linux/drivers/bluetooth
Vladis Dronov b36a1552d7 Bluetooth: hci_uart: check for missing tty operations
Certain ttys operations (pty_unix98_ops) lack tiocmget() and tiocmset()
functions which are called by the certain HCI UART protocols (hci_ath,
hci_bcm, hci_intel, hci_mrvl, hci_qca) via hci_uart_set_flow_control()
or directly. This leads to an execution at NULL and can be triggered by
an unprivileged user. Fix this by adding a helper function and a check
for the missing tty operations in the protocols code.

This fixes CVE-2019-10207. The Fixes: lines list commits where calls to
tiocm[gs]et() or hci_uart_set_flow_control() were added to the HCI UART
protocols.

Link: https://syzkaller.appspot.com/bug?id=1b42faa2848963564a5b1b7f8c837ea7b55ffa50
Reported-by: syzbot+79337b501d6aa974d0f6@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org # v2.6.36+
Fixes: b3190df628 ("Bluetooth: Support for Atheros AR300x serial chip")
Fixes: 118612fb91 ("Bluetooth: hci_bcm: Add suspend/resume PM functions")
Fixes: ff2895592f ("Bluetooth: hci_intel: Add Intel baudrate configuration support")
Fixes: 162f812f23 ("Bluetooth: hci_uart: Add Marvell support")
Fixes: fa9ad876b8 ("Bluetooth: hci_qca: Add support for Qualcomm Bluetooth chip wcn3990")
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Reviewed-by: Yu-Chen, Cho <acho@suse.com>
Tested-by: Yu-Chen, Cho <acho@suse.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-07-31 13:17:33 -07:00
..
ath3k.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
bcm203x.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
bfusb.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
bluecard_cs.c bluetooth: bluecard_cs: Replace GFP_ATOMIC with GFP_KERNEL in bluecard_hci_set_baud_rate() 2018-07-23 18:05:00 +02:00
bpa10x.c Bluetooth: Cleanup formatting and coding style 2019-07-06 12:39:04 +02:00
bt3c_cs.c Bluetooth: bt3c_cs: Fix obsolete function 2018-09-27 12:57:39 +02:00
btbcm.c Bluetooth: btbcm: Add entry for BCM4359C0 UART bluetooth 2019-07-06 12:56:44 +02:00
btbcm.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
btintel.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
btintel.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
btmrvl_debugfs.c Bluetooth: btmrvl: Re-use kstrtol_from_user() 2018-05-30 08:16:05 +02:00
btmrvl_drv.h Bluetooth: btmrvl: Drop unused GPIO includes 2019-01-22 09:51:20 +01:00
btmrvl_main.c Bluetooth: btmrvl: support sysfs initiated firmware coredump 2018-05-29 15:59:50 +02:00
btmrvl_sdio.c Bluetooth: btmrvl: add support for SD8987 chipset 2019-04-23 19:01:45 +02:00
btmrvl_sdio.h btmrvl: add platform specific wakeup interrupt support 2016-05-02 19:26:15 +02:00
btmtksdio.c Bluetooth: btmtksdio: Add runtime PM support to SDIO based Bluetooth 2019-04-23 18:36:20 +02:00
btmtkuart.c Bluetooth: btmtkuart: add an implementation for clock osc property 2019-07-06 13:00:04 +02:00
btqca.c Bluetooth: hci_qca: Load customized NVM based on the device property 2019-07-06 12:55:39 +02:00
btqca.h Bluetooth: hci_qca: Load customized NVM based on the device property 2019-07-06 12:55:39 +02:00
btqcomsmd.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 284 2019-06-05 17:36:37 +02:00
btrsi.c Bluetooth: btrsi: fix bt tx timeout issue 2018-09-27 12:53:40 +02:00
btrtl.c Bluetooth:: btrtl: Add support for RTL8723DU 2019-07-06 13:00:58 +02:00
btrtl.h Bluetooth: btrtl: HCI reset on close for Realtek BT chip 2019-07-06 12:32:50 +02:00
btsdio.c Bluetooth: btsdio: Do not bind to non-removable BCM4356 2019-07-06 12:27:55 +02:00
btusb.c Bluetooth: btusb: Add protocol support for MediaTek MT7663U USB devices 2019-07-06 21:44:25 +02:00
btwilink.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 333 2019-06-05 17:37:06 +02:00
dtl1_cs.c networking: add and use skb_put_u8() 2017-06-16 11:48:40 -04:00
h4_recv.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
hci_ag6xx.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
hci_ath.c Bluetooth: hci_uart: check for missing tty operations 2019-07-31 13:17:33 -07:00
hci_bcm.c Bluetooth: hci_uart: check for missing tty operations 2019-07-31 13:17:33 -07:00
hci_bcsp.c Bluetooth: hci_bcsp: Fix memory leak in rx_skb 2019-07-06 13:02:38 +02:00
hci_h4.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
hci_h5.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
hci_intel.c Bluetooth: hci_uart: check for missing tty operations 2019-07-31 13:17:33 -07:00
hci_ldisc.c Bluetooth: hci_uart: check for missing tty operations 2019-07-31 13:17:33 -07:00
hci_ll.c Bluetooth: Cleanup formatting and coding style 2019-07-06 12:39:04 +02:00
hci_mrvl.c Bluetooth: hci_uart: check for missing tty operations 2019-07-31 13:17:33 -07:00
hci_nokia.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
hci_qca.c Bluetooth: hci_uart: check for missing tty operations 2019-07-31 13:17:33 -07:00
hci_serdev.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
hci_uart.h Bluetooth: hci_uart: check for missing tty operations 2019-07-31 13:17:33 -07:00
hci_vhci.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
Kconfig Bluetooth: btusb: Add protocol support for MediaTek MT7668U USB devices 2019-07-06 21:44:25 +02:00
Makefile Bluetooth: mediatek: add support for MediaTek MT7663S and MT7668S SDIO devices 2019-04-23 18:09:07 +02:00