[SRU][J/F][J:PATCH 0/4 F:PATCH 0/5] CVE-2024-35963, CVE-2024-35965, CVE-2024-35966, CVE-2024-35967
Koichiro Den
koichiro.den at canonical.com
Mon Oct 28 07:58:51 UTC 2024
[Impact]
These CVEs originated from the same patch series (no cover letter):
[PATCH v2 1/5] Bluetooth: SCO: Fix not validating setsockopt user input
(https://lore.kernel.org/all/20240405204827.3458726-1-luiz.dentz@gmail.com/)
Note that Jammy and Focal are not affected by CVE-2024-35964
due to missing commit ccf74f2390d6 ("Bluetooth: Add BTPROTO_ISO socket type").
[Backport]
For Focal, I opted not to backport the entire patch series
"get rid of the address_space override in setsockopt v2"
(https://lore.kernel.org/all/20200723060908.50081-1-hch@lst.de/)
as prerequisite since the regression risk would be higher due to
extensive changes to the generic network subsystem. Additionally, the
broad scope of set_fs() removal makes partial backporting potentially
problematic if it would impact various subsystems. Instead, I introduced
bt_copy_from_user(), tailored for the pre-sockptr_t code base, ensuring
that changes remain minimal and concise for those CVEs.
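To illustrate the bug class these four fixes address and the shape of a bounded copy helper, here is an added user-space C model (not the kernel's bt_copy_from_user() or any code from this series): user_buf, fake_copy_from_user(), bounded_copy_from_user() and run_scenario() are constructed stand-ins that simulate copy_from_user() and report how many bytes an unchecked copy reads past the caller's optlen.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Model of a user buffer: only the bytes the caller actually owns. */
struct user_buf { const uint8_t *ptr; size_t len; };
static size_t g_overread; /* bytes the last copy fetched past that buffer */

/* Stand-in for copy_from_user(): a kernel reads n bytes even when the caller
 * supplied fewer, so this records the excess instead of failing. */
static int fake_copy_from_user(void *dst, struct user_buf src, size_t n)
{
    g_overread = n > src.len ? n - src.len : 0;
    memcpy(dst, src.ptr, n);
    return 0;
}
/* Vulnerable pattern: optlen is ignored, sizeof(*opt) is always copied. */
int setsockopt_unchecked(uint32_t *opt, struct user_buf optval, size_t optlen)
{
    (void)optlen;
    return fake_copy_from_user(opt, optval, sizeof(*opt)) ? -EFAULT : 0;
}
/* Hypothetical bounded-copy helper: refuse input too short to fill the option
 * (no over-read, no half-initialized option), never copy more than dst holds. */
static int bounded_copy_from_user(void *dst, size_t dst_size,
                                  struct user_buf src, size_t src_size)
{
    if (src_size < dst_size)
        return -EINVAL;
    return fake_copy_from_user(dst, src, dst_size) ? -EFAULT : 0;
}

int setsockopt_checked(uint32_t *opt, struct user_buf optval, size_t optlen)
{
    return bounded_copy_from_user(opt, sizeof(*opt), optval, optlen);
}

/* Constructed scenario: the caller owns 'owned' bytes of a 16-byte region and
 * passes that as optlen; returns the setsockopt result and the over-read count. */
int run_scenario(size_t owned, int checked, size_t *overread)
{
    uint8_t region[16] = {0};
    struct user_buf ub = { region, owned };
    uint32_t opt = 0;
    g_overread = 0;
    int rc = checked ? setsockopt_checked(&opt, ub, owned)
                     : setsockopt_unchecked(&opt, ub, owned);
    *overread = g_overread;
    return rc;
}
```

With a 2-byte optlen the unchecked path "succeeds" while reading 2 bytes past the caller's buffer; the checked path returns -EINVAL instead, and both agree once optlen covers the whole option.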
[Fix]
Noble: fixed via stable
Jammy: Backport - see more details in each commit's provenance
Focal: Backport - see more details in each commit's provenance
Bionic: fix sent to esm ML
Xenial: fix sent to esm ML
Trusty: won't fix
[Test Case]
- Compile tested
- Smatch tested on the changed files (with amd64 generic config)
[Where problems could occur]
These fixes affect those who use Bluetooth L2CAP/RFCOMM/SCO/HCI sockets
and call setsockopt(2) on them. Should there be any regression, it
would be visible to the user as unexpected system or network behavior.
[Shortlog and diffstat for Jammy]
Luiz Augusto von Dentz (4):
Bluetooth: SCO: Fix not validating setsockopt user input
Bluetooth: RFCOMM: Fix not validating setsockopt user input
Bluetooth: L2CAP: Fix not validating setsockopt user input
Bluetooth: hci_sock: Fix not validating setsockopt user input
include/net/bluetooth/bluetooth.h | 9 ++++++
net/bluetooth/hci_sock.c | 16 ++++------
net/bluetooth/l2cap_sock.c | 52 ++++++++++++-------------------
net/bluetooth/rfcomm/sock.c | 14 +++------
net/bluetooth/sco.c | 19 +++++------
5 files changed, 48 insertions(+), 62 deletions(-)
[Shortlog and diffstat for Focal]
Dan Carpenter (1):
Bluetooth: L2CAP: uninitialized variables in l2cap_sock_setsockopt()
Luiz Augusto von Dentz (4):
Bluetooth: SCO: Fix not validating setsockopt user input
Bluetooth: RFCOMM: Fix not validating setsockopt user input
Bluetooth: L2CAP: Fix not validating setsockopt user input
Bluetooth: hci_sock: Fix not validating setsockopt user input
include/net/bluetooth/bluetooth.h | 9 ++++++
net/bluetooth/hci_sock.c | 16 ++++------
net/bluetooth/l2cap_sock.c | 50 +++++++++++++------------------
net/bluetooth/rfcomm/sock.c | 14 ++++-----
net/bluetooth/sco.c | 14 ++++-----
5 files changed, 46 insertions(+), 57 deletions(-)
--
2.43.0