bluetooth: Perform careful capability checks in hci_sock_ioctl()

mainline inclusion from mainline-v6.4-rc1 commit 25c150ac category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6WHKQ CVE: CVE-2023-2002 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=25c150ac103a4ebeed0319994c742a90634ddf18 ---------------------------------------- Previously, capability was checked using capable(), which verified that the caller of the ioctl system call had the required capability. In addition, the result of the check would be stored in the HCI_SOCK_TRUSTED flag, making it persistent for the socket. However, malicious programs can abuse this approach by deliberately sharing an HCI socket with a privileged task. The HCI socket will be marked as trusted when the privileged task occasionally makes an ioctl call. This problem can be solved by using sk_capable() to check capability, which ensures that not only the current task but also the socket opener has the specified capability, thus reducing the risk of privilege escalation through the previously identified vulnerability. Cc: stable@vger.kernel.org Fixes: f81f5b2d ("Bluetooth: Send control open and close messages for HCI raw sockets") Signed-off-by: N Ruihan Li <lrh2000@pku.edu.cn> Signed-off-by: N Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: N Ziyang Xuan <william.xuanziyang@huawei.com> Reviewed-by: N Liu Jian <liujian56@huawei.com> Reviewed-by: N Wang Weiyang <wangweiyang2@huawei.com> Signed-off-by: N Yongqiang Liu <liuyongqiang13@huawei.com>

bluetooth: Perform careful capability checks in hci_sock_ioctl()
mainline inclusion from mainline-v6.4-rc1 commit 25c150ac category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6WHKQ CVE: CVE-2023-2002 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=25c150ac103a4ebeed0319994c742a90634ddf18 ---------------------------------------- Previously, capability was checked using capable(), which verified that the caller of the ioctl system call had the required capability. In addition, the result of the check would be stored in the HCI_SOCK_TRUSTED flag, making it persistent for the socket. However, malicious programs can abuse this approach by deliberately sharing an HCI socket with a privileged task. The HCI socket will be marked as trusted when the privileged task occasionally makes an ioctl call. This problem can be solved by using sk_capable() to check capability, which ensures that not only the current task but also the socket opener has the specified capability, thus reducing the risk of privilege escalation through the previously identified vulnerability. Cc: stable@vger.kernel.org Fixes: f81f5b2d ("Bluetooth: Send control open and close messages for HCI raw sockets") Signed-off-by: N Ruihan Li <lrh2000@pku.edu.cn> Signed-off-by: N Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: N Ziyang Xuan <william.xuanziyang@huawei.com> Reviewed-by: N Liu Jian <liujian56@huawei.com> Reviewed-by: N Wang Weiyang <wangweiyang2@huawei.com> Signed-off-by: N Yongqiang Liu <liuyongqiang13@huawei.com>
63055a9f · Ruihan Li · Yongqiang Liu · 768851b2 · 63055a9f
隐藏空白更改
内联并排

Showing with 8 addition and 1 deletion

net/bluetooth/hci_sock.c net/bluetooth/hci_sock.c +8 -1

未找到文件。
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -990,7 +990,14 @@ static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
 	if (hci_sock_gen_cookie(sk)) {
 		struct sk_buff *skb;

-		if (capable(CAP_NET_ADMIN))
+		/* Perform careful checks before setting the HCI_SOCK_TRUSTED
+		 * flag. Make sure that not only the current task but also
+		 * the socket opener has the required capability, since
+		 * privileged programs can be tricked into making ioctl calls
+		 * on HCI sockets, and the socket should not be marked as
+		 * trusted simply because the ioctl caller is privileged.
+		 */
+		if (sk_capable(sk, CAP_NET_ADMIN))
 			hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);

 		/* Send event to monitor */