From: Jinmeng Zhou
Date: Tue, 15 Feb 2022 20:37:56 +0800
Subject: 4 missing check bugs
To: marcel@holtmann.org, johan.hedberg@gmail.com, davem@davemloft.net, Jakub Kicinski
Cc: linux-bluetooth@vger.kernel.org, netdev@vger.kernel.org, shenwenbosmile@gmail.com

Dear maintainers,

Hi, our tool finds several missing-check bugs in Linux kernel v4.18.5 using static analysis. We are looking forward to having more experts' eyes on this. Thank you!

Before calling sk_alloc() with SOCK_RAW type, there should be a permission check, ns_capable(ns, CAP_NET_RAW). For example,

    static int xsk_create(struct net *net, struct socket *sock, int protocol,
                          int kern)
    {
            struct xdp_sock *xs;
            struct sock *sk;

            /* permission check before the raw socket is allocated */
            if (!ns_capable(net->user_ns, CAP_NET_RAW))
                    return -EPERM;
            if (sock->type != SOCK_RAW)
                    return -ESOCKTNOSUPPORT;
            ...
            sk = sk_alloc(net, PF_XDP, GFP_KERNEL, &xsk_proto, kern);
            if (!sk)
                    return -ENOBUFS;
            ...
    }

We find 4 missing check bugs. The functions that miss permission checks in v4.18.5:

net/bluetooth/hidp/sock.c

    static int hidp_sock_create(struct net *net, struct socket *sock, int protocol,
                                int kern)
    {
            struct sock *sk;

            BT_DBG("sock %p", sock);

            if (sock->type != SOCK_RAW)
                    return -ESOCKTNOSUPPORT;

            /* no ns_capable() check before sk_alloc() */
            sk = sk_alloc(net, PF_BLUETOOTH, GFP_ATOMIC, &hidp_proto, kern);
            if (!sk)
                    return -ENOMEM;
            ...
    }

net/bluetooth/cmtp/sock.c

    static int cmtp_sock_create(struct net *net, struct socket *sock, int protocol,
                                int kern)
    {
            struct sock *sk;

            BT_DBG("sock %p", sock);

            if (sock->type != SOCK_RAW)
                    return -ESOCKTNOSUPPORT;

            /* no ns_capable() check before sk_alloc() */
            sk = sk_alloc(net, PF_BLUETOOTH, GFP_ATOMIC, &cmtp_proto, kern);
            if (!sk)
                    return -ENOMEM;
            ...
    }

net/bluetooth/hci_sock.c

    static int hci_sock_create(struct net *net, struct socket *sock, int protocol,
                               int kern)
    {
            struct sock *sk;

            BT_DBG("sock %p", sock);

            if (sock->type != SOCK_RAW)
                    return -ESOCKTNOSUPPORT;

            sock->ops = &hci_sock_ops;

            /* no ns_capable() check before sk_alloc() */
            sk = sk_alloc(net, PF_BLUETOOTH, GFP_ATOMIC, &hci_sk_proto, kern);
            if (!sk)
                    return -ENOMEM;
            ...
    }

net/bluetooth/bnep/sock.c

    static int bnep_sock_create(struct net *net, struct socket *sock, int protocol,
                                int kern)
    {
            struct sock *sk;

            BT_DBG("sock %p", sock);

            if (sock->type != SOCK_RAW)
                    return -ESOCKTNOSUPPORT;

            /* no ns_capable() check before sk_alloc() */
            sk = sk_alloc(net, PF_BLUETOOTH, GFP_ATOMIC, &bnep_proto, kern);
            if (!sk)
                    return -ENOMEM;
            ...
    }

Thanks again!

Best regards,
Jinmeng Zhou
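An added userspace audit program (not part of the report above or of the kernel tree) that lets an administrator verify whether the running kernel enforces the CAP_NET_RAW check for the four raw Bluetooth socket types named in the report: run it as an unprivileged user and a DENIED verdict means the check is present. The BTPROTO_* values are the standard numbers from the BlueZ header, redefined here so the program builds without it.

```c
/* Audit helper: does this kernel refuse raw Bluetooth sockets to a caller
 * without CAP_NET_RAW?  Run as an unprivileged user on the host under test. */
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>
/* Protocol numbers from <bluetooth/bluetooth.h>, redefined so this builds without BlueZ. */
#define BTPROTO_HCI  1
#define BTPROTO_BNEP 4
#define BTPROTO_CMTP 5
#define BTPROTO_HIDP 6
enum probe_result {
    PROBE_ALLOWED,     /* socket() succeeded: no capability check enforced */
    PROBE_DENIED,      /* EPERM/EACCES: the CAP_NET_RAW check is in place */
    PROBE_UNAVAILABLE, /* family/protocol not compiled in or module not loaded */
    PROBE_OTHER        /* anything else: inspect errno */
};

/* Pure mapping from a socket() errno to the audit verdict. */
enum probe_result classify_errno(int err)
{
    switch (err) {
    case EPERM: case EACCES:
        return PROBE_DENIED;
    case EAFNOSUPPORT: case EPROTONOSUPPORT: case ESOCKTNOSUPPORT:
        return PROBE_UNAVAILABLE;
    default:
        return PROBE_OTHER;
    }
}
/* Attempt one raw Bluetooth socket of the given sub-protocol and classify it. */
enum probe_result probe_raw_bt(int proto)
{
    int fd = socket(AF_BLUETOOTH, SOCK_RAW, proto);
    if (fd >= 0) {
        close(fd);
        return PROBE_ALLOWED;
    }
    return classify_errno(errno);
}
int main(void)
{
    static const struct { const char *name; int proto; } probes[] = {
        { "hci", BTPROTO_HCI }, { "bnep", BTPROTO_BNEP },
        { "cmtp", BTPROTO_CMTP }, { "hidp", BTPROTO_HIDP } };
    static const char *const verdict[] = { "ALLOWED", "DENIED", "UNAVAILABLE", "OTHER" };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-4s SOCK_RAW: %s\n", probes[i].name, verdict[probe_raw_bt(probes[i].proto)]);
    return 0;
}
```

A DENIED verdict can also be produced by seccomp or an LSM policy rather than by the kernel's own capability check, so run the probe from an unconfined shell; ALLOWED for a non-root user is the condition the report describes.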