Bluetooth: hidp: fix buffer overflow (CVE-2019-11884)
parent
8910626bca
commit
3b44df1499
|
@ -18,6 +18,7 @@ linux (4.19.37-4) UNRELEASED; urgency=medium
|
||||||
(CVE-2019-9503)
|
(CVE-2019-9503)
|
||||||
* ext4: zero out the unused memory region in the extent tree block
|
* ext4: zero out the unused memory region in the extent tree block
|
||||||
(CVE-2019-11833)
|
(CVE-2019-11833)
|
||||||
|
* Bluetooth: hidp: fix buffer overflow (CVE-2019-11884)
|
||||||
|
|
||||||
-- Ben Hutchings <ben@decadent.org.uk> Sun, 19 May 2019 00:04:16 +0100
|
-- Ben Hutchings <ben@decadent.org.uk> Sun, 19 May 2019 00:04:16 +0100
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,34 @@
|
||||||
|
From: Young Xiao <YangX92@hotmail.com>
|
||||||
|
Date: Fri, 12 Apr 2019 15:24:30 +0800
|
||||||
|
Subject: Bluetooth: hidp: fix buffer overflow
|
||||||
|
Origin: https://git.kernel.org/linus/a1616a5ac99ede5d605047a9012481ce7ff18b16
|
||||||
|
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-11884
|
||||||
|
|
||||||
|
Struct ca is copied from userspace. It is not checked whether the "name"
|
||||||
|
field is NULL terminated, which allows local users to obtain potentially
|
||||||
|
sensitive information from kernel stack memory, via a HIDPCONNADD command.
|
||||||
|
|
||||||
|
This vulnerability is similar to CVE-2011-1079.
|
||||||
|
|
||||||
|
Signed-off-by: Young Xiao <YangX92@hotmail.com>
|
||||||
|
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
|
||||||
|
Cc: stable@vger.kernel.org
|
||||||
|
---
|
||||||
|
net/bluetooth/hidp/sock.c | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
diff --git a/net/bluetooth/hidp/sock.c b/net/bluetooth/hidp/sock.c
|
||||||
|
index 9f85a1943be9..2151913892ce 100644
|
||||||
|
--- a/net/bluetooth/hidp/sock.c
|
||||||
|
+++ b/net/bluetooth/hidp/sock.c
|
||||||
|
@@ -75,6 +75,7 @@ static int do_hidp_sock_ioctl(struct socket *sock, unsigned int cmd, void __user
|
||||||
|
sockfd_put(csock);
|
||||||
|
return err;
|
||||||
|
}
|
||||||
|
+ ca.name[sizeof(ca.name)-1] = 0;
|
||||||
|
|
||||||
|
err = hidp_connection_add(&ca, csock, isock);
|
||||||
|
if (!err && copy_to_user(argp, &ca, sizeof(ca)))
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
|
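Review bot: The termination added before `hidp_connection_add(&ca, csock, isock)` protects only requests that reach this point in do_hidp_sock_ioctl. Any other handler that fills a `struct hidp_connadd_req` from userspace needs the same line before it passes the struct on; the compat ioctl handler is the one to check if it does its own copy in this tree, which is not visible in this hunk. The new line also carries no comment, so I would add `/* ca was copied from userspace; name may arrive without a terminator */` above `ca.name[sizeof(ca.name)-1] = 0;` so a later refactor does not drop it as redundant. The function body starts and ends outside the hunk, so the preceding copy_from_user() and its error handling cannot be confirmed from here.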
@ -215,6 +215,7 @@ bugfix/all/spec/powerpc-64s-include-cpu-header.patch
|
||||||
bugfix/all/brcmfmac-assure-SSID-length-from-firmware-is-limited.patch
|
bugfix/all/brcmfmac-assure-SSID-length-from-firmware-is-limited.patch
|
||||||
bugfix/all/brcmfmac-add-subtype-check-for-event-handling-in-dat.patch
|
bugfix/all/brcmfmac-add-subtype-check-for-event-handling-in-dat.patch
|
||||||
bugfix/all/ext4-zero-out-the-unused-memory-region-in-the-extent.patch
|
bugfix/all/ext4-zero-out-the-unused-memory-region-in-the-extent.patch
|
||||||
|
bugfix/all/Bluetooth-hidp-fix-buffer-overflow.patch
|
||||||
|
|
||||||
# Fix exported symbol versions
|
# Fix exported symbol versions
|
||||||
bugfix/all/module-disable-matching-missing-version-crc.patch
|
bugfix/all/module-disable-matching-missing-version-crc.patch
|
||||||
|
|