Message ID | 20180419094945.18740-1-kleber.souza@canonical.com |
---|---|
State | New |
Series | [SRU,Trusty,CVE-2017-13220] Bluetooth: hidp_connection_add() unsafe use of l2cap_pi() |
On 04/19/2018 11:49 AM, Kleber Sacilotto de Souza wrote: > From: Al Viro <viro@zeniv.linux.org.uk> > > CVE-2017-13220 > > it's OK after we'd verified the sockets, but not before that. > > Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> > Signed-off-by: Marcel Holtmann <marcel@holtmann.org> > (backported from commit 51bda2bca53b265715ca1852528f38dc67429d9a) > Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> Looks simple enough. Signed-off-by: Juerg Haefliger <juergh@canonical.com> > --- > net/bluetooth/hidp/core.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c > index 2495dbc25899..89e6bf91f7cc 100644 > --- a/net/bluetooth/hidp/core.c > +++ b/net/bluetooth/hidp/core.c > @@ -1435,13 +1435,14 @@ int hidp_connection_add(struct hidp_connadd_req *req, > { > struct hidp_session *session; > struct l2cap_conn *conn; > - struct l2cap_chan *chan = l2cap_pi(ctrl_sock->sk)->chan; > + struct l2cap_chan *chan; > int ret; > > ret = hidp_verify_sockets(ctrl_sock, intr_sock); > if (ret) > return ret; > > + chan = l2cap_pi(ctrl_sock->sk)->chan; > conn = NULL; > l2cap_chan_lock(chan); > if (chan->conn) { >
On 19.04.2018 11:49, Kleber Sacilotto de Souza wrote: > From: Al Viro <viro@zeniv.linux.org.uk> > > CVE-2017-13220 > > it's OK after we'd verified the sockets, but not before that. > > Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> > Signed-off-by: Marcel Holtmann <marcel@holtmann.org> > (backported from commit 51bda2bca53b265715ca1852528f38dc67429d9a) > Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> > --- > net/bluetooth/hidp/core.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c > index 2495dbc25899..89e6bf91f7cc 100644 > --- a/net/bluetooth/hidp/core.c > +++ b/net/bluetooth/hidp/core.c > @@ -1435,13 +1435,14 @@ int hidp_connection_add(struct hidp_connadd_req *req, > { > struct hidp_session *session; > struct l2cap_conn *conn; > - struct l2cap_chan *chan = l2cap_pi(ctrl_sock->sk)->chan; > + struct l2cap_chan *chan; > int ret; > > ret = hidp_verify_sockets(ctrl_sock, intr_sock); > if (ret) > return ret; > > + chan = l2cap_pi(ctrl_sock->sk)->chan; > conn = NULL; > l2cap_chan_lock(chan); > if (chan->conn) { >
On 19.04.2018 11:49, Kleber Sacilotto de Souza wrote: > From: Al Viro <viro@zeniv.linux.org.uk> > > CVE-2017-13220 > > it's OK after we'd verified the sockets, but not before that. > > Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> > Signed-off-by: Marcel Holtmann <marcel@holtmann.org> > (backported from commit 51bda2bca53b265715ca1852528f38dc67429d9a) > Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> > --- Applied to trusty/master-next > net/bluetooth/hidp/core.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c > index 2495dbc25899..89e6bf91f7cc 100644 > --- a/net/bluetooth/hidp/core.c > +++ b/net/bluetooth/hidp/core.c > @@ -1435,13 +1435,14 @@ int hidp_connection_add(struct hidp_connadd_req *req, > { > struct hidp_session *session; > struct l2cap_conn *conn; > - struct l2cap_chan *chan = l2cap_pi(ctrl_sock->sk)->chan; > + struct l2cap_chan *chan; > int ret; > > ret = hidp_verify_sockets(ctrl_sock, intr_sock); > if (ret) > return ret; > > + chan = l2cap_pi(ctrl_sock->sk)->chan; > conn = NULL; > l2cap_chan_lock(chan); > if (chan->conn) { >
diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c index 2495dbc25899..89e6bf91f7cc 100644 --- a/net/bluetooth/hidp/core.c +++ b/net/bluetooth/hidp/core.c @@ -1435,13 +1435,14 @@ int hidp_connection_add(struct hidp_connadd_req *req, { struct hidp_session *session; struct l2cap_conn *conn; - struct l2cap_chan *chan = l2cap_pi(ctrl_sock->sk)->chan; + struct l2cap_chan *chan; int ret; ret = hidp_verify_sockets(ctrl_sock, intr_sock); if (ret) return ret; + chan = l2cap_pi(ctrl_sock->sk)->chan; conn = NULL; l2cap_chan_lock(chan); if (chan->conn) {
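Review bot: The assignment `chan = l2cap_pi(ctrl_sock->sk)->chan;`, now placed after the `if (ret) return ret;` check, depends on `hidp_verify_sockets(ctrl_sock, intr_sock)` having succeeded, and nothing in the code records that ordering requirement. A one-line comment above the assignment, stating that `l2cap_pi()` may only be applied to `ctrl_sock->sk` once the sockets have been verified, would keep a later cleanup from folding the initialisation back into the declaration of `chan`. The commit message would also be easier to audit if it named what goes wrong with the earlier use, since "it's OK after we'd verified the sockets, but not before that" leaves the failure mode unstated.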