From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2024-35967: Bluetooth: SCO: Fix not validating setsockopt user input

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: SCO: Fix not validating setsockopt user input

syzbot reported sco_sock_setsockopt() is copying data without
checking user input length.

BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]
BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]
BUG: KASAN: slab-out-of-bounds in sco_sock_setsockopt+0xc0b/0xf90 net/bluetooth/sco.c:893
Read of size 4 at addr ffff88805f7b15a3 by task syz-executor.5/12578

The Linux kernel CVE team has assigned CVE-2024-35967 to this issue.
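To make the bug class concrete, here is an added userspace model written for this page; it is not the kernel's code and not the patch. A mock sockptr carries the real user-buffer length so that a read past the end can be counted the way KASAN flags it, and an option handler that copies sizeof(opt) bytes regardless of optlen is placed beside one that refuses when optlen is smaller than the field. The names mock_copy_from_sockptr, mock_copy_safe_from_sockptr, setsockopt_before, setsockopt_after and the 1-byte and 4-byte user buffers are all constructed for the example; the exact name and signature of the helper the fix added to bluetooth.h are not reproduced here.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the kernel's sockptr_t: the user pointer plus the
 * true size of the user allocation, which is what optlen is supposed to describe. */
struct mock_sockptr {
    const unsigned char *ptr;
    size_t len;
};

static int overread_count;           /* bumped whenever a copy walks past the buffer */

int overreads_observed(void) { return overread_count; }
void reset_overreads(void)   { overread_count = 0; }

/* Models copy_from_sockptr(): copies `size` bytes and is blind to the real length.
 * In the kernel the excess read is the KASAN slab-out-of-bounds report above;
 * here it is counted and the missing bytes are zero-filled so the program stays sane. */
static int mock_copy_from_sockptr(void *dst, struct mock_sockptr src, size_t size)
{
    if (size > src.len) {
        overread_count++;
        memcpy(dst, src.ptr, src.len);
        memset((unsigned char *)dst + src.len, 0, size - src.len);
        return 0;
    }
    memcpy(dst, src.ptr, size);
    return 0;
}

/* Models the hardened pattern: reject when the caller's buffer is smaller than
 * the kernel field, then copy exactly the field size (never more than optlen). */
static int mock_copy_safe_from_sockptr(void *dst, size_t dst_size,
                                       struct mock_sockptr src, size_t src_size)
{
    if (dst_size > src_size)
        return -EINVAL;
    return mock_copy_from_sockptr(dst, src, dst_size);
}

/* Before the fix: a u32 option is copied in full no matter how short optlen is. */
int setsockopt_before(struct mock_sockptr optval, unsigned int optlen, uint32_t *opt_out)
{
    uint32_t opt;
    (void)optlen;                    /* the bug: optlen is never consulted */
    if (mock_copy_from_sockptr(&opt, optval, sizeof(opt)))
        return -EFAULT;
    *opt_out = opt;
    return 0;
}

/* After the fix: the length-checked helper turns a short buffer into -EINVAL. */
int setsockopt_after(struct mock_sockptr optval, unsigned int optlen, uint32_t *opt_out)
{
    uint32_t opt;
    int err = mock_copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
    if (err)
        return err;
    *opt_out = opt;
    return 0;
}

int main(void)
{
    /* Constructed inputs: a 1-byte "user" buffer (the syzbot-style short optlen)
     * and a properly sized 4-byte one holding the value 7. */
    unsigned char one[1] = { 0x01 };
    uint32_t seven = 7;
    unsigned char four[4];
    memcpy(four, &seven, sizeof(four));
    struct mock_sockptr p1 = { one, sizeof(one) };
    struct mock_sockptr p4 = { four, sizeof(four) };
    uint32_t out = 0;

    reset_overreads();
    printf("before, optlen=1: rc=%d overreads=%d\n",
           setsockopt_before(p1, sizeof(one), &out), overreads_observed());
    printf("after,  optlen=1: rc=%d overreads=%d\n",
           setsockopt_after(p1, sizeof(one), &out), overreads_observed());
    printf("after,  optlen=4: rc=%d value=%u overreads=%d\n",
           setsockopt_after(p4, sizeof(four), &out), out, overreads_observed());
    return 0;
}
```

The model deliberately copies sizeof(opt) rather than optlen in the fixed path as well: trusting a caller-supplied optlen as the copy length would trade an overread of user memory for an overflow of the kernel stack variable, so the check must compare the two and then copy the kernel side's size.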


Affected and fixed versions
===========================

	Issue introduced in 3.8 with commit b96e9c671b05 and fixed in 5.10.216 with commit b0e30c37695b
	Issue introduced in 3.8 with commit b96e9c671b05 and fixed in 6.1.87 with commit 7bc65d23ba20
	Issue introduced in 3.8 with commit b96e9c671b05 and fixed in 6.6.28 with commit 72473db90900
	Issue introduced in 3.8 with commit b96e9c671b05 and fixed in 6.8.7 with commit 419a0ffca701
	Issue introduced in 3.8 with commit b96e9c671b05 and fixed in 6.9 with commit 51eda36d33e4

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-35967
will be updated if fixes are backported; please check it for the most
up-to-date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	include/net/bluetooth/bluetooth.h
	net/bluetooth/sco.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/b0e30c37695b614bee69187f86eaf250e36606ce
	https://git.kernel.org/stable/c/7bc65d23ba20dcd7ecc094a12c181e594e5eb315
	https://git.kernel.org/stable/c/72473db90900da970a16ee50ad23c2c38d107d8c
	https://git.kernel.org/stable/c/419a0ffca7010216f0fc265b08558d7394fa0ba7
	https://git.kernel.org/stable/c/51eda36d33e43201e7a4fd35232e069b2c850b01
