diff options
Diffstat (limited to 'recipes-kernel')
-rw-r--r-- | recipes-kernel/linux/linux-intel-rt_4.14.bbappend | 1 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-intel/CVE-2018-9363.patch | 56 |
2 files changed, 57 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-intel-rt_4.14.bbappend b/recipes-kernel/linux/linux-intel-rt_4.14.bbappend index 530ea31..2b8d8d9 100644 --- a/recipes-kernel/linux/linux-intel-rt_4.14.bbappend +++ b/recipes-kernel/linux/linux-intel-rt_4.14.bbappend | |||
@@ -11,6 +11,7 @@ SRC_URI_append = " git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=s | |||
11 | file://CVE-2018-13093.patch \ | 11 | file://CVE-2018-13093.patch \ |
12 | file://CVE-2018-13094.patch \ | 12 | file://CVE-2018-13094.patch \ |
13 | file://CVE-2018-15572.patch \ | 13 | file://CVE-2018-15572.patch \ |
14 | file://CVE-2018-9363.patch \ | ||
14 | " | 15 | " |
15 | 16 | ||
16 | # Debug tools support | 17 | # Debug tools support |
diff --git a/recipes-kernel/linux/linux-intel/CVE-2018-9363.patch b/recipes-kernel/linux/linux-intel/CVE-2018-9363.patch new file mode 100644 index 0000000..45a02d7 --- /dev/null +++ b/recipes-kernel/linux/linux-intel/CVE-2018-9363.patch | |||
@@ -0,0 +1,56 @@ | |||
1 | From 6e2c702e797c25b49dac3a9f663c449f30cf8efc Mon Sep 17 00:00:00 2001 | ||
2 | From: Mark Salyzyn <salyzyn@android.com> | ||
3 | Date: Tue, 31 Jul 2018 15:02:13 -0700 | ||
4 | Subject: [PATCH] Bluetooth: hidp: buffer overflow in hidp_process_report | ||
5 | |||
6 | commit 7992c18810e568b95c869b227137a2215702a805 upstream. | ||
7 | |||
8 | CVE-2018-9363 | ||
9 | |||
10 | The buffer length is unsigned at all layers, but gets cast to int and | ||
11 | checked in hidp_process_report and can lead to a buffer overflow. | ||
12 | Switch len parameter to unsigned int to resolve issue. | ||
13 | |||
14 | This affects 3.18 and newer kernels. | ||
15 | |||
16 | CVE: CVE-2018-9363 | ||
17 | Upstream-Status: Backport | ||
18 | |||
19 | Signed-off-by: Mark Salyzyn <salyzyn@android.com> | ||
20 | Fixes: a4b1b5877b514b276f0f31efe02388a9c2836728 ("HID: Bluetooth: hidp: make sure input buffers are big enough") | ||
21 | Cc: Marcel Holtmann <marcel@holtmann.org> | ||
22 | Cc: Johan Hedberg <johan.hedberg@gmail.com> | ||
23 | Cc: "David S. Miller" <davem@davemloft.net> | ||
24 | Cc: Kees Cook <keescook@chromium.org> | ||
25 | Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com> | ||
26 | Cc: linux-bluetooth@vger.kernel.org | ||
27 | Cc: netdev@vger.kernel.org | ||
28 | Cc: linux-kernel@vger.kernel.org | ||
29 | Cc: security@kernel.org | ||
30 | Cc: kernel-team@android.com | ||
31 | Acked-by: Kees Cook <keescook@chromium.org> | ||
32 | Signed-off-by: Marcel Holtmann <marcel@holtmann.org> | ||
33 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | ||
34 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
35 | --- | ||
36 | net/bluetooth/hidp/core.c | 4 ++-- | ||
37 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
38 | |||
39 | diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c | ||
40 | index 8112893..cef3754 100644 | ||
41 | --- a/net/bluetooth/hidp/core.c | ||
42 | +++ b/net/bluetooth/hidp/core.c | ||
43 | @@ -431,8 +431,8 @@ static void hidp_del_timer(struct hidp_session *session) | ||
44 | del_timer(&session->timer); | ||
45 | } | ||
46 | |||
47 | -static void hidp_process_report(struct hidp_session *session, | ||
48 | - int type, const u8 *data, int len, int intr) | ||
49 | +static void hidp_process_report(struct hidp_session *session, int type, | ||
50 | + const u8 *data, unsigned int len, int intr) | ||
51 | { | ||
52 | if (len > HID_MAX_BUFFER_SIZE) | ||
53 | len = HID_MAX_BUFFER_SIZE; | ||
54 | -- | ||
55 | 1.9.1 | ||
56 | |||