From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Young Xiao <YangX92@hotmail.com>,
Marcel Holtmann <marcel@holtmann.org>
Subject: [PATCH 5.1 22/30] Bluetooth: hidp: fix buffer overflow
Date: Thu, 9 May 2019 20:42:54 +0200 [thread overview]
Message-ID: <20190509181255.716544204@linuxfoundation.org> (raw)
In-Reply-To: <20190509181250.417203112@linuxfoundation.org>
From: Young Xiao <YangX92@hotmail.com>
commit a1616a5ac99ede5d605047a9012481ce7ff18b16 upstream.
Struct ca is copied from userspace. It is not checked whether the "name"
field is NULL terminated, which allows local users to obtain potentially
sensitive information from kernel stack memory, via a HIDPCONNADD command.
This vulnerability is similar to CVE-2011-1079.
Signed-off-by: Young Xiao <YangX92@hotmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/hidp/sock.c | 1 +
1 file changed, 1 insertion(+)
--- a/net/bluetooth/hidp/sock.c
+++ b/net/bluetooth/hidp/sock.c
@@ -75,6 +75,7 @@ static int do_hidp_sock_ioctl(struct soc
sockfd_put(csock);
return err;
}
+ ca.name[sizeof(ca.name)-1] = 0;
err = hidp_connection_add(&ca, csock, isock);
if (!err && copy_to_user(argp, &ca, sizeof(ca)))
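Review bot: the terminator write sits after the csock/isock lookups and their error returns rather than immediately after the struct arrives from userspace (the commit message says ca is copied from userspace), so the guarantee only holds from this point on; moving `ca.name[sizeof(ca.name)-1] = 0;` to directly follow that copy would make every later use of ca.name in the function bounded regardless of how the code between the copy and this line evolves. Two points worth stating in the commit message as well: the fix clamps an over-long name to sizeof(ca.name)-1 instead of rejecting it with -EINVAL, and the copy_to_user(argp, &ca, sizeof(ca)) two lines below now hands the clamped name back to the caller.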
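As an added illustration, not part of the patch or of the kernel's own code, the constructed C program below models in userspace the pattern the commit message describes: a fixed-size name[] copied in verbatim from the caller, a consumer that walks it as a C string, and neighbouring stack data that the walk runs into when the caller omits the terminator. struct connadd_req, struct frame, fake_copy_from_user(), the neighbour field and the sample requests are stand-ins invented for this example; the only line taken from the patch is the forced terminator write in handle_fixed(). It also shows the alternative policy of rejecting an unterminated name with -EINVAL, which the patch does not adopt.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the kernel request struct (constructed for this example): two
 * socket fds and a fixed-size name the caller should NUL-terminate. */
#define NAME_LEN 128

struct connadd_req {
    int ctrl_sock;
    int intr_sock;
    char name[NAME_LEN];
};

/* Constructed stack frame: the request is followed by other local data, which
 * is what an unbounded string walk on name[] reads into. */
struct frame {
    struct connadd_req req;
    char neighbour[16];   /* stands in for whatever else is on the stack */
};

/* Stand-in for copy_from_user(): a raw byte copy, no interpretation, so an
 * unterminated name arrives unterminated. */
static void fake_copy_from_user(struct connadd_req *dst, const void *user_req)
{
    memcpy(dst, user_req, sizeof(*dst));
}

/* Bounded model of a strlen()-style walk over name[]: count bytes until NUL,
 * but never past the end of the frame, so the demo itself stays well-defined.
 * Walking via a char pointer from the frame base is legal across members. */
static size_t walk_until_nul(const struct frame *f)
{
    size_t name_off = offsetof(struct frame, req) + offsetof(struct connadd_req, name);
    const char *p = (const char *)f + name_off;
    size_t limit = sizeof(*f) - name_off;
    size_t n = 0;
    while (n < limit && p[n] != '\0')
        n++;
    return n;
}

/* Pre-patch behaviour: use name[] as delivered. Returns how many bytes a
 * C-string consumer would read starting at name[0]. */
static size_t handle_unchecked(struct frame *f, const void *user_req)
{
    fake_copy_from_user(&f->req, user_req);
    return walk_until_nul(f);
}

/* Patched behaviour: the same one-line fix as the hunk. Over-long names are
 * silently clamped to NAME_LEN-1 bytes. */
static size_t handle_fixed(struct frame *f, const void *user_req)
{
    fake_copy_from_user(&f->req, user_req);
    f->req.name[sizeof(f->req.name) - 1] = 0;
    return walk_until_nul(f);
}

/* Alternative policy (not what the patch does): refuse the request instead of
 * clamping it. memchr() is bounded, so the check itself cannot over-read. */
static int validate_name(const struct connadd_req *req)
{
    return memchr(req->name, '\0', sizeof(req->name)) ? 0 : -EINVAL;
}

/* Constructed attacker input: every byte of name[] is non-NUL. */
static void build_unterminated_request(struct connadd_req *u)
{
    memset(u, 0, sizeof(*u));
    memset(u->name, 'A', sizeof(u->name));
}

/* Constructed well-formed input. */
static void build_benign_request(struct connadd_req *u)
{
    memset(u, 0, sizeof(*u));
    strcpy(u->name, "keyboard");
}

/* Run one request through a handler with recognisable neighbouring stack data
 * (15 'S' bytes then a NUL) so an over-read past name[] is measurable. */
static size_t bytes_read_by(size_t (*handler)(struct frame *, const void *),
                            const struct connadd_req *user_req)
{
    struct frame f;
    memset(&f, 0, sizeof(f));
    memset(f.neighbour, 'S', sizeof(f.neighbour) - 1);
    return handler(&f, user_req);
}

int main(void)
{
    struct connadd_req u;
    build_unterminated_request(&u);
    printf("unterminated: unchecked reads %zu bytes, fixed reads %zu, validate=%d\n",
           bytes_read_by(handle_unchecked, &u), bytes_read_by(handle_fixed, &u),
           validate_name(&u));
    build_benign_request(&u);
    printf("benign: unchecked reads %zu bytes, fixed reads %zu, validate=%d\n",
           bytes_read_by(handle_unchecked, &u), bytes_read_by(handle_fixed, &u),
           validate_name(&u));
    return 0;
}
```

Build with `cc -Wall -o hidp_demo hidp_demo.c && ./hidp_demo`. With the unterminated request the unchecked handler walks all 128 bytes of name[] and 15 bytes of the neighbouring data before it finds a NUL, which is the over-read the commit message describes; the patched handler stops at 127, and the benign request reads 8 bytes either way.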
2019-05-09 18:42 [PATCH 5.1 00/30] 5.1.1-stable review Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 5.1 01/30] Drivers: hv: vmbus: Remove the undesired put_cpu_ptr() in hv_synic_cleanup() Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 5.1 02/30] ubsan: Fix nasty -Wbuiltin-declaration-mismatch GCC-9 warnings Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 5.1 03/30] staging: greybus: power_supply: fix prop-descriptor request size Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 5.1 04/30] staging: wilc1000: Avoid GFP_KERNEL allocation from atomic context Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 5.1 05/30] staging: most: cdev: fix chrdev_region leak in mod_exit Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 5.1 06/30] staging: most: sound: pass correct device when creating a sound card Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 5.1 07/30] usb: dwc3: Allow building USB_DWC3_QCOM without EXTCON Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 5.1 08/30] usb: dwc3: Fix default lpm_nyet_threshold value Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 5.1 09/30] USB: serial: f81232: fix interrupt worker not stop Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 5.1 10/30] USB: cdc-acm: fix unthrottle races Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 5.1 11/30] usb-storage: Set virt_boundary_mask to avoid SG overflows Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 5.1 12/30] genirq: Prevent use-after-free and work list corruption Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 5.1 13/30] intel_th: pci: Add Comet Lake support Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 5.1 14/30] iio: adc: qcom-spmi-adc5: Fix of-based module autoloading Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 5.1 15/30] cpufreq: armada-37xx: fix frequency calculation for opp Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 5.1 16/30] ACPI / LPSS: Use acpi_lpss_* instead of acpi_subsys_* functions for hibernate Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 5.1 17/30] soc: sunxi: Fix missing dependency on REGMAP_MMIO Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 5.1 18/30] scsi: lpfc: change snprintf to scnprintf for possible overflow Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 5.1 19/30] scsi: qla2xxx: Fix incorrect region-size setting in optrom SYSFS routines Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 5.1 20/30] scsi: qla2xxx: Set remote port devloss timeout to 0 Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 5.1 21/30] scsi: qla2xxx: Fix device staying in blocked state Greg Kroah-Hartman
2019-05-09 18:42 ` Greg Kroah-Hartman [this message]
2019-05-09 18:42 ` [PATCH 5.1 23/30] Bluetooth: Align minimum encryption key size for LE and BR/EDR connections Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 5.1 24/30] Bluetooth: Fix not initializing L2CAP tx_credits Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 5.1 25/30] Bluetooth: hci_bcm: Fix empty regulator supplies for Intel Macs Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 5.1 26/30] UAS: fix alignment of scatter/gather segments Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 5.1 27/30] ASoC: Intel: avoid Oops if DMA setup fails Greg Kroah-Hartman
2019-05-09 18:43 ` [PATCH 5.1 28/30] i3c: Fix a shift wrap bug in i3c_bus_set_addr_slot_status() Greg Kroah-Hartman
2019-05-09 18:43 ` [PATCH 5.1 29/30] locking/futex: Allow low-level atomic operations to return -EAGAIN Greg Kroah-Hartman
2019-05-09 18:43 ` [PATCH 5.1 30/30] arm64: futex: Bound number of LDXR/STXR loops in FUTEX_WAKE_OP Greg Kroah-Hartman
2019-05-10 10:18 ` [PATCH 5.1 00/30] 5.1.1-stable review Jon Hunter
2019-05-10 15:50 ` Greg Kroah-Hartman
2019-05-10 16:27 ` Dan Rue
2019-05-11 5:48 ` Greg Kroah-Hartman
2019-05-10 16:46 ` Guenter Roeck
2019-05-11 5:47 ` Greg Kroah-Hartman
2019-05-10 17:23 ` Vandana BN
2019-05-11 5:49 ` Greg Kroah-Hartman
2019-05-10 21:14 ` shuah
2019-05-11 5:49 ` Greg Kroah-Hartman