Received: by 2002:ab2:3350:0:b0:1f4:6588:b3a7 with SMTP id o16csp92519lqe; Fri, 5 Apr 2024 13:48:51 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCX0YivPLxkcRGGUhvFV2pgBdzOy2EOAJNgf0jBG26uDE08CFwcD86qJuX944e4wR+7X+QgqACLwK8ktrJuwNr8J7/gErDbcyc4LGuyRMQ== X-Google-Smtp-Source: AGHT+IFxXbHuVygd9slILTATm1OkdKuxkgIJ5OJm3muucnrbcuAJqNChpb9j9UUchy1xvwksRktR X-Received: by 2002:a50:c30c:0:b0:56d:c295:dde3 with SMTP id a12-20020a50c30c000000b0056dc295dde3mr2052538edb.35.1712350131355; Fri, 05 Apr 2024 13:48:51 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1712350131; cv=pass; d=google.com; s=arc-20160816; b=YE6OKWXR5cqW4wTkJ8NNySZARumC0hLvOF40c67oXrWT2SZw57Sn7LzXD27sDveQ6O 9XwCunlBLUveEw7hxU4eI5Ar1QzdrNgnNAzWKbkFZsi/9GDnp9e+PIwIaadTl7m3FPUW sVOhCd1s9a9YBMuVH+IhEB5HsbbAp84GhN0IVL2YCpSXI1IUBOOzLyuF/Zr7/D5FKGJ8 WDstCqCA3vnd6Nu1ywY/MpEay2mQ683vZqRhYjLLaRMph7Wtz/gfwNMx1n7QKCBxiArW c5RtuPJeJcPHWzi/Jt5cyqx52gxNmE05e6/TWQU300InM2HpQ2HLbI598yXX2uTMVOec /Guw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:in-reply-to:message-id :date:subject:to:from:dkim-signature; bh=gEl/NKTGQ+goyt2u6Uu6Fkz+Gbi0fKWM7UDj1mD+wHk=; fh=4lGQI6056MBa4/oovMyIYaKLn+Wz/24RGvUivMmQP8E=; b=TBVUejL1Jb4c3rFbc40KCi7dx4dgmaYkbcuHThCISXzdmSCMNo/IuOrQHhWqqgij1V JxuNRJx55axNLSGdB91d/WEEkNJk3K6Uwf4gwqCei+/n8pVYl/ocvLyHkStqUfaQUJPm fteqZJh6rS4/cB59rJlJCpGPhn5Ti60nkETNVpTYA7xf+feDZrp558PycYUGpYeZzb8r +L9JkGBJO5+dvQJfvRSqNN3TQtnViLnUkmPTEog3GmJHs1vNFtb09p75tdoRevyVFeba MUGvqdE3Dw0KTRNfG8gT3KrDZbcQOi+tlI3Zb/ARA8+B6VLalN6OZrgkkEo0yjbYi54W pr3g==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=kdS740+0; arc=pass (i=1 spf=pass spfdomain=gmail.com dkim=pass dkdomain=gmail.com dmarc=pass fromdomain=gmail.com); spf=pass (google.com: domain of linux-bluetooth+bounces-3301-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-bluetooth+bounces-3301-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [2604:1380:4601:e00::3]) by mx.google.com with ESMTPS id l8-20020a50d6c8000000b0056c3602fb40si1034891edj.610.2024.04.05.13.48.51 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 05 Apr 2024 13:48:51 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-bluetooth+bounces-3301-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) client-ip=2604:1380:4601:e00::3; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=kdS740+0; arc=pass (i=1 spf=pass spfdomain=gmail.com dkim=pass dkdomain=gmail.com dmarc=pass fromdomain=gmail.com); spf=pass (google.com: domain of linux-bluetooth+bounces-3301-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-bluetooth+bounces-3301-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id D82D51F22581 for ; Fri, 5 Apr 2024 20:48:50 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 144C2174EF0; Fri, 5 Apr 2024 20:48:41 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="kdS740+0" X-Original-To: linux-bluetooth@vger.kernel.org Received: from mail-vk1-f169.google.com (mail-vk1-f169.google.com [209.85.221.169]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0B8FC1C6A8 for ; Fri, 5 Apr 2024 20:48:38 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.169 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712350120; cv=none; b=a2repXyYtMf2wPbTcwshBwbGv7uy8JxsOLgNYhwJGPmoy5pM1gm+h7YkCQ23RBAftg3YZXqTtIKd0/6s7uw0++Hhqeo4dqV6xofiX0nY3UETkOTMF7BEBpz9SzdBStbWqyJjb9DpdUjBITOkmecGBXFyyFtsvViFewJNE/dElLw= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712350120; c=relaxed/simple; bh=z8ZBwjeIXrRw07mNy+A8R9cQ54jR79d7glQoja4OIcE=; h=From:To:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=YB33zFnoLVd7617Cibw16NTFso5uCjz0Hc55iEAn4/40oyXv89VzeHWw8eQnqW0HK3SiFHTFR/IwD58M8cOiw/3XR5a3DporACzJ5Zj+UJmz3pr3qVKiuAyw4AxsBJ4qNE7ZkOXCgbZgu1B6EsXDfSYIg4yXfmycAtYy4/T4WbY= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=kdS740+0; arc=none smtp.client-ip=209.85.221.169 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Received: by mail-vk1-f169.google.com with SMTP id 71dfb90a1353d-4daa8466d6fso699567e0c.2 for ; Fri, 05 Apr 2024 13:48:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1712350117; x=1712954917; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=gEl/NKTGQ+goyt2u6Uu6Fkz+Gbi0fKWM7UDj1mD+wHk=; b=kdS740+0/v5AHP7Nvni3EZIzwNUY8y/OdP3Ebsy8d0/x+eakUZH/qT3YQkbQF3XS5f 2rowAE1ZZPlq8VsemHlkWvtutQrdQ6arA3+IFJLHk0poz4BAQczvIuCie/lJ8fHA57il llh2bVu7x6ViWAh1AY4V1InEU0WhE/aO7YnPh94/oHAOVU7DTRGRv7VHclz3K/iPgl1M KZPWWzPEbT2FpeYIMhVo4TsGMIHgpeCRTbuijBNjhEK7t5OH8ygGUnnghgWlcXGNuj+a wugG5lFxSfzk+hrKv6l/04uTAyoGTJ4cX+aIEJNIrNa42rBRpMd48ahDMW26p3gipJcg FTkw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712350117; x=1712954917; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=gEl/NKTGQ+goyt2u6Uu6Fkz+Gbi0fKWM7UDj1mD+wHk=; b=vk3G7Itj1vPkoRBfhIFUbFC48jkt6e6npElTmwTVrCeuN4NeiOgAe9rhmtwkyC72F+ /K9OktDzEjbUghg4CwwvIpK4wfQuXwlZ4R2qenM4uSW6Tf/pu8FQ9tNVM9Q3e/NEBQil l0CiZMRtPEv23SkNemsnji/34MrZSXBZ8kIbLpy9hiUB/tBAS5PUyDxJxPuKni8oZ3W6 Jqw54PWsczNKATBA0E1PfgxJBHD+iX6ORyhTZ836p0BZQ7BrMKGsYcGy/LeB3g8lKfUF edk1J7WUSqL5PSLmWH2mUV8hwKGHFtsSasNsnzgTVJZsqpZ2N1rIbnI7WLzpMEMrAU3j lwXw== X-Gm-Message-State: AOJu0YycczFkn1x6q0QtQNH9gcLwrHVda07jdaK9eH7wKfNQJo6VMGAi 35vxBgtmf2MSSdIHT0EvaHdsuiXvk+w/od7wqykEGr/ytk0QahTtzv2cfzTM X-Received: by 2002:a05:6122:a0b:b0:4d3:36b9:2c26 with SMTP id 11-20020a0561220a0b00b004d336b92c26mr2936268vkn.14.1712350117304; Fri, 05 Apr 2024 13:48:37 -0700 (PDT) Received: from lvondent-mobl4.. (107-146-107-067.biz.spectrum.com. [107.146.107.67]) by smtp.gmail.com with ESMTPSA id y72-20020a1f7d4b000000b004d8a496db23sm336004vkc.1.2024.04.05.13.48.35 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 05 Apr 2024 13:48:36 -0700 (PDT) From: Luiz Augusto von Dentz To: linux-bluetooth@vger.kernel.org Subject: [PATCH v2 5/5] Bluetooth: hci_sock: Fix not validating setsockopt user input Date: Fri, 5 Apr 2024 16:48:27 -0400 Message-ID: <20240405204827.3458726-5-luiz.dentz@gmail.com> X-Mailer: git-send-email 2.44.0 In-Reply-To: <20240405204827.3458726-1-luiz.dentz@gmail.com> References: <20240405204827.3458726-1-luiz.dentz@gmail.com> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit From: Luiz Augusto von Dentz Check user input length before copying data. Fixes: 09572fca7223 ("Bluetooth: hci_sock: Add support for BT_{SND,RCV}BUF") Signed-off-by: Luiz Augusto von Dentz --- net/bluetooth/hci_sock.c | 21 ++++++++------------- 1 file changed, 8 insertions(+), 13 deletions(-) diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c index 4ee1b976678b..703b84bd48d5 100644 --- a/net/bluetooth/hci_sock.c +++ b/net/bluetooth/hci_sock.c @@ -1946,10 +1946,9 @@ static int hci_sock_setsockopt_old(struct socket *sock, int level, int optname, switch (optname) { case HCI_DATA_DIR: - if (copy_from_sockptr(&opt, optval, sizeof(opt))) { - err = -EFAULT; + err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, len); + if (err) break; - } if (opt) hci_pi(sk)->cmsg_mask |= HCI_CMSG_DIR; @@ -1958,10 +1957,9 @@ static int hci_sock_setsockopt_old(struct socket *sock, int level, int optname, break; case HCI_TIME_STAMP: - if (copy_from_sockptr(&opt, optval, sizeof(opt))) { - err = -EFAULT; + err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, len); + if (err) break; - } if (opt) hci_pi(sk)->cmsg_mask |= HCI_CMSG_TSTAMP; @@ -1979,11 +1977,9 @@ static int hci_sock_setsockopt_old(struct socket *sock, int level, int optname, uf.event_mask[1] = *((u32 *) f->event_mask + 1); } - len = min_t(unsigned int, len, sizeof(uf)); - if (copy_from_sockptr(&uf, optval, len)) { - err = -EFAULT; + err = bt_copy_from_sockptr(&uf, sizeof(uf), optval, len); + if (err) break; - } if (!capable(CAP_NET_RAW)) { uf.type_mask &= hci_sec_filter.type_mask; @@ -2042,10 +2038,9 @@ static int hci_sock_setsockopt(struct socket *sock, int level, int optname, goto done; } - if (copy_from_sockptr(&opt, optval, sizeof(opt))) { - err = -EFAULT; + err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, len); + if (err) break; - } hci_pi(sk)->mtu = opt; break; -- 2.44.0