linux-intel-rt: Fix for CVE-2018-9363

References: https://github.com/nluedtke/linux_kernel_cves/blob/master/4.14/4.14_security.txt https://nvd.nist.gov/vuln/detail/CVE-2018-9363 Change-Id: I6c93f124c5ddfac6de11f62b943fea255513c8a3 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2018-09-20 09:45:19 +0200
committer: Martin Borg <martin.borg@enea.com> 2018-09-21 14:42:26 +0200
commit: e5105c1a35907089dd13c0783ee5940106046896 (patch)
tree: ee94e601cb4fd951a30b00f2a90a921523af1c74
parent: 7954c83819f78fd8baf68615d592eb0886a8af65 (diff)
download: meta-enea-bsp-x86-e5105c1a35907089dd13c0783ee5940106046896.tar.gz
2 files changed, 57 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-intel-rt_4.14.bbappend b/recipes-kernel/linux/linux-intel-rt_4.14.bbappend
index 530ea31..2b8d8d9 100644
--- a/recipes-kernel/linux/linux-intel-rt_4.14.bbappend
+++ b/recipes-kernel/linux/linux-intel-rt_4.14.bbappend
@@ -11,6 +11,7 @@ SRC_URI_append = " git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=s
                   file://CVE-2018-13093.patch \
                   file://CVE-2018-13094.patch \
                   file://CVE-2018-15572.patch \
+                   file://CVE-2018-9363.patch \
                 "
 # Debug tools support
diff --git a/recipes-kernel/linux/linux-intel/CVE-2018-9363.patch b/recipes-kernel/linux/linux-intel/CVE-2018-9363.patch
new file mode 100644
index 0000000..45a02d7
--- /dev/null
+++ b/recipes-kernel/linux/linux-intel/CVE-2018-9363.patch
@@ -0,0 +1,56 @@
+From 6e2c702e797c25b49dac3a9f663c449f30cf8efc Mon Sep 17 00:00:00 2001
+From: Mark Salyzyn <salyzyn@android.com>
+Date: Tue, 31 Jul 2018 15:02:13 -0700
+Subject: [PATCH] Bluetooth: hidp: buffer overflow in hidp_process_report
+commit 7992c18810e568b95c869b227137a2215702a805 upstream.
+CVE-2018-9363
+The buffer length is unsigned at all layers, but gets cast to int and
+checked in hidp_process_report and can lead to a buffer overflow.
+Switch len parameter to unsigned int to resolve issue.
+This affects 3.18 and newer kernels.
+CVE: CVE-2018-9363
+Upstream-Status: Backport
+Signed-off-by: Mark Salyzyn <salyzyn@android.com>
+Fixes: a4b1b5877b514b276f0f31efe02388a9c2836728 ("HID: Bluetooth: hidp: make sure input buffers are big enough")
+Cc: Marcel Holtmann <marcel@holtmann.org>
+Cc: Johan Hedberg <johan.hedberg@gmail.com>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Cc: linux-bluetooth@vger.kernel.org
+Cc: netdev@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Cc: security@kernel.org
+Cc: kernel-team@android.com
+Acked-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ net/bluetooth/hidp/core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
+index 8112893..cef3754 100644
+--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
+@@ -431,8 +431,8 @@ static void hidp_del_timer(struct hidp_session *session)
+                del_timer(&session->timer);
+ }
+ 
+-static void hidp_process_report(struct hidp_session *session,
+-                               int type, const u8 *data, int len, int intr)
+static void hidp_process_report(struct hidp_session *session, int type,
+                               const u8 *data, unsigned int len, int intr)
+ {
+        if (len > HID_MAX_BUFFER_SIZE)
+                len = HID_MAX_BUFFER_SIZE;
+-- 
+1.9.1
author	Sona Sarmadi <sona.sarmadi@enea.com>	2018-09-20 09:45:19 +0200
committer	Martin Borg <martin.borg@enea.com>	2018-09-21 14:42:26 +0200
commit	e5105c1a35907089dd13c0783ee5940106046896 (patch)
tree	ee94e601cb4fd951a30b00f2a90a921523af1c74
parent	7954c83819f78fd8baf68615d592eb0886a8af65 (diff)
download	meta-enea-bsp-x86-e5105c1a35907089dd13c0783ee5940106046896.tar.gz

diff --git a/recipes-kernel/linux/linux-intel-rt_4.14.bbappend b/recipes-kernel/linux/linux-intel-rt_4.14.bbappend index 530ea31..2b8d8d9 100644 --- a/recipes-kernel/linux/linux-intel-rt_4.14.bbappend +++ b/recipes-kernel/linux/linux-intel-rt_4.14.bbappend
@@ -11,6 +11,7 @@ SRC_URI_append = " git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=s
11	file://CVE-2018-13093.patch \	11	file://CVE-2018-13093.patch \
12	file://CVE-2018-13094.patch \	12	file://CVE-2018-13094.patch \
13	file://CVE-2018-15572.patch \	13	file://CVE-2018-15572.patch \
		14	file://CVE-2018-9363.patch \
14	"	15	"
15		16
16	# Debug tools support	17	# Debug tools support


diff --git a/recipes-kernel/linux/linux-intel/CVE-2018-9363.patch b/recipes-kernel/linux/linux-intel/CVE-2018-9363.patch new file mode 100644 index 0000000..45a02d7 --- /dev/null +++ b/recipes-kernel/linux/linux-intel/CVE-2018-9363.patch
@@ -0,0 +1,56 @@
		1	From 6e2c702e797c25b49dac3a9f663c449f30cf8efc Mon Sep 17 00:00:00 2001
		2	From: Mark Salyzyn <salyzyn@android.com>
		3	Date: Tue, 31 Jul 2018 15:02:13 -0700
		4	Subject: [PATCH] Bluetooth: hidp: buffer overflow in hidp_process_report
		5
		6	commit 7992c18810e568b95c869b227137a2215702a805 upstream.
		7
		8	CVE-2018-9363
		9
		10	The buffer length is unsigned at all layers, but gets cast to int and
		11	checked in hidp_process_report and can lead to a buffer overflow.
		12	Switch len parameter to unsigned int to resolve issue.
		13
		14	This affects 3.18 and newer kernels.
		15
		16	CVE: CVE-2018-9363
		17	Upstream-Status: Backport
		18
		19	Signed-off-by: Mark Salyzyn <salyzyn@android.com>
		20	Fixes: a4b1b5877b514b276f0f31efe02388a9c2836728 ("HID: Bluetooth: hidp: make sure input buffers are big enough")
		21	Cc: Marcel Holtmann <marcel@holtmann.org>
		22	Cc: Johan Hedberg <johan.hedberg@gmail.com>
		23	Cc: "David S. Miller" <davem@davemloft.net>
		24	Cc: Kees Cook <keescook@chromium.org>
		25	Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
		26	Cc: linux-bluetooth@vger.kernel.org
		27	Cc: netdev@vger.kernel.org
		28	Cc: linux-kernel@vger.kernel.org
		29	Cc: security@kernel.org
		30	Cc: kernel-team@android.com
		31	Acked-by: Kees Cook <keescook@chromium.org>
		32	Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
		33	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		34	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		35	---
		36	net/bluetooth/hidp/core.c \| 4 ++--
		37	1 file changed, 2 insertions(+), 2 deletions(-)
		38
		39	diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
		40	index 8112893..cef3754 100644
		41	--- a/net/bluetooth/hidp/core.c
		42	+++ b/net/bluetooth/hidp/core.c
		43	@@ -431,8 +431,8 @@ static void hidp_del_timer(struct hidp_session *session)
		44	del_timer(&session->timer);
		45	}
		46
		47	-static void hidp_process_report(struct hidp_session *session,
		48	- int type, const u8 *data, int len, int intr)
		49	+static void hidp_process_report(struct hidp_session *session, int type,
		50	+ const u8 *data, unsigned int len, int intr)
		51	{
		52	if (len > HID_MAX_BUFFER_SIZE)
		53	len = HID_MAX_BUFFER_SIZE;
		54	--
		55	1.9.1
		56