iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Ruihan Li f1e6a14d5a bluetooth: Perform careful capability checks in hci_sock_ioctl() 
commit 25c150ac103a4ebeed0319994c742a90634ddf18 upstream.

Previously, capability was checked using capable(), which verified that the
caller of the ioctl system call had the required capability. In addition,
the result of the check would be stored in the HCI_SOCK_TRUSTED flag,
making it persistent for the socket.

However, malicious programs can abuse this approach by deliberately sharing
an HCI socket with a privileged task. The HCI socket will be marked as
trusted when the privileged task occasionally makes an ioctl call.

This problem can be solved by using sk_capable() to check capability, which
ensures that not only the current task but also the socket opener has the
specified capability, thus reducing the risk of privilege escalation
through the previously identified vulnerability.

Cc: stable@vger.kernel.org
Fixes: f81f5b2db869 ("Bluetooth: Send control open and close messages for HCI raw sockets")
Signed-off-by: Ruihan Li <lrh2000@pku.edu.cn>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-05-01 08:23:23 +09:00
..
6lowpan
9p
9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race condition
2023-04-20 12:13:53 +02:00
802
mrp: introduce active flags to prevent UAF when applicant uninit
2022-12-31 13:14:42 +01:00
8021q
net: use eth_hw_addr_set() instead of ether_addr_copy()
2022-08-31 17:16:37 +02:00
appletalk
atm
net/atm: fix proc_mpc_write incorrect return value
2022-10-29 10:12:55 +02:00
ax25
net: ax25: Fix deadlock caused by skb_recv_datagram in ax25_recvmsg
2022-06-22 14:22:01 +02:00
batman-adv
batman-adv: Use netif_rx_any_context() any.
2022-07-29 17:25:07 +02:00
bluetooth
bluetooth: Perform careful capability checks in hci_sock_ioctl()
2023-05-01 08:23:23 +09:00
bpf
bpf: Move skb->len == 0 checks into __bpf_redirect
2022-12-31 13:14:11 +01:00
bpfilter
bridge
netfilter: br_netfilter: fix recent physdev match breakage
2023-04-26 13:51:47 +02:00
caif
net: caif: Fix use-after-free in cfusbl_device_notify()
2023-03-17 08:48:54 +01:00
can
can: isotp: isotp_ops: fix poll() to not report false EPOLLOUT events
2023-04-13 16:48:25 +02:00
ceph
libceph: fix potential use-after-free on linger ping and resends
2022-05-25 09:57:28 +02:00
core
skbuff: Fix a race between coalescing and releasing SKBs
2023-04-20 12:13:54 +02:00
dcb
net: dcb: disable softirqs in dcbnl_flush_dev()
2022-03-08 19:12:52 +01:00
dccp
dccp: Call inet6_destroy_sock() via sk->sk_destruct().
2023-04-26 13:51:54 +02:00
decnet
net: Fix data-races around sysctl_[rw]mem(_offset)?.
2022-08-03 12:03:51 +02:00
dns_resolver
dsa
net: dsa: tag_brcm: legacy: fix daisy-chained switches
2023-03-30 12:47:48 +02:00
ethernet
ethtool
ethtool: reset #lanes when lanes is omitted
2023-04-13 16:48:20 +02:00
hsr
hsr: ratelimit only when errors are printed
2023-04-05 11:25:02 +02:00
ieee802154
net: ieee802154: fix error return code in dgram_bind()
2022-11-03 23:59:14 +09:00
ife
ipv4
tcp/udp: Call inet6_destroy_sock() in IPv6 sk->sk_destruct().
2023-04-26 13:51:54 +02:00
ipv6
dccp: Call inet6_destroy_sock() via sk->sk_destruct().
2023-04-26 13:51:54 +02:00
iucv
net/iucv: Fix size of interrupt data
2023-03-22 13:31:28 +01:00
kcm
kcm: close race conditions on sk_receive_queue
2022-11-26 09:24:50 +01:00
key
xfrm: Fix oops in __xfrm_state_delete()
2022-12-02 17:41:06 +01:00
l2tp
inet6: Remove inet6_destroy_sock() in sk->sk_prot->destroy().
2023-04-26 13:51:54 +02:00
l3mdev
l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using netdev_master_upper_dev_get_rcu
2022-04-27 14:38:53 +02:00
lapb
llc
llc: only change llc->dev when bind() succeeds
2022-03-28 09:58:46 +02:00
mac80211
wifi: mac80211: fix invalid drv_sta_pre_rcu_remove calls for non-uploaded sta
2023-04-13 16:48:17 +02:00
mac802154
mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add()
2022-12-14 11:37:25 +01:00
mctp
net: mctp: purge receive queues on sk destruction
2023-02-06 07:59:02 +01:00
mpls
net: mpls: fix stale pointer if allocation fails during device rename
2023-02-22 12:57:09 +01:00
mptcp
inet6: Remove inet6_destroy_sock() in sk->sk_prot->destroy().
2023-04-26 13:51:54 +02:00
ncsi
net/ncsi: check for error return from call to nla_put_u32
2022-01-05 12:42:37 +01:00
netfilter
netfilter: nf_tables: tighten netlink attribute requirements for catch-all elements
2023-04-26 13:51:48 +02:00
netlabel
netlabel: fix out-of-bounds memory accesses
2022-04-13 20:59:10 +02:00
netlink
netlink: annotate data races around sk_state
2023-02-01 08:27:27 +01:00
netrom
netrom: Fix use-after-free caused by accept on already connected socket
2023-02-09 11:26:36 +01:00
nfc
nfc: change order inside nfc_se_io error path
2023-03-17 08:48:49 +01:00
nsh
openvswitch
net: openvswitch: fix possible memory leak in ovs_meter_cmd_set()
2023-02-22 12:57:09 +01:00
packet
net/af_packet: make sure to pull mac header
2023-01-12 11:58:49 +01:00
phonet
phonet: refcount leak in pep_sock_accep
2022-01-11 15:35:16 +01:00
psample
qrtr
net: qrtr: Fix an uninit variable access bug in qrtr_tx_resume()
2023-04-20 12:13:53 +02:00
rds
rds: rds_rm_zerocopy_callback() correct order for list_add_tail()
2023-03-10 09:39:16 +01:00
rfkill
rfkill: make new event layout opt-in
2022-04-08 14:23:00 +02:00
rose
net/rose: Fix to not accept on connected socket
2023-02-22 12:57:02 +01:00
rxrpc
rxrpc: Fix missing unlock in rxrpc_do_sendmsg()
2022-12-31 13:14:39 +01:00
sched
net: sched: sch_qfq: prevent slab-out-of-bounds in qfq_activate_agg
2023-04-26 13:51:47 +02:00
sctp
sctp: Call inet6_destroy_sock() via sk->sk_destruct().
2023-04-26 13:51:54 +02:00
smc
net/smc: fix deadlock triggered by cancel_delayed_work_syn()
2023-03-22 13:31:26 +01:00
strparser
bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and colliding
2021-11-18 19:17:11 +01:00
sunrpc
sunrpc: only free unix grouplist after RCU settles
2023-04-13 16:48:19 +02:00
switchdev
tipc
tipc: fix unexpected link reset due to discovery messages
2023-01-18 11:48:54 +01:00
tls
net: tls: fix possible race condition between do_tls_getsockopt_conf() and do_tls_setsockopt_conf()
2023-03-30 12:47:43 +02:00
unix
af_unix: fix struct pid leaks in OOB support
2023-03-17 08:48:57 +01:00
vmw_vsock
net: vmw_vsock: vmci: Check memcpy_from_msg()
2022-12-31 13:14:18 +01:00
wireless
wifi: cfg80211: Partial revert "wifi: cfg80211: Fix use after free for wext"
2023-03-13 10:20:37 +01:00
x25
net/x25: Fix to not accept on connected socket
2023-02-09 11:26:40 +01:00
xdp
xsk: Add missing overflow check in xdp_umem_reg
2023-03-30 12:47:44 +02:00
xfrm
xfrm: Zero padding when dumping algos and encap
2023-04-05 11:24:52 +02:00
compat.c
devres.c
Kconfig
Makefile
socket.c
net: Fix a data-race around sysctl_somaxconn.
2022-08-31 17:16:45 +02:00
sysctl_net.c