diff options
| author | Andreas Wellving <andreas.wellving@enea.com> | 2018-10-15 10:26:14 +0200 |
|---|---|---|
| committer | Adrian Dudau <Adrian.Dudau@enea.com> | 2018-10-16 17:40:26 +0200 |
| commit | a706636a8a960796d819bb6471863a894f1943bf (patch) | |
| tree | 84920a1200cf580c756693bf04d196db9c713c0a /patches/cve/CVE-2018-9363-Bluetooth-hidp-buffer-overflow-in-hidp_process_repor.patch | |
| parent | fef7211bf4e231920db714db7e298bcbaa9dad1f (diff) | |
| download | enea-kernel-cache-a706636a8a960796d819bb6471863a894f1943bf.tar.gz | |
hidp: CVE-2018-9363:
hidp: buffer overflow in hidp_process_report
References:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=7c7940ffbaefdbb189f78a48b4e64b6f268b1dbf
Change-Id: If99e8c0371ad692696a19c97f11cac0b7f630919
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
Diffstat (limited to 'patches/cve/CVE-2018-9363-Bluetooth-hidp-buffer-overflow-in-hidp_process_repor.patch')
| -rw-r--r-- | patches/cve/CVE-2018-9363-Bluetooth-hidp-buffer-overflow-in-hidp_process_repor.patch | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/patches/cve/CVE-2018-9363-Bluetooth-hidp-buffer-overflow-in-hidp_process_repor.patch b/patches/cve/CVE-2018-9363-Bluetooth-hidp-buffer-overflow-in-hidp_process_repor.patch new file mode 100644 index 0000000..4c6ce81 --- /dev/null +++ b/patches/cve/CVE-2018-9363-Bluetooth-hidp-buffer-overflow-in-hidp_process_repor.patch | |||
| @@ -0,0 +1,51 @@ | |||
| 1 | From 7992c18810e568b95c869b227137a2215702a805 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Mark Salyzyn <salyzyn@android.com> | ||
| 3 | Date: Tue, 31 Jul 2018 15:02:13 -0700 | ||
| 4 | Subject: [PATCH] Bluetooth: hidp: buffer overflow in hidp_process_report | ||
| 5 | |||
| 6 | The buffer length is unsigned at all layers, but gets cast to int and | ||
| 7 | checked in hidp_process_report and can lead to a buffer overflow. | ||
| 8 | Switch len parameter to unsigned int to resolve issue. | ||
| 9 | |||
| 10 | This affects 3.18 and newer kernels. | ||
| 11 | |||
| 12 | CVE-2018-9363 | ||
| 13 | Upstream-Status: Backport | ||
| 14 | |||
| 15 | Signed-off-by: Mark Salyzyn <salyzyn@android.com> | ||
| 16 | Fixes: a4b1b5877b514b276f0f31efe02388a9c2836728 ("HID: Bluetooth: hidp: make sure input buffers are big enough") | ||
| 17 | Cc: Marcel Holtmann <marcel@holtmann.org> | ||
| 18 | Cc: Johan Hedberg <johan.hedberg@gmail.com> | ||
| 19 | Cc: "David S. Miller" <davem@davemloft.net> | ||
| 20 | Cc: Kees Cook <keescook@chromium.org> | ||
| 21 | Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com> | ||
| 22 | Cc: linux-bluetooth@vger.kernel.org | ||
| 23 | Cc: netdev@vger.kernel.org | ||
| 24 | Cc: linux-kernel@vger.kernel.org | ||
| 25 | Cc: security@kernel.org | ||
| 26 | Cc: kernel-team@android.com | ||
| 27 | Acked-by: Kees Cook <keescook@chromium.org> | ||
| 28 | Signed-off-by: Marcel Holtmann <marcel@holtmann.org> | ||
| 29 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
| 30 | --- | ||
| 31 | net/bluetooth/hidp/core.c | 4 ++-- | ||
| 32 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
| 33 | |||
| 34 | diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c | ||
| 35 | index 6f3eaf2..253975c 100644 | ||
| 36 | --- a/net/bluetooth/hidp/core.c | ||
| 37 | +++ b/net/bluetooth/hidp/core.c | ||
| 38 | @@ -431,8 +431,8 @@ static void hidp_del_timer(struct hidp_session *session) | ||
| 39 | del_timer(&session->timer); | ||
| 40 | } | ||
| 41 | |||
| 42 | -static void hidp_process_report(struct hidp_session *session, | ||
| 43 | - int type, const u8 *data, int len, int intr) | ||
| 44 | +static void hidp_process_report(struct hidp_session *session, int type, | ||
| 45 | + const u8 *data, unsigned int len, int intr) | ||
| 46 | { | ||
| 47 | if (len > HID_MAX_BUFFER_SIZE) | ||
| 48 | len = HID_MAX_BUFFER_SIZE; | ||
| 49 | -- | ||
| 50 | 2.7.4 | ||
| 51 | |||