Commit 3b44df14 authored by Salvatore Bonaccorso's avatar Salvatore Bonaccorso

Bluetooth: hidp: fix buffer overflow (CVE-2019-11884)

parent 8910626b
......@@ -18,6 +18,7 @@ linux (4.19.37-4) UNRELEASED; urgency=medium
(CVE-2019-9503)
* ext4: zero out the unused memory region in the extent tree block
(CVE-2019-11833)
* Bluetooth: hidp: fix buffer overflow (CVE-2019-11884)
-- Ben Hutchings <ben@decadent.org.uk> Sun, 19 May 2019 00:04:16 +0100
......
From: Young Xiao <YangX92@hotmail.com>
Date: Fri, 12 Apr 2019 15:24:30 +0800
Subject: Bluetooth: hidp: fix buffer overflow
Origin: https://git.kernel.org/linus/a1616a5ac99ede5d605047a9012481ce7ff18b16
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-11884
Struct ca is copied from userspace. It is not checked whether the "name"
field is NULL terminated, which allows local users to obtain potentially
sensitive information from kernel stack memory, via a HIDPCONNADD command.
This vulnerability is similar to CVE-2011-1079.
Signed-off-by: Young Xiao <YangX92@hotmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Cc: stable@vger.kernel.org
---
net/bluetooth/hidp/sock.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/bluetooth/hidp/sock.c b/net/bluetooth/hidp/sock.c
index 9f85a1943be9..2151913892ce 100644
--- a/net/bluetooth/hidp/sock.c
+++ b/net/bluetooth/hidp/sock.c
@@ -75,6 +75,7 @@ static int do_hidp_sock_ioctl(struct socket *sock, unsigned int cmd, void __user
sockfd_put(csock);
return err;
}
+ ca.name[sizeof(ca.name)-1] = 0;
err = hidp_connection_add(&ca, csock, isock);
if (!err && copy_to_user(argp, &ca, sizeof(ca)))
--
2.20.1
......@@ -215,6 +215,7 @@ bugfix/all/spec/powerpc-64s-include-cpu-header.patch
bugfix/all/brcmfmac-assure-SSID-length-from-firmware-is-limited.patch
bugfix/all/brcmfmac-add-subtype-check-for-event-handling-in-dat.patch
bugfix/all/ext4-zero-out-the-unused-memory-region-in-the-extent.patch
bugfix/all/Bluetooth-hidp-fix-buffer-overflow.patch
# Fix exported symbol versions
bugfix/all/module-disable-matching-missing-version-crc.patch
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment