Page MenuHomeFreeBSD
Differential D45707

bluetooth socket sysinit: correct memset initialization
ClosedPublic
Actions

Authored by rlibby on Jun 23 2024, 4:38 PM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Dec 30, 11:44 PM
Unknown Object (File)
Dec 1 2024, 7:02 PM
Unknown Object (File)
Nov 25 2024, 4:05 PM
Unknown Object (File)
Oct 5 2024, 11:20 AM
Unknown Object (File)
Oct 5 2024, 11:10 AM
Unknown Object (File)
Oct 5 2024, 9:21 AM
Unknown Object (File)
Oct 3 2024, 5:47 AM
Unknown Object (File)
Sep 21 2024, 10:24 PM
View All 32 Files
Subscribers
donner
glebius
imp
melifaro

Details

Reviewers
markj
takawata
imp
Commits
rGf8a46de2dd48: bluetooth socket sysinit: correct memset initialization
Summary

gcc -Wmemset-elt-size diagnosed this. The code was only initializing
the first 1/sizeof(long) bytes. On 64-bit systems, this would mean only
events up to 0x20 were initialized.

This effectively reverses the security policy for some events with
higher ids, now permitting them on unprivileged sockets. Two that are
defined are NG_HCI_EVENT_LE (0x3e) and NG_HCI_EVENT_BT_LOGO (0xfe).

I am not familiar with this code, am not planning to test bluetooth, and
am not in any rush to commit this, I just saw that this warning appeared
to be a genuine bug. I do not know what the appropriate security policy
actually is. Please feel free to take this patch over if desired.

Test Plan

make buildkernel

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

rlibby created this revision.Jun 23 2024, 4:38 PM
Herald added subscribers: glebius, melifaro, donner, imp. · View Herald TranscriptJun 23 2024, 4:38 PM
Harbormaster completed remote builds in B58316: Diff 140128.Jun 23 2024, 4:38 PM
rlibby requested review of this revision.Jun 23 2024, 4:38 PM
rlibby edited the summary of this revision. (Show Details)Jun 23 2024, 4:39 PM
rlibby edited the test plan for this revision. (Show Details)
rlibby added reviewers: markj, takawata.
markj added a comment.Jun 24 2024, 5:23 PM

Given that the next 70 lines are mostly manually setting bits in the mask, I'd err on the side of entirely removing this initialization.

rlibby added a comment.Jun 24 2024, 5:36 PM
In D45707#1042749, @markj wrote:

Given that the next 70 lines are mostly manually setting bits in the mask, I'd err on the side of entirely removing this initialization.

It's actually only the next three operations that set bits in events. f is reassigned after that. So just removing the memset would be a change to permit no events on unprivileged sockets.

I do think that using default deny and explicit allows may be safer in general, though I don't know how much evolution of events there has been.

Anyway, I'm not invested enough in this code to go research events and implement something cleaner. Would it be better just to file a bugzilla bug for this?

rlibby added a comment.Jun 28 2024, 5:05 PM

Filed https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280039

imp accepted this revision.EditedJun 30 2024, 7:26 PM

So I've taken a look at this, and it's fine.
emax@, the original BT author things its fine as well.
We should commit this.
I think just setting it all to 1s and moving on is the right thing to do. The old code is clearly wrong and the new code sets all the right bits ...

This revision is now accepted and ready to land.Jun 30 2024, 7:26 PM
Closed by commit rGf8a46de2dd48: bluetooth socket sysinit: correct memset initialization (authored by rlibby). · Explain WhyJul 1 2024, 3:25 PM
This revision was automatically updated to reflect the committed changes.
rlibby added a commit: rGf8a46de2dd48: bluetooth socket sysinit: correct memset initialization.

Revision Contents
Changeset List

PathSize
sys/
netgraph/
bluetooth/
socket/
3 lines

Diff 140432

View Options

sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c

Loading...