Re: CVE-2023-2002: Linux Bluetooth: Unauthorized management command execution

[0xef967c36 () gmail com]

On Tue, Apr 18, 2023 at 05:40:16PM +0200, Solar Designer wrote:
> BTW, even with the kernel bug fixed, there are ioctl number clashes
> between different devices, so even e.g. isatty(3) is not necessarily
> safe if called with elevated privileges under a possible confused deputy
> scenario.  Here's strace showing some clashes on older Linux/i386:
>
> $ cat isatty.c
> int main(void) { return isatty(0); }
> $ gcc isatty.c -o isatty
> $ strace -e ioctl ./isatty
> ioctl(0, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, {B38400 opost isig icanon echo ...}) = 0

No, there's no clash. That was a bug in strace (fortunately fixed in
newer versions).

Those values macros are different; and they were ALWAYS different.

> IIRC, I was the one to add this feature to strace 20+ years ago:
>
> * Sat Jun 08 2002 Solar Designer <solar-at-owl.openwall.com>
> - Updated to today's CVS version (post-4.4) with an additional fix for
> displaying all possible ioctl names when there's more than one match,
>
> So the number clashes were known, but the security relevance maybe not.

There was no number clash. That 'foo or bar or quux' "fix" in strace
was stupid.

$ cc -xc - <<EOT && ./a.out
#include <sys/ioctl.h>
#include <linux/soundcard.h>
#include <sound/asound.h>
#include <stdio.h>

int main(int ac, char **av){
     printf("%#lx %#lx %#x\n", SNDCTL_TMR_TIMEBASE, SNDRV_TIMER_IOCTL_NEXT_DEVICE, TCGETS);
    return 0;
}
EOT
0xc0045401 0xc0145401 0x5401