
Re: CVE-2023-2002: Linux Bluetooth: Unauthorized management command execution


From: 0xef967c36 () gmail com
Date: Tue, 18 Apr 2023 23:53:39 +0300

On Tue, Apr 18, 2023 at 09:28:22PM +0200, Solar Designer wrote:
On Tue, Apr 18, 2023 at 08:13:24PM +0300, 0xef967c36 () gmail com wrote:
There was no number clash. That 'foo or bar or quux' "fix" in strace
was stupid.

It was indeed stupid of me not to realize what was going on, but the

I'm really sorry for that, please accept my apologies.

It seems that the original idea was right (since there really are
different ioctls with the same number, see below), but unrelated
bugs in strace caused it to report false positives.

Here is a (possibly partial) list of collisions, obtained by running
uniq -D over src/ioctlent0.h (a file autogenerated when building strace).

Most interesting are those colliding with TCSETS*, since these ioctls are
currently used by any program such as readline, bash, vi, emacs, etc. that
has to put the terminal into raw mode with tcsetattr().

IOCTL_VMCI_SOCKETS_GET_LOCAL_CID        0x000007b9
IOCTL_VM_SOCKETS_GET_LOCAL_CID  0x000007b9

VFIO_DEVICE_GET_PCI_HOT_RESET_INFO      0x00003b70
VFIO_IOMMU_GET_INFO     0x00003b70
VFIO_IOMMU_SPAPR_TCE_GET_INFO   0x00003b70

VFIO_DEVICE_PCI_HOT_RESET       0x00003b71
VFIO_IOMMU_MAP_DMA      0x00003b71

VFIO_DEVICE_QUERY_GFX_PLANE     0x00003b72
VFIO_IOMMU_UNMAP_DMA    0x00003b72

VFIO_DEVICE_GET_GFX_DMABUF      0x00003b73
VFIO_IOMMU_ENABLE       0x00003b73

VFIO_DEVICE_IOEVENTFD   0x00003b74
VFIO_IOMMU_DISABLE      0x00003b74

VFIO_DEVICE_FEATURE     0x00003b75
VFIO_IOMMU_DIRTY_PAGES  0x00003b75
VFIO_IOMMU_SPAPR_REGISTER_MEMORY        0x00003b75

VFIO_EEH_PE_OP  0x00003b79
VFIO_MIG_GET_PRECOPY_INFO       0x00003b79

AGPIOC_ACQUIRE  0x00004101
APM_IOC_STANDBY 0x00004101

AGPIOC_RELEASE  0x00004102
APM_IOC_SUSPEND 0x00004102

IOCTL_XENBUS_BACKEND_EVTCHN     0x00004200
PMU_IOC_SLEEP   0x00004200

SNDRV_EMU10K1_IOCTL_ZERO_TRAM_COUNTER   0x00004882
SNDRV_EMUX_IOCTL_RESET_SAMPLES  0x00004882

PCITEST_BAR     0x00005001
SNDCTL_DSP_SYNC 0x00005001

FASTRPC_IOCTL_INIT_ATTACH       0x00005204
RNDZAPENTCNT    0x00005204

CDROMAUDIOBUFSIZ        0x00005382
SCSI_IOCTL_GET_IDLUN    0x00005382

SNDCTL_TMR_START        0x00005402
TCSETS  0x00005402

SNDCTL_TMR_STOP 0x00005403
TCSETSW 0x00005403

SNDCTL_TMR_CONTINUE     0x00005404
TCSETSF 0x00005404

UI_DEV_CREATE   0x00005501
USB_RAW_IOCTL_RUN       0x00005501

VBG_IOCTL_VMMDEV_REQUEST_BIG    0x00005603
VT_GETSTATE     0x00005603

DRM_IOCTL_I915_FLUSH    0x00006441
DRM_IOCTL_RADEON_CP_START       0x00006441

DRM_IOCTL_I915_GEM_THROTTLE     0x00006458
DRM_IOCTL_RADEON_CP_RESUME      0x00006458

FUNCTIONFS_FIFO_STATUS  0x00006701
GADGETFS_FIFO_STATUS    0x00006701

FUNCTIONFS_FIFO_FLUSH   0x00006702
GADGETFS_FIFO_FLUSH     0x00006702

FUNCTIONFS_CLEAR_HALT   0x00006703
GADGETFS_CLEAR_HALT     0x00006703

MGSL_IOCTXENABLE        0x00006d04
MMTIMER_GETBITS 0x00006d04

MGSL_IOCTXABORT 0x00006d06
MMTIMER_MMAPAVAIL       0x00006d06

PHN_NOT_OH      0x00007004
RTC_UIE_OFF     0x00007004

SIOCIWFIRST     0x00008b00
SIOCSIWCOMMIT   0x00008b00

BT_BMC_IOCTL_SMS_ATN    0x0000b100
IPMI_BMC_IOCTL_SET_SMS_ATN      0x0000b100

IPMI_BMC_IOCTL_CLEAR_SMS_ATN    0x0000b101
PPPOEIOCDFWD    0x0000b101

AGPIOC_SETUP    0x40044103
SNDRV_PCM_IOCTL_TTSTAMP 0x40044103

AGPIOC_RESERVE  0x40044104
SNDRV_PCM_IOCTL_USER_PVERSION   0x40044104

RFKILL_IOCTL_MAX_SIZE   0x40045202
SAA6588_CMD_CLOSE       0x40045202

USBDEVFS_REAPURBNDELAY32        0x4004550d
USB_RAW_IOCTL_EP_SET_HALT       0x4004550d

IVTV_IOC_PASSTHROUGH_MODE       0x400456c1
VIDIOC_AM437X_CCDC_CFG  0x400456c1

BC_ACQUIRE_RESULT       0x40046302
CM_IOCSPTS      0x40046302

BC_ACQUIRE      0x40046305
CHIOSPICKER     0x40046305

DRM_IOCTL_I915_IRQ_WAIT 0x40046445
DRM_IOCTL_MSM_GEM_CPU_FINI      0x40046445

DRM_IOCTL_I915_DESTROY_HEAP     0x4004644c
DRM_IOCTL_RADEON_STIPPLE        0x4004644c

IPMICTL_SET_MAINTENANCE_MODE_CMD        0x4004691f
LIRC_SET_REC_CARRIER_RANGE      0x4004691f

MATROXFB_SET_OUTPUT_MODE        0x40046efa
SISFB_SET_AUTOMAXIMIZE_OLD      0x40046efa

BTRFS_IOC_CLONE 0x40049409
FICLONE 0x40049409

BINDER_SET_IDLE_TIMEOUT 0x40086203
DMA_BUF_IOCTL_IMPORT_SYNC_FILE  0x40086203

CHIOGSTATUS     0x40086308
RIO_CM_CHAN_CONNECT     0x40086308

DRM_IOCTL_RADEON_CP_STOP        0x40086442
DRM_IOCTL_VGEM_FENCE_SIGNAL     0x40086442

DRM_IOCTL_ETNAVIV_GEM_CPU_FINI  0x40086445
DRM_IOCTL_QXL_CLIENTCAP 0x40086445

DRM_IOCTL_LIMA_CTX_FREE 0x40086446
DRM_IOCTL_PANFROST_PERFCNT_ENABLE       0x40086446

DRM_IOCTL_I915_SETPARAM 0x40086447
DRM_IOCTL_PANFROST_PERFCNT_DUMP 0x40086447

ENI_MEMDUMP     0x400c6160
HE_GET_REG      0x400c6160

NS_SETBUFLEV    0x400c6162
ZATM_GETPOOLZ   0x400c6162

BC_ACQUIRE_DONE 0x40106309
RIO_CM_CHAN_SEND        0x40106309

DRM_IOCTL_IVPU_SET_PARAM        0x40106441
DRM_IOCTL_OMAP_SET_PARAM        0x40106441
DRM_IOCTL_PANFROST_WAIT_BO      0x40106441

DRM_IOCTL_I915_BATCHBUFFER      0x40186443
DRM_IOCTL_QXL_UPDATE_AREA       0x40186443

DRM_IOCTL_ETNAVIV_GEM_CPU_PREP  0x40186444
DRM_IOCTL_MSM_GEM_CPU_PREP      0x40186444

DRM_IOCTL_ETNAVIV_WAIT_FENCE    0x40206447
DRM_IOCTL_MSM_WAIT_FENCE        0x40206447

BTRFS_IOC_CLONE_RANGE   0x4020940d
FICLONERANGE    0x4020940d

AGPIOC_INFO     0x80044100
SNDRV_PCM_IOCTL_PVERSION        0x80044100

CCISS_GETHEARTBEAT      0x80044206
PMU_IOC_GRAB_BACKLIGHT  0x80044206

HIDIOCGRDESCSIZE        0x80044801
HIDIOCGVERSION  0x80044801

I2OVALIDATE     0x80046908
LIRC_GET_MIN_TIMEOUT    0x80046908

MTIOCPOS        0x80046d03
RIO_MPORT_MAINT_PORT_IDX_GET    0x80046d03

MATROXFB_GET_OUTPUT_CONNECTION  0x80046ef8
SISFB_GET_INFO_OLD      0x80046ef8

MATROXFB_GET_AVAILABLE_OUTPUTS  0x80046ef9
SISFB_GET_VBRSTATUS_OLD 0x80046ef9

CM_IOCGATR      0xc0046301
RIO_CM_EP_GET_LIST_SIZE 0xc0046301

DRM_IOCTL_I915_GETPARAM 0xc0086446
DRM_IOCTL_TEGRA_CLOSE_CHANNEL   0xc0086446

DRM_IOCTL_RADEON_GETPARAM       0xc0086451
DRM_IOCTL_TEGRA_CHANNEL_CLOSE   0xc0086451

DRM_IOCTL_AMDGPU_VM     0xc0086453
DRM_IOCTL_TEGRA_CHANNEL_UNMAP   0xc0086453

DRM_IOCTL_EXYNOS_G2D_GET_VER    0xc0086460
DRM_IOCTL_TEGRA_SYNCPOINT_ALLOCATE      0xc0086460

DRM_IOCTL_MSM_GEM_MADVISE       0xc00c6448
DRM_IOCTL_PANFROST_MADVISE      0xc00c6448

DRM_IOCTL_ETNAVIV_GET_PARAM     0xc0106440
DRM_IOCTL_EXYNOS_GEM_CREATE     0xc0106440
DRM_IOCTL_IVPU_GET_PARAM        0xc0106440
DRM_IOCTL_LIMA_GET_PARAM        0xc0106440
DRM_IOCTL_OMAP_GET_PARAM        0xc0106440
DRM_IOCTL_TEGRA_GEM_CREATE      0xc0106440

DRM_IOCTL_EXYNOS_GEM_MAP        0xc0106441
DRM_IOCTL_LIMA_GEM_CREATE       0xc0106441
DRM_IOCTL_QXL_MAP       0xc0106441
DRM_IOCTL_TEGRA_GEM_MMAP        0xc0106441
DRM_IOCTL_V3D_WAIT_BO   0xc0106441
DRM_IOCTL_VC4_WAIT_SEQNO        0xc0106441
DRM_IOCTL_VGEM_FENCE_ATTACH     0xc0106441
DRM_IOCTL_VIRTGPU_MAP   0xc0106441

DRM_IOCTL_AMDGPU_CTX    0xc0106442
DRM_IOCTL_ETNAVIV_GEM_NEW       0xc0106442
DRM_IOCTL_LIMA_GEM_INFO 0xc0106442
DRM_IOCTL_MSM_GEM_NEW   0xc0106442
DRM_IOCTL_V3D_CREATE_BO 0xc0106442
DRM_IOCTL_VC4_WAIT_BO   0xc0106442

DRM_IOCTL_ETNAVIV_GEM_INFO      0xc0106443
DRM_IOCTL_OMAP_GEM_NEW  0xc0106443
DRM_IOCTL_PANFROST_MMAP_BO      0xc0106443
DRM_IOCTL_V3D_MMAP_BO   0xc0106443
DRM_IOCTL_VC4_CREATE_BO 0xc0106443
DRM_IOCTL_VIRTGPU_GETPARAM      0xc0106443

DRM_IOCTL_EXYNOS_GEM_GET        0xc0106444
DRM_IOCTL_PANFROST_GET_PARAM    0xc0106444
DRM_IOCTL_QXL_GETPARAM  0xc0106444
DRM_IOCTL_TEGRA_SYNCPT_WAIT     0xc0106444
DRM_IOCTL_V3D_GET_PARAM 0xc0106444
DRM_IOCTL_VC4_MMAP_BO   0xc0106444

DRM_IOCTL_PANFROST_GET_BO_OFFSET        0xc0106445
DRM_IOCTL_TEGRA_OPEN_CHANNEL    0xc0106445
DRM_IOCTL_VIRTGPU_RESOURCE_INFO 0xc0106445

DRM_IOCTL_AMDGPU_GEM_WAIT_IDLE  0xc0106447
DRM_IOCTL_EXYNOS_VIDI_CONNECTION        0xc0106447
DRM_IOCTL_TEGRA_GET_SYNCPT      0xc0106447
DRM_IOCTL_VC4_GET_PARAM 0xc0106447

DRM_IOCTL_I915_ALLOC    0xc0106448
DRM_IOCTL_NOUVEAU_SVM_INIT      0xc0106448
DRM_IOCTL_VC4_SET_TILING        0xc0106448

DRM_IOCTL_TEGRA_GET_SYNCPT_BASE 0xc0106449
DRM_IOCTL_VC4_GET_TILING        0xc0106449

DRM_IOCTL_TEGRA_GEM_SET_TILING  0xc010644a
DRM_IOCTL_V3D_PERFMON_GET_VALUES        0xc010644a
DRM_IOCTL_VC4_LABEL_BO  0xc010644a

DRM_IOCTL_TEGRA_GEM_GET_TILING  0xc010644b
DRM_IOCTL_VC4_GEM_MADVISE       0xc010644b
DRM_IOCTL_VIRTGPU_CONTEXT_INIT  0xc010644b

DRM_IOCTL_I915_GEM_WAIT 0xc010646c
DRM_IOCTL_RADEON_GEM_OP 0xc010646c

DRM_IOCTL_IVPU_BO_CREATE        0xc0186442
DRM_IOCTL_PANFROST_CREATE_BO    0xc0186442

DRM_IOCTL_AMDGPU_BO_LIST        0xc0186443
DRM_IOCTL_MSM_GEM_INFO  0xc0186443

DRM_IOCTL_IVPU_BO_WAIT  0xc0186446
DRM_IOCTL_OMAP_GEM_INFO 0xc0186446
DRM_IOCTL_QXL_ALLOC_SURF        0xc0186446

BTRFS_IOC_FILE_EXTENT_SAME      0xc0189436
FIDEDUPERANGE   0xc0189436

DRM_IOCTL_ETNAVIV_GEM_SUBMIT    0xc0486446
DRM_IOCTL_MSM_GEM_SUBMIT        0xc0486446

