From: Ruihan Li
To: linux-bluetooth@vger.kernel.org
Cc: Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz, Ruihan Li
Subject: [PATCH] bluetooth: Add cmd validity checks at the start of hci_sock_ioctl()
Date: Sun, 16 Apr 2023 16:02:51 +0800
Message-Id: <20230416080251.7717-1-lrh2000@pku.edu.cn>
X-Mailer: git-send-email 2.40.0
X-Mailing-List: linux-bluetooth@vger.kernel.org

Previously, channel open
messages were always sent to monitors on the first ioctl() call for unbound HCI sockets, even if the command and arguments were completely invalid. This can leave an exploitable hole with the abuse of invalid ioctl calls. This commit hardens the ioctl processing logic by first checking if the command is valid, and immediately returning with an ENOIOCTLCMD error code if it is not. This ensures that ioctl calls with invalid commands are free of side effects, and increases the difficulty of further exploitation by forcing exploitation to find a way to pass a valid command first. Signed-off-by: Ruihan Li Co-developed-by: Marcel Holtmann Signed-off-by: Marcel Holtmann --- net/bluetooth/hci_sock.c | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c index f597fe0db..1d249d839 100644 --- a/net/bluetooth/hci_sock.c +++ b/net/bluetooth/hci_sock.c @@ -987,6 +987,34 @@ static int hci_sock_ioctl(struct socket *sock, unsigned int cmd, BT_DBG("cmd %x arg %lx", cmd, arg); + /* Make sure the cmd is valid before doing anything */ + switch (cmd) { + case HCIGETDEVLIST: + case HCIGETDEVINFO: + case HCIGETCONNLIST: + case HCIDEVUP: + case HCIDEVDOWN: + case HCIDEVRESET: + case HCIDEVRESTAT: + case HCISETSCAN: + case HCISETAUTH: + case HCISETENCRYPT: + case HCISETPTYPE: + case HCISETLINKPOL: + case HCISETLINKMODE: + case HCISETACLMTU: + case HCISETSCOMTU: + case HCIINQUIRY: + case HCISETRAW: + case HCIGETCONNINFO: + case HCIGETAUTHINFO: + case HCIBLOCKADDR: + case HCIUNBLOCKADDR: + break; + default: + return -ENOIOCTLCMD; + } + lock_sock(sk); if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) { -- 2.40.0
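Review bot: the allow-list in the new switch has to be kept in step with the per-command handling that follows in hci_sock_ioctl(); a command added to that handling later but not to this list will be rejected with -ENOIOCTLCMD before it is ever reached, so a comment at the later handling pointing back to this check (or a single shared list of the HCI* ioctl numbers) would make the coupling explicit. The placement itself is right: the early return sits before lock_sock(sk) and before the HCI_CHANNEL_RAW check, so an unknown cmd now takes no lock and cannot trigger the channel-open message to monitors that the commit message describes, which is exactly the side-effect-free behaviour the patch sets out to guarantee. The hunk header (+28 lines) agrees with the diffstat.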