Bluetooth: hidp: fix buffer overflow (CVE-2019-11884)

2019-06-07 15:24:58 +02:00 · 2019-06-07 15:24:58 +02:00 · 3b44df1499
parent 8910626bca
commit 3b44df1499
3 changed files with 36 additions and 0 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -18,6 +18,7 @@ linux (4.19.37-4) UNRELEASED; urgency=medium
    (CVE-2019-9503)
  * ext4: zero out the unused memory region in the extent tree block
    (CVE-2019-11833)
+  * Bluetooth: hidp: fix buffer overflow (CVE-2019-11884)

 -- Ben Hutchings <ben@decadent.org.uk>  Sun, 19 May 2019 00:04:16 +0100

--- a/debian/patches/bugfix/all/Bluetooth-hidp-fix-buffer-overflow.patch
+++ b/debian/patches/bugfix/all/Bluetooth-hidp-fix-buffer-overflow.patch
@ -0,0 +1,34 @@
+From: Young Xiao <YangX92@hotmail.com>
+Date: Fri, 12 Apr 2019 15:24:30 +0800
+Subject: Bluetooth: hidp: fix buffer overflow
+Origin: https://git.kernel.org/linus/a1616a5ac99ede5d605047a9012481ce7ff18b16
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-11884
+
+Struct ca is copied from userspace. It is not checked whether the "name"
+field is NULL terminated, which allows local users to obtain potentially
+sensitive information from kernel stack memory, via a HIDPCONNADD command.
+
+This vulnerability is similar to CVE-2011-1079.
+
+Signed-off-by: Young Xiao <YangX92@hotmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Cc: stable@vger.kernel.org
+---
+ net/bluetooth/hidp/sock.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/bluetooth/hidp/sock.c b/net/bluetooth/hidp/sock.c
+index 9f85a1943be9..2151913892ce 100644
+--- a/net/bluetooth/hidp/sock.c
+++ b/net/bluetooth/hidp/sock.c
+@@ -75,6 +75,7 @@ static int do_hidp_sock_ioctl(struct socket *sock, unsigned int cmd, void __user
+ 			sockfd_put(csock);
+ 			return err;
+ 		}
+		ca.name[sizeof(ca.name)-1] = 0;
+ 
+ 		err = hidp_connection_add(&ca, csock, isock);
+ 		if (!err && copy_to_user(argp, &ca, sizeof(ca)))
+-- 
+2.20.1
+
--- a/debian/patches/series
+++ b/debian/patches/series
@ -215,6 +215,7 @@ bugfix/all/spec/powerpc-64s-include-cpu-header.patch
 bugfix/all/brcmfmac-assure-SSID-length-from-firmware-is-limited.patch
 bugfix/all/brcmfmac-add-subtype-check-for-event-handling-in-dat.patch
 bugfix/all/ext4-zero-out-the-unused-memory-region-in-the-extent.patch
+bugfix/all/Bluetooth-hidp-fix-buffer-overflow.patch

 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch