From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Young Xiao, Marcel Holtmann
Subject: [PATCH 5.0 87/95] Bluetooth: hidp: fix buffer overflow
Date: Thu, 9 May 2019 20:42:44 +0200
Message-Id: <20190509181315.339240186@linuxfoundation.org>
In-Reply-To: <20190509181309.180685671@linuxfoundation.org>
References: <20190509181309.180685671@linuxfoundation.org>

From: Young Xiao

commit a1616a5ac99ede5d605047a9012481ce7ff18b16 upstream.

Struct ca is copied from userspace. It is not checked whether the "name"
field is NULL terminated, which allows local users to obtain potentially
sensitive information from kernel stack memory, via a HIDPCONNADD command.

This vulnerability is similar to CVE-2011-1079.

Signed-off-by: Young Xiao
Signed-off-by: Marcel Holtmann
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman

--- net/bluetooth/hidp/sock.c | 1 + 1 file changed, 1 insertion(+) --- a/net/bluetooth/hidp/sock.c +++ b/net/bluetooth/hidp/sock.c @@ -75,6 +75,7 @@ static int do_hidp_sock_ioctl(struct soc sockfd_put(csock); return err; } + ca.name[sizeof(ca.name)-1] = 0; err = hidp_connection_add(&ca, csock, isock); if (!err && copy_to_user(argp, &ca, sizeof(ca)))
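
Review bot: The termination `ca.name[sizeof(ca.name)-1] = 0;` is placed in do_hidp_sock_ioctl immediately before the call to hidp_connection_add, so it protects only this caller; any other path that hands a userspace-filled struct to hidp_connection_add would still pass an unterminated name. Consider terminating the field (or rejecting the request with an error) at the point where the struct is copied from userspace, or inside hidp_connection_add itself, so that every caller is covered. Two smaller points: the line silently truncates a full-length name, and the truncated value is what the following `copy_to_user(argp, &ca, sizeof(ca))` hands back to the caller, which deserves a sentence in the commit message; and the subject says "buffer overflow" while the message describes a read past an unterminated string that discloses kernel stack memory, so the subject should name the disclosure. Kernel style would also write `sizeof(ca.name) - 1` with spaces around the operator.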