From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Young Xiao, Marcel Holtmann
Subject: [PATCH 4.9 24/28] Bluetooth: hidp: fix buffer overflow
Date: Thu, 9 May 2019 20:42:16 +0200
Message-Id: <20190509181255.392576707@linuxfoundation.org>
In-Reply-To: <20190509181247.647767531@linuxfoundation.org>

From: Young Xiao

commit a1616a5ac99ede5d605047a9012481ce7ff18b16 upstream.

Struct ca is copied from userspace. It is not checked whether the "name" field is NULL terminated, which allows local users to obtain potentially sensitive information from kernel stack memory, via a HIDPCONNADD command.

This vulnerability is similar to CVE-2011-1079.

Signed-off-by: Young Xiao
Signed-off-by: Marcel Holtmann
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman

--- net/bluetooth/hidp/sock.c | 1 + 1 file changed, 1 insertion(+) --- a/net/bluetooth/hidp/sock.c +++ b/net/bluetooth/hidp/sock.c @@ -76,6 +76,7 @@ static int hidp_sock_ioctl(struct socket sockfd_put(csock); return err; } + ca.name[sizeof(ca.name)-1] = 0; err = hidp_connection_add(&ca, csock, isock); if (!err && copy_to_user(argp, &ca, sizeof(ca)))
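
Review bot: The added line `ca.name[sizeof(ca.name)-1] = 0;`, placed just before the hidp_connection_add() call, has no comment saying why the terminator is forced, so a later cleanup could drop it as redundant; a one-line comment noting that ca is copied from userspace and name may arrive unterminated would prevent that. Two style points on the same line: kernel convention puts spaces around the binary minus (`sizeof(ca.name) - 1`), and `'\0'` states the intent more clearly than a bare 0. The subject says "fix buffer overflow" while the changelog describes an information leak through an unterminated string; aligning the subject with the changelog would make the fix easier to find when triaging.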
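
The bug class the changelog describes, as an added userspace sketch that is not code from the patch or the kernel: a fixed-size name field filled by an untrusted caller, a bounded check that detects a missing terminator, and the same forced-termination fix. The struct, its field size and all function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 128 /* assumed field size for this sketch */

/* Constructed stand-in for a request struct filled by an untrusted caller. */
struct conn_req {
    int  ctrl_fd;
    int  intr_fd;
    char name[NAME_LEN];
};

/* Returns 1 if name contains a NUL inside its own bounds, 0 otherwise. */
int name_is_terminated(const struct conn_req *req)
{
    return memchr(req->name, '\0', sizeof(req->name)) != NULL;
}

/* Bounded length: never reads past the field, even when it is unterminated. */
size_t name_len_bounded(const struct conn_req *req)
{
    const char *end = memchr(req->name, '\0', sizeof(req->name));

    return end ? (size_t)(end - req->name) : sizeof(req->name);
}

/* Truncating fix, same shape as the patch: force the last byte to NUL. */
void terminate_name(struct conn_req *req)
{
    req->name[sizeof(req->name) - 1] = '\0';
}

/* Constructed input: every byte of name is set, so no terminator exists. */
void fill_unterminated(struct conn_req *req)
{
    memset(req, 0, sizeof(*req));
    memset(req->name, 'A', sizeof(req->name));
}

int main(void)
{
    struct conn_req req;

    fill_unterminated(&req);
    printf("before: terminated=%d bounded_len=%zu\n",
           name_is_terminated(&req), name_len_bounded(&req));
    terminate_name(&req); /* only now is strlen()/"%s" on name safe */
    printf("after:  terminated=%d strlen=%zu\n",
           name_is_terminated(&req), strlen(req.name));
    return 0;
}
```

Before the fix, any unbounded string operation on `name` would run past the field into adjacent memory; the bounded helpers show how to detect that state without triggering the over-read.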