Bluetooth: hidp: fix buffer overflow (CVE-2019-11884)
parent
8910626bca
commit
3b44df1499
|
@ -18,6 +18,7 @@ linux (4.19.37-4) UNRELEASED; urgency=medium
|
|||
(CVE-2019-9503)
|
||||
* ext4: zero out the unused memory region in the extent tree block
|
||||
(CVE-2019-11833)
|
||||
* Bluetooth: hidp: fix buffer overflow (CVE-2019-11884)
|
||||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Sun, 19 May 2019 00:04:16 +0100
|
||||
|
||||
|
|
|
@ -0,0 +1,34 @@
|
|||
From: Young Xiao <YangX92@hotmail.com>
|
||||
Date: Fri, 12 Apr 2019 15:24:30 +0800
|
||||
Subject: Bluetooth: hidp: fix buffer overflow
|
||||
Origin: https://git.kernel.org/linus/a1616a5ac99ede5d605047a9012481ce7ff18b16
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-11884
|
||||
|
||||
Struct ca is copied from userspace. It is not checked whether the "name"
|
||||
field is NULL terminated, which allows local users to obtain potentially
|
||||
sensitive information from kernel stack memory, via a HIDPCONNADD command.
|
||||
|
||||
This vulnerability is similar to CVE-2011-1079.
|
||||
|
||||
Signed-off-by: Young Xiao <YangX92@hotmail.com>
|
||||
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
|
||||
Cc: stable@vger.kernel.org
|
||||
---
|
||||
net/bluetooth/hidp/sock.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/net/bluetooth/hidp/sock.c b/net/bluetooth/hidp/sock.c
|
||||
index 9f85a1943be9..2151913892ce 100644
|
||||
--- a/net/bluetooth/hidp/sock.c
|
||||
+++ b/net/bluetooth/hidp/sock.c
|
||||
@@ -75,6 +75,7 @@ static int do_hidp_sock_ioctl(struct socket *sock, unsigned int cmd, void __user
|
||||
sockfd_put(csock);
|
||||
return err;
|
||||
}
|
||||
+ ca.name[sizeof(ca.name)-1] = 0;
|
||||
|
||||
err = hidp_connection_add(&ca, csock, isock);
|
||||
if (!err && copy_to_user(argp, &ca, sizeof(ca)))
|
||||
--
|
||||
2.20.1
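Review bot: The added line `ca.name[sizeof(ca.name)-1] = 0;` in do_hidp_sock_ioctl carries no comment explaining why a field of a struct just copied from userspace is overwritten, and the subject line calls the bug a buffer overflow while the description describes an over-read that discloses kernel stack memory. A short comment above it would record the intent, for example `/* ca comes from userspace; force NUL termination so ca.name cannot be read past its end */`, and kernel style would write the index as `sizeof(ca.name) - 1` and the terminator as `'\0'`. The function starts and ends outside this hunk, so the copy from userspace and any other path into hidp_connection_add() are not visible here. It would be worth confirming against the full file that every caller filling a `ca` of this type passes through this line before the name is used as a string.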
|
||||
|
|
@ -215,6 +215,7 @@ bugfix/all/spec/powerpc-64s-include-cpu-header.patch
|
|||
bugfix/all/brcmfmac-assure-SSID-length-from-firmware-is-limited.patch
|
||||
bugfix/all/brcmfmac-add-subtype-check-for-event-handling-in-dat.patch
|
||||
bugfix/all/ext4-zero-out-the-unused-memory-region-in-the-extent.patch
|
||||
bugfix/all/Bluetooth-hidp-fix-buffer-overflow.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/all/module-disable-matching-missing-version-crc.patch
|
||||
|
|