From fc12fa543f19be12b76f55f0a854351c1f030405 Mon Sep 17 00:00:00 2001 From: Adrian Dudau Date: Thu, 11 Oct 2018 16:33:28 +0200 Subject: Revert "hidp: CVE-2018-9363" This reverts commit d241ce35c9e2820922b9c85382db096723dcb13d. Patch was applied against the wrong baseline, needs to be reworked. Change-Id: Ic282acf6aa440b07e6e4420be17956ac96cc586e --- patches/cve/4.9.x.scc | 11 ----- ...idp-buffer-overflow-in-hidp_process_repor.patch | 53 ---------------------- 2 files changed, 64 deletions(-) delete mode 100644 patches/cve/4.9.x.scc delete mode 100644 patches/cve/CVE-2018-9363-Bluetooth-hidp-buffer-overflow-in-hidp_process_repor.patch diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc deleted file mode 100644 index a296f8e..0000000 --- a/patches/cve/4.9.x.scc +++ /dev/null @@ -1,11 +0,0 @@ -#CVEs fixed in 4.9.117: -patch CVE-2018-14734-infiniband-fix-a-possible-use-after-free-bug.patch - -#CVEs fixed in 4.9.119: -patch CVE-2018-12233-jfs-Fix-inconsistency-between-memory-allocation-and-.patch - -#CVEs fixed in 4.9.120: -patch CVE-2018-15572-x86-speculation-Protect-against-userspace-userspace-.patch - -#CVEs fixed in 4.9.121: -patch CVE-2018-9363-Bluetooth-hidp-buffer-overflow-in-hidp_process_repor.patch diff --git a/patches/cve/CVE-2018-9363-Bluetooth-hidp-buffer-overflow-in-hidp_process_repor.patch b/patches/cve/CVE-2018-9363-Bluetooth-hidp-buffer-overflow-in-hidp_process_repor.patch deleted file mode 100644 index 8ebf70f..0000000 --- a/patches/cve/CVE-2018-9363-Bluetooth-hidp-buffer-overflow-in-hidp_process_repor.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -From 7992c18810e568b95c869b227137a2215702a805 Mon Sep 17 00:00:00 2001 -From: Mark Salyzyn -Date: Tue, 31 Jul 2018 15:02:13 -0700 -Subject: [PATCH] Bluetooth: hidp: buffer overflow in hidp_process_report - -CVE-2018-9363 - -The buffer length is unsigned at all layers, but gets cast to int and -checked in hidp_process_report and can lead to a buffer overflow. -Switch len parameter to unsigned int to resolve issue. - -This affects 3.18 and newer kernels. - -CVE: CVE-2018-9363 -Upstream-Status: Backport - -Signed-off-by: Mark Salyzyn -Fixes: a4b1b5877b514b276f0f31efe02388a9c2836728 ("HID: Bluetooth: hidp: make sure input buffers are big enough") -Cc: Marcel Holtmann -Cc: Johan Hedberg -Cc: "David S. Miller" -Cc: Kees Cook -Cc: Benjamin Tissoires -Cc: linux-bluetooth@vger.kernel.org -Cc: netdev@vger.kernel.org -Cc: linux-kernel@vger.kernel.org -Cc: security@kernel.org -Cc: kernel-team@android.com -Acked-by: Kees Cook -Signed-off-by: Marcel Holtmann -Signed-off-by: Andreas Wellving ---- - net/bluetooth/hidp/core.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c -index 6f3eaf2..253975c 100644 ---- a/net/bluetooth/hidp/core.c -+++ b/net/bluetooth/hidp/core.c -@@ -431,9 +431,8 @@ static void hidp_del_timer(struct hidp_session *session) - del_timer(&session->timer); - } - --static void hidp_process_report(struct hidp_session *session, -- int type, const u8 *data, int len, int intr) -+static void hidp_process_report(struct hidp_session *session, int type, -+ const u8 *data, unsigned int len, int intr) - { - if (len > HID_MAX_BUFFER_SIZE) - len = HID_MAX_BUFFER_SIZE; --- - - -- cgit v1.2.3-54-g00ecf
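Review bot: The deletion of patches/cve/4.9.x.scc removes all eleven lines of the series file, not only the `patch CVE-2018-9363-Bluetooth-hidp-buffer-overflow-in-hidp_process_repor.patch` entry. The entries for CVE-2018-14734, CVE-2018-12233 and CVE-2018-15572 are dropped as well, while the commit message only mentions the hidp fix. If those three patches are meant to stay applied for 4.9.x, keep the file and delete only the 4.9.121 block. If the whole file really belongs to the wrong baseline, say so in the commit message so that the loss of the other three CVE entries is a recorded decision rather than a side effect.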
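Review bot: Deleting CVE-2018-9363-Bluetooth-hidp-buffer-overflow-in-hidp_process_repor.patch takes out the only change that makes the `if (len > HID_MAX_BUFFER_SIZE)` clamp in hidp_process_report effective, because with the old `int len` signature a length that turns negative after the cast passes that comparison unclamped. The commit message says the patch "needs to be reworked" but names neither the baseline it should target nor a follow-up change, so a reader cannot tell how long the 4.9.x patch set will carry no fix for this CVE. Please state the intended baseline in the message and reference the rework change, or land the revert and the reworked patch together.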