All of lore.kernel.org
* [PATCH] Bluetooth: hidp: fix buffer overflow
@ 2019-04-12  7:24 Young Xiao
  2019-04-23 17:04 ` Marcel Holtmann
  0 siblings, 1 reply; 2+ messages in thread
From: Young Xiao @ 2019-04-12  7:24 UTC (permalink / raw)
  To: marcel, johan.hedberg, davem, viro, linux-bluetooth, netdev,
	linux-kernel
  Cc: Young Xiao

From: Young Xiao <YangX92@hotmail.com>

Struct ca is copied from userspace. It is not checked whether the "name"
field is NULL terminated, which allows local users to obtain potentially
sensitive information from kernel stack memory, via a HIDPCONNADD command.

This vulnerability is similar to CVE-2011-1079.

Signed-off-by: Young Xiao <YangX92@hotmail.com>
---
 net/bluetooth/hidp/sock.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/bluetooth/hidp/sock.c b/net/bluetooth/hidp/sock.c
index 9f85a19..2151913 100644
--- a/net/bluetooth/hidp/sock.c
+++ b/net/bluetooth/hidp/sock.c
@@ -75,6 +75,7 @@ static int do_hidp_sock_ioctl(struct socket *sock, unsigned int cmd, void __user
 			sockfd_put(csock);
 			return err;
 		}
+		ca.name[sizeof(ca.name)-1] = 0;
 
 		err = hidp_connection_add(&ca, csock, isock);
 		if (!err && copy_to_user(argp, &ca, sizeof(ca)))
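Review bot: the terminator is written after the copy from userspace has already succeeded and before hidp_connection_add(&ca, csock, isock), which is the right place, but the same struct is handed back to the caller at `copy_to_user(argp, &ca, sizeof(ca))`, so a caller who filled the name field end to end with no terminator now gets its last byte returned as 0; that change in what the caller sees is acceptable but should be mentioned in the commit message. Two smaller points: checkpatch will ask for spaces around the operator in `sizeof(ca.name)-1`, and the subject line says "buffer overflow" while the body describes an information leak from kernel stack memory, so one of the two should be made to match; the body should also say "NUL-terminated" (the terminating byte) rather than "NULL terminated" (the pointer).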
-- 
1.9.1


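The commit message above describes the pattern rather than showing it: a fixed-size name field is copied in from userspace, nothing checks that it ends in a NUL byte, and the field is then handed to code that treats it as a C string, which keeps reading into whatever follows it on the kernel stack. The following userspace program is an added example, not code from this page or from the kernel, that reproduces the mechanism with a constructed stand-in for the request struct and the handler's stack frame and shows how the patch's one-line terminator write stops it. NAME_LEN, the struct layouts, the "secret" bytes, the user input and every function name here are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed field size; the real struct and its sizes are not shown on the
 * page. */
#define NAME_LEN 16

/* Constructed stand-in for the ioctl request copied in from userspace. */
struct connadd_req {
	char name[NAME_LEN];
};

/* Constructed stand-in for the handler's stack frame: the request copy,
 * then other stack contents (a made-up "secret"), then a final 0 byte so
 * the demonstration itself stops at a known place. Every member is char,
 * so there is no padding and the layout is exactly as written. */
struct stack_frame {
	struct connadd_req ca;
	char secret[8];
	char stop;
};

_Static_assert(sizeof(struct stack_frame) == NAME_LEN + 8 + 1,
	       "unexpected padding in stack_frame");

/* A consumer that treats the name as a C string, as strcpy()/strlen()
 * based code does. noinline keeps the compiler from assuming the string
 * must end inside the array it was passed from. */
static size_t __attribute__((noinline)) consumer_strlen(const char *s)
{
	return strlen(s);
}

/* Fill the frame the way the handler's stack would look: the other stack
 * bytes are already there, then the user's bytes land in ca. The user
 * input is constructed here: the name field filled end to end with no
 * terminator. harden != 0 applies the patch's fix before the name is used. */
static void build_frame(struct stack_frame *f, int harden)
{
	char user_buf[NAME_LEN];

	memset(user_buf, 'A', sizeof(user_buf));
	memcpy(f->secret, "KEYMATL!", sizeof(f->secret));	/* no NUL copied */
	f->stop = '\0';
	memcpy(&f->ca, user_buf, sizeof(f->ca));	/* plays copy_from_user() */

	if (harden)	/* the patch's one-line fix */
		f->ca.name[sizeof(f->ca.name) - 1] = '\0';
}

/* How many bytes beyond the name field a string consumer reads. */
size_t bytes_read_past_name(int harden)
{
	struct stack_frame f;
	size_t n;

	build_frame(&f, harden);
	n = consumer_strlen(f.ca.name);
	return n > sizeof(f.ca.name) ? n - sizeof(f.ca.name) : 0;
}

/* What those extra bytes are: copy only the part of the "string" that lies
 * past the name field into out, which is exactly what a strcpy() of the
 * name into a buffer reported back to the user would expose. */
size_t leaked_tail(int harden, char *out, size_t outsz)
{
	struct stack_frame f;
	size_t n, extra;

	build_frame(&f, harden);
	n = consumer_strlen(f.ca.name);
	extra = n > sizeof(f.ca.name) ? n - sizeof(f.ca.name) : 0;
	if (extra >= outsz)
		extra = outsz - 1;
	/* the bytes immediately after the name field inside the frame */
	memcpy(out, (const char *)&f + sizeof(f.ca), extra);
	out[extra] = '\0';
	return extra;
}

int main(void)
{
	char tail[32];

	printf("unpatched: %zu bytes past the field, contents \"%s\"\n",
	       leaked_tail(0, tail, sizeof(tail)), tail);
	printf("patched:   %zu bytes past the field\n",
	       bytes_read_past_name(1));
	return 0;
}
```

Without the fix the string consumer walks all 16 'A' bytes, then the 8 bytes of simulated stack contents, and stops only at the constructed 0; with the fix it stops at byte 15 of the field. In the kernel there is no guaranteed 0 byte after the field, which is why the walk ends wherever the stack happens to contain one, and why forcing the terminator inside the field is the right fix rather than checking for one.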

* Re: [PATCH] Bluetooth: hidp: fix buffer overflow
  2019-04-12  7:24 [PATCH] Bluetooth: hidp: fix buffer overflow Young Xiao
@ 2019-04-23 17:04 ` Marcel Holtmann
  0 siblings, 0 replies; 2+ messages in thread
From: Marcel Holtmann @ 2019-04-23 17:04 UTC (permalink / raw)
  To: Young Xiao
  Cc: Johan Hedberg, David S. Miller, viro, linux-bluetooth, netdev,
	linux-kernel, Young Xiao

Hi Young,


> Struct ca is copied from userspace. It is not checked whether the "name"
> field is NULL terminated, which allows local users to obtain potentially
> sensitive information from kernel stack memory, via a HIDPCONNADD command.
> 
> This vulnerability is similar to CVE-2011-1079.
> 
> Signed-off-by: Young Xiao <YangX92@hotmail.com>
> ---
> net/bluetooth/hidp/sock.c | 1 +
> 1 file changed, 1 insertion(+)

patch has been applied to bluetooth-next tree.

Regards

Marcel


