setsockopt user input")
> Fixes: a97de7bff13b ("Bluetooth: RFCOMM: Fix not validating setsockopt user input")
> Fixes: 4f3951242ace ("Bluetooth: L2CAP: Fix not validating setsockopt user input")
> Fixes: 9e8742cdfc4b ("Bluetooth: ISO: Fix not validating setsockopt user input")
> Fixes: b2186061d604 ("Bluetooth: hci_sock: Fix not validating setsockopt user input")
> Signed-off-by: Michal Luczaj <mhal@...x.co>
> ---
> include/net/bluetooth/bluetooth.h | 9 ---------
> net/bluetooth/hci_sock.c | 14 +++++++-------
> net/bluetooth/iso.c | 10 +++++-----
> net/bluetooth/l2cap_sock.c | 20 +++++++++++---------
> net/bluetooth/rfcomm/sock.c | 9 ++++-----
> net/bluetooth/sco.c | 11 ++++++-----
> 6 files changed, 33 insertions(+), 40 deletions(-)
>
...
> diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
> index f48250e3f2e103c75d5937e1608e43c123aa3297..1001fb4cc21c0ecc7bcdd3ea9041770ede4f27b8 100644
> --- a/net/bluetooth/rfcomm/sock.c
> +++ b/net/bluetooth/rfcomm/sock.c
> @@ -629,10 +629,9 @@ static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname,
>
> switch (optname) {
> case RFCOMM_LM:
> - if (bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen)) {
> - err = -EFAULT;
> + err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
> + if (err)
> break;
> - }
This will return a positive integer if copy_safe_from_sockptr() fails.
Shouldn't this be:
err = -EFAULT;
if (copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen))
break;
Powered by blists - more mailing lists