mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-10-09 01:59:41 +00:00
Code Issues Releases Wiki Activity
linux-stable/net/bluetooth/hidp
History
Mark Salyzyn 6e2c702e79 Bluetooth: hidp: buffer overflow in hidp_process_report 
commit 7992c18810 upstream.

CVE-2018-9363

The buffer length is unsigned at all layers, but gets cast to int and
checked in hidp_process_report and can lead to a buffer overflow.
Switch len parameter to unsigned int to resolve issue.

This affects 3.18 and newer kernels.

Signed-off-by: Mark Salyzyn <salyzyn@android.com>
Fixes: a4b1b5877b ("HID: Bluetooth: hidp: make sure input buffers are big enough")
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Kees Cook <keescook@chromium.org>
Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Cc: linux-bluetooth@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: security@kernel.org
Cc: kernel-team@android.com
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-08-17 21:01:11 +02:00
..
core.c Bluetooth: hidp: buffer overflow in hidp_process_report 2018-08-17 21:01:11 +02:00
hidp.h HID: Bluetooth: hidp: make sure input buffers are big enough 2014-02-17 21:17:55 +01:00
Kconfig Bluetooth: Introduce BT_BREDR and BT_LE config options 2014-11-02 10:01:53 +02:00
Makefile
sock.c net: Pass kern from net_proto_family.create to sk_alloc 2015-05-11 10:50:17 -04:00