
[SRU,J/F,J:PATCH,0/4,F:PATCH,0/5] CVE-2024-35963, CVE-2024-35965, CVE-2024-35966, CVE-2024-35967

Message ID 20241028075902.114546-1-koichiro.den@canonical.com

Message

Koichiro Den Oct. 28, 2024, 7:58 a.m. UTC
[Impact]

These CVEs originated from the same patch series (no cover letter):
[PATCH v2 1/5] Bluetooth: SCO: Fix not validating setsockopt user input
(https://lore.kernel.org/all/20240405204827.3458726-1-luiz.dentz@gmail.com/)

Note that Jammy and Focal are not affected by CVE-2024-35964
due to missing commit ccf74f2390d6 ("Bluetooth: Add BTPROTO_ISO socket type").

[Backport]

For Focal, I opted not to backport the entire patch series
"get rid of the address_space override in setsockopt v2"
(https://lore.kernel.org/all/20200723060908.50081-1-hch@lst.de/)
as prerequisite since the regression risk would be higher due to
extensive changes to the generic network subsystem. Additionally, the
broad scope of set_fs() removal makes partial backporting potentially
problematic if it would impact various subsystems. Instead, I introduced
bt_copy_from_user(), tailored for the pre-sockptr_t code base, ensuring
that changes remain minimal and concise for those CVEs.

[Fix]

Noble:  fixed via stable
Jammy:  Backport - see more details in each commit's provenance
Focal:  Backport - see more details in each commit's provenance
Bionic: fix sent to esm ML
Xenial: fix sent to esm ML
Trusty: won't fix

[Test Case]

- Compile tested
- Smatch tested on the changed files (with amd64 generic config)

[Where problems could occur]

These fixes affect those who use Bluetooth L2CAP/RFCOMM/SCO/HCI sockets
and do setsockopt(2) against them. Should there be any regression, it
would be visible to the user via unpredicted system or network behavior.


[Shortlog and diffstat for Jammy]

Luiz Augusto von Dentz (4):
  Bluetooth: SCO: Fix not validating setsockopt user input
  Bluetooth: RFCOMM: Fix not validating setsockopt user input
  Bluetooth: L2CAP: Fix not validating setsockopt user input
  Bluetooth: hci_sock: Fix not validating setsockopt user input

 include/net/bluetooth/bluetooth.h |  9 ++++++
 net/bluetooth/hci_sock.c          | 16 ++++------
 net/bluetooth/l2cap_sock.c        | 52 ++++++++++++-------------------
 net/bluetooth/rfcomm/sock.c       | 14 +++------
 net/bluetooth/sco.c               | 19 +++++------
 5 files changed, 48 insertions(+), 62 deletions(-)

[Shortlog and diffstat for Focal]

Dan Carpenter (1):
  Bluetooth: L2CAP: uninitialized variables in l2cap_sock_setsockopt()

Luiz Augusto von Dentz (4):
  Bluetooth: SCO: Fix not validating setsockopt user input
  Bluetooth: RFCOMM: Fix not validating setsockopt user input
  Bluetooth: L2CAP: Fix not validating setsockopt user input
  Bluetooth: hci_sock: Fix not validating setsockopt user input

 include/net/bluetooth/bluetooth.h |  9 ++++++
 net/bluetooth/hci_sock.c          | 16 ++++------
 net/bluetooth/l2cap_sock.c        | 50 +++++++++++++------------------
 net/bluetooth/rfcomm/sock.c       | 14 ++++-----
 net/bluetooth/sco.c               | 14 ++++-----
 5 files changed, 46 insertions(+), 57 deletions(-)
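The vulnerability class fixed by this series is a setsockopt handler that clamps the copy length to min(sizeof(option), optlen) and copies without first checking that optlen covers the whole option, so a short optlen succeeds and leaves the tail of the kernel-side struct holding stale stack data. The following user-space model is an added example, not code from the series or from the kernel: the struct name, the function names and the copy_from_user stand-in are all constructed, and the body of demo_copy_from_user() is an assumed shape of a validating helper in the spirit of the bt_copy_from_user() the cover letter mentions (the page does not show that helper's body).

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a socket option struct (think of a small
 * two-field option like the voice/flush settings these handlers take). */
struct demo_opt {
    uint16_t setting;
    uint16_t flags;
};

/* Stand-in for copy_from_user(): the caller's buffer is modelled as
 * src[0..src_len); bytes beyond it "fault". Like the kernel helper it
 * returns the number of bytes that could not be copied (0 on success). */
static unsigned long model_copy_from_user(void *dst, const void *src,
                                          size_t src_len, size_t n)
{
    if (n > src_len)
        return n - src_len;
    memcpy(dst, src, n);
    return 0;
}

/* Pre-fix pattern: clamp to min(sizeof(*opt), optlen) and copy. A short
 * optlen is accepted, and whatever sat in the tail of *opt before the
 * call (uninitialized stack data in the kernel) is then used as if the
 * user had supplied it. */
static int setsockopt_old(struct demo_opt *opt, const void *optval,
                          size_t optlen)
{
    size_t len = optlen < sizeof(*opt) ? optlen : sizeof(*opt);

    if (model_copy_from_user(opt, optval, optlen, len))
        return -EFAULT;
    return 0;
}

/* Assumed shape of a validating helper (not the series' own code): refuse
 * any source shorter than the destination, then copy exactly dst_size
 * bytes. Over-long optlen is fine; only the first dst_size bytes are read. */
static int demo_copy_from_user(void *dst, size_t dst_size,
                               const void *src, size_t src_size)
{
    if (dst_size > src_size)
        return -EINVAL;
    if (model_copy_from_user(dst, src, src_size, dst_size))
        return -EFAULT;
    return 0;
}

/* Post-fix pattern: one call, length validated before anything is copied. */
static int setsockopt_new(struct demo_opt *opt, const void *optval,
                          size_t optlen)
{
    return demo_copy_from_user(opt, sizeof(*opt), optval, optlen);
}

/* Returns 1 when the old pattern accepts a 2-byte option for a 4-byte
 * struct and leaves `flags` at its stale value, i.e. reproduces the bug. */
static int old_pattern_keeps_stale_tail(void)
{
    uint16_t user_buf = 0x0003;                /* constructed: 2 user bytes */
    struct demo_opt opt = { 0x1111, 0xBEEF };  /* constructed stale contents */
    int rc = setsockopt_old(&opt, &user_buf, sizeof(user_buf));

    return rc == 0 && opt.setting == 3 && opt.flags == 0xBEEF;
}

/* Returns 1 when the validating helper rejects the same short input and
 * writes nothing into the destination. */
static int new_helper_rejects_short(void)
{
    uint16_t user_buf = 0x0003;
    struct demo_opt opt = { 0x1111, 0xBEEF };
    int rc = setsockopt_new(&opt, &user_buf, sizeof(user_buf));

    return rc == -EINVAL && opt.setting == 0x1111 && opt.flags == 0xBEEF;
}

/* Returns 1 when a full-size option is accepted and every field is set. */
static int new_helper_accepts_full(void)
{
    struct demo_opt user = { 3, 0 };
    struct demo_opt opt = { 0x1111, 0xBEEF };
    int rc = setsockopt_new(&opt, &user, sizeof(user));

    return rc == 0 && opt.setting == 3 && opt.flags == 0;
}

/* Returns 1 when an over-long option is accepted and only sizeof(opt)
 * bytes are taken from it. */
static int new_helper_accepts_longer(void)
{
    struct { struct demo_opt o; uint32_t extra; } user = { { 7, 9 }, 0xFFFFFFFFu };
    struct demo_opt opt = { 0x1111, 0xBEEF };
    int rc = setsockopt_new(&opt, &user, sizeof(user));

    return rc == 0 && opt.setting == 7 && opt.flags == 9;
}

int main(void)
{
    printf("old pattern keeps stale tail: %d\n", old_pattern_keeps_stale_tail());
    printf("new helper rejects short:     %d\n", new_helper_rejects_short());
    printf("new helper accepts full:      %d\n", new_helper_accepts_full());
    printf("new helper accepts longer:    %d\n", new_helper_accepts_longer());
    return 0;
}
```

The point of the model is the ordering: the length check happens before any bytes move, and the destination is only ever filled completely, which is also why the Focal backport needs the separate "uninitialized variables" fix from Dan Carpenter listed in its shortlog once the copy helper changes shape.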

Comments

Guoqing Jiang Oct. 29, 2024, 2:02 p.m. UTC | #1
Acked-by: Guoqing Jiang <guoqing.jiang@canonical.com>

Jian Hui Lee Oct. 30, 2024, 2:09 p.m. UTC | #2
Acked-by: Jian Hui Lee <jianhui.lee@canonical.com>

Rather than not to backport (net: add a new sockptr_t type) and (net:
pass a sockptr_t into ->setsockopt), my only concern is introducing
the new bt_copy_from_user(), as it increases the deviation from the
upstream.
