Re: [PATCH v5.10-v5.15] Bluetooth: RFCOMM: Fix not validating setsockopt user input

Sasha Levin <sashal@xxxxxxxxxx> · Mon, 20 Jan 2025 09:41:41 -0500

[ Sasha's backport helper bot ]

Hi,

The upstream commit SHA1 provided is correct: a97de7bff13b1cc825c1b1344eaed8d6c2d3e695

WARNING: Author mismatch between patch and upstream commit:
Backport author: Keerthana K<keerthana.kalyanasundaram@xxxxxxxxxxxx>
Commit author: Luiz Augusto von Dentz<luiz.von.dentz@xxxxxxxxx>

Status in newer kernel trees:
6.12.y | Present (exact SHA1)
6.6.y | Present (different SHA1: 4ea65e2095e9)
6.1.y | Present (different SHA1: eea40d33bf93)
5.15.y | Not found

Note: The patch differs from the upstream commit:
---
1:  a97de7bff13b1 ! 1:  8599b21ee1809 Bluetooth: RFCOMM: Fix not validating setsockopt user input
    @@ Metadata
      ## Commit message ##
         Bluetooth: RFCOMM: Fix not validating setsockopt user input

    +    [ Upstream commit a97de7bff13b1cc825c1b1344eaed8d6c2d3e695 ]
    +
         syzbot reported rfcomm_sock_setsockopt_old() is copying data without
         checking user input length.

    @@ Commit message
         Reported-by: syzbot <syzkaller@xxxxxxxxxxxxxxxx>
         Signed-off-by: Eric Dumazet <edumazet@xxxxxxxxxx>
         Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
    +    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
    +    Signed-off-by: Keerthana K <keerthana.kalyanasundaram@xxxxxxxxxxxx>

      ## net/bluetooth/rfcomm/sock.c ##
     @@ net/bluetooth/rfcomm/sock.c: static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname,
---

Results of testing on various branches:

| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-5.15.y       |  Success    |  Failed    |
| stable/linux-5.10.y       |  Success    |  Success   |

Build Errors:
Build error for stable/linux-5.15.y:
    net/bluetooth/rfcomm/sock.c: In function 'rfcomm_sock_setsockopt_old':
    net/bluetooth/rfcomm/sock.c:639:21: error: implicit declaration of function 'bt_copy_from_sockptr'; did you mean 'copy_from_sockptr'? [-Werror=implicit-function-declaration]
      639 |                 if (bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen)) {
          |                     ^~~~~~~~~~~~~~~~~~~~
          |                     copy_from_sockptr
    cc1: some warnings being treated as errors
    make[3]: *** [scripts/Makefile.build:289: net/bluetooth/rfcomm/sock.o] Error 1
    make[3]: Target '__build' not remade because of errors.
    make[2]: *** [scripts/Makefile.build:552: net/bluetooth/rfcomm] Error 2
    make[2]: Target '__build' not remade because of errors.
    make[1]: *** [scripts/Makefile.build:552: net/bluetooth] Error 2
    make[1]: Target '__build' not remade because of errors.
    make: *** [Makefile:1906: net] Error 2
    make: Target '__all' not remade because of errors.