Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp1134104imm; Wed, 1 Aug 2018 10:44:58 -0700 (PDT) X-Google-Smtp-Source: AAOMgpe+3kzbRD840PnxEohwpKaWhGVQTvbFwDl6E/R21LDPy8JHseCrAHmOsTl2PUxMxV9fzZ4d X-Received: by 2002:a62:89d8:: with SMTP id n85-v6mr27581150pfk.83.1533145498047; Wed, 01 Aug 2018 10:44:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1533145498; cv=none; d=google.com; s=arc-20160816; b=FDd/7QE/mz6hRrAvBCnpfhYmkTDqGtGbw1kYpmQ5yKl5VQo2OYxEVfnLAJvinMbM2k VUQ1DATS+9ATBOfmK4W196Z3mycNkYa/pzr9ftunXizwiZkTc8X2atP52RLx+6sKq3lF rRKNLAm7vdrxoXcwDEM3FEqGTn8Uw2gB8Es0I60sFQjjukC1FbvxWjJT8zCB8+AE5+E7 PWTJj9wcyg8a2lQzUW7pjKpgfta9qAbIYLLAriQjx9IJ5Fyo1LgYGnqrimFfzNgSuN7z dbad5zmIldlPYO6mjQpNkXTqNt8XEtTHEoHyKG4r/pCTdRkUUNUwQF56SHsk2O+t4pNW jT5A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=XOASA/9XAHXXXh9pEDxIkWxxgoy64xTbxCZaxlDF12o=; b=V4AxCCy3oYP3Q42wEVeSgxE0o33cFv2XsPyoED0yXY0aIZ2Hk8zO888FHczz56OdAW bsM0s+DTh/fjIxUvWP0uOSJM6V0ZGm4YpUdSkKiiozqZWZXYf5c4CVAk9PzfEfPuSGVh /QdnA6JJTcfoiW95A8D0N/qPSqs0HoZnXqHbnEfwjGu7uEMXRL/JxgRmF9Ncrtr3bVA5 5jwg8YdoglSKsocMgpVFIE30LcZ0FiI20WM3H1aic/egYKXZyiX6YhqfRgaaN6JSttfq O8xlmc0sO2Uwp9w7D6Xz1h42pux+Z0nUA+5DenbhfCTdFuXEXVvSpliFNfuHLD57mwbO uIOA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z89-v6si17233655pfd.357.2018.08.01.10.44.43; Wed, 01 Aug 2018 10:44:57 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2405193AbeHATaL (ORCPT + 99 others); Wed, 1 Aug 2018 15:30:11 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:56030 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2389882AbeHATaK (ORCPT ); Wed, 1 Aug 2018 15:30:10 -0400 Received: from localhost (D57E6652.static.ziggozakelijk.nl [213.126.102.82]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id D047DCBA; Wed, 1 Aug 2018 17:43:21 +0000 (UTC) Date: Wed, 1 Aug 2018 19:09:26 +0200 From: Greg KH To: Mark Salyzyn Cc: linux-kernel@vger.kernel.org, Marcel Holtmann , Johan Hedberg , "David S. Miller" , Kees Cook , Benjamin Tissoires , linux-bluetooth@vger.kernel.org, netdev@vger.kernel.org, stable , kernel-team@android.com, Jiri Kosina Subject: Re: [PATCH] HID: Bluetooth: hidp: buffer overflow in hidp_process_report Message-ID: <20180801170926.GA7829@kroah.com> References: <20180731220225.159741-1-salyzyn@android.com> <20180801163703.GA6994@kroah.com> <6f6c3e63-0847-b0b6-98a3-7ad62fd2697c@android.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <6f6c3e63-0847-b0b6-98a3-7ad62fd2697c@android.com> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Aug 01, 2018 at 09:41:04AM -0700, Mark Salyzyn wrote: > On 08/01/2018 09:37 AM, Greg KH wrote: > > On Tue, Jul 31, 2018 at 03:02:13PM -0700, Mark Salyzyn wrote: > > > CVE-2018-9363 > > > > > > The buffer length is unsigned at all layers, but gets cast to int and > > > checked in hidp_process_report and can lead to a buffer overflow. > > > Switch len parameter to unsigned int to resolve issue. > > > > > > This affects 3.18 and newer kernels. > > > > > > Signed-off-by: Mark Salyzyn > > > Fixes: a4b1b5877b514b276f0f31efe02388a9c2836728 ("HID: Bluetooth: hidp: make sure input buffers are big enough") > > > Cc: Marcel Holtmann > > > Cc: Johan Hedberg > > > Cc: "David S. Miller" > > > Cc: Kees Cook > > > Cc: Benjamin Tissoires > > > Cc: linux-bluetooth@vger.kernel.org > > > Cc: netdev@vger.kernel.org > > > Cc: linux-kernel@vger.kernel.org > > > Cc: security@kernel.org > > > Cc: kernel-team@android.com > > Nit, you only need to bother security@ if you do not have a fix and need > > to figure out one. > > Thanks, I thought anything with a CVE was to go there according to netdev > FAQ (dropped security from response list). > > Also, you forgot to cc: stable@vger.kernel.org to be included in older > > kernel releases :( > netdev FAQ said to _not_ copy stable, I am so confused ;-{ (added stable to > response list b/c patch is now taken into bluetooth-next) Ah, well, bluetooth is a bit not normal here, usually stuff that ends up in a subsystem tree before netdev needs to have a cc: stable on it for me to catch it. Hopefully the bluetooth maintainers are on it :) thanks, greg k-h