From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Young Xiao, Marcel Holtmann
Subject: [PATCH 3.18 60/86] Bluetooth: hidp: fix buffer overflow
Date: Wed, 15 May 2019 12:55:37 +0200
Message-Id: <20190515090654.266276064@linuxfoundation.org>
In-Reply-To: <20190515090642.339346723@linuxfoundation.org>

From: Young Xiao

commit a1616a5ac99ede5d605047a9012481ce7ff18b16 upstream.

Struct ca is copied from userspace. It is not checked whether the "name" field is NULL terminated, which allows local users to obtain potentially sensitive information from kernel stack memory, via a HIDPCONNADD command.

This vulnerability is similar to CVE-2011-1079.

Signed-off-by: Young Xiao
Signed-off-by: Marcel Holtmann
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman

--- net/bluetooth/hidp/sock.c | 1 + 1 file changed, 1 insertion(+) --- a/net/bluetooth/hidp/sock.c +++ b/net/bluetooth/hidp/sock.c @@ -76,6 +76,7 @@ static int hidp_sock_ioctl(struct socket sockfd_put(csock); return err; } + ca.name[sizeof(ca.name)-1] = 0; err = hidp_connection_add(&ca, csock, isock); if (!err && copy_to_user(argp, &ca, sizeof(ca)))
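
Review bot: The added `ca.name[sizeof(ca.name)-1] = 0;`, placed just before the call to `hidp_connection_add(&ca, csock, isock)`, terminates the string silently, so a request whose name fills the whole field without a terminator is accepted with its last byte overwritten, and the `copy_to_user(argp, &ca, sizeof(ca))` that follows hands the altered struct back to the caller. If truncation rather than rejection is the intended behaviour, a short comment on that line stating that `ca` comes from userspace and `name` may arrive unterminated would record why the assignment is there. Style: kernel convention puts spaces around the binary operator, i.e. `sizeof(ca.name) - 1`, and `'\0'` reads more clearly than `0` for a terminator. The subject line says "buffer overflow" while the commit message describes disclosure of kernel stack memory through an unterminated string; aligning the two would make the change easier to triage. Only the HIDPCONNADD path is visible in this hunk, so whether other commands in `hidp_sock_ioctl` that copy a struct from userspace need the same treatment cannot be judged from these lines and is worth checking against the full file.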