From patchwork Fri Oct 12 12:46:47 2018
X-Patchwork-Submitter: Kleber Sacilotto de Souza
X-Patchwork-Id: 983044
From: Kleber Sacilotto de Souza
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Trusty][Bionic][PATCH 1/1] Bluetooth: hidp: buffer overflow in hidp_process_report
Date: Fri, 12 Oct 2018 14:46:47 +0200
Message-Id: <20181012124647.12314-2-kleber.souza@canonical.com>
In-Reply-To: <20181012124647.12314-1-kleber.souza@canonical.com>
References: <20181012124647.12314-1-kleber.souza@canonical.com>
List-Id: Kernel team discussions

From: Mark Salyzyn CVE-2018-9363 The buffer length is unsigned at all layers, but gets cast to int and checked in hidp_process_report and can lead to a buffer overflow. Switch len parameter to unsigned int to resolve issue. This affects 3.18 and newer kernels. Signed-off-by: Mark Salyzyn Fixes: a4b1b5877b514b276f0f31efe02388a9c2836728 ("HID: Bluetooth: hidp: make sure input buffers are big enough") Cc: Marcel Holtmann Cc: Johan Hedberg Cc: "David S. Miller" Cc: Kees Cook Cc: Benjamin Tissoires Cc: linux-bluetooth@vger.kernel.org Cc: netdev@vger.kernel.org Cc: linux-kernel@vger.kernel.org Cc: security@kernel.org Cc: kernel-team@android.com Acked-by: Kees Cook Signed-off-by: Marcel Holtmann (cherry picked from commit 7992c18810e568b95c869b227137a2215702a805) Signed-off-by: Kleber Sacilotto de Souza Acked-by: Stefan Bader Acked-by: Colin Ian King --- net/bluetooth/hidp/core.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c index f2cec70d520c..c3b23ab2b723 100644 --- a/net/bluetooth/hidp/core.c +++ b/net/bluetooth/hidp/core.c @@ -431,8 +431,8 @@ static void hidp_del_timer(struct hidp_session *session) del_timer(&session->timer); } -static void hidp_process_report(struct hidp_session *session, - int type, const u8 *data, int len, int intr) +static void hidp_process_report(struct hidp_session *session, int type, + const u8 *data, unsigned int len, int intr) { if (len > HID_MAX_BUFFER_SIZE) len = HID_MAX_BUFFER_SIZE;
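
Review bot: The clamp `if (len > HID_MAX_BUFFER_SIZE)` at the top of hidp_process_report is only correct while len stays unsigned, and nothing in the function records that. A one-line comment above the check, saying that len must remain unsigned so a large value cannot become negative and skip the clamp, would keep a later refactor from reintroducing `int len`. The diffstat shows only the signature changing (2 insertions, 2 deletions), so for the Trusty and Bionic backports it is also worth confirming that every caller passes an unsigned length and none stores it in an int before the call, since a conversion at the call site would defeat the fix. The neighbouring `int type` and `int intr` parameters are untouched and look fine as they are.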
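
The signed-versus-unsigned clamp described in the commit message, as an added example that is not part of the original patch or the kernel source. It assumes a buffer limit of 4096 (`DEMO_MAX_BUFFER_SIZE`, a demo constant) and uses the hypothetical helper names `clamp_len_signed` and `clamp_len_unsigned`.

```c
#include <stdio.h>

/* Assumed limit for this demo; the kernel's HID_MAX_BUFFER_SIZE value is not quoted on the page. */
#define DEMO_MAX_BUFFER_SIZE 4096

/* Pre-fix shape: the unsigned length arrives as int, so the clamp is a signed compare. */
static unsigned int clamp_len_signed(int len)
{
    if (len > DEMO_MAX_BUFFER_SIZE)
        len = DEMO_MAX_BUFFER_SIZE;
    /* Later layers treat the length as unsigned again, so return it that way. */
    return (unsigned int)len;
}

/* Post-fix shape: len stays unsigned, so every oversized value is clamped. */
static unsigned int clamp_len_unsigned(unsigned int len)
{
    if (len > DEMO_MAX_BUFFER_SIZE)
        len = DEMO_MAX_BUFFER_SIZE;
    return len;
}

int main(void)
{
    /* Constructed sample lengths: normal, slightly oversized, and above INT_MAX. */
    const unsigned int samples[] = { 64u, 5000u, 0x80000010u };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        unsigned int raw = samples[i];
        /* Converting a value above INT_MAX to int is implementation-defined;
         * GCC and Clang wrap it to a negative number, which passes the signed clamp. */
        printf("raw=%u signed-path=%u unsigned-path=%u\n",
               raw, clamp_len_signed((int)raw), clamp_len_unsigned(raw));
    }
    return 0;
}
```

The third sample is the interesting one: the signed path returns the original oversized length unchanged, while the unsigned path clamps it to the limit.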