From e5105c1a35907089dd13c0783ee5940106046896 Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Thu, 20 Sep 2018 09:45:19 +0200 Subject: linux-intel-rt: Fix for CVE-2018-9363 References: https://github.com/nluedtke/linux_kernel_cves/blob/master/4.14/4.14_security.txt https://nvd.nist.gov/vuln/detail/CVE-2018-9363 Change-Id: I6c93f124c5ddfac6de11f62b943fea255513c8a3 Signed-off-by: Sona Sarmadi --- recipes-kernel/linux/linux-intel-rt_4.14.bbappend | 1 + .../linux/linux-intel/CVE-2018-9363.patch | 56 ++++++++++++++++++++++ 2 files changed, 57 insertions(+) create mode 100644 recipes-kernel/linux/linux-intel/CVE-2018-9363.patch diff --git a/recipes-kernel/linux/linux-intel-rt_4.14.bbappend b/recipes-kernel/linux/linux-intel-rt_4.14.bbappend index 530ea31..2b8d8d9 100644 --- a/recipes-kernel/linux/linux-intel-rt_4.14.bbappend +++ b/recipes-kernel/linux/linux-intel-rt_4.14.bbappend @@ -11,6 +11,7 @@ SRC_URI_append = " git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=s file://CVE-2018-13093.patch \ file://CVE-2018-13094.patch \ file://CVE-2018-15572.patch \ + file://CVE-2018-9363.patch \ " # Debug tools support diff --git a/recipes-kernel/linux/linux-intel/CVE-2018-9363.patch b/recipes-kernel/linux/linux-intel/CVE-2018-9363.patch new file mode 100644 index 0000000..45a02d7 --- /dev/null +++ b/recipes-kernel/linux/linux-intel/CVE-2018-9363.patch 
@@ -0,0 +1,56 @@ +From 6e2c702e797c25b49dac3a9f663c449f30cf8efc Mon Sep 17 00:00:00 2001 +From: Mark Salyzyn +Date: Tue, 31 Jul 2018 15:02:13 -0700 +Subject: [PATCH] Bluetooth: hidp: buffer overflow in hidp_process_report + +commit 7992c18810e568b95c869b227137a2215702a805 upstream. + +CVE-2018-9363 + +The buffer length is unsigned at all layers, but gets cast to int and +checked in hidp_process_report and can lead to a buffer overflow. +Switch len parameter to unsigned int to resolve issue. + +This affects 3.18 and newer kernels. + +CVE: CVE-2018-9363 +Upstream-Status: Backport + +Signed-off-by: Mark Salyzyn +Fixes: a4b1b5877b514b276f0f31efe02388a9c2836728 ("HID: Bluetooth: hidp: make sure input buffers are big enough") +Cc: Marcel Holtmann +Cc: Johan Hedberg +Cc: "David S. Miller" +Cc: Kees Cook +Cc: Benjamin Tissoires +Cc: linux-bluetooth@vger.kernel.org +Cc: netdev@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Cc: security@kernel.org +Cc: kernel-team@android.com +Acked-by: Kees Cook +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sona Sarmadi +--- + net/bluetooth/hidp/core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c +index 8112893..cef3754 100644 +--- a/net/bluetooth/hidp/core.c ++++ b/net/bluetooth/hidp/core.c +@@ -431,8 +431,8 @@ static void hidp_del_timer(struct hidp_session *session) + del_timer(&session->timer); + } + +-static void hidp_process_report(struct hidp_session *session, +- int type, const u8 *data, int len, int intr) ++static void hidp_process_report(struct hidp_session *session, int type, ++ const u8 *data, unsigned int len, int intr) + { + if (len > HID_MAX_BUFFER_SIZE) + len = HID_MAX_BUFFER_SIZE; +-- +1.9.1 + -- cgit v1.2.3-54-g00ecf
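Review bot: In the linux-intel-rt_4.14.bbappend hunk, the new `file://CVE-2018-9363.patch \` entry is added only to the -rt recipe's SRC_URI_append, while the patch file itself is created under recipes-kernel/linux/linux-intel/ rather than a directory named for the -rt recipe. If any other 4.14 recipe in this layer takes its patches from that directory, it needs the same SRC_URI line in this commit, otherwise the fix reaches only one kernel variant. It would also help to say in the commit message that the -rt recipe's file search path covers linux-intel/, since that is not visible from the bbappend context shown here.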
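Review bot: In the net/bluetooth/hidp/core.c hunk carried inside CVE-2018-9363.patch, the fix depends entirely on `len` being unsigned so that the existing `if (len > HID_MAX_BUFFER_SIZE)` clamp cannot be passed by a negative value, yet nothing in the function records that requirement. A short comment above the clamp stating that `len` must remain `unsigned int` would protect against a later signature cleanup restoring the signed comparison. The hunk shows only the callee, so for this backport please confirm that the call sites in the 4.14 tree pass an unsigned length, as the commit message's "unsigned at all layers" asserts, and that no caller relies on the old `int` prototype.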