ACK: [SRU][B/C/D][PATCH] Bluetooth: hidp: fix buffer overflow
Colin Ian King
colin.king at canonical.com
Mon Jun 10 08:08:59 UTC 2019
On 07/06/2019 23:16, Connor Kuehl wrote:
> From: Young Xiao <YangX92 at hotmail.com>
>
> CVE-2019-11884
>
> Struct ca is copied from userspace. It is not checked whether the "name"
> field is NULL terminated, which allows local users to obtain potentially
> sensitive information from kernel stack memory, via a HIDPCONNADD command.
>
> This vulnerability is similar to CVE-2011-1079.
>
> Signed-off-by: Young Xiao <YangX92 at hotmail.com>
> Signed-off-by: Marcel Holtmann <marcel at holtmann.org>
> Cc: stable at vger.kernel.org
> (cherry picked from commit a1616a5ac99ede5d605047a9012481ce7ff18b16)
> Signed-off-by: Connor Kuehl <connor.kuehl at canonical.com>
> ---
> net/bluetooth/hidp/sock.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/net/bluetooth/hidp/sock.c b/net/bluetooth/hidp/sock.c
> index 9f85a1943be9..2151913892ce 100644
> --- a/net/bluetooth/hidp/sock.c
> +++ b/net/bluetooth/hidp/sock.c
> @@ -75,6 +75,7 @@ static int do_hidp_sock_ioctl(struct socket *sock, unsigned int cmd, void __user
> sockfd_put(csock);
> return err;
> }
> + ca.name[sizeof(ca.name)-1] = 0;
>
> err = hidp_connection_add(&ca, csock, isock);
> if (!err && copy_to_user(argp, &ca, sizeof(ca)))
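Review bot: the new terminator `ca.name[sizeof(ca.name)-1] = 0;` is placed after the socket lookups rather than immediately after the copy from userspace; that is harmless here because the early `sockfd_put(csock); return err;` path never reads `ca.name`, but any future use of `ca` added above this point would again see an unterminated buffer, so a one-line comment noting why the terminator sits here would help the next reader. Since `ca` is also written back to the caller via `copy_to_user(argp, &ca, sizeof(ca))` below, the truncation of an overlong name is visible to userspace; that matches the upstream commit and is the intended behaviour.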
>
Acked-by: Colin Ian King <colin.king at canonical.com>