linux/net
Ruihan Li 25c150ac10 bluetooth: Perform careful capability checks in hci_sock_ioctl()
Previously, capability was checked using capable(), which verified that the
caller of the ioctl system call had the required capability. In addition,
the result of the check would be stored in the HCI_SOCK_TRUSTED flag,
making it persistent for the socket.

However, malicious programs can abuse this approach by deliberately sharing
an HCI socket with a privileged task. The HCI socket will be marked as
trusted when the privileged task occasionally makes an ioctl call.

This problem can be solved by using sk_capable() to check capability, which
ensures that not only the current task but also the socket opener has the
specified capability, thus reducing the risk of privilege escalation
through the previously identified vulnerability.

Cc: stable@vger.kernel.org
Fixes: f81f5b2db8 ("Bluetooth: Send control open and close messages for HCI raw sockets")
Signed-off-by: Ruihan Li <lrh2000@pku.edu.cn>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2023-04-23 22:05:39 -07:00
..
6lowpan 6lowpan: Remove redundant initialisation. 2023-03-29 08:22:52 +01:00
9p 9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race condition 2023-04-02 01:00:31 +00:00
802
8021q vlan: Add MACsec offload operations for VLAN interface 2023-04-21 08:22:14 +01:00
appletalk
atm net: annotate lockless accesses to sk->sk_err_soft 2023-03-17 08:25:05 +00:00
ax25
batman-adv net: vlan: introduce skb_vlan_eth_hdr() 2023-04-23 14:16:44 +01:00
bluetooth bluetooth: Perform careful capability checks in hci_sock_ioctl() 2023-04-23 22:05:39 -07:00
bpf bpf: add test_run support for netfilter program type 2023-04-21 11:34:50 -07:00
bpfilter
bridge bridge: Allow setting per-{Port, VLAN} neighbor suppression state 2023-04-21 08:25:50 +01:00
caif net: caif: Fix use-after-free in cfusbl_device_notify() 2023-03-02 22:22:07 -08:00
can Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-04-06 12:01:20 -07:00
ceph Networking changes for 6.3. 2023-02-21 18:24:12 -08:00
core net: dsa: tag_ocelot: call only the relevant portion of __skb_vlan_pop() on TX 2023-04-23 14:16:45 +01:00
dcb net: dcb: add helper functions to retrieve PCP and DSCP rewrite maps 2023-01-20 09:33:22 +00:00
dccp netfilter: keep conntrack reference until IPsecv6 policy checks are done 2023-03-22 21:50:23 +01:00
devlink devlink: drop leftover duplicate/unused code 2023-02-20 11:38:35 +00:00
dns_resolver
dsa net: dsa: tag_ocelot: call only the relevant portion of __skb_vlan_pop() on TX 2023-04-23 14:16:45 +01:00
ethernet
ethtool net: ethtool: mm: sanitize some UAPI configurations 2023-04-20 20:03:21 -07:00
handshake net/handshake: Fix section mismatch in handshake_exit 2023-04-21 20:24:57 -07:00
hsr hsr: ratelimit only when errors are printed 2023-03-16 21:11:03 -07:00
ieee802154 net: ieee802154: remove an unnecessary null pointer check 2023-03-17 09:13:53 +01:00
ife
ipv4 net: dst: fix missing initialization of rt_uncached 2023-04-21 20:26:56 -07:00
ipv6 net: dst: fix missing initialization of rt_uncached 2023-04-21 20:26:56 -07:00
iucv net/iucv: Fix size of interrupt data 2023-03-16 17:34:40 -07:00
kcm net/sock: Introduce trace_sk_data_ready() 2023-01-23 11:26:50 +00:00
key af_key: Fix heap information leak 2023-02-13 09:30:14 +00:00
l2tp l2tp: generate correct module alias strings 2023-03-31 09:25:12 +01:00
l3mdev
lapb
llc
mac80211 wireless-next patches for v6.4 2023-04-21 07:35:51 -07:00
mac802154 Merge tag 'ieee802154-for-net-next-2023-02-20' of git://git.kernel.org/pub/scm/linux/kernel/git/sschmidt/wpan-next 2023-02-20 16:40:52 -08:00
mctp mctp: remove MODULE_LICENSE in non-modules 2023-03-09 23:06:21 -08:00
mpls net: mpls: fix stale pointer if allocation fails during device rename 2023-02-15 10:26:37 +00:00
mptcp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-04-20 16:29:51 -07:00
ncsi net: Use of_property_read_bool() for boolean properties 2023-03-16 17:41:28 +00:00
netfilter bpf-next-for-netdev 2023-04-21 20:32:37 -07:00
netlabel
netlink Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-04-06 12:01:20 -07:00
netrom netrom: Fix use-after-free caused by accept on already connected socket 2023-01-30 07:30:47 +00:00
nfc nfc: change order inside nfc_se_io error path 2023-03-07 13:37:05 -08:00
nsh
openvswitch net: openvswitch: fix race on port output 2023-04-07 19:42:53 -07:00
packet net/packet: support mergeable feature of virtio 2023-04-21 12:01:58 +01:00
phonet net/sock: Introduce trace_sk_data_ready() 2023-01-23 11:26:50 +00:00
psample
qrtr net: qrtr: Fix an uninit variable access bug in qrtr_tx_resume() 2023-04-13 09:35:30 +02:00
rds rds: rds_rm_zerocopy_callback() correct order for list_add_tail() 2023-02-13 09:33:39 +00:00
rfkill rfkill: Use sysfs_emit() to instead of sprintf() 2023-02-14 12:21:14 +01:00
rose net/rose: Fix to not accept on connected socket 2023-01-28 00:19:57 -08:00
rxrpc rxrpc: Replace fake flex-array with flexible-array member 2023-04-23 13:36:05 +01:00
sched net/sched: act_pedit: rate limit datapath messages 2023-04-23 18:35:27 +01:00
sctp sctp: delete the nested flexible array hmac 2023-04-21 08:19:30 +01:00
smc Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-04-13 16:04:28 -07:00
strparser
sunrpc nfsd-6.3 fixes: 2023-04-19 07:29:33 -07:00
switchdev
tipc Networking changes for 6.3. 2023-02-21 18:24:12 -08:00
tls net: tls: fix device-offloaded sendpage straddling records 2023-03-06 13:26:16 -08:00
unix af_unix: annotate lockless accesses to sk->sk_err 2023-03-17 08:25:05 +00:00
vmw_vsock vsock/loopback: don't disable irqs for queue access 2023-04-14 11:04:04 +01:00
wireless Merge wireless/main into wireless-next/main 2023-03-31 11:07:40 +02:00
x25 net/x25: Fix to not accept on connected socket 2023-01-25 09:51:04 +00:00
xdp bpf-next-for-netdev 2023-04-13 16:43:38 -07:00
xfrm ipsec-next-2023-04-19 2023-04-19 18:46:17 -07:00
compat.c net/compat: Update msg_control_is_user when setting a kernel pointer 2023-04-14 11:09:27 +01:00
devres.c
Kconfig net/handshake: Add Kunit tests for the handshake consumer API 2023-04-19 18:48:48 -07:00
Kconfig.debug
Makefile net/handshake: Create a NETLINK service for handling handshake requests 2023-04-19 18:48:48 -07:00
socket.c net: skbuff: hide wifi_acked when CONFIG_WIRELESS not set 2023-04-19 13:04:30 +01:00
sysctl_net.c