mirrors
/
linux-stable
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
1
0
Fork 0
Code Issues Releases Wiki Activity
linux-stable/include/net/bluetooth
History
Luiz Augusto von Dentz 72473db909 Bluetooth: SCO: Fix not validating setsockopt user input 
[ Upstream commit 51eda36d33 ]

syzbot reported sco_sock_setsockopt() is copying data without
checking user input length.

BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset
include/linux/sockptr.h:49 [inline]
BUG: KASAN: slab-out-of-bounds in copy_from_sockptr
include/linux/sockptr.h:55 [inline]
BUG: KASAN: slab-out-of-bounds in sco_sock_setsockopt+0xc0b/0xf90
net/bluetooth/sco.c:893
Read of size 4 at addr ffff88805f7b15a3 by task syz-executor.5/12578

Fixes: ad10b1a487 ("Bluetooth: Add Bluetooth socket voice option")
Fixes: b96e9c671b ("Bluetooth: Add BT_DEFER_SETUP option to sco socket")
Fixes: 00398e1d51 ("Bluetooth: Add support for BT_PKT_STATUS CMSG data for SCO connections")
Fixes: f6873401a6 ("Bluetooth: Allow setting of codec for HFP offload use case")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
 		2024-04-17 11:19:30 +02:00
..
bluetooth.h Bluetooth: SCO: Fix not validating setsockopt user input 2024-04-17 11:19:30 +02:00
coredump.h Bluetooth: Add support for hci devcoredump 2023-04-23 21:57:59 -07:00
hci.h Bluetooth: Add new quirk for broken read key length on ATS2851 2024-04-13 13:07:33 +02:00
hci_core.h Bluetooth: hci_sync: Fix overwriting request callback 2024-03-26 18:19:38 -04:00
hci_mon.h Bluetooth: hci_sock: Correctly bounds check and pad HCI_MON_NEW_INDEX name 2023-10-13 20:06:33 -07:00
hci_sock.h Bluetooth: Fix HCIGETDEVINFO regression 2022-09-08 14:33:53 -07:00
hci_sync.h Bluetooth: hci_core: Cancel request on command timeout 2024-03-26 18:19:37 -04:00
iso.h Bluetooth: ISO: Add broadcast support 2022-07-22 17:14:13 -07:00
l2cap.h Bluetooth: Remove BT_HS 2024-03-26 18:19:37 -04:00
mgmt.h Bluetooth: Check for ISO support in controller 2023-08-11 11:31:23 -07:00
rfcomm.h Bluetooth: Replace zero-length array with flexible-array member 2020-02-28 08:30:02 +01:00
sco.h Bluetooth: af_bluetooth: Make BT_PKT_STATUS generic 2023-08-11 11:49:16 -07:00