Message ID | 20230416080251.7717-1-lrh2000@pku.edu.cn |
---|---|
State | Accepted |
Commit | b843cda0a3537507bd58a0cd8093935d3d2b0965 |
Series | bluetooth: Add cmd validity checks at the start of hci_sock_ioctl() |
Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Sun, 16 Apr 2023 16:02:51 +0800 you wrote:
> Previously, channel open messages were always sent to monitors on the first
> ioctl() call for unbound HCI sockets, even if the command and arguments
> were completely invalid. This can leave an exploitable hole with the abuse
> of invalid ioctl calls.
>
> This commit hardens the ioctl processing logic by first checking if the
> command is valid, and immediately returning with an ENOIOCTLCMD error code
> if it is not. This ensures that ioctl calls with invalid commands are free
> of side effects, and increases the difficulty of further exploitation by
> forcing exploitation to find a way to pass a valid command first.
>
> [...]

Here is the summary with links:
  - bluetooth: Add cmd validity checks at the start of hci_sock_ioctl()
    https://git.kernel.org/bluetooth/bluetooth-next/c/5612e6a8ff35

You are awesome, thank you!
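The commit message above describes an ordering fix: the monitor "channel open" event must not be emitted until the command number has been checked, otherwise an invalid ioctl still leaves a side effect behind. The following user-space model, added here as an illustration and not taken from the kernel or from the patch, shows the pre-fix and post-fix orderings side by side and measures the side effect. Everything in it is constructed: the `MODEL_*` command numbers stand in for the real HCI ioctl macros, `struct model_sock` and `emit_monitor_open()` stand in for the socket cookie and monitor plumbing in `hci_sock.c`, and `MODEL_ENOIOCTLCMD` carries the kernel-internal value so the model builds outside the kernel.

```c
#include <stdbool.h>
#include <stdio.h>

/* Kernel-internal errno returned by the patch. User space never sees it
 * (the VFS maps it to ENOTTY), so it is defined here for the model only. */
#define MODEL_ENOIOCTLCMD 515

/* Constructed command numbers standing in for the real HCI* ioctl macros. */
enum model_cmd {
    MODEL_HCIGETDEVLIST = 1,
    MODEL_HCIDEVUP      = 2,
    MODEL_HCIDEVDOWN    = 3,
    MODEL_CMD_BOGUS     = 0x7fff, /* anything not in the accepted set */
};

/* Per-socket state: the open event is sent once, when the cookie is made. */
struct model_sock {
    bool cookie_generated;
};

/* Number of monitor "open" events emitted; this is the observable side effect
 * the patch wants invalid commands to be free of. */
static int monitor_open_events;

static void emit_monitor_open(struct model_sock *sk)
{
    if (!sk->cookie_generated) {
        sk->cookie_generated = true;   /* cookie is generated once per socket */
        monitor_open_events++;
    }
}

/* Allow-list of command numbers, mirroring the switch the patch adds. */
static bool cmd_is_known(unsigned int cmd)
{
    switch (cmd) {
    case MODEL_HCIGETDEVLIST:
    case MODEL_HCIDEVUP:
    case MODEL_HCIDEVDOWN:
        return true;
    default:
        return false;
    }
}

/* Pre-fix ordering: side effect first, validity check only at dispatch. */
static int ioctl_before_fix(struct model_sock *sk, unsigned int cmd)
{
    emit_monitor_open(sk);
    return cmd_is_known(cmd) ? 0 : -MODEL_ENOIOCTLCMD;
}

/* Post-fix ordering: reject unknown commands before touching any state. */
static int ioctl_after_fix(struct model_sock *sk, unsigned int cmd)
{
    if (!cmd_is_known(cmd))
        return -MODEL_ENOIOCTLCMD;
    emit_monitor_open(sk);
    return 0;
}

typedef int (*model_ioctl_fn)(struct model_sock *, unsigned int);

/* Run one ioctl on a fresh socket and report how many monitor open events it
 * produced; 0 means the call was free of side effects. */
static int monitor_events_from_cmd(model_ioctl_fn handler, unsigned int cmd)
{
    struct model_sock sk = { .cookie_generated = false };
    monitor_open_events = 0;
    handler(&sk, cmd);
    return monitor_open_events;
}

/* Return code of one ioctl on a fresh socket. */
static int return_code_for(model_ioctl_fn handler, unsigned int cmd)
{
    struct model_sock sk = { .cookie_generated = false };
    monitor_open_events = 0;
    return handler(&sk, cmd);
}

int main(void)
{
    printf("bogus cmd, before fix: rc=%d, monitor events=%d\n",
           return_code_for(ioctl_before_fix, MODEL_CMD_BOGUS),
           monitor_events_from_cmd(ioctl_before_fix, MODEL_CMD_BOGUS));
    printf("bogus cmd, after fix:  rc=%d, monitor events=%d\n",
           return_code_for(ioctl_after_fix, MODEL_CMD_BOGUS),
           monitor_events_from_cmd(ioctl_after_fix, MODEL_CMD_BOGUS));
    printf("valid cmd, after fix:  rc=%d, monitor events=%d\n",
           return_code_for(ioctl_after_fix, MODEL_HCIDEVUP),
           monitor_events_from_cmd(ioctl_after_fix, MODEL_HCIDEVUP));
    return 0;
}
```

The point to take from the model is that both orderings return the same error for an unknown command; only the event count distinguishes them. A regression test for this class of fix therefore has to observe the side channel (here, the monitor event counter; in the kernel, a monitor socket) rather than the ioctl return value.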
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c index f597fe0db..1d249d839 100644 --- a/net/bluetooth/hci_sock.c +++ b/net/bluetooth/hci_sock.c @@ -987,6 +987,34 @@ static int hci_sock_ioctl(struct socket *sock, unsigned int cmd, BT_DBG("cmd %x arg %lx", cmd, arg); + /* Make sure the cmd is valid before doing anything */ + switch (cmd) { + case HCIGETDEVLIST: + case HCIGETDEVINFO: + case HCIGETCONNLIST: + case HCIDEVUP: + case HCIDEVDOWN: + case HCIDEVRESET: + case HCIDEVRESTAT: + case HCISETSCAN: + case HCISETAUTH: + case HCISETENCRYPT: + case HCISETPTYPE: + case HCISETLINKPOL: + case HCISETLINKMODE: + case HCISETACLMTU: + case HCISETSCOMTU: + case HCIINQUIRY: + case HCISETRAW: + case HCIGETCONNINFO: + case HCIGETAUTHINFO: + case HCIBLOCKADDR: + case HCIUNBLOCKADDR: + break; + default: + return -ENOIOCTLCMD; + } + lock_sock(sk); if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
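Review bot: the new switch repeats, as bare case labels, the set of commands that hci_sock_ioctl() handles later, so there are now two lists to keep in sync by hand; a command added to the later handling but not to this list would be rejected with -ENOIOCTLCMD before it is reached. Suggest either a comment at both sites pointing at each other, or generating both from a single list (for example a macro that expands to the `case` labels). It would also help to state in the commit message that the check intentionally sits before `lock_sock(sk)` and before the `hci_pi(sk)->channel != HCI_CHANNEL_RAW` test, since an unrecognised cmd on a socket bound to another channel now returns -ENOIOCTLCMD rather than the channel error, and that ordering is exactly what makes the invalid-command path free of side effects.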