[PATCH openEuler-22.03-LTS-SP1] Bluetooth: L2CAP: Fix not validating setsockopt user input

14 Jun 2024

From: Luiz Augusto von Dentz luiz.von.dentz@intel.com
stable inclusion
from stable-v6.8.7
commit 8ee0c132a61df9723813c40e742dc5321824daa9
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QRQE
CVE: CVE-2024-35965
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit 4f3951242ace5efc7131932e2e01e6ac6baed846 ]
Check user input length before copying data.
Fixes: 33575df7be67 ("Bluetooth: move l2cap_sock_setsockopt() to l2cap_sock.c")
Fixes: 3ee7b7cd8390 ("Bluetooth: Add BT_MODE socket option")
Signed-off-by: Eric Dumazet edumazet@google.com
Signed-off-by: Luiz Augusto von Dentz luiz.von.dentz@intel.com
Signed-off-by: Sasha Levin sashal@kernel.org
Conflicts:
        net/bluetooth/l2cap_sock.c
[The conflict occurs because the commit 54db3630deff566224de6cfb0767d2d398e68ed5 ("Bluetooth: Remove BT_HS"), which is from stable inclusion-v6.8.2, is not merged.]
Signed-off-by: Kaixiong Yu yukaixiong@huawei.com
---
 net/bluetooth/l2cap_sock.c | 52 +++++++++++++++-----------------------
 1 file changed, 20 insertions(+), 32 deletions(-)

diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 63bfbb5918fe..c91f4c190bbc 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -744,7 +744,7 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
    struct sock *sk = sock->sk;
    struct l2cap_chan *chan = l2cap_pi(sk)->chan;
    struct l2cap_options opts;
-	int len, err = 0;
+	int err = 0;
    u32 opt;
BT_DBG("sk %p", sk);
@@ -771,11 +771,9 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
    	opts.max_tx   = chan->max_tx;
    	opts.txwin_size = chan->tx_win;
-		len = min_t(unsigned int, sizeof(opts), optlen);
-		if (copy_from_sockptr(&opts, optval, len)) {
-			err = -EFAULT;
+		err = bt_copy_from_sockptr(&opts, sizeof(opts), optval, optlen);
+		if (err)
    		break;
-		}
if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) {
    		err = -EINVAL;
@@ -818,10 +816,9 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
    	break;
case L2CAP_LM:
-		if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
-			err = -EFAULT;
+		err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
+		if (err)
    		break;
-		}
if (opt & L2CAP_LM_FIPS) {
    		err = -EINVAL;
@@ -902,7 +899,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
    struct bt_security sec;
    struct bt_power pwr;
    struct l2cap_conn *conn;
-	int len, err = 0;
+	int err = 0;
    u32 opt;
    u16 mtu;
    u8 mode;
@@ -928,11 +925,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
sec.level = BT_SECURITY_LOW;
-		len = min_t(unsigned int, sizeof(sec), optlen);
-		if (copy_from_sockptr(&sec, optval, len)) {
-			err = -EFAULT;
+		err = bt_copy_from_sockptr(&sec, sizeof(sec), optval, optlen);
+		if (err)
    		break;
-		}
if (sec.level < BT_SECURITY_LOW ||
    	    sec.level > BT_SECURITY_FIPS) {
@@ -977,10 +972,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
    		break;
    	}
-		if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
-			err = -EFAULT;
+		err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
+		if (err)
    		break;
-		}
if (opt) {
    		set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
@@ -992,10 +986,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
    	break;
case BT_FLUSHABLE:
-		if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
-			err = -EFAULT;
+		err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
+		if (err)
    		break;
-		}
if (opt > BT_FLUSHABLE_ON) {
    		err = -EINVAL;
@@ -1027,11 +1020,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
-		len = min_t(unsigned int, sizeof(pwr), optlen);
-		if (copy_from_sockptr(&pwr, optval, len)) {
-			err = -EFAULT;
+		err = bt_copy_from_sockptr(&pwr, sizeof(pwr), optval, optlen);
+		if (err)
    		break;
-		}
if (pwr.force_active)
    		set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
@@ -1065,10 +1056,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
    	break;
case BT_SNDMTU:
-		if (!bdaddr_type_is_le(chan->src_type)) {
-			err = -EINVAL;
+		err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
+		if (err)
    		break;
-		}
/* Setting is not supported as it's the remote side that
    	 * decides this.
@@ -1088,10 +1078,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
    		break;
    	}
-		if (copy_from_sockptr(&mtu, optval, sizeof(u16))) {
-			err = -EFAULT;
+		err = bt_copy_from_sockptr(&mtu, sizeof(mtu), optval, optlen);
+		if (err)
    		break;
-		}
if (chan->mode == L2CAP_MODE_EXT_FLOWCTL &&
    	    sk->sk_state == BT_CONNECTED)
@@ -1119,10 +1108,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
    		break;
    	}
-		if (copy_from_sockptr(&mode, optval, sizeof(u8))) {
-			err = -EFAULT;
+		err = bt_copy_from_sockptr(&mode, sizeof(mode), optval, optlen);
+		if (err)
    		break;
-		}
BT_DBG("mode %u", mode);
-- 
2.25.1


    

2024

2023

2022

2021

2020

2019

[PATCH openEuler-22.03-LTS-SP1] Bluetooth: L2CAP: Fix not validating setsockopt user input