Re: [PATCH net 1/4] bluetooth: Improve setsockopt() handling of malformed user input

Luiz Augusto von Dentz <luiz.dentz@xxxxxxxxx> · Thu, 14 Nov 2024 21:15:38 -0500

Hi David,

On Thu, Nov 14, 2024 at 7:42 PM David Wei <dw@xxxxxxxxxxx> wrote:
>
> On 2024-11-14 15:27, Michal Luczaj wrote:
> > The bt_copy_from_sockptr() return value is being misinterpreted by most
> > users: a non-zero result is mistakenly assumed to represent an error code,
> > but actually indicates the number of bytes that could not be copied.
> >
> > Remove bt_copy_from_sockptr() and adapt callers to use
> > copy_safe_from_sockptr().
> >
> > For sco_sock_setsockopt() (case BT_CODEC) use copy_struct_from_sockptr() to
> > scrub parts of uninitialized buffer.
> >
> > Opportunistically, rename `len` to `optlen` in hci_sock_setsockopt_old()
> > and hci_sock_setsockopt().
> >
> > Fixes: 51eda36d33e4 ("Bluetooth: SCO: Fix not validating setsockopt user input")
> > Fixes: a97de7bff13b ("Bluetooth: RFCOMM: Fix not validating setsockopt user input")
> > Fixes: 4f3951242ace ("Bluetooth: L2CAP: Fix not validating setsockopt user input")
> > Fixes: 9e8742cdfc4b ("Bluetooth: ISO: Fix not validating setsockopt user input")
> > Fixes: b2186061d604 ("Bluetooth: hci_sock: Fix not validating setsockopt user input")
> > Signed-off-by: Michal Luczaj <mhal@xxxxxxx>
> > ---
> >  include/net/bluetooth/bluetooth.h |  9 ---------
> >  net/bluetooth/hci_sock.c          | 14 +++++++-------
> >  net/bluetooth/iso.c               | 10 +++++-----
> >  net/bluetooth/l2cap_sock.c        | 20 +++++++++++---------
> >  net/bluetooth/rfcomm/sock.c       |  9 ++++-----
> >  net/bluetooth/sco.c               | 11 ++++++-----
> >  6 files changed, 33 insertions(+), 40 deletions(-)
> >
> ...
> > diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
> > index f48250e3f2e103c75d5937e1608e43c123aa3297..1001fb4cc21c0ecc7bcdd3ea9041770ede4f27b8 100644
> > --- a/net/bluetooth/rfcomm/sock.c
> > +++ b/net/bluetooth/rfcomm/sock.c
> > @@ -629,10 +629,9 @@ static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname,
> >
> >       switch (optname) {
> >       case RFCOMM_LM:
> > -             if (bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen)) {
> > -                     err = -EFAULT;
> > +             err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
> > +             if (err)
> >                       break;
> > -             }
>
> This will return a positive integer if copy_safe_from_sockptr() fails.

What are you talking about copy_safe_from_sockptr never returns a
positive value:

 * Returns:
 *  * -EINVAL: @optlen < @ksize
 *  * -EFAULT: access to userspace failed.
 *  * 0 : @ksize bytes were copied

> Shouldn't this be:
>
> err = -EFAULT;
> if (copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen))
>         break;

-- 
Luiz Augusto von Dentz