From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Young Xiao , Marcel Holtmann Subject: [PATCH 5.0 87/95] Bluetooth: hidp: fix buffer overflow Date: Thu, 9 May 2019 20:42:44 +0200 Message-Id: <20190509181315.339240186@linuxfoundation.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190509181309.180685671@linuxfoundation.org> References: <20190509181309.180685671@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Young Xiao commit a1616a5ac99ede5d605047a9012481ce7ff18b16 upstream. Struct ca is copied from userspace. It is not checked whether the "name" field is NULL terminated, which allows local users to obtain potentially sensitive information from kernel stack memory, via a HIDPCONNADD command. This vulnerability is similar to CVE-2011-1079. Signed-off-by: Young Xiao Signed-off-by: Marcel Holtmann Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman --- net/bluetooth/hidp/sock.c | 1 + 1 file changed, 1 insertion(+) --- a/net/bluetooth/hidp/sock.c +++ b/net/bluetooth/hidp/sock.c @@ -75,6 +75,7 @@ static int do_hidp_sock_ioctl(struct soc sockfd_put(csock); return err; } + ca.name[sizeof(ca.name)-1] = 0; err = hidp_connection_add(&ca, csock, isock); if (!err && copy_to_user(argp, &ca, sizeof(ca)))
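Review bot: In do_hidp_sock_ioctl(), the added `ca.name[sizeof(ca.name)-1] = 0;` carries no comment explaining why the terminator is forced, so a later reader cannot tell from the code that `ca` came from userspace with an unchecked `name`. Suggest a one-line comment above it, plus kernel-style spacing and a character literal: `ca.name[sizeof(ca.name) - 1] = '\0';`. The line also silently truncates a name that fills the whole array rather than rejecting the request; if that is the intended behaviour, the commit message should say so. Separately, the subject says "buffer overflow" while the description is an information leak through an unterminated string that is later read and copied back with `copy_to_user(argp, &ca, sizeof(ca))`; a subject naming the missing NUL termination would match the change better.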