Previously, capability was checked using capable(), which verified that the
caller of the ioctl system call had the required capability. In addition,
the result of the check would be stored in the HCI_SOCK_TRUSTED flag,
making it persistent for the socket.
However, malicious programs can abuse this approach by deliberately sharing
an HCI socket with a privileged task. The HCI socket will be marked as
trusted when the privileged task occasionally makes an ioctl call.
This problem can be solved by using sk_capable() to check capability, which
ensures that not only the current task but also the socket opener has the
specified capability, thus reducing the risk of privilege escalation
through the previously identified vulnerability.
Cc: [email protected]
Fixes: f81f5b2db869 ("Bluetooth: Send control open and close messages for HCI raw sockets")
Signed-off-by: Ruihan Li <[email protected]>
---
net/bluetooth/hci_sock.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index 065812232..f597fe0db 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -1003,7 +1003,14 @@ static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
if (hci_sock_gen_cookie(sk)) {
struct sk_buff *skb;
- if (capable(CAP_NET_ADMIN))
+ /* Perform careful checks before setting the HCI_SOCK_TRUSTED
+ * flag. Make sure that not only the current task but also
+ * the socket opener has the required capability, since
+ * privileged programs can be tricked into making ioctl calls
+ * on HCI sockets, and the socket should not be marked as
+ * trusted simply because the ioctl caller is privileged.
+ */
+ if (sk_capable(sk, CAP_NET_ADMIN))
hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
/* Send event to monitor */
--
2.40.0
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=740182
---Test result---
Test Summary:
CheckPatch PASS 0.60 seconds
GitLint PASS 0.24 seconds
SubjectPrefix FAIL 0.48 seconds
BuildKernel PASS 40.50 seconds
CheckAllWarning PASS 44.13 seconds
CheckSparse PASS 49.42 seconds
CheckSmatch PASS 134.01 seconds
BuildKernel32 PASS 39.14 seconds
TestRunnerSetup PASS 559.05 seconds
TestRunner_l2cap-tester PASS 19.48 seconds
TestRunner_iso-tester PASS 25.39 seconds
TestRunner_bnep-tester PASS 6.68 seconds
TestRunner_mgmt-tester PASS 136.10 seconds
TestRunner_rfcomm-tester PASS 10.90 seconds
TestRunner_sco-tester PASS 10.13 seconds
TestRunner_ioctl-tester PASS 11.56 seconds
TestRunner_mesh-tester PASS 8.62 seconds
TestRunner_smp-tester PASS 9.85 seconds
TestRunner_userchan-tester PASS 7.30 seconds
IncrementalBuild PASS 36.44 seconds
Details
##############################
Test: SubjectPrefix - FAIL
Desc: Check subject contains "Bluetooth" prefix
Output:
"Bluetooth: " prefix is not specified in the subject
---
Regards,
Linux Bluetooth
Hello:
This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <[email protected]>:
On Sun, 16 Apr 2023 16:14:04 +0800 you wrote:
> Previously, capability was checked using capable(), which verified that the
> caller of the ioctl system call had the required capability. In addition,
> the result of the check would be stored in the HCI_SOCK_TRUSTED flag,
> making it persistent for the socket.
>
> However, malicious programs can abuse this approach by deliberately sharing
> an HCI socket with a privileged task. The HCI socket will be marked as
> trusted when the privileged task occasionally makes an ioctl call.
>
> [...]
Here is the summary with links:
- bluetooth: Perform careful capability checks in hci_sock_ioctl()
https://git.kernel.org/bluetooth/bluetooth-next/c/313016d28888
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html