From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Young Xiao, Marcel Holtmann
Subject: [PATCH 4.14 37/42] Bluetooth: hidp: fix buffer overflow
Date: Thu, 9 May 2019 20:42:26 +0200
Message-Id: <20190509181259.896495485@linuxfoundation.org>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20190509181252.616018683@linuxfoundation.org>
References: <20190509181252.616018683@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Young Xiao

commit a1616a5ac99ede5d605047a9012481ce7ff18b16 upstream.

Struct ca is copied from userspace. It is not checked whether the "name" field is NULL terminated, which allows local users to obtain potentially sensitive information from kernel stack memory, via a HIDPCONNADD command.

This vulnerability is similar to CVE-2011-1079.

Signed-off-by: Young Xiao
Signed-off-by: Marcel Holtmann
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman
---
 net/bluetooth/hidp/sock.c | 1 +
 1 file changed, 1 insertion(+)

--- a/net/bluetooth/hidp/sock.c +++ b/net/bluetooth/hidp/sock.c @@ -76,6 +76,7 @@ static int hidp_sock_ioctl(struct socket sockfd_put(csock); return err; } + ca.name[sizeof(ca.name)-1] = 0; err = hidp_connection_add(&ca, csock, isock); if (!err && copy_to_user(argp, &ca, sizeof(ca)))
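Review bot: the terminator write is placed after the csock/isock error returns and before `hidp_connection_add(&ca, csock, isock)`, which is the right spot, since that call is the first consumer of `ca` and the following `copy_to_user(argp, &ca, sizeof(ca))` then also hands a bounded name back to the caller. Two small points: kernel style spells the index `sizeof(ca.name) - 1` with spaces around the operator, and the commit message would help backporters by naming which consumer reads `ca.name` as a NUL-terminated string, since that is what turns the missing terminator into the stack read it describes.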
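The defect and the one-line fix side by side, as an added C example that is not part of this patch or of the kernel source: a fixed-size name copied verbatim from a caller-supplied buffer, a consumer that scans it as a C string, and the terminator write applied before that consumer runs. The struct `connadd_req`, its field sizes and all helper names are assumptions; only the shape (a char array followed by another field) follows the patch.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for the ioctl request struct; the real layout is not on
 * the page. Only the shape matters: a fixed-size name with another field after it. */
#define NAME_LEN 8
struct connadd_req {
    char name[NAME_LEN];
    unsigned int flags;  /* sits directly after name in memory */
};

/* Stand-in for copy_from_user(): bytes arrive exactly as the caller supplied
 * them, so nothing guarantees that name contains a NUL. */
static void copy_req_from_user(struct connadd_req *dst, const unsigned char *user_buf)
{
    memcpy(dst, user_buf, sizeof(*dst));
}

/* Constructed input: the caller fills the whole request with 'A', so name is
 * full and unterminated. */
void build_unterminated_request(struct connadd_req *req)
{
    unsigned char user_buf[sizeof(*req)];
    memset(user_buf, 'A', sizeof(user_buf));
    copy_req_from_user(req, user_buf);
}

/* Bytes a consumer that treats name as a C string would scan before finding a
 * NUL. The scan is capped at the end of the struct so this demo stays in
 * bounds; a real strlen() has no such cap and keeps reading adjacent memory. */
size_t naive_name_len(const struct connadd_req *req)
{
    const char *p = memchr(req->name, '\0', sizeof(*req));
    return p ? (size_t)(p - req->name) : sizeof(*req);
}

/* The upstream fix: force a terminator into the last byte, truncating over-long names. */
void terminate_name(struct connadd_req *req)
{
    req->name[sizeof(req->name) - 1] = 0;
}

size_t name_len_before_fix(void)
{
    struct connadd_req req;
    build_unterminated_request(&req);
    return naive_name_len(&req);  /* runs past name into flags: sizeof(req) = 12 */
}

size_t name_len_after_fix(void)
{
    struct connadd_req req;
    build_unterminated_request(&req);
    terminate_name(&req);
    return naive_name_len(&req);  /* stops inside name: NAME_LEN - 1 = 7 */
}
```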