forked from rpms/kernel
57 lines
2.3 KiB
Diff
57 lines
2.3 KiB
Diff
|
From 5bdcf7f9a8e44d61d724943167c381611b02a5ff Mon Sep 17 00:00:00 2001
|
||
|
From: Ruihan Li <lrh2000@pku.edu.cn>
|
||
|
Date: Sun, 16 Apr 2023 16:14:04 +0800
|
||
|
Subject: [PATCH 1/6] bluetooth: Perform careful capability checks in
|
||
|
hci_sock_ioctl()
|
||
|
|
||
|
Previously, capability was checked using capable(), which verified that the
|
||
|
caller of the ioctl system call had the required capability. In addition,
|
||
|
the result of the check would be stored in the HCI_SOCK_TRUSTED flag,
|
||
|
making it persistent for the socket.
|
||
|
|
||
|
However, malicious programs can abuse this approach by deliberately sharing
|
||
|
an HCI socket with a privileged task. The HCI socket will be marked as
|
||
|
trusted when the privileged task occasionally makes an ioctl call.
|
||
|
|
||
|
This problem can be solved by using sk_capable() to check capability, which
|
||
|
ensures that not only the current task but also the socket opener has the
|
||
|
specified capability, thus reducing the risk of privilege escalation
|
||
|
through the previously identified vulnerability.
|
||
|
|
||
|
Cc: stable@vger.kernel.org
|
||
|
Fixes: f81f5b2db869 ("Bluetooth: Send control open and close messages for HCI raw sockets")
|
||
|
Signed-off-by: Ruihan Li <lrh2000@pku.edu.cn>
|
||
|
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
|
||
|
(cherry picked from commit 25c150ac103a4ebeed0319994c742a90634ddf18)
|
||
|
|
||
|
CVE: CVE-2023-2002
|
||
|
Signed-off-by: Mridula Shastry <mridula.c.shastry@oracle.com>
|
||
|
Reviewed-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
|
||
|
---
|
||
|
net/bluetooth/hci_sock.c | 9 ++++++++-
|
||
|
1 file changed, 8 insertions(+), 1 deletion(-)
|
||
|
|
||
|
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
|
||
|
index d7c9ead69554..3cb8a2879ebb 100644
|
||
|
--- a/net/bluetooth/hci_sock.c
|
||
|
+++ b/net/bluetooth/hci_sock.c
|
||
|
@@ -1000,7 +1000,14 @@ static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
|
||
|
if (hci_sock_gen_cookie(sk)) {
|
||
|
struct sk_buff *skb;
|
||
|
|
||
|
- if (capable(CAP_NET_ADMIN))
|
||
|
+ /* Perform careful checks before setting the HCI_SOCK_TRUSTED
|
||
|
+ * flag. Make sure that not only the current task but also
|
||
|
+ * the socket opener has the required capability, since
|
||
|
+ * privileged programs can be tricked into making ioctl calls
|
||
|
+ * on HCI sockets, and the socket should not be marked as
|
||
|
+ * trusted simply because the ioctl caller is privileged.
|
||
|
+ */
|
||
|
+ if (sk_capable(sk, CAP_NET_ADMIN))
|
||
|
hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
|
||
|
|
||
|
/* Send event to monitor */
|
||
|
--
|
||
|
2.39.3
|
||
|
|