From: Luiz Augusto von Dentz luiz.von.dentz@intel.com
stable inclusion from stable-v6.8.7 commit 8ee0c132a61df9723813c40e742dc5321824daa9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QRQE CVE: CVE-2024-35965
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit 4f3951242ace5efc7131932e2e01e6ac6baed846 ]
Check user input length before copying data.
Fixes: 33575df7be67 ("Bluetooth: move l2cap_sock_setsockopt() to l2cap_sock.c") Fixes: 3ee7b7cd8390 ("Bluetooth: Add BT_MODE socket option") Signed-off-by: Eric Dumazet edumazet@google.com Signed-off-by: Luiz Augusto von Dentz luiz.von.dentz@intel.com Signed-off-by: Sasha Levin sashal@kernel.org
Conflicts: net/bluetooth/l2cap_sock.c [The conflict occurs because the commit 54db3630deff566224de6cfb0767d2d398e68ed5 ("Bluetooth: Remove BT_HS"), which is from stable inclusion-v6.8.2, is not merged] Signed-off-by: Kaixiong Yu yukaixiong@huawei.com --- include/net/bluetooth/bluetooth.h | 9 ++++++ net/bluetooth/l2cap_sock.c | 54 ++++++++++++------------------- 2 files changed, 30 insertions(+), 33 deletions(-)
diff --git a/include/net/bluetooth/bluetooth.h b/include/net/bluetooth/bluetooth.h index 355835639ae5..18945f650ce4 100644 --- a/include/net/bluetooth/bluetooth.h +++ b/include/net/bluetooth/bluetooth.h @@ -487,6 +487,15 @@ static inline struct sk_buff *bt_skb_sendmmsg(struct sock *sk, return skb; }
+static inline int bt_copy_from_sockptr(void *dst, size_t dst_size, + sockptr_t src, size_t src_size) +{ + if (dst_size > src_size) + return -EINVAL; + + return copy_from_sockptr(dst, src, dst_size); +} + int bt_to_errno(u16 code);
void hci_sock_set_flag(struct sock *sk, int nr); diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c index 756523e5402a..13afdc599b58 100644 --- a/net/bluetooth/l2cap_sock.c +++ b/net/bluetooth/l2cap_sock.c @@ -744,7 +744,7 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, struct sock *sk = sock->sk; struct l2cap_chan *chan = l2cap_pi(sk)->chan; struct l2cap_options opts; - int len, err = 0; + int err = 0; u32 opt;
BT_DBG("sk %p", sk); @@ -771,11 +771,9 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, opts.max_tx = chan->max_tx; opts.txwin_size = chan->tx_win;
- len = min_t(unsigned int, sizeof(opts), optlen); - if (copy_from_sockptr(&opts, optval, len)) { - err = -EFAULT; + err = bt_copy_from_sockptr(&opts, sizeof(opts), optval, optlen); + if (err) break; - }
if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) { err = -EINVAL; @@ -818,10 +816,9 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, break;
case L2CAP_LM: - if (copy_from_sockptr(&opt, optval, sizeof(u32))) { - err = -EFAULT; + err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); + if (err) break; - }
if (opt & L2CAP_LM_FIPS) { err = -EINVAL; @@ -902,7 +899,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, struct bt_security sec; struct bt_power pwr; struct l2cap_conn *conn; - int len, err = 0; + int err = 0; u32 opt; u16 mtu; u8 mode; @@ -928,11 +925,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
sec.level = BT_SECURITY_LOW;
- len = min_t(unsigned int, sizeof(sec), optlen); - if (copy_from_sockptr(&sec, optval, len)) { - err = -EFAULT; + err = bt_copy_from_sockptr(&sec, sizeof(sec), optval, optlen); + if (err) break; - }
if (sec.level < BT_SECURITY_LOW || sec.level > BT_SECURITY_FIPS) { @@ -977,10 +972,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, break; }
- if (copy_from_sockptr(&opt, optval, sizeof(u32))) { - err = -EFAULT; + err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); + if (err) break; - }
if (opt) { set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); @@ -992,10 +986,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, break;
case BT_FLUSHABLE: - if (copy_from_sockptr(&opt, optval, sizeof(u32))) { - err = -EFAULT; + err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); + if (err) break; - }
if (opt > BT_FLUSHABLE_ON) { err = -EINVAL; @@ -1027,11 +1020,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
- len = min_t(unsigned int, sizeof(pwr), optlen); - if (copy_from_sockptr(&pwr, optval, len)) { - err = -EFAULT; + err = bt_copy_from_sockptr(&pwr, sizeof(pwr), optval, optlen); + if (err) break; - }
if (pwr.force_active) set_bit(FLAG_FORCE_ACTIVE, &chan->flags); @@ -1040,10 +1031,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, break;
case BT_CHANNEL_POLICY: - if (copy_from_sockptr(&opt, optval, sizeof(u32))) { - err = -EFAULT; - break; - } + err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); + if (err) + break;
if (opt > BT_CHANNEL_POLICY_AMP_PREFERRED) { err = -EINVAL; @@ -1088,10 +1078,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, break; }
- if (copy_from_sockptr(&mtu, optval, sizeof(u16))) { - err = -EFAULT; + err = bt_copy_from_sockptr(&mtu, sizeof(mtu), optval, optlen); + if (err) break; - }
if (chan->mode == L2CAP_MODE_EXT_FLOWCTL && sk->sk_state == BT_CONNECTED) @@ -1119,10 +1108,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, break; }
- if (copy_from_sockptr(&mode, optval, sizeof(u8))) { - err = -EFAULT; + err = bt_copy_from_sockptr(&mode, sizeof(mode), optval, optlen); + if (err) break; - }
BT_DBG("mode %u", mode);