ACK: [SRU][B/C/D][PATCH] Bluetooth: hidp: fix buffer overflow

Colin Ian King colin.king at canonical.com
Mon Jun 10 08:08:59 UTC 2019


On 07/06/2019 23:16, Connor Kuehl wrote:
> From: Young Xiao <YangX92 at hotmail.com>
> 
> CVE-2019-11884
> 
> Struct ca is copied from userspace. It is not checked whether the "name"
> field is NULL terminated, which allows local users to obtain potentially
> sensitive information from kernel stack memory, via a HIDPCONNADD command.
> 
> This vulnerability is similar to CVE-2011-1079.
> 
> Signed-off-by: Young Xiao <YangX92 at hotmail.com>
> Signed-off-by: Marcel Holtmann <marcel at holtmann.org>
> Cc: stable at vger.kernel.org
> (cherry picked from commit a1616a5ac99ede5d605047a9012481ce7ff18b16)
> Signed-off-by: Connor Kuehl <connor.kuehl at canonical.com>
> ---
>  net/bluetooth/hidp/sock.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/net/bluetooth/hidp/sock.c b/net/bluetooth/hidp/sock.c
> index 9f85a1943be9..2151913892ce 100644
> --- a/net/bluetooth/hidp/sock.c
> +++ b/net/bluetooth/hidp/sock.c
> @@ -75,6 +75,7 @@ static int do_hidp_sock_ioctl(struct socket *sock, unsigned int cmd, void __user
>  			sockfd_put(csock);
>  			return err;
>  		}
> +		ca.name[sizeof(ca.name)-1] = 0;
>  
>  		err = hidp_connection_add(&ca, csock, isock);
>  		if (!err && copy_to_user(argp, &ca, sizeof(ca)))
> 
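Review bot: The one-line fix `ca.name[sizeof(ca.name)-1] = 0;` forces a terminator on the userspace-supplied name, which closes the missing-NUL check described in the commit message, but it silently truncates a name that fills the whole field instead of rejecting it with an error; since the commit message itself points to CVE-2011-1079 as the precedent for this approach, that is acceptable for a stable cherry-pick, though a brief comment on the line saying why the terminator is forced would help future readers. The placement is also right: the write sits after the socket-lookup error path (`sockfd_put(csock); return err;`) and before both `hidp_connection_add(&ca, ...)` and the `copy_to_user(argp, &ca, sizeof(ca))` that hands the struct back to userspace, so every later string operation on `ca.name` and the copy-back see a bounded string.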
Acked-by: Colin Ian King <colin.king at canonical.com>
