35 lines
1.2 KiB
Diff
From: Young Xiao <YangX92@hotmail.com>
Date: Fri, 12 Apr 2019 15:24:30 +0800
Subject: Bluetooth: hidp: fix buffer overflow
Origin: https://git.kernel.org/linus/a1616a5ac99ede5d605047a9012481ce7ff18b16
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-11884

Struct ca is copied from userspace. It is not checked whether the "name"
field is NULL terminated, which allows local users to obtain potentially
sensitive information from kernel stack memory, via a HIDPCONNADD command.

This vulnerability is similar to CVE-2011-1079.

Signed-off-by: Young Xiao <YangX92@hotmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Cc: stable@vger.kernel.org
---
net/bluetooth/hidp/sock.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/net/bluetooth/hidp/sock.c b/net/bluetooth/hidp/sock.c
index 9f85a1943be9..2151913892ce 100644
--- a/net/bluetooth/hidp/sock.c
+++ b/net/bluetooth/hidp/sock.c
@@ -75,6 +75,7 @@ static int do_hidp_sock_ioctl(struct socket *sock, unsigned int cmd, void __user
sockfd_put(csock);
return err;
}
+ ca.name[sizeof(ca.name)-1] = 0;
err = hidp_connection_add(&ca, csock, isock);
if (!err && copy_to_user(argp, &ca, sizeof(ca)))
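
Review bot: the added `ca.name[sizeof(ca.name)-1] = 0;` line has no comment, and nothing at that spot says why a buffer the caller filled is being overwritten. A one-line comment that `ca` comes from userspace and `name` may arrive without a terminator would keep the line from being dropped in a later cleanup; kernel style also wants spaces around the operator, `sizeof(ca.name) - 1`. The assignment silently truncates a name that fills the whole field instead of rejecting it, and the `copy_to_user(argp, &ca, sizeof(ca))` two lines below hands the modified struct back to the caller, so the commit message should say that truncation is the intended behaviour. The subject says "buffer overflow" while the message describes an information disclosure through an unterminated string; naming the missing termination in the subject would match what the change does.
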
--
2.20.1