Message ID | 20220728221145.1301230-1-luiz.dentz@gmail.com |
---|---|
State | New |
Series | Bluetooth: ISO: Fix info leak in iso_sock_getsockopt() |
Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Thu, 28 Jul 2022 15:11:45 -0700 you wrote:
> From: Dan Carpenter <dan.carpenter@oracle.com>
>
> The C standard rules for when struct holes are zeroed out are slightly
> weird. The existing assignments might initialize everything, but GCC
> is allowed to (and does sometimes) leave the struct holes uninitialized,
> so instead of using yet another variable and copy the QoS settings just
> use a pointer to the stored QoS settings.
>
> [...]

Here is the summary with links:
  - Bluetooth: ISO: Fix info leak in iso_sock_getsockopt()
    https://git.kernel.org/bluetooth/bluetooth-next/c/2cd0542726ba

You are awesome, thank you!
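The struct-hole leak that the quoted commit message describes, as an added example that is not part of the thread or the kernel source. `struct demo_qos` and its values are constructed (it is not the kernel's `struct bt_iso_qos`), member stores are modelled with `memcpy()` so the result is deterministic, and the layout assumes an ABI where `uint32_t` is 4-byte aligned.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed layout for illustration; NOT the kernel's struct bt_iso_qos. */
struct demo_qos {
    uint8_t  sca;       /* offset 0, then 3 padding bytes */
    uint32_t interval;  /* offset 4 */
    uint16_t latency;   /* offset 8, then 2 bytes of tail padding */
};
#define SPAN(f) { offsetof(struct demo_qos, f), sizeof(((struct demo_qos *)0)->f) }
static const struct { size_t off, len; } members[] = { SPAN(sca), SPAN(interval), SPAN(latency) };
#define NMEMB (sizeof(members) / sizeof(members[0]))
#define QSZ   sizeof(struct demo_qos)

/* Mark every byte that no member covers (1 = hole); return the hole count. */
size_t hole_map(unsigned char *map)
{
    size_t i, holes = 0;
    memset(map, 1, QSZ);
    for (i = 0; i < NMEMB; i++)
        memset(map + members[i].off, 0, members[i].len);
    for (i = 0; i < QSZ; i++)
        holes += map[i];
    return holes;
}

/* Model: fill a stack buffer member by member, copy all QSZ bytes out, count stale bytes. */
size_t stale_bytes_exposed(int zero_first)
{
    const struct demo_qos src = { 1, 2, 3 };
    unsigned char stack[QSZ], out[QSZ], map[QSZ];
    size_t i, leaked = 0;
    memset(stack, zero_first ? 0 : 0xAA, QSZ);  /* 0xAA: leftovers of an earlier call */
    for (i = 0; i < NMEMB; i++)                 /* stores touch member bytes only */
        memcpy(stack + members[i].off,
               (const unsigned char *)&src + members[i].off, members[i].len);
    memcpy(out, stack, QSZ);                    /* stand-in for copy_to_user() */
    hole_map(map);
    for (i = 0; i < QSZ; i++)
        leaked += map[i] && out[i] == 0xAA;
    return leaked;
}

int main(void)
{
    unsigned char map[QSZ];
    printf("holes=%zu raw=%zu zeroed=%zu\n", hole_map(map), stale_bytes_exposed(0), stale_bytes_exposed(1));
    return 0;
}
```

The same `hole_map()` walk can be pointed at any struct that is copied whole to an untrusted reader, to see whether it has padding that needs zeroing at all.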
diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c index 19d003727b50..dded22cde0d1 100644 --- a/net/bluetooth/iso.c +++ b/net/bluetooth/iso.c @@ -1235,7 +1235,7 @@ static int iso_sock_getsockopt(struct socket *sock, int level, int optname, { struct sock *sk = sock->sk; int len, err = 0; - struct bt_iso_qos qos; + struct bt_iso_qos *qos; u8 base_len; u8 *base; @@ -1261,12 +1261,12 @@ static int iso_sock_getsockopt(struct socket *sock, int level, int optname, case BT_ISO_QOS: if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONNECT2) - qos = iso_pi(sk)->conn->hcon->iso_qos; + qos = &iso_pi(sk)->conn->hcon->iso_qos; else - qos = iso_pi(sk)->qos; + qos = &iso_pi(sk)->qos; - len = min_t(unsigned int, len, sizeof(qos)); - if (copy_to_user(optval, (char *)&qos, len)) + len = min_t(unsigned int, len, sizeof(*qos)); + if (copy_to_user(optval, qos, len)) err = -EFAULT; break;
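Review bot: In the declaration hunk, the new `struct bt_iso_qos *qos;` is only ever read through (`sizeof(*qos)` and the source argument of `copy_to_user()`), so it can be declared `const struct bt_iso_qos *qos;`. That documents that this getsockopt path does not modify the stored QoS and lets the compiler reject an accidental write through the pointer.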
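Review bot: In the `BT_ISO_QOS` case, `copy_to_user(optval, qos, len)` now reads straight from `iso_pi(sk)->conn->hcon->iso_qos` or `iso_pi(sk)->qos`, so whatever sits in the padding of those stored structs is what reaches user space. The fix therefore depends on both objects having been fully zeroed when they were allocated or last set, which these lines do not show; the commit message should say where that is guaranteed. The old code also copied from a stack snapshot while the new code copies from the live object, so it is worth confirming that the locking around this case keeps `conn->hcon` valid and `iso_qos` stable for the duration of the copy.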