UPSTREAM: bluetooth: Perform careful capability checks in hci_sock_ioctl()
commit 25c150ac upstream. Previously, capability was checked using capable(), which verified that the caller of the ioctl system call had the required capability. In addition, the result of the check would be stored in the HCI_SOCK_TRUSTED flag, making it persistent for the socket. However, malicious programs can abuse this approach by deliberately sharing an HCI socket with a privileged task. The HCI socket will be marked as trusted when the privileged task occasionally makes an ioctl call. This problem can be solved by using sk_capable() to check capability, which ensures that not only the current task but also the socket opener has the specified capability, thus reducing the risk of privilege escalation through the previously identified vulnerability. Bug: 286456284 Cc: stable@vger.kernel.org Fixes: f81f5b2d ("Bluetooth: Send control open and close messages for HCI raw sockets") Signed-off-by:Ruihan Li <lrh2000@pku.edu.cn> Signed-off-by:
Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 47e6893a) Signed-off-by:
Lee Jones <joneslee@google.com> Change-Id: I9a4b20c7b1e9b4e6bbd6371264aec039770a52ff
Loading
Please sign in to comment