[Bluetooth] Fix L2CAP and HCI setsockopt() information leaks (0878b666) · Commits · 戴 / test

The L2CAP and HCI setsockopt() implementations have a small information leak that makes it possible to leak kernel stack memory to userspace. If the optlen parameter is 0, no data will be copied by copy_from_user(), but the uninitialized stack buffer will be read and stored later. A call to getsockopt() can now retrieve the leaked information. To fix this problem the stack buffer given to copy_from_user() must be initialized with the current settings. Signed-off-by:

Marcel Holtmann <marcel@holtmann.org>

net/bluetooth/hci_sock.c

+9 −0

Original line number	Diff line number	Diff line
		@@ -499,6 +499,15 @@ static int hci_sock_setsockopt(struct socket *sock, int level, int optname, char
		break;

		case HCI_FILTER:
		{
		struct hci_filter *f = &hci_pi(sk)->filter;

		uf.type_mask = f->type_mask;
		uf.opcode = f->opcode;
		uf.event_mask[0] = ((u32 ) f->event_mask + 0);
		uf.event_mask[1] = ((u32 ) f->event_mask + 1);
		}

		len = min_t(unsigned int, len, sizeof(uf));
		if (copy_from_user(&uf, optval, len)) {
		err = -EFAULT;

net/bluetooth/l2cap.c

+6 −0

Original line number	Diff line number	Diff line
		@@ -954,11 +954,17 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch

		switch (optname) {
		case L2CAP_OPTIONS:
		opts.imtu = l2cap_pi(sk)->imtu;
		opts.omtu = l2cap_pi(sk)->omtu;
		opts.flush_to = l2cap_pi(sk)->flush_to;
		opts.mode = 0x00;

		len = min_t(unsigned int, sizeof(opts), optlen);
		if (copy_from_user((char *) &opts, optval, len)) {
		err = -EFAULT;
		break;
		}

		l2cap_pi(sk)->imtu = opts.imtu;
		l2cap_pi(sk)->omtu = opts.omtu;
		break;

Admin message