[Bluetooth] Fix L2CAP and HCI setsockopt() information leaks
The L2CAP and HCI setsockopt() implementations have a small information leak that makes it possible to leak kernel stack memory to userspace. If the optlen parameter is 0, no data will be copied by copy_from_user(), but the uninitialized stack buffer will be read and stored later. A call to getsockopt() can now retrieve the leaked information. To fix this problem the stack buffer given to copy_from_user() must be initialized with the current settings. Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
This commit is contained in:
parent
dc87c3985e
commit
0878b6667f
2 changed files with 15 additions and 0 deletions
|
@ -499,6 +499,15 @@ static int hci_sock_setsockopt(struct socket *sock, int level, int optname, char
|
|||
break;
|
||||
|
||||
case HCI_FILTER:
|
||||
{
|
||||
struct hci_filter *f = &hci_pi(sk)->filter;
|
||||
|
||||
uf.type_mask = f->type_mask;
|
||||
uf.opcode = f->opcode;
|
||||
uf.event_mask[0] = *((u32 *) f->event_mask + 0);
|
||||
uf.event_mask[1] = *((u32 *) f->event_mask + 1);
|
||||
}
|
||||
|
||||
len = min_t(unsigned int, len, sizeof(uf));
|
||||
if (copy_from_user(&uf, optval, len)) {
|
||||
err = -EFAULT;
|
||||
|
|
|
@ -954,11 +954,17 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
|
|||
|
||||
switch (optname) {
|
||||
case L2CAP_OPTIONS:
|
||||
opts.imtu = l2cap_pi(sk)->imtu;
|
||||
opts.omtu = l2cap_pi(sk)->omtu;
|
||||
opts.flush_to = l2cap_pi(sk)->flush_to;
|
||||
opts.mode = 0x00;
|
||||
|
||||
len = min_t(unsigned int, sizeof(opts), optlen);
|
||||
if (copy_from_user((char *) &opts, optval, len)) {
|
||||
err = -EFAULT;
|
||||
break;
|
||||
}
|
||||
|
||||
l2cap_pi(sk)->imtu = opts.imtu;
|
||||
l2cap_pi(sk)->omtu = opts.omtu;
|
||||
break;
|
||||
|
|
Loading…
Reference in a new issue