diff options
author | Andreas Wellving <andreas.wellving@enea.com> | 2018-10-26 13:55:59 +0200 |
---|---|---|
committer | Andreas Wellving <andreas.wellving@enea.com> | 2018-10-26 13:55:59 +0200 |
commit | 9678bba6586cdfe681cc809b3f4627d11473c23d (patch) | |
tree | d7d7831a5c97778eab23e22df613d27c1ab59295 | |
parent | c9c86492f9d5d36b35caffe638763cb0f84c7e63 (diff) | |
download | enea-kernel-cache-9678bba6586cdfe681cc809b3f4627d11473c23d.tar.gz |
Bluetooth: CVE-2018-9363
Bluetooth: hidp: buffer overflow in hidp_process_report
Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=7c7940ffbaefdbb189f78a48b4e64b6f268b1dbf
Change-Id: Iae82c91e3bf742713e2feaf01abf1554b762ec72
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
-rw-r--r-- | patches/cve/4.9.x.scc | 3 | ||||
-rw-r--r-- | patches/cve/CVE-2018-9363-Bluetooth-hidp-buffer-overflow-in-hidp_process_repor.patch | 53 |
2 files changed, 56 insertions, 0 deletions
diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc index 10999ce..7aec14a 100644 --- a/patches/cve/4.9.x.scc +++ b/patches/cve/4.9.x.scc | |||
@@ -27,3 +27,6 @@ SRC_URI += "file://CVE-2018-10902-ALSA-rawmidi-Change-resized-buffers-atomically | |||
27 | 27 | ||
28 | #CVEs fixed in 4.9.116: | 28 | #CVEs fixed in 4.9.116: |
29 | SRC_URI += "file://CVE-2018-5390-tcp-free-batches-of-packets-in-tcp_prune_ofo_queue.patch" | 29 | SRC_URI += "file://CVE-2018-5390-tcp-free-batches-of-packets-in-tcp_prune_ofo_queue.patch" |
30 | |||
31 | #CVEs fixed in 4.9.121: | ||
32 | SRC_URI += "file://CVE-2018-9363-Bluetooth-hidp-buffer-overflow-in-hidp_process_repor.patch" | ||
diff --git a/patches/cve/CVE-2018-9363-Bluetooth-hidp-buffer-overflow-in-hidp_process_repor.patch b/patches/cve/CVE-2018-9363-Bluetooth-hidp-buffer-overflow-in-hidp_process_repor.patch new file mode 100644 index 0000000..d0b1d92 --- /dev/null +++ b/patches/cve/CVE-2018-9363-Bluetooth-hidp-buffer-overflow-in-hidp_process_repor.patch | |||
@@ -0,0 +1,53 @@ | |||
1 | From 7c7940ffbaefdbb189f78a48b4e64b6f268b1dbf Mon Sep 17 00:00:00 2001 | ||
2 | From: Mark Salyzyn <salyzyn@android.com> | ||
3 | Date: Tue, 31 Jul 2018 15:02:13 -0700 | ||
4 | Subject: [PATCH] Bluetooth: hidp: buffer overflow in hidp_process_report | ||
5 | |||
6 | commit 7992c18810e568b95c869b227137a2215702a805 upstream. | ||
7 | |||
8 | The buffer length is unsigned at all layers, but gets cast to int and | ||
9 | checked in hidp_process_report and can lead to a buffer overflow. | ||
10 | Switch len parameter to unsigned int to resolve issue. | ||
11 | |||
12 | This affects 3.18 and newer kernels. | ||
13 | |||
14 | CVE: CVE-2018-9363 | ||
15 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=7c7940ffbaefdbb189f78a48b4e64b6f268b1dbf] | ||
16 | |||
17 | Signed-off-by: Mark Salyzyn <salyzyn@android.com> | ||
18 | Fixes: a4b1b5877b514b276f0f31efe02388a9c2836728 ("HID: Bluetooth: hidp: make sure input buffers are big enough") | ||
19 | Cc: Marcel Holtmann <marcel@holtmann.org> | ||
20 | Cc: Johan Hedberg <johan.hedberg@gmail.com> | ||
21 | Cc: "David S. Miller" <davem@davemloft.net> | ||
22 | Cc: Kees Cook <keescook@chromium.org> | ||
23 | Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com> | ||
24 | Cc: linux-bluetooth@vger.kernel.org | ||
25 | Cc: netdev@vger.kernel.org | ||
26 | Cc: linux-kernel@vger.kernel.org | ||
27 | Cc: security@kernel.org | ||
28 | Cc: kernel-team@android.com | ||
29 | Acked-by: Kees Cook <keescook@chromium.org> | ||
30 | Signed-off-by: Marcel Holtmann <marcel@holtmann.org> | ||
31 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | ||
32 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
33 | --- | ||
34 | net/bluetooth/hidp/core.c | 4 ++-- | ||
35 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
36 | |||
37 | diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c | ||
38 | index 1fc076420d1e..1811f8e7ddf4 100644 | ||
39 | --- a/net/bluetooth/hidp/core.c | ||
40 | +++ b/net/bluetooth/hidp/core.c | ||
41 | @@ -431,8 +431,8 @@ static void hidp_del_timer(struct hidp_session *session) | ||
42 | del_timer(&session->timer); | ||
43 | } | ||
44 | |||
45 | -static void hidp_process_report(struct hidp_session *session, | ||
46 | - int type, const u8 *data, int len, int intr) | ||
47 | +static void hidp_process_report(struct hidp_session *session, int type, | ||
48 | + const u8 *data, unsigned int len, int intr) | ||
49 | { | ||
50 | if (len > HID_MAX_BUFFER_SIZE) | ||
51 | len = HID_MAX_BUFFER_SIZE; | ||
52 | |||
53 | |||