linux-stable/net/bluetooth
Mark Salyzyn 6e2c702e79 Bluetooth: hidp: buffer overflow in hidp_process_report
commit 7992c18810 upstream.

CVE-2018-9363

The buffer length is unsigned at all layers, but gets cast to int and
checked in hidp_process_report and can lead to a buffer overflow.
Switch len parameter to unsigned int to resolve issue.

This affects 3.18 and newer kernels.

Signed-off-by: Mark Salyzyn <salyzyn@android.com>
Fixes: a4b1b5877b ("HID: Bluetooth: hidp: make sure input buffers are big enough")
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Kees Cook <keescook@chromium.org>
Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Cc: linux-bluetooth@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: security@kernel.org
Cc: kernel-team@android.com
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-08-17 21:01:11 +02:00
bnep Bluetooth: bnep: fix possible might sleep error in bnep_session 2017-06-27 19:32:11 +02:00
cmtp Bluetooth: cmtp: fix possible might sleep error in cmtp_session 2017-06-27 19:32:11 +02:00
hidp Bluetooth: hidp: buffer overflow in hidp_process_report 2018-08-17 21:01:11 +02:00
rfcomm Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next 2017-07-01 15:57:29 -07:00
6lowpan.c 6lowpan: fix set not used warning 2017-07-25 12:31:37 -07:00
a2mp.c networking: make skb_pull & friends return void pointers 2017-06-16 11:48:39 -04:00
a2mp.h Bluetooth: Add BT_HS config option 2015-07-30 13:31:59 +02:00
af_bluetooth.c net: convert sock.sk_refcnt from atomic_t to refcount_t 2017-07-01 07:39:08 -07:00
amp.c Bluetooth: fix assignments on error variable err 2017-04-12 22:02:38 +02:00
amp.h Bluetooth: Add BT_HS config option 2015-07-30 13:31:59 +02:00
ecdh_helper.c Bluetooth: Delete error messages for failed memory allocations in two functions 2017-05-22 10:23:41 +02:00
ecdh_helper.h Bluetooth: convert smp and selftest to crypto kpp API 2017-04-25 04:53:42 +02:00
hci_conn.c Bluetooth: Fix connection if directed advertising and privacy is used 2018-04-19 08:56:19 +02:00
hci_core.c bluetooth: remove WQ_MEM_RECLAIM from hci workqueues 2017-06-29 14:36:38 +02:00
hci_debugfs.c Bluetooth: Add debugfs fields for hardware and firmware info 2016-07-18 09:33:28 +03:00
hci_debugfs.h Bluetooth: Provide option to enable/disable debugfs information 2015-02-15 18:54:13 +02:00
hci_event.c Bluetooth: Fix connection if directed advertising and privacy is used 2018-04-19 08:56:19 +02:00
hci_request.c networking: make skb_put & friends return void pointers 2017-06-16 11:48:39 -04:00
hci_request.h Bluetooth: Fix append max 11 bytes of name to scan rsp data 2016-10-19 18:42:37 +02:00
hci_sock.c Revert "Bluetooth: Add option for disabling legacy ioctl interfaces" 2017-09-28 13:20:32 -07:00
hci_sysfs.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
Kconfig Revert "Bluetooth: Add option for disabling legacy ioctl interfaces" 2017-09-28 13:20:32 -07:00
l2cap_core.c Bluetooth: Fix connection if directed advertising and privacy is used 2018-04-19 08:56:19 +02:00
l2cap_sock.c Bluetooth: Add sockaddr length checks before accessing sa_family in bind and connect handlers 2017-06-29 14:37:57 +02:00
leds.c Bluetooth: Add combined LED trigger for controller power 2016-09-19 20:19:34 +02:00
leds.h Bluetooth: Add combined LED trigger for controller power 2016-09-19 20:19:34 +02:00
lib.c Bluetooth: make baswap src const 2017-09-01 22:49:47 +02:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mgmt.c Bluetooth: Fix append max 11 bytes of name to scan rsp data 2016-10-19 18:42:37 +02:00
mgmt_util.c networking: make skb_push & __skb_push return void pointers 2017-06-16 11:48:40 -04:00
mgmt_util.h Bluetooth: Add generic mgmt helper API 2015-03-17 18:03:08 +01:00
sco.c Bluetooth: Add sockaddr length checks before accessing sa_family in bind and connect handlers 2017-06-29 14:37:57 +02:00
selftest.c Bluetooth: kfree tmp rather than an alias to it 2017-08-11 21:19:46 +02:00
selftest.h Bluetooth: Add support for self testing framework 2014-12-30 08:53:55 +02:00
smp.c Bluetooth: Fix missing encryption refresh on Security Request 2018-04-08 14:26:30 +02:00
smp.h Bluetooth: SMP: Add support for H7 crypto function and CT2 auth flag 2016-12-08 07:50:24 +01:00