APPLIED: [SRU][Trusty][CVE-2017-13220][PATCH] Bluetooth: hidp_connection_add() unsafe use of l2cap_pi()

Stefan Bader stefan.bader at canonical.com
Fri Apr 20 12:03:30 UTC 2018


On 19.04.2018 11:49, Kleber Sacilotto de Souza wrote:
> From: Al Viro <viro at zeniv.linux.org.uk>
> 
> CVE-2017-13220
> 
> it's OK after we'd verified the sockets, but not before that.
> 
> Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
> Signed-off-by: Marcel Holtmann <marcel at holtmann.org>
> (backported from commit 51bda2bca53b265715ca1852528f38dc67429d9a)
> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza at canonical.com>
> ---

Applied to trusty/master-next

>  net/bluetooth/hidp/core.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
> index 2495dbc25899..89e6bf91f7cc 100644
> --- a/net/bluetooth/hidp/core.c
> +++ b/net/bluetooth/hidp/core.c
> @@ -1435,13 +1435,14 @@ int hidp_connection_add(struct hidp_connadd_req *req,
>  {
>  	struct hidp_session *session;
>  	struct l2cap_conn *conn;
> -	struct l2cap_chan *chan = l2cap_pi(ctrl_sock->sk)->chan;
> +	struct l2cap_chan *chan;
>  	int ret;
>  
>  	ret = hidp_verify_sockets(ctrl_sock, intr_sock);
>  	if (ret)
>  		return ret;
>  
> +	chan = l2cap_pi(ctrl_sock->sk)->chan;
>  	conn = NULL;
>  	l2cap_chan_lock(chan);
>  	if (chan->conn) {
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20180420/174177c5/attachment.sig>


More information about the kernel-team mailing list