Message-ID: <5e92a8d676a0ddfb5c426f3412bd7aa6.1ab4a9b2@ignited.turnovers>
Date: Tue, 18 Apr 2023 23:53:39 +0300
From: 0xef967c36@...il.com
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2023-2002: Linux Bluetooth: Unauthorized
 management command execution

On Tue, Apr 18, 2023 at 09:28:22PM +0200, Solar Designer wrote:
> On Tue, Apr 18, 2023 at 08:13:24PM +0300, 0xef967c36@...il.com wrote:
> > There was no number clash. That 'foo or bar or quux' "fix" in strace
> > was stupid.
> 
> It was indeed stupid of me not to realize what was going on, but the

I'm really sorry for that, please accept my apologies.

It seems that the original idea was right (since there really are
different ioctls with the same number, see below), but unrelated
bugs in strace caused it to report false positives.

Here is a (possibly partial) list of collisions, obtained by running
uniq -D on src/ioctlent0.h (a file autogenerated when building strace);
each group below shares a single ioctl request number.

Most interesting are the TCSETS* collisions, since those ioctls are
currently issued by any program (readline, bash, vi, emacs, etc.) that
has to put the terminal into raw mode with tcsetattr().

IOCTL_VMCI_SOCKETS_GET_LOCAL_CID	0x000007b9
IOCTL_VM_SOCKETS_GET_LOCAL_CID	0x000007b9

VFIO_DEVICE_GET_PCI_HOT_RESET_INFO	0x00003b70
VFIO_IOMMU_GET_INFO	0x00003b70
VFIO_IOMMU_SPAPR_TCE_GET_INFO	0x00003b70

VFIO_DEVICE_PCI_HOT_RESET	0x00003b71
VFIO_IOMMU_MAP_DMA	0x00003b71

VFIO_DEVICE_QUERY_GFX_PLANE	0x00003b72
VFIO_IOMMU_UNMAP_DMA	0x00003b72

VFIO_DEVICE_GET_GFX_DMABUF	0x00003b73
VFIO_IOMMU_ENABLE	0x00003b73

VFIO_DEVICE_IOEVENTFD	0x00003b74
VFIO_IOMMU_DISABLE	0x00003b74

VFIO_DEVICE_FEATURE	0x00003b75
VFIO_IOMMU_DIRTY_PAGES	0x00003b75
VFIO_IOMMU_SPAPR_REGISTER_MEMORY	0x00003b75

VFIO_EEH_PE_OP	0x00003b79
VFIO_MIG_GET_PRECOPY_INFO	0x00003b79

AGPIOC_ACQUIRE	0x00004101
APM_IOC_STANDBY	0x00004101

AGPIOC_RELEASE	0x00004102
APM_IOC_SUSPEND	0x00004102

IOCTL_XENBUS_BACKEND_EVTCHN	0x00004200
PMU_IOC_SLEEP	0x00004200

SNDRV_EMU10K1_IOCTL_ZERO_TRAM_COUNTER	0x00004882
SNDRV_EMUX_IOCTL_RESET_SAMPLES	0x00004882

PCITEST_BAR	0x00005001
SNDCTL_DSP_SYNC	0x00005001

FASTRPC_IOCTL_INIT_ATTACH	0x00005204
RNDZAPENTCNT	0x00005204

CDROMAUDIOBUFSIZ	0x00005382
SCSI_IOCTL_GET_IDLUN	0x00005382

SNDCTL_TMR_START	0x00005402
TCSETS	0x00005402

SNDCTL_TMR_STOP	0x00005403
TCSETSW	0x00005403

SNDCTL_TMR_CONTINUE	0x00005404
TCSETSF	0x00005404

UI_DEV_CREATE	0x00005501
USB_RAW_IOCTL_RUN	0x00005501

VBG_IOCTL_VMMDEV_REQUEST_BIG	0x00005603
VT_GETSTATE	0x00005603

DRM_IOCTL_I915_FLUSH	0x00006441
DRM_IOCTL_RADEON_CP_START	0x00006441

DRM_IOCTL_I915_GEM_THROTTLE	0x00006458
DRM_IOCTL_RADEON_CP_RESUME	0x00006458

FUNCTIONFS_FIFO_STATUS	0x00006701
GADGETFS_FIFO_STATUS	0x00006701

FUNCTIONFS_FIFO_FLUSH	0x00006702
GADGETFS_FIFO_FLUSH	0x00006702

FUNCTIONFS_CLEAR_HALT	0x00006703
GADGETFS_CLEAR_HALT	0x00006703

MGSL_IOCTXENABLE	0x00006d04
MMTIMER_GETBITS	0x00006d04

MGSL_IOCTXABORT	0x00006d06
MMTIMER_MMAPAVAIL	0x00006d06

PHN_NOT_OH	0x00007004
RTC_UIE_OFF	0x00007004

SIOCIWFIRST	0x00008b00
SIOCSIWCOMMIT	0x00008b00

BT_BMC_IOCTL_SMS_ATN	0x0000b100
IPMI_BMC_IOCTL_SET_SMS_ATN	0x0000b100

IPMI_BMC_IOCTL_CLEAR_SMS_ATN	0x0000b101
PPPOEIOCDFWD	0x0000b101

AGPIOC_SETUP	0x40044103
SNDRV_PCM_IOCTL_TTSTAMP	0x40044103

AGPIOC_RESERVE	0x40044104
SNDRV_PCM_IOCTL_USER_PVERSION	0x40044104

RFKILL_IOCTL_MAX_SIZE	0x40045202
SAA6588_CMD_CLOSE	0x40045202

USBDEVFS_REAPURBNDELAY32	0x4004550d
USB_RAW_IOCTL_EP_SET_HALT	0x4004550d

IVTV_IOC_PASSTHROUGH_MODE	0x400456c1
VIDIOC_AM437X_CCDC_CFG	0x400456c1

BC_ACQUIRE_RESULT	0x40046302
CM_IOCSPTS	0x40046302

BC_ACQUIRE	0x40046305
CHIOSPICKER	0x40046305

DRM_IOCTL_I915_IRQ_WAIT	0x40046445
DRM_IOCTL_MSM_GEM_CPU_FINI	0x40046445

DRM_IOCTL_I915_DESTROY_HEAP	0x4004644c
DRM_IOCTL_RADEON_STIPPLE	0x4004644c

IPMICTL_SET_MAINTENANCE_MODE_CMD	0x4004691f
LIRC_SET_REC_CARRIER_RANGE	0x4004691f

MATROXFB_SET_OUTPUT_MODE	0x40046efa
SISFB_SET_AUTOMAXIMIZE_OLD	0x40046efa

BTRFS_IOC_CLONE	0x40049409
FICLONE	0x40049409

BINDER_SET_IDLE_TIMEOUT	0x40086203
DMA_BUF_IOCTL_IMPORT_SYNC_FILE	0x40086203

CHIOGSTATUS	0x40086308
RIO_CM_CHAN_CONNECT	0x40086308

DRM_IOCTL_RADEON_CP_STOP	0x40086442
DRM_IOCTL_VGEM_FENCE_SIGNAL	0x40086442

DRM_IOCTL_ETNAVIV_GEM_CPU_FINI	0x40086445
DRM_IOCTL_QXL_CLIENTCAP	0x40086445

DRM_IOCTL_LIMA_CTX_FREE	0x40086446
DRM_IOCTL_PANFROST_PERFCNT_ENABLE	0x40086446

DRM_IOCTL_I915_SETPARAM	0x40086447
DRM_IOCTL_PANFROST_PERFCNT_DUMP	0x40086447

ENI_MEMDUMP	0x400c6160
HE_GET_REG	0x400c6160

NS_SETBUFLEV	0x400c6162
ZATM_GETPOOLZ	0x400c6162

BC_ACQUIRE_DONE	0x40106309
RIO_CM_CHAN_SEND	0x40106309

DRM_IOCTL_IVPU_SET_PARAM	0x40106441
DRM_IOCTL_OMAP_SET_PARAM	0x40106441
DRM_IOCTL_PANFROST_WAIT_BO	0x40106441

DRM_IOCTL_I915_BATCHBUFFER	0x40186443
DRM_IOCTL_QXL_UPDATE_AREA	0x40186443

DRM_IOCTL_ETNAVIV_GEM_CPU_PREP	0x40186444
DRM_IOCTL_MSM_GEM_CPU_PREP	0x40186444

DRM_IOCTL_ETNAVIV_WAIT_FENCE	0x40206447
DRM_IOCTL_MSM_WAIT_FENCE	0x40206447

BTRFS_IOC_CLONE_RANGE	0x4020940d
FICLONERANGE	0x4020940d

AGPIOC_INFO	0x80044100
SNDRV_PCM_IOCTL_PVERSION	0x80044100

CCISS_GETHEARTBEAT	0x80044206
PMU_IOC_GRAB_BACKLIGHT	0x80044206

HIDIOCGRDESCSIZE	0x80044801
HIDIOCGVERSION	0x80044801

I2OVALIDATE	0x80046908
LIRC_GET_MIN_TIMEOUT	0x80046908

MTIOCPOS	0x80046d03
RIO_MPORT_MAINT_PORT_IDX_GET	0x80046d03

MATROXFB_GET_OUTPUT_CONNECTION	0x80046ef8
SISFB_GET_INFO_OLD	0x80046ef8

MATROXFB_GET_AVAILABLE_OUTPUTS	0x80046ef9
SISFB_GET_VBRSTATUS_OLD	0x80046ef9

CM_IOCGATR	0xc0046301
RIO_CM_EP_GET_LIST_SIZE	0xc0046301

DRM_IOCTL_I915_GETPARAM	0xc0086446
DRM_IOCTL_TEGRA_CLOSE_CHANNEL	0xc0086446

DRM_IOCTL_RADEON_GETPARAM	0xc0086451
DRM_IOCTL_TEGRA_CHANNEL_CLOSE	0xc0086451

DRM_IOCTL_AMDGPU_VM	0xc0086453
DRM_IOCTL_TEGRA_CHANNEL_UNMAP	0xc0086453

DRM_IOCTL_EXYNOS_G2D_GET_VER	0xc0086460
DRM_IOCTL_TEGRA_SYNCPOINT_ALLOCATE	0xc0086460

DRM_IOCTL_MSM_GEM_MADVISE	0xc00c6448
DRM_IOCTL_PANFROST_MADVISE	0xc00c6448

DRM_IOCTL_ETNAVIV_GET_PARAM	0xc0106440
DRM_IOCTL_EXYNOS_GEM_CREATE	0xc0106440
DRM_IOCTL_IVPU_GET_PARAM	0xc0106440
DRM_IOCTL_LIMA_GET_PARAM	0xc0106440
DRM_IOCTL_OMAP_GET_PARAM	0xc0106440
DRM_IOCTL_TEGRA_GEM_CREATE	0xc0106440

DRM_IOCTL_EXYNOS_GEM_MAP	0xc0106441
DRM_IOCTL_LIMA_GEM_CREATE	0xc0106441
DRM_IOCTL_QXL_MAP	0xc0106441
DRM_IOCTL_TEGRA_GEM_MMAP	0xc0106441
DRM_IOCTL_V3D_WAIT_BO	0xc0106441
DRM_IOCTL_VC4_WAIT_SEQNO	0xc0106441
DRM_IOCTL_VGEM_FENCE_ATTACH	0xc0106441
DRM_IOCTL_VIRTGPU_MAP	0xc0106441

DRM_IOCTL_AMDGPU_CTX	0xc0106442
DRM_IOCTL_ETNAVIV_GEM_NEW	0xc0106442
DRM_IOCTL_LIMA_GEM_INFO	0xc0106442
DRM_IOCTL_MSM_GEM_NEW	0xc0106442
DRM_IOCTL_V3D_CREATE_BO	0xc0106442
DRM_IOCTL_VC4_WAIT_BO	0xc0106442

DRM_IOCTL_ETNAVIV_GEM_INFO	0xc0106443
DRM_IOCTL_OMAP_GEM_NEW	0xc0106443
DRM_IOCTL_PANFROST_MMAP_BO	0xc0106443
DRM_IOCTL_V3D_MMAP_BO	0xc0106443
DRM_IOCTL_VC4_CREATE_BO	0xc0106443
DRM_IOCTL_VIRTGPU_GETPARAM	0xc0106443

DRM_IOCTL_EXYNOS_GEM_GET	0xc0106444
DRM_IOCTL_PANFROST_GET_PARAM	0xc0106444
DRM_IOCTL_QXL_GETPARAM	0xc0106444
DRM_IOCTL_TEGRA_SYNCPT_WAIT	0xc0106444
DRM_IOCTL_V3D_GET_PARAM	0xc0106444
DRM_IOCTL_VC4_MMAP_BO	0xc0106444

DRM_IOCTL_PANFROST_GET_BO_OFFSET	0xc0106445
DRM_IOCTL_TEGRA_OPEN_CHANNEL	0xc0106445
DRM_IOCTL_VIRTGPU_RESOURCE_INFO	0xc0106445

DRM_IOCTL_AMDGPU_GEM_WAIT_IDLE	0xc0106447
DRM_IOCTL_EXYNOS_VIDI_CONNECTION	0xc0106447
DRM_IOCTL_TEGRA_GET_SYNCPT	0xc0106447
DRM_IOCTL_VC4_GET_PARAM	0xc0106447

DRM_IOCTL_I915_ALLOC	0xc0106448
DRM_IOCTL_NOUVEAU_SVM_INIT	0xc0106448
DRM_IOCTL_VC4_SET_TILING	0xc0106448

DRM_IOCTL_TEGRA_GET_SYNCPT_BASE	0xc0106449
DRM_IOCTL_VC4_GET_TILING	0xc0106449

DRM_IOCTL_TEGRA_GEM_SET_TILING	0xc010644a
DRM_IOCTL_V3D_PERFMON_GET_VALUES	0xc010644a
DRM_IOCTL_VC4_LABEL_BO	0xc010644a

DRM_IOCTL_TEGRA_GEM_GET_TILING	0xc010644b
DRM_IOCTL_VC4_GEM_MADVISE	0xc010644b
DRM_IOCTL_VIRTGPU_CONTEXT_INIT	0xc010644b

DRM_IOCTL_I915_GEM_WAIT	0xc010646c
DRM_IOCTL_RADEON_GEM_OP	0xc010646c

DRM_IOCTL_IVPU_BO_CREATE	0xc0186442
DRM_IOCTL_PANFROST_CREATE_BO	0xc0186442

DRM_IOCTL_AMDGPU_BO_LIST	0xc0186443
DRM_IOCTL_MSM_GEM_INFO	0xc0186443

DRM_IOCTL_IVPU_BO_WAIT	0xc0186446
DRM_IOCTL_OMAP_GEM_INFO	0xc0186446
DRM_IOCTL_QXL_ALLOC_SURF	0xc0186446

BTRFS_IOC_FILE_EXTENT_SAME	0xc0189436
FIDEDUPERANGE	0xc0189436

DRM_IOCTL_ETNAVIV_GEM_SUBMIT	0xc0486446
DRM_IOCTL_MSM_GEM_SUBMIT	0xc0486446
