linux-stable/net
Ruihan Li 48cdcb40d5 bluetooth: Perform careful capability checks in hci_sock_ioctl()
commit 25c150ac10 upstream.

Previously, capability was checked using capable(), which verified that the
caller of the ioctl system call had the required capability. In addition,
the result of the check would be stored in the HCI_SOCK_TRUSTED flag,
making it persistent for the socket.

However, malicious programs can abuse this approach by deliberately sharing
an HCI socket with a privileged task. The HCI socket will be marked as
trusted when the privileged task occasionally makes an ioctl call.

This problem can be solved by using sk_capable() to check capability, which
ensures that not only the current task but also the socket opener has the
specified capability, thus reducing the risk of privilege escalation
through the previously identified vulnerability.

Cc: stable@vger.kernel.org
Fixes: f81f5b2db8 ("Bluetooth: Send control open and close messages for HCI raw sockets")
Signed-off-by: Ruihan Li <lrh2000@pku.edu.cn>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-05-17 11:35:31 +02:00
6lowpan 6lowpan: iphc: Fix an off-by-one check of array index 2021-09-15 09:47:31 +02:00
9p 9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race condition 2023-04-20 12:07:36 +02:00
802 mrp: introduce active flags to prevent UAF when applicant uninit 2023-01-18 11:41:37 +01:00
8021q net: vlan: fix underflow for the real_dev refcnt 2021-12-01 09:23:34 +01:00
appletalk appletalk: Fix skb allocation size in loopback case 2021-04-07 14:47:41 +02:00
atm treewide: Replace DECLARE_TASKLET() with DECLARE_TASKLET_OLD() 2023-04-20 12:07:32 +02:00
ax25 ax25: Fix UAF bugs in ax25 timers 2022-04-20 09:19:40 +02:00
batman-adv batman-adv: Don't skb_split skbuffs with frag_list 2022-05-18 09:47:24 +02:00
bluetooth bluetooth: Perform careful capability checks in hci_sock_ioctl() 2023-05-17 11:35:31 +02:00
bpf bpf: Move skb->len == 0 checks into __bpf_redirect 2023-01-18 11:41:04 +01:00
bpfilter bpfilter: Specify the log level for the kmsg message 2021-07-14 16:53:33 +02:00
bridge netfilter: br_netfilter: fix recent physdev match breakage 2023-04-26 11:24:01 +02:00
caif net: caif: Fix use-after-free in cfusbl_device_notify() 2023-03-17 08:32:51 +01:00
can can: j1939: j1939_tp_tx_dat_new(): fix out-of-bounds memory access 2023-04-20 12:07:34 +02:00
ceph
core net: don't let netpoll invoke NAPI if in xmit context 2023-04-20 12:07:33 +02:00
dcb net: dcb: disable softirqs in dcbnl_flush_dev() 2022-03-08 19:07:51 +01:00
dccp dccp: Call inet6_destroy_sock() via sk->sk_destruct(). 2023-04-26 11:24:05 +02:00
decnet net: decnet: Fix sleeping inside in af_decnet 2021-07-28 13:30:56 +02:00
dns_resolver
dsa net: dsa: ksz: Check return value 2022-12-14 11:30:45 +01:00
ethernet
hsr hsr: Avoid double remove of a node. 2023-01-18 11:41:09 +01:00
ieee802154 net: ieee802154: fix error return code in dgram_bind() 2022-11-03 23:56:54 +09:00
ife
ipv4 tcp/udp: Call inet6_destroy_sock() in IPv6 sk->sk_destruct(). 2023-04-26 11:24:05 +02:00
ipv6 dccp: Call inet6_destroy_sock() via sk->sk_destruct(). 2023-04-26 11:24:05 +02:00
iucv treewide: Replace DECLARE_TASKLET() with DECLARE_TASKLET_OLD() 2023-04-20 12:07:32 +02:00
kcm kcm: close race conditions on sk_receive_queue 2022-11-25 17:42:21 +01:00
key af_key: Fix send_acquire race with pfkey_register 2022-12-08 11:22:57 +01:00
l2tp inet6: Remove inet6_destroy_sock() in sk->sk_prot->destroy(). 2023-04-26 11:24:05 +02:00
l3mdev l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using netdev_master_upper_dev_get_rcu 2022-04-27 13:50:47 +02:00
lapb net: lapb: Copy the skb before sending a packet 2021-02-10 09:25:28 +01:00
llc llc: only change llc->dev when bind() succeeds 2022-03-28 08:46:48 +02:00
mac80211 wifi: mac80211: fix invalid drv_sta_pre_rcu_remove calls for non-uploaded sta 2023-04-20 12:07:33 +02:00
mac802154 mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add() 2022-12-14 11:30:45 +01:00
mpls net: mpls: fix stale pointer if allocation fails during device rename 2023-02-22 12:50:41 +01:00
ncsi net/ncsi: check for error return from call to nla_put_u32 2022-01-05 12:37:45 +01:00
netfilter netfilter: nft_redir: correct value of inet type .maxattrs 2023-03-22 13:28:04 +01:00
netlabel netlabel: fix out-of-bounds memory accesses 2022-04-15 14:18:35 +02:00
netlink netlink: annotate data races around sk_state 2023-02-06 07:52:45 +01:00
netrom netrom: Fix use-after-free caused by accept on already connected socket 2023-02-22 12:50:24 +01:00
nfc nfc: change order inside nfc_se_io error path 2023-03-17 08:32:48 +01:00
nsh
openvswitch net: openvswitch: fix flow memory leak in ovs_flow_cmd_new 2023-02-22 12:50:25 +01:00
packet net/af_packet: make sure to pull mac header 2023-01-18 11:41:45 +01:00
phonet phonet: refcount leak in pep_sock_accep 2022-01-11 15:23:33 +01:00
psample
qrtr net: qrtr: fix another OOB Read in qrtr_endpoint_post 2021-09-03 10:08:12 +02:00
rds rds: rds_rm_zerocopy_callback() correct order for list_add_tail() 2023-03-11 16:43:41 +01:00
rfkill
rose net/rose: Fix to not accept on connected socket 2023-02-22 12:50:34 +01:00
rxrpc rxrpc: Fix missing unlock in rxrpc_do_sendmsg() 2023-01-18 11:41:33 +01:00
sched net: sched: sch_qfq: prevent slab-out-of-bounds in qfq_activate_agg 2023-04-26 11:24:01 +02:00
sctp sctp: Call inet6_destroy_sock() via sk->sk_destruct(). 2023-04-26 11:24:05 +02:00
smc net/smc: fix fallback failed while sendmsg with fastopen 2023-03-17 08:32:51 +01:00
strparser bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and colliding 2021-11-17 09:48:48 +01:00
sunrpc sunrpc: only free unix grouplist after RCU settles 2023-04-20 12:07:33 +02:00
switchdev net: switchdev: do not propagate bridge updates across bridges 2021-10-27 09:54:24 +02:00
tipc tipc: call tipc_lxc_xmit without holding node_read_lock 2023-01-18 11:42:06 +01:00
tls net: tls: fix possible race condition between do_tls_getsockopt_conf() and do_tls_setsockopt_conf() 2023-04-05 11:16:36 +02:00
unix af_unix: Get user_ns from in_skb in unix_diag_get_exact(). 2022-12-14 11:30:44 +01:00
vmw_vsock net: vmw_vsock: vmci: Check memcpy_from_msg() 2023-01-18 11:41:13 +01:00
wimax
wireless wifi: cfg80211: Partial revert "wifi: cfg80211: Fix use after free for wext" 2023-03-13 10:18:25 +01:00
x25 net/x25: Fix to not accept on connected socket 2023-02-22 12:50:26 +01:00
xdp Revert "xsk: Do not sleep in poll() when need_wakeup set" 2021-12-22 09:29:40 +01:00
xfrm xfrm: Allow transport-mode states with AF_UNSPEC selector 2023-03-22 13:28:03 +01:00
compat.c net: Return the correct errno code 2021-06-18 09:59:00 +02:00
Kconfig
Makefile
socket.c net: Fix a data-race around sysctl_somaxconn. 2022-09-05 10:27:42 +02:00
sysctl_net.c