Re: CVE-2023-2002: Linux Bluetooth: Unauthorized management command execution

[Ruihan Li <lrh2000 () pku edu cn>]

Hi Solar Designer,

> Thank you Ruihan Li for finding and handling this vulnerability so well,
> and for the detailed write-up.
>
> When discussing this on linux-distros a week ago, I wrote:

Also thanks to all the people at linux-distro and s@k.o who helped to
improve the final disclosure and patches.

> OTOH, not all distros are typical.  Besides Android, we got rid of all
> SUID binaries in default install of Owl over a decade ago.  While Owl is
> now effectively EOL'ed, some of its legacy lives on in ALT Linux
> distros, which are maintained, and other distros can do similar - it's
> primarily a matter of caring to do it or not.  We did not package sudo
> in Owl, but if someone were to install it then it'd be the only program
> exposing this kernel vulnerability.  So in that case, hardening sudo
> would have helped.

That's good to know. I was wondering if there were distros that did not
have setuid binaries, which was why I said only ``a number of distros''
were vulnerable.

For Steffen Nurpmeso wrote earlier:
> I wonder -- have you verified that they do not use isatty(3) aka
> some tc*() series *first*?  The above with sudo does for example
> not reveal anything as shown, roght?  FD 2 seems to be a terminal,
> .. and whereas i do not have sudo src here, i am sure it uses
> isatty(3) and tcgetattr(3).

I just noticed that sudo added the isatty check a day ago (April 17th)
[1]. I think this change was inspired by this vulnerability, wasn't it?
However, as Jakub Wilk pointed out, isatty is still implemented by an
ioctl call, so the addition of this check has nothing to do with this
vulnerability. Nevertheless, it is still a good idea to make sure isatty
succeeds before using ioctl calls with other (perhaps more complex and
arbitrary) tty commands.

[1]: https://github.com/sudo-project/sudo/commit/5650b436e6ba20807758a4154e709c10c1c87be8 

Thanks,
Ruihan Li