Message-ID: <5e92a8d676a0ddfb5c426f3412bd7aa6.1ab4a9b2@ignited.turnovers>
Date: Tue, 18 Apr 2023 23:53:39 +0300
From: 0xef967c36@...il.com
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2023-2002: Linux Bluetooth: Unauthorized management command execution

On Tue, Apr 18, 2023 at 09:28:22PM +0200, Solar Designer wrote:
> On Tue, Apr 18, 2023 at 08:13:24PM +0300, 0xef967c36@...il.com wrote:
> > There was no number clash. That 'foo or bar or quux' "fix" in strace
> > was stupid.
>
> It was indeed stupid of me not to realize what was going on, but the

I'm really sorry for that, please accept my apologies.

It seems that the original idea was right (since there really are different ioctls with the same number, see below); but unrelated bugs in strace caused it to report false positives.

Here is a (possibly partial) list of collisions, obtained with uniq -D from src/ioctlent0.h (a file autogenerated when building strace). Most interesting are those with TCSETS*, since they're currently used by any program like readline, bash, vi, emacs, etc. which has to set the terminal into raw mode with tcsetattr().
IOCTL_VMCI_SOCKETS_GET_LOCAL_CID 0x000007b9
IOCTL_VM_SOCKETS_GET_LOCAL_CID 0x000007b9
VFIO_DEVICE_GET_PCI_HOT_RESET_INFO 0x00003b70
VFIO_IOMMU_GET_INFO 0x00003b70
VFIO_IOMMU_SPAPR_TCE_GET_INFO 0x00003b70
VFIO_DEVICE_PCI_HOT_RESET 0x00003b71
VFIO_IOMMU_MAP_DMA 0x00003b71
VFIO_DEVICE_QUERY_GFX_PLANE 0x00003b72
VFIO_IOMMU_UNMAP_DMA 0x00003b72
VFIO_DEVICE_GET_GFX_DMABUF 0x00003b73
VFIO_IOMMU_ENABLE 0x00003b73
VFIO_DEVICE_IOEVENTFD 0x00003b74
VFIO_IOMMU_DISABLE 0x00003b74
VFIO_DEVICE_FEATURE 0x00003b75
VFIO_IOMMU_DIRTY_PAGES 0x00003b75
VFIO_IOMMU_SPAPR_REGISTER_MEMORY 0x00003b75
VFIO_EEH_PE_OP 0x00003b79
VFIO_MIG_GET_PRECOPY_INFO 0x00003b79
AGPIOC_ACQUIRE 0x00004101
APM_IOC_STANDBY 0x00004101
AGPIOC_RELEASE 0x00004102
APM_IOC_SUSPEND 0x00004102
IOCTL_XENBUS_BACKEND_EVTCHN 0x00004200
PMU_IOC_SLEEP 0x00004200
SNDRV_EMU10K1_IOCTL_ZERO_TRAM_COUNTER 0x00004882
SNDRV_EMUX_IOCTL_RESET_SAMPLES 0x00004882
PCITEST_BAR 0x00005001
SNDCTL_DSP_SYNC 0x00005001
FASTRPC_IOCTL_INIT_ATTACH 0x00005204
RNDZAPENTCNT 0x00005204
CDROMAUDIOBUFSIZ 0x00005382
SCSI_IOCTL_GET_IDLUN 0x00005382
SNDCTL_TMR_START 0x00005402
TCSETS 0x00005402
SNDCTL_TMR_STOP 0x00005403
TCSETSW 0x00005403
SNDCTL_TMR_CONTINUE 0x00005404
TCSETSF 0x00005404
UI_DEV_CREATE 0x00005501
USB_RAW_IOCTL_RUN 0x00005501
VBG_IOCTL_VMMDEV_REQUEST_BIG 0x00005603
VT_GETSTATE 0x00005603
DRM_IOCTL_I915_FLUSH 0x00006441
DRM_IOCTL_RADEON_CP_START 0x00006441
DRM_IOCTL_I915_GEM_THROTTLE 0x00006458
DRM_IOCTL_RADEON_CP_RESUME 0x00006458
FUNCTIONFS_FIFO_STATUS 0x00006701
GADGETFS_FIFO_STATUS 0x00006701
FUNCTIONFS_FIFO_FLUSH 0x00006702
GADGETFS_FIFO_FLUSH 0x00006702
FUNCTIONFS_CLEAR_HALT 0x00006703
GADGETFS_CLEAR_HALT 0x00006703
MGSL_IOCTXENABLE 0x00006d04
MMTIMER_GETBITS 0x00006d04
MGSL_IOCTXABORT 0x00006d06
MMTIMER_MMAPAVAIL 0x00006d06
PHN_NOT_OH 0x00007004
RTC_UIE_OFF 0x00007004
SIOCIWFIRST 0x00008b00
SIOCSIWCOMMIT 0x00008b00
BT_BMC_IOCTL_SMS_ATN 0x0000b100
IPMI_BMC_IOCTL_SET_SMS_ATN 0x0000b100
IPMI_BMC_IOCTL_CLEAR_SMS_ATN 0x0000b101
PPPOEIOCDFWD 0x0000b101
AGPIOC_SETUP 0x40044103
SNDRV_PCM_IOCTL_TTSTAMP 0x40044103
AGPIOC_RESERVE 0x40044104
SNDRV_PCM_IOCTL_USER_PVERSION 0x40044104
RFKILL_IOCTL_MAX_SIZE 0x40045202
SAA6588_CMD_CLOSE 0x40045202
USBDEVFS_REAPURBNDELAY32 0x4004550d
USB_RAW_IOCTL_EP_SET_HALT 0x4004550d
IVTV_IOC_PASSTHROUGH_MODE 0x400456c1
VIDIOC_AM437X_CCDC_CFG 0x400456c1
BC_ACQUIRE_RESULT 0x40046302
CM_IOCSPTS 0x40046302
BC_ACQUIRE 0x40046305
CHIOSPICKER 0x40046305
DRM_IOCTL_I915_IRQ_WAIT 0x40046445
DRM_IOCTL_MSM_GEM_CPU_FINI 0x40046445
DRM_IOCTL_I915_DESTROY_HEAP 0x4004644c
DRM_IOCTL_RADEON_STIPPLE 0x4004644c
IPMICTL_SET_MAINTENANCE_MODE_CMD 0x4004691f
LIRC_SET_REC_CARRIER_RANGE 0x4004691f
MATROXFB_SET_OUTPUT_MODE 0x40046efa
SISFB_SET_AUTOMAXIMIZE_OLD 0x40046efa
BTRFS_IOC_CLONE 0x40049409
FICLONE 0x40049409
BINDER_SET_IDLE_TIMEOUT 0x40086203
DMA_BUF_IOCTL_IMPORT_SYNC_FILE 0x40086203
CHIOGSTATUS 0x40086308
RIO_CM_CHAN_CONNECT 0x40086308
DRM_IOCTL_RADEON_CP_STOP 0x40086442
DRM_IOCTL_VGEM_FENCE_SIGNAL 0x40086442
DRM_IOCTL_ETNAVIV_GEM_CPU_FINI 0x40086445
DRM_IOCTL_QXL_CLIENTCAP 0x40086445
DRM_IOCTL_LIMA_CTX_FREE 0x40086446
DRM_IOCTL_PANFROST_PERFCNT_ENABLE 0x40086446
DRM_IOCTL_I915_SETPARAM 0x40086447
DRM_IOCTL_PANFROST_PERFCNT_DUMP 0x40086447
ENI_MEMDUMP 0x400c6160
HE_GET_REG 0x400c6160
NS_SETBUFLEV 0x400c6162
ZATM_GETPOOLZ 0x400c6162
BC_ACQUIRE_DONE 0x40106309
RIO_CM_CHAN_SEND 0x40106309
DRM_IOCTL_IVPU_SET_PARAM 0x40106441
DRM_IOCTL_OMAP_SET_PARAM 0x40106441
DRM_IOCTL_PANFROST_WAIT_BO 0x40106441
DRM_IOCTL_I915_BATCHBUFFER 0x40186443
DRM_IOCTL_QXL_UPDATE_AREA 0x40186443
DRM_IOCTL_ETNAVIV_GEM_CPU_PREP 0x40186444
DRM_IOCTL_MSM_GEM_CPU_PREP 0x40186444
DRM_IOCTL_ETNAVIV_WAIT_FENCE 0x40206447
DRM_IOCTL_MSM_WAIT_FENCE 0x40206447
BTRFS_IOC_CLONE_RANGE 0x4020940d
FICLONERANGE 0x4020940d
AGPIOC_INFO 0x80044100
SNDRV_PCM_IOCTL_PVERSION 0x80044100
CCISS_GETHEARTBEAT 0x80044206
PMU_IOC_GRAB_BACKLIGHT 0x80044206
HIDIOCGRDESCSIZE 0x80044801
HIDIOCGVERSION 0x80044801
I2OVALIDATE 0x80046908
LIRC_GET_MIN_TIMEOUT 0x80046908
MTIOCPOS 0x80046d03
RIO_MPORT_MAINT_PORT_IDX_GET 0x80046d03
MATROXFB_GET_OUTPUT_CONNECTION 0x80046ef8
SISFB_GET_INFO_OLD 0x80046ef8
MATROXFB_GET_AVAILABLE_OUTPUTS 0x80046ef9
SISFB_GET_VBRSTATUS_OLD 0x80046ef9
CM_IOCGATR 0xc0046301
RIO_CM_EP_GET_LIST_SIZE 0xc0046301
DRM_IOCTL_I915_GETPARAM 0xc0086446
DRM_IOCTL_TEGRA_CLOSE_CHANNEL 0xc0086446
DRM_IOCTL_RADEON_GETPARAM 0xc0086451
DRM_IOCTL_TEGRA_CHANNEL_CLOSE 0xc0086451
DRM_IOCTL_AMDGPU_VM 0xc0086453
DRM_IOCTL_TEGRA_CHANNEL_UNMAP 0xc0086453
DRM_IOCTL_EXYNOS_G2D_GET_VER 0xc0086460
DRM_IOCTL_TEGRA_SYNCPOINT_ALLOCATE 0xc0086460
DRM_IOCTL_MSM_GEM_MADVISE 0xc00c6448
DRM_IOCTL_PANFROST_MADVISE 0xc00c6448
DRM_IOCTL_ETNAVIV_GET_PARAM 0xc0106440
DRM_IOCTL_EXYNOS_GEM_CREATE 0xc0106440
DRM_IOCTL_IVPU_GET_PARAM 0xc0106440
DRM_IOCTL_LIMA_GET_PARAM 0xc0106440
DRM_IOCTL_OMAP_GET_PARAM 0xc0106440
DRM_IOCTL_TEGRA_GEM_CREATE 0xc0106440
DRM_IOCTL_EXYNOS_GEM_MAP 0xc0106441
DRM_IOCTL_LIMA_GEM_CREATE 0xc0106441
DRM_IOCTL_QXL_MAP 0xc0106441
DRM_IOCTL_TEGRA_GEM_MMAP 0xc0106441
DRM_IOCTL_V3D_WAIT_BO 0xc0106441
DRM_IOCTL_VC4_WAIT_SEQNO 0xc0106441
DRM_IOCTL_VGEM_FENCE_ATTACH 0xc0106441
DRM_IOCTL_VIRTGPU_MAP 0xc0106441
DRM_IOCTL_AMDGPU_CTX 0xc0106442
DRM_IOCTL_ETNAVIV_GEM_NEW 0xc0106442
DRM_IOCTL_LIMA_GEM_INFO 0xc0106442
DRM_IOCTL_MSM_GEM_NEW 0xc0106442
DRM_IOCTL_V3D_CREATE_BO 0xc0106442
DRM_IOCTL_VC4_WAIT_BO 0xc0106442
DRM_IOCTL_ETNAVIV_GEM_INFO 0xc0106443
DRM_IOCTL_OMAP_GEM_NEW 0xc0106443
DRM_IOCTL_PANFROST_MMAP_BO 0xc0106443
DRM_IOCTL_V3D_MMAP_BO 0xc0106443
DRM_IOCTL_VC4_CREATE_BO 0xc0106443
DRM_IOCTL_VIRTGPU_GETPARAM 0xc0106443
DRM_IOCTL_EXYNOS_GEM_GET 0xc0106444
DRM_IOCTL_PANFROST_GET_PARAM 0xc0106444
DRM_IOCTL_QXL_GETPARAM 0xc0106444
DRM_IOCTL_TEGRA_SYNCPT_WAIT 0xc0106444
DRM_IOCTL_V3D_GET_PARAM 0xc0106444
DRM_IOCTL_VC4_MMAP_BO 0xc0106444
DRM_IOCTL_PANFROST_GET_BO_OFFSET 0xc0106445
DRM_IOCTL_TEGRA_OPEN_CHANNEL 0xc0106445
DRM_IOCTL_VIRTGPU_RESOURCE_INFO 0xc0106445
DRM_IOCTL_AMDGPU_GEM_WAIT_IDLE 0xc0106447
DRM_IOCTL_EXYNOS_VIDI_CONNECTION 0xc0106447
DRM_IOCTL_TEGRA_GET_SYNCPT 0xc0106447
DRM_IOCTL_VC4_GET_PARAM 0xc0106447
DRM_IOCTL_I915_ALLOC 0xc0106448
DRM_IOCTL_NOUVEAU_SVM_INIT 0xc0106448
DRM_IOCTL_VC4_SET_TILING 0xc0106448
DRM_IOCTL_TEGRA_GET_SYNCPT_BASE 0xc0106449
DRM_IOCTL_VC4_GET_TILING 0xc0106449
DRM_IOCTL_TEGRA_GEM_SET_TILING 0xc010644a
DRM_IOCTL_V3D_PERFMON_GET_VALUES 0xc010644a
DRM_IOCTL_VC4_LABEL_BO 0xc010644a
DRM_IOCTL_TEGRA_GEM_GET_TILING 0xc010644b
DRM_IOCTL_VC4_GEM_MADVISE 0xc010644b
DRM_IOCTL_VIRTGPU_CONTEXT_INIT 0xc010644b
DRM_IOCTL_I915_GEM_WAIT 0xc010646c
DRM_IOCTL_RADEON_GEM_OP 0xc010646c
DRM_IOCTL_IVPU_BO_CREATE 0xc0186442
DRM_IOCTL_PANFROST_CREATE_BO 0xc0186442
DRM_IOCTL_AMDGPU_BO_LIST 0xc0186443
DRM_IOCTL_MSM_GEM_INFO 0xc0186443
DRM_IOCTL_IVPU_BO_WAIT 0xc0186446
DRM_IOCTL_OMAP_GEM_INFO 0xc0186446
DRM_IOCTL_QXL_ALLOC_SURF 0xc0186446
BTRFS_IOC_FILE_EXTENT_SAME 0xc0189436
FIDEDUPERANGE 0xc0189436
DRM_IOCTL_ETNAVIV_GEM_SUBMIT 0xc0486446
DRM_IOCTL_MSM_GEM_SUBMIT 0xc0486446
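As an added example (not part of the original post, and not strace's own code), the following Python script does what the uniq -D pass above does over a strace-style ioctl table, but also decodes each colliding request number into the _IOC(dir, type, nr, size) fields defined by the kernel's asm-generic/ioctl.h, which makes the reason for each collision visible. It assumes the `{ "NAME", 0xNUM },` entry layout of strace's generated table and the asm-generic bit layout (nr:8, type:8, size:14, dir:2 with NONE/WRITE/READ encoded as 0/1/2); the sample entries are constructed from values in the list above plus one non-colliding TCGETS.

```python
"""Find ioctl request-number collisions in a strace-style ioctl table and
decode each colliding number into its _IOC(dir, type, nr, size) fields."""
import re
import sys
from collections import defaultdict

# Constructed sample in the shape of strace's generated ioctlent entries
# (the exact `{ "NAME", 0xNUM },` layout is an assumption); the values are
# taken from the collision list in the post, plus a non-colliding TCGETS.
SAMPLE_IOCTLENT = """\
{ "TCGETS", 0x5401 },
{ "SNDCTL_TMR_START", 0x5402 },
{ "TCSETS", 0x5402 },
{ "SNDCTL_TMR_STOP", 0x5403 },
{ "TCSETSW", 0x5403 },
{ "BTRFS_IOC_CLONE", 0x40049409 },
{ "FICLONE", 0x40049409 },
{ "HIDIOCGRDESCSIZE", 0x80044801 },
{ "DRM_IOCTL_QXL_MAP", 0xc0106441 },
{ "DRM_IOCTL_VIRTGPU_MAP", 0xc0106441 },
"""

ENTRY_RE = re.compile(r'\{\s*"([A-Za-z0-9_]+)"\s*,\s*(0x[0-9a-fA-F]+)\s*\}')

# Bit layout from asm-generic/ioctl.h (assumed; some architectures such as
# PowerPC, SPARC, MIPS and Alpha use a different size/dir split):
#   nr: bits 0-7, type: bits 8-15, size: bits 16-29, dir: bits 30-31
_IOC_NRSHIFT, _IOC_TYPESHIFT, _IOC_SIZESHIFT, _IOC_DIRSHIFT = 0, 8, 16, 30
_IOC_NRMASK, _IOC_TYPEMASK, _IOC_SIZEMASK, _IOC_DIRMASK = 0xff, 0xff, 0x3fff, 0x3
DIR_NAMES = {0: "_IO", 1: "_IOW", 2: "_IOR", 3: "_IOWR"}  # NONE/WRITE/READ/RW


def decode_ioctl(code):
    """Split a request number into the macro family and its (type, nr, size)."""
    nr = (code >> _IOC_NRSHIFT) & _IOC_NRMASK
    typ = (code >> _IOC_TYPESHIFT) & _IOC_TYPEMASK
    size = (code >> _IOC_SIZESHIFT) & _IOC_SIZEMASK
    direction = (code >> _IOC_DIRSHIFT) & _IOC_DIRMASK
    # Most subsystems use a printable ASCII letter as the type; show it as such.
    type_repr = chr(typ) if 0x20 <= typ < 0x7f else f"0x{typ:02x}"
    return {"dir": DIR_NAMES[direction], "type": type_repr, "nr": nr, "size": size}


def parse_ioctlent(text):
    """Return [(name, code), ...] for every table entry found in `text`."""
    return [(m.group(1), int(m.group(2), 16)) for m in ENTRY_RE.finditer(text)]


def find_collisions(entries):
    """Map request number -> sorted names, keeping only numbers used by >1 name."""
    by_code = defaultdict(list)
    for name, code in entries:
        by_code[code].append(name)
    return {code: sorted(names) for code, names in by_code.items() if len(names) > 1}


def collision_report(text):
    """One line per colliding request number, with the decoded _IOC fields."""
    lines = []
    for code, names in sorted(find_collisions(parse_ioctlent(text)).items()):
        d = decode_ioctl(code)
        lines.append(
            f"0x{code:08x} {d['dir']}(type={d['type']!r}, nr=0x{d['nr']:02x}, "
            f"size={d['size']}): {', '.join(names)}"
        )
    return lines


def main(argv):
    # Pass the path of a generated ioctlent header to scan it; otherwise the
    # constructed sample is used.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_IOCTLENT
    for line in collision_report(text):
        print(line)


if __name__ == "__main__":
    main(sys.argv)
```

Run against the sample, the report shows that TCSETS and SNDCTL_TMR_START are both _IO('T', 2): the terminal and OSS timer interfaces picked the same type letter and number. The DRM pairs collide for a different reason: every DRM driver encodes its private ioctls as _IOWR('d', DRM_COMMAND_BASE + n, ...) with DRM_COMMAND_BASE = 0x40, so the same number means different things depending on which driver sits behind the file descriptor. A tracer that sees only the request number cannot tell these apart; it needs to know the device (or driver) the descriptor refers to.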