Hello, Marcel, > why is this one hidden behind CONFIG_PM? The general baud rate changes are > independent of runtime power management support. hci_bcm calls hci_uart_set_flow_control() only from functions hidden behind #ifdef-CONFIG_PM (surely this can change in the future), and so without CONFIG_PM set it cannot hit the bug (as of now). So I've hidden the check for tiocm[gs]et() behind #ifdef-CONFIG_PM too. If you tell me it is better to remove this #ifdef, I'll remove it. > And I would introduce a bool hci_uart_has_tiocm_support(struct hci_uart *) > helper. Great, I will add it to the v2 fix. I guess a good place for it is hci_ldisc.c, near hci_uart_set_flow_control(), isn't it? Best regards, Vladis Dronov | Red Hat, Inc. | The Core Kernel | Senior Software Engineer ----- Original Message ----- > From: "Marcel Holtmann" <marcel@xxxxxxxxxxxx> > To: "Vladis Dronov" <vdronov@xxxxxxxxxx> > Cc: "Johan Hedberg" <johan.hedberg@xxxxxxxxx>, linux-bluetooth@xxxxxxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx, "Suraj > Sumangala" <suraj@xxxxxxxxxxx>, "Frederic Danis" <frederic.danis@xxxxxxxxxxxxxxx>, "Loic Poulain" > <loic.poulain@xxxxxxxxx>, "Balakrishna Godavarthi" <bgodavar@xxxxxxxxxxxxxx>, syzkaller@xxxxxxxxxxxxxxxx > Sent: Thursday, July 25, 2019 2:59:42 PM > Subject: Re: [PATCH] Bluetooth: hci_uart: check for missing tty operations in protocol handlers > > Hi Vladis, > > > Certain ttys operations (pty_unix98_ops) lack tiocmget() and tiocmset() > > functions which are called by the certain HCI UART protocols (hci_ath, > > hci_bcm, hci_intel, hci_mrvl, hci_qca) via hci_uart_set_flow_control() > > or directly. This leads to an execution at NULL and can be triggered by > > an unprivileged user. Fix this by adding a check for the missing tty > > operations to the protocols which use them. > > > > This fixes CVE-2019-10207. > > > > Link: > > https://syzkaller.appspot.com/bug?id=1b42faa2848963564a5b1b7f8c837ea7b55ffa50 > > Reported-by: syzbot+79337b501d6aa974d0f6@xxxxxxxxxxxxxxxxxxxxxxxxx > > Cc: stable@xxxxxxxxxxxxxxx # v2.6.36+ > > Fixes: b3190df62861 ("Bluetooth: Support for Atheros AR300x serial chip") > > Fixes: 118612fb9165 ("Bluetooth: hci_bcm: Add suspend/resume PM functions") > > Fixes: ff2895592f0f ("Bluetooth: hci_intel: Add Intel baudrate > > configuration support") > > Fixes: 162f812f23ba ("Bluetooth: hci_uart: Add Marvell support") > > Fixes: fa9ad876b8e0 ("Bluetooth: hci_qca: Add support for Qualcomm > > Bluetooth chip wcn3990") > > Signed-off-by: Vladis Dronov <vdronov@xxxxxxxxxx> > > --- > > drivers/bluetooth/hci_ath.c | 3 +++ > > drivers/bluetooth/hci_bcm.c | 5 +++++ > > drivers/bluetooth/hci_intel.c | 3 +++ > > drivers/bluetooth/hci_mrvl.c | 3 +++ > > drivers/bluetooth/hci_qca.c | 4 ++++ > > 5 files changed, 18 insertions(+) > > > > diff --git a/drivers/bluetooth/hci_ath.c b/drivers/bluetooth/hci_ath.c > > index a55be205b91a..99df8a13e47e 100644 > > --- a/drivers/bluetooth/hci_ath.c > > +++ b/drivers/bluetooth/hci_ath.c > > @@ -98,6 +98,9 @@ static int ath_open(struct hci_uart *hu) > > > > BT_DBG("hu %p", hu); > > > > + if (!hu->tty->driver->ops->tiocmget || !hu->tty->driver->ops->tiocmset) > > + return -ENOTSUPP; > > + > > ath = kzalloc(sizeof(*ath), GFP_KERNEL); > > if (!ath) > > return -ENOMEM; > > diff --git a/drivers/bluetooth/hci_bcm.c b/drivers/bluetooth/hci_bcm.c > > index 8905ad2edde7..8c3e09cc341c 100644 > > --- a/drivers/bluetooth/hci_bcm.c > > +++ b/drivers/bluetooth/hci_bcm.c > > @@ -406,6 +406,11 @@ static int bcm_open(struct hci_uart *hu) > > > > bt_dev_dbg(hu->hdev, "hu %p", hu); > > > > +#ifdef CONFIG_PM > > + if (!hu->tty->driver->ops->tiocmget || !hu->tty->driver->ops->tiocmset) > > + return -ENOTSUPP; > > +#endif > > + > > why is this one hidden behind CONFIG_PM? The general baud rate changes are > independent of runtime power management support. > > And I would introduce a bool hci_uart_has_tiocm_support(struct hci_uart *) > helper. > > Regards > > Marcel
