bluetooth: Add cmd validity checks at the start of hci_sock_ioctl()
Previously, channel open messages were always sent to monitors on the first ioctl() call for unbound HCI sockets, even if the command and arguments were completely invalid. This can leave an exploitable hole with the abuse of invalid ioctl calls. This commit hardens the ioctl processing logic by first checking if the command is valid, and immediately returning with an ENOIOCTLCMD error code if it is not. This ensures that ioctl calls with invalid commands are free of side effects, and increases the difficulty of further exploitation by forcing exploitation to find a way to pass a valid command first. Signed-off-by: Ruihan Li <lrh2000@pku.edu.cn> Co-developed-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
This commit is contained in:
parent
db2bf510bd
commit
000c2fa2c1
|
@ -987,6 +987,34 @@ static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
|
|||
|
||||
BT_DBG("cmd %x arg %lx", cmd, arg);
|
||||
|
||||
/* Make sure the cmd is valid before doing anything */
|
||||
switch (cmd) {
|
||||
case HCIGETDEVLIST:
|
||||
case HCIGETDEVINFO:
|
||||
case HCIGETCONNLIST:
|
||||
case HCIDEVUP:
|
||||
case HCIDEVDOWN:
|
||||
case HCIDEVRESET:
|
||||
case HCIDEVRESTAT:
|
||||
case HCISETSCAN:
|
||||
case HCISETAUTH:
|
||||
case HCISETENCRYPT:
|
||||
case HCISETPTYPE:
|
||||
case HCISETLINKPOL:
|
||||
case HCISETLINKMODE:
|
||||
case HCISETACLMTU:
|
||||
case HCISETSCOMTU:
|
||||
case HCIINQUIRY:
|
||||
case HCISETRAW:
|
||||
case HCIGETCONNINFO:
|
||||
case HCIGETAUTHINFO:
|
||||
case HCIBLOCKADDR:
|
||||
case HCIUNBLOCKADDR:
|
||||
break;
|
||||
default:
|
||||
return -ENOIOCTLCMD;
|
||||
}
|
||||
|
||||
lock_sock(sk);
|
||||
|
||||
if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
|
||||
|
|
Loading…
Reference in New Issue