ACK: [SRU][Trusty][CVE-2017-13220][PATCH] Bluetooth: hidp_connection_add() unsafe use of l2cap_pi()
Stefan Bader
stefan.bader at canonical.com
Fri Apr 20 08:36:59 UTC 2018
On 19.04.2018 11:49, Kleber Sacilotto de Souza wrote:
> From: Al Viro <viro at zeniv.linux.org.uk>
>
> CVE-2017-13220
>
> it's OK after we'd verified the sockets, but not before that.
>
> Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
> Signed-off-by: Marcel Holtmann <marcel at holtmann.org>
> (backported from commit 51bda2bca53b265715ca1852528f38dc67429d9a)
> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza at canonical.com>
Acked-by: Stefan Bader <stefan.bader at canonical.com>
> ---
> net/bluetooth/hidp/core.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
> index 2495dbc25899..89e6bf91f7cc 100644
> --- a/net/bluetooth/hidp/core.c
> +++ b/net/bluetooth/hidp/core.c
> @@ -1435,13 +1435,14 @@ int hidp_connection_add(struct hidp_connadd_req *req,
> {
> struct hidp_session *session;
> struct l2cap_conn *conn;
> - struct l2cap_chan *chan = l2cap_pi(ctrl_sock->sk)->chan;
> + struct l2cap_chan *chan;
> int ret;
>
> ret = hidp_verify_sockets(ctrl_sock, intr_sock);
> if (ret)
> return ret;
>
> + chan = l2cap_pi(ctrl_sock->sk)->chan;
> conn = NULL;
> l2cap_chan_lock(chan);
> if (chan->conn) {
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20180420/fef4bef1/attachment.sig>
More information about the kernel-team
mailing list