]> git.proxmox.com Git - mirror_ubuntu-kernels.git/commit
bluetooth: Perform careful capability checks in hci_sock_ioctl()
authorRuihan Li <lrh2000@pku.edu.cn>
Sun, 16 Apr 2023 08:14:04 +0000 (16:14 +0800)
committerLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
Mon, 24 Apr 2023 05:05:39 +0000 (22:05 -0700)
commit25c150ac103a4ebeed0319994c742a90634ddf18
treed16ff2c490e74720b8f4bf34b285cce4c9629f43
parent25e97f7b1866e6b8503be349eeea44bb52d661ce
bluetooth: Perform careful capability checks in hci_sock_ioctl()

Previously, capability was checked using capable(), which verified that the
caller of the ioctl system call had the required capability. In addition,
the result of the check would be stored in the HCI_SOCK_TRUSTED flag,
making it persistent for the socket.

However, malicious programs can abuse this approach by deliberately sharing
an HCI socket with a privileged task. The HCI socket will be marked as
trusted when the privileged task occasionally makes an ioctl call.

This problem can be solved by using sk_capable() to check capability, which
ensures that not only the current task but also the socket opener has the
specified capability, thus reducing the risk of privilege escalation
through the previously identified vulnerability.

Cc: stable@vger.kernel.org
Fixes: f81f5b2db869 ("Bluetooth: Send control open and close messages for HCI raw sockets")
Signed-off-by: Ruihan Li <lrh2000@pku.edu.cn>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
net/bluetooth/hci_sock.c