Re: CVE-2023-2002: Linux Bluetooth: Unauthorized management command execution

[0xef967c36 () gmail com]

On Wed, Apr 19, 2023 at 02:37:35AM +0800, Ruihan Li wrote:
> It appears that SNDCTL_TMR_TIMEBASE and TCGETS do have the same command code,
> which sits in the lower 16 bits. But SNDCTL_TMR_TIMEBASE uses a newer command
> encoding scheme [2] that includes the direction and argument size in the
> higher 16 bits. TCGETS, on the other hand, contains only the command code, so

That encoding scheme is quite old; it's there since at least 30 years.

> its higher bits are set to zero (TCGETS should have a really long history,
> just longer than that of the new ioctl command encoding scheme).
>
> [2]: https://elixir.bootlin.com/linux/v6.3-rc7/source/include/uapi/asm-generic/ioctl.h#L5 
>
> This means we haven't had any collisions yet. Also, since new ioctl commands

There actually are some collisions, just not the one with isatty() -> TCGETS

eg SNDCTL_TMR_START == TCSETS

> will certainly be encoded using the new encoding scheme, which TCGETS does not
> use, it is very unlikely that new collisions will occur in the future, unless
> the command code is exactly the same and the higher bits under the new
> encoding scheme are also occasionally zeros.

The _IO variant (without direction and size) can collide with
old-style ioctl, like those CDROM*, etc.