[SRU,F,3/5] Bluetooth: L2CAP: uninitialized variables in l2cap_sock_setsockopt()

Message ID 20241028075902.114546-8-koichiro.den@canonical.com
State New

Commit Message

Koichiro Den Oct. 28, 2024, 7:58 a.m. UTC
From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit 2b70d4f9b20635ac328836e50d183632e1930f94 ]

The "opt" variable is a u32, but on some paths only the top bytes
were initialized and the others contained random stack data.

Fixes: a7b75c5a8c41 ("net: pass a sockptr_t into ->setsockopt")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(backported from commit 9d6350cf8e5aa6acf1a7c72f7a9ca000e5fa447d linux-5.10.y)
[koichiroden: Adjusted context due to missing commit
a7b75c5a8c41 ("net: pass a sockptr_t into ->setsockopt"),
which is Fixes target but this patch is still beneficial without it as
prerequisite]
CVE-2024-35965
Signed-off-by: Koichiro Den <koichiro.den@canonical.com>
---
 net/bluetooth/l2cap_sock.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

Patch

diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 9eea2af9a8e1..633a3bcf1ab6 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -776,6 +776,7 @@  static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
 	struct l2cap_conn *conn;
 	int len, err = 0;
 	u32 opt;
+	u16 mtu;
 
 	BT_DBG("sk %p", sk);
 
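Review bot: `u32 opt;` stays declared without an initializer next to the new `u16 mtu;`, so the hazard named in the commit message is only removed for the one case the second hunk touches. It is worth confirming that no other case in l2cap_sock_setsockopt() in this tree fills `opt` through a read narrower than 32 bits and then uses the full value. Declaring `mtu` at function scope for a single user is fine here, since it matches the upstream commit and keeps later cherry-picks clean.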
@@ -957,12 +958,12 @@  static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
 			break;
 		}
 
-		if (get_user(opt, (u16 __user *) optval)) {
+		if (get_user(mtu, (u16 __user *) optval)) {
 			err = -EFAULT;
 			break;
 		}
 
-		chan->imtu = opt;
+		chan->imtu = mtu;
 		break;
 
 	default:
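Review bot: the removed line `get_user(opt, (u16 __user *) optval)` fetches 16 bits and assigns the result to `opt` as a whole, so on this path the remaining bytes of `opt` were not left holding stack data in this tree. The "only the top bytes were initialized" description fits the sockptr_t-based copy from a7b75c5a8c41, which the backport note says is absent here. The change to `get_user(mtu, ...)` and `chan->imtu = mtu` is harmless and keeps the code aligned with upstream, but the backport note should say explicitly what the patch fixes in this tree, so that the CVE-2024-35965 applicability is not overstated. Separately, no range check on `mtu` is visible between the `get_user()` and the assignment to `chan->imtu`; if none exists earlier in this case, that is a question for a follow-up rather than this backport.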