ACK: [SRU][Trusty][CVE-2017-13220][PATCH] Bluetooth: hidp_connection_add() unsafe use of l2cap_pi()
Juerg Haefliger
juerg.haefliger at canonical.com
Fri Apr 20 06:02:56 UTC 2018
On 04/19/2018 11:49 AM, Kleber Sacilotto de Souza wrote:
> From: Al Viro <viro at zeniv.linux.org.uk>
>
> CVE-2017-13220
>
> it's OK after we'd verified the sockets, but not before that.
>
> Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
> Signed-off-by: Marcel Holtmann <marcel at holtmann.org>
> (backported from commit 51bda2bca53b265715ca1852528f38dc67429d9a)
> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza at canonical.com>
Looks simple enough.
Signed-off-by: Juerg Haefliger <juergh at canonical.com>
> ---
> net/bluetooth/hidp/core.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
> index 2495dbc25899..89e6bf91f7cc 100644
> --- a/net/bluetooth/hidp/core.c
> +++ b/net/bluetooth/hidp/core.c
> @@ -1435,13 +1435,14 @@ int hidp_connection_add(struct hidp_connadd_req *req,
> {
> struct hidp_session *session;
> struct l2cap_conn *conn;
> - struct l2cap_chan *chan = l2cap_pi(ctrl_sock->sk)->chan;
> + struct l2cap_chan *chan;
> int ret;
>
> ret = hidp_verify_sockets(ctrl_sock, intr_sock);
> if (ret)
> return ret;
>
> + chan = l2cap_pi(ctrl_sock->sk)->chan;
> conn = NULL;
> l2cap_chan_lock(chan);
> if (chan->conn) {
>
More information about the kernel-team
mailing list