Bluetooth: hidp: buffer overflow in hidp_process_report (CVE-2018-9363)
This commit is contained in:
parent
f7fa757621
commit
cfd1f69cfe
|
@ -120,6 +120,7 @@ linux (4.17.15-1) UNRELEASED; urgency=medium
|
|||
[ Salvatore Bonaccorso ]
|
||||
* [x86] l1tf: Fix build error seen if CONFIG_KVM_INTEL is disabled
|
||||
* [x86] i8259: Add missing include file
|
||||
* Bluetooth: hidp: buffer overflow in hidp_process_report (CVE-2018-9363)
|
||||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Tue, 14 Aug 2018 00:07:30 +0800
|
||||
|
||||
|
|
50
debian/patches/bugfix/all/bluetooth-hidp-buffer-overflow-in-hidp_process_report.patch
vendored
Normal file
50
debian/patches/bugfix/all/bluetooth-hidp-buffer-overflow-in-hidp_process_report.patch
vendored
Normal file
|
@ -0,0 +1,50 @@
|
|||
From: Mark Salyzyn <salyzyn@android.com>
|
||||
Date: Tue, 31 Jul 2018 15:02:13 -0700
|
||||
Subject: Bluetooth: hidp: buffer overflow in hidp_process_report
|
||||
Origin: https://git.kernel.org/linus/7992c18810e568b95c869b227137a2215702a805
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-9363
|
||||
|
||||
CVE-2018-9363
|
||||
|
||||
The buffer length is unsigned at all layers, but gets cast to int and
|
||||
checked in hidp_process_report and can lead to a buffer overflow.
|
||||
Switch len parameter to unsigned int to resolve issue.
|
||||
|
||||
This affects 3.18 and newer kernels.
|
||||
|
||||
Signed-off-by: Mark Salyzyn <salyzyn@android.com>
|
||||
Fixes: a4b1b5877b514b276f0f31efe02388a9c2836728 ("HID: Bluetooth: hidp: make sure input buffers are big enough")
|
||||
Cc: Marcel Holtmann <marcel@holtmann.org>
|
||||
Cc: Johan Hedberg <johan.hedberg@gmail.com>
|
||||
Cc: "David S. Miller" <davem@davemloft.net>
|
||||
Cc: Kees Cook <keescook@chromium.org>
|
||||
Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
|
||||
Cc: linux-bluetooth@vger.kernel.org
|
||||
Cc: netdev@vger.kernel.org
|
||||
Cc: linux-kernel@vger.kernel.org
|
||||
Cc: security@kernel.org
|
||||
Cc: kernel-team@android.com
|
||||
Acked-by: Kees Cook <keescook@chromium.org>
|
||||
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
|
||||
---
|
||||
net/bluetooth/hidp/core.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
|
||||
index 6f3eaf2fb94f..253975cce943 100644
|
||||
--- a/net/bluetooth/hidp/core.c
|
||||
+++ b/net/bluetooth/hidp/core.c
|
||||
@@ -431,8 +431,8 @@ static void hidp_del_timer(struct hidp_session *session)
|
||||
del_timer(&session->timer);
|
||||
}
|
||||
|
||||
-static void hidp_process_report(struct hidp_session *session,
|
||||
- int type, const u8 *data, int len, int intr)
|
||||
+static void hidp_process_report(struct hidp_session *session, int type,
|
||||
+ const u8 *data, unsigned int len, int intr)
|
||||
{
|
||||
if (len > HID_MAX_BUFFER_SIZE)
|
||||
len = HID_MAX_BUFFER_SIZE;
|
||||
--
|
||||
2.18.0
|
||||
|
|
@ -141,6 +141,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
|
|||
# Security fixes
|
||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||
bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch
|
||||
bugfix/all/bluetooth-hidp-buffer-overflow-in-hidp_process_report.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/all/module-disable-matching-missing-version-crc.patch
|
||||
|
|
Loading…
Reference in New Issue