projects / thirdparty / kernel / stable-queue.git / blame
| Commit | Line | Data |
|---|---|---|
| 9fe8a919 GKH |
1 | From a1616a5ac99ede5d605047a9012481ce7ff18b16 Mon Sep 17 00:00:00 2001 |
| 2 | From: Young Xiao <YangX92@hotmail.com> | |
| 3 | Date: Fri, 12 Apr 2019 15:24:30 +0800 | |
| 4 | Subject: Bluetooth: hidp: fix buffer overflow | |
| 5 | ||
| 6 | From: Young Xiao <YangX92@hotmail.com> | |
| 7 | ||
| 8 | commit a1616a5ac99ede5d605047a9012481ce7ff18b16 upstream. | |
| 9 | ||
| 10 | Struct ca is copied from userspace. It is not checked whether the "name" | |
| 11 | field is NULL terminated, which allows local users to obtain potentially | |
| 12 | sensitive information from kernel stack memory, via a HIDPCONNADD command. | |
| 13 | ||
| 14 | This vulnerability is similar to CVE-2011-1079. | |
| 15 | ||
| 16 | Signed-off-by: Young Xiao <YangX92@hotmail.com> | |
| 17 | Signed-off-by: Marcel Holtmann <marcel@holtmann.org> | |
| 18 | Cc: stable@vger.kernel.org | |
| 19 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
| 20 | ||
| 21 | --- | |
| 22 | net/bluetooth/hidp/sock.c | 1 + | |
| 23 | 1 file changed, 1 insertion(+) | |
| 24 | ||
| 25 | --- a/net/bluetooth/hidp/sock.c | |
| 26 | +++ b/net/bluetooth/hidp/sock.c | |
| 27 | @@ -76,6 +76,7 @@ static int hidp_sock_ioctl(struct socket | |
| 28 | sockfd_put(csock); | |
| 29 | return err; | |
| 30 | } | |
| 31 | + ca.name[sizeof(ca.name)-1] = 0; | |
| 32 | ||
| 33 | err = hidp_connection_add(&ca, csock, isock); | |
| 34 | if (!err && copy_to_user(argp, &ca, sizeof(ca))) |