[ Sasha's backport helper bot ]
Hi,
The upstream commit SHA1 provided is correct: a97de7bff13b1cc825c1b1344eaed8d6c2d3e695
WARNING: Author mismatch between patch and upstream commit:
Backport author: Keerthana K keerthana.kalyanasundaram@broadcom.com
Commit author: Luiz Augusto von Dentz luiz.von.dentz@intel.com

Status in newer kernel trees:
6.12.y | Present (exact SHA1)
6.6.y | Present (different SHA1: 4ea65e2095e9)
6.1.y | Present (different SHA1: eea40d33bf93)
5.15.y | Not found

Note: The patch differs from the upstream commit: --- 1: a97de7bff13b1 ! 1: 8599b21ee1809 Bluetooth: RFCOMM: Fix not validating setsockopt user input @@ Metadata ## Commit message ## Bluetooth: RFCOMM: Fix not validating setsockopt user input
+ [ Upstream commit a97de7bff13b1cc825c1b1344eaed8d6c2d3e695 ] + syzbot reported rfcomm_sock_setsockopt_old() is copying data without checking user input length.
@@ Commit message Reported-by: syzbot syzkaller@googlegroups.com Signed-off-by: Eric Dumazet edumazet@google.com Signed-off-by: Luiz Augusto von Dentz luiz.von.dentz@intel.com + Signed-off-by: Sasha Levin sashal@kernel.org + Signed-off-by: Keerthana K keerthana.kalyanasundaram@broadcom.com
## net/bluetooth/rfcomm/sock.c ## @@ net/bluetooth/rfcomm/sock.c: static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname, ---
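Review bot: in the net/bluetooth/rfcomm/sock.c hunk for rfcomm_sock_setsockopt_old(), the backport relies on bt_copy_from_sockptr(), which the stable/linux-5.15.y build reports as an implicit declaration, so that tree does not have the helper and the patch cannot be queued there as is. For 5.15.y, either queue the commit that introduces bt_copy_from_sockptr() ahead of this one, or open-code the optlen check against sizeof(opt) around copy_from_sockptr(), which the compiler's suggestion shows that tree does provide.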
Results of testing on various branches:
| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-5.15.y       | Success     | Failed     |
| stable/linux-5.10.y       | Success     | Success    |

Build Errors:
Build error for stable/linux-5.15.y:
    net/bluetooth/rfcomm/sock.c: In function 'rfcomm_sock_setsockopt_old':
    net/bluetooth/rfcomm/sock.c:639:21: error: implicit declaration of function 'bt_copy_from_sockptr'; did you mean 'copy_from_sockptr'? [-Werror=implicit-function-declaration]
      639 |                 if (bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen)) {
          |                     ^~~~~~~~~~~~~~~~~~~~
          |                     copy_from_sockptr
    cc1: some warnings being treated as errors
    make[3]: *** [scripts/Makefile.build:289: net/bluetooth/rfcomm/sock.o] Error 1
    make[3]: Target '__build' not remade because of errors.
    make[2]: *** [scripts/Makefile.build:552: net/bluetooth/rfcomm] Error 2
    make[2]: Target '__build' not remade because of errors.
    make[1]: *** [scripts/Makefile.build:552: net/bluetooth] Error 2
    make[1]: Target '__build' not remade because of errors.
    make: *** [Makefile:1906: net] Error 2
    make: Target '__all' not remade because of errors.