From patchwork Mon Oct 28 07:58:51 2024
X-Patchwork-Submitter: Koichiro Den
X-Patchwork-Id: 2003142
From: Koichiro Den
To: kernel-team@lists.ubuntu.com
Subject: [SRU][J/F][J:PATCH 0/4 F:PATCH 0/5] CVE-2024-35963, CVE-2024-35965, CVE-2024-35966, CVE-2024-35967
Date: Mon, 28 Oct 2024 16:58:51 +0900
Message-ID: <20241028075902.114546-1-koichiro.den@canonical.com>

[Impact]
These CVEs originated from the same patch series (no cover letter):
[PATCH v2 1/5] Bluetooth: SCO: Fix not validating setsockopt user input
(https://lore.kernel.org/all/20240405204827.3458726-1-luiz.dentz@gmail.com/)

Note that Jammy and Focal are not affected by CVE-2024-35964 due to missing commit ccf74f2390d6 ("Bluetooth: Add BTPROTO_ISO socket type").

[Backport]
For Focal, I opted not to backport the entire patch series "get rid of the address_space override in setsockopt v2" (https://lore.kernel.org/all/20200723060908.50081-1-hch@lst.de/) as a prerequisite, since the regression risk would be higher due to extensive changes to the generic network subsystem. Additionally, the broad scope of set_fs() removal makes partial backporting potentially problematic if it would impact various subsystems. Instead, I introduced bt_copy_from_user(), tailored for the pre-sockptr_t code base, ensuring that changes remain minimal and concise for those CVEs.

[Fix]
Noble: fixed via stable
Jammy: Backport - see more details in each commit's provenance
Focal: Backport - see more details in each commit's provenance
Bionic: fix sent to esm ML
Xenial: fix sent to esm ML
Trusty: won't fix

[Test Case]
- Compile tested
- Smatch tested on the changed files (with amd64 generic config)

[Where problems could occur]
These fixes affect those who use Bluetooth L2CAP/RFCOMM/SCO/HCI sockets and do setsockopt(2) against them. Should there be any regression, it would be visible to the user via unpredicted system or network behavior.

[Shortlog and diffstat for Jammy]
Luiz Augusto von Dentz (4):
  Bluetooth: SCO: Fix not validating setsockopt user input
  Bluetooth: RFCOMM: Fix not validating setsockopt user input
  Bluetooth: L2CAP: Fix not validating setsockopt user input
  Bluetooth: hci_sock: Fix not validating setsockopt user input

 include/net/bluetooth/bluetooth.h |  9 ++++++
 net/bluetooth/hci_sock.c          | 16 ++++------
 net/bluetooth/l2cap_sock.c        | 52 ++++++++++++-------------------
 net/bluetooth/rfcomm/sock.c       | 14 +++------
 net/bluetooth/sco.c               | 19 +++++------
 5 files changed, 48 insertions(+), 62 deletions(-)

[Shortlog and diffstat for Focal]
Dan Carpenter (1):
  Bluetooth: L2CAP: uninitialized variables in l2cap_sock_setsockopt()

Luiz Augusto von Dentz (4):
  Bluetooth: SCO: Fix not validating setsockopt user input
  Bluetooth: RFCOMM: Fix not validating setsockopt user input
  Bluetooth: L2CAP: Fix not validating setsockopt user input
  Bluetooth: hci_sock: Fix not validating setsockopt user input

 include/net/bluetooth/bluetooth.h |  9 ++++++
 net/bluetooth/hci_sock.c          | 16 ++++------
 net/bluetooth/l2cap_sock.c        | 50 +++++++++++++------------------
 net/bluetooth/rfcomm/sock.c       | 14 ++++-----
 net/bluetooth/sco.c               | 14 ++++-----
 5 files changed, 46 insertions(+), 57 deletions(-)

Acked-by: Guoqing Jiang
Acked-by: Jian Hui Lee
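To illustrate the class of defect the "Fix not validating setsockopt user input" patches close, here is an added user-space C model (not code from the patches, and not the kernel's bt_copy_from_user()): the old pattern copies min(optlen, sizeof) and silently accepts a short option, while a length-checking helper of the shape the series introduces rejects it with -EINVAL before copying. struct demo_opts, fake_copy_from_user() and the demo_* functions are constructed for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed option struct standing in for a Bluetooth socket option. */
struct demo_opts {
    uint16_t mtu;
    uint16_t flush_to;
    uint8_t  mode;
    uint8_t  fcs;
};

/* Stand-in for the kernel's copy_from_user(): always succeeds here. */
static int fake_copy_from_user(void *dst, const void *src, size_t n)
{
    memcpy(dst, src, n);
    return 0;
}

/* Old pattern: copy min(optlen, sizeof(*opts)). A short optlen leaves the
 * tail of *opts holding whatever it held before. Returns bytes copied. */
static size_t unchecked_setsockopt(struct demo_opts *opts,
                                   const void *optval, size_t optlen)
{
    size_t len = optlen < sizeof(*opts) ? optlen : sizeof(*opts);
    fake_copy_from_user(opts, optval, len);
    return len;
}

/* Validating helper (model): refuse unless the caller supplied at least
 * dst_size bytes, then copy exactly dst_size. 0 on success, -EINVAL otherwise. */
static int checked_copy(void *dst, size_t dst_size,
                        const void *src, size_t src_size)
{
    if (dst_size > src_size)
        return -EINVAL;
    return fake_copy_from_user(dst, src, dst_size);
}

/* Fixed pattern: the option is either read in full or rejected. */
static int checked_setsockopt(struct demo_opts *opts,
                              const void *optval, size_t optlen)
{
    return checked_copy(opts, sizeof(*opts), optval, optlen);
}

/* Scenario: user space passes only 2 bytes for a 6-byte option (constructed). */
static size_t demo_short_unchecked(void)
{
    uint8_t user_buf[2] = { 0xff, 0x03 };
    struct demo_opts o = { 0 };
    return unchecked_setsockopt(&o, user_buf, sizeof user_buf);  /* 2: partial copy */
}

static int demo_short_checked(void)
{
    uint8_t user_buf[2] = { 0xff, 0x03 };
    struct demo_opts o = { 0 };
    return checked_setsockopt(&o, user_buf, sizeof user_buf);    /* -EINVAL */
}

/* Scenario: a full-size option is accepted and copied intact. Returns mtu. */
static int demo_full_checked(void)
{
    struct demo_opts user = { .mtu = 672, .flush_to = 0xffff, .mode = 0, .fcs = 1 };
    struct demo_opts o = { 0 };
    if (checked_setsockopt(&o, &user, sizeof user) != 0)
        return -1;
    return o.mtu;
}
```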