From: Vladis Dronov
To: vdronov@redhat.com, Marcel Holtmann , Johan Hedberg , linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, Suraj Sumangala , Frederic Danis , Loic Poulain , Balakrishna Godavarthi , syzkaller@googlegroups.com
Subject: [PATCH v2] Bluetooth: hci_ldisc: check for missing tty operations
Date: Fri, 26 Jul 2019 16:26:28 +0200
Message-Id: <20190726142628.20534-1-vdronov@redhat.com>
X-Mailing-List: linux-bluetooth@vger.kernel.org

Certain tty operations (pty_unix98_ops) lack the tiocmget() and tiocmset() functions, which are called by certain HCI UART protocols (hci_ath, hci_bcm, hci_intel, hci_mrvl, hci_qca) via hci_uart_set_flow_control() or directly. This leads to an execution at NULL and can be triggered by an unprivileged user.

Fix this by adding a check for the missing tty operations, the same way it is done for write(). This fixes CVE-2019-10207.

The Fixes: lines list commits where calls to tiocm[gs]et() or hci_uart_set_flow_control() were added to the HCI UART protocols.

Link: https://syzkaller.appspot.com/bug?id=1b42faa2848963564a5b1b7f8c837ea7b55ffa50
Reported-by: syzbot+79337b501d6aa974d0f6@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org # v2.6.36+
Fixes: c19483cc5e56 ("bluetooth: Fix missing NULL check")
Fixes: b3190df62861 ("Bluetooth: Support for Atheros AR300x serial chip")
Fixes: 118612fb9165 ("Bluetooth: hci_bcm: Add suspend/resume PM functions")
Fixes: ff2895592f0f ("Bluetooth: hci_intel: Add Intel baudrate configuration support")
Fixes: 162f812f23ba ("Bluetooth: hci_uart: Add Marvell support")
Fixes: fa9ad876b8e0 ("Bluetooth: hci_qca: Add support for Qualcomm Bluetooth chip wcn3990")
Signed-off-by: Vladis Dronov --- out-of-commit-message-note: I believe, this is a good location for the check. This way we protect protocols which does not call tiocm[gs]et() or hci_uart_set_flow_control() but may change to call them in the future. Also we do not need hci_uart_has_tiocm_support() helper now. drivers/bluetooth/hci_ldisc.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c index c84f985f348d..4a85c51d0307 100644 --- a/drivers/bluetooth/hci_ldisc.c +++ b/drivers/bluetooth/hci_ldisc.c @@ -459,10 +459,11 @@ static int hci_uart_tty_open(struct tty_struct *tty) BT_DBG("tty %p", tty); - /* Error if the tty has no write op instead of leaving an exploitable - * hole + /* Error if the tty has no write or tiocm[gs]et ops instead of leaving + * an exploitable hole */ - if (tty->ops->write == NULL) + if (tty->ops->write == NULL || tty->ops->tiocmget == NULL || + tty->ops->tiocmset == NULL) return -EOPNOTSUPP; hu = kzalloc(sizeof(struct hci_uart), GFP_KERNEL); -- 2.21.0
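Review bot: the widened condition in hci_uart_tty_open() now returns -EOPNOTSUPP for every tty whose ops lack tiocmget or tiocmset, not only when one of the five protocols named in the commit message (hci_ath, hci_bcm, hci_intel, hci_mrvl, hci_qca) is selected, so attaching the line discipline to a pty_unix98 tty stops working even for protocols that never call tiocm[gs]et() or hci_uart_set_flow_control(). The out-of-commit note explains that this is deliberate ("protect protocols which do not call ... but may change to call them in the future"), but that trade-off belongs in the commit message itself, since it is a user-visible behaviour change that the stable backport (v2.6.36+) will carry; one sentence such as "This also rejects ttys without tiocm ops for protocols that do not currently use them, which is acceptable since the ldisc is meant for real UARTs" would document it. The updated comment ("Error if the tty has no write or tiocm[gs]et ops instead of leaving an exploitable hole") and the reuse of the existing -EOPNOTSUPP path are consistent with the surrounding write() check, so no further change is needed in the hunk itself.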