• Mark Salyzyn's avatar
    Bluetooth: hidp: buffer overflow in hidp_process_report · 7992c188
    Mark Salyzyn authored
    CVE-2018-9363
    
    The buffer length is unsigned at all layers, but gets cast to int and
    checked in hidp_process_report and can lead to a buffer overflow.
    Switch len parameter to unsigned int to resolve issue.
    
    This affects 3.18 and newer kernels.
    Signed-off-by: default avatarMark Salyzyn <salyzyn@android.com>
    Fixes: a4b1b587 ("HID: Bluetooth: hidp: make sure input buffers are big enough")
    Cc: Marcel Holtmann <marcel@holtmann.org>
    Cc: Johan Hedberg <johan.hedberg@gmail.com>
    Cc: "David S. Miller" <davem@davemloft.net>
    Cc: Kees Cook <keescook@chromium.org>
    Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
    Cc: linux-bluetooth@vger.kernel.org
    Cc: netdev@vger.kernel.org
    Cc: linux-kernel@vger.kernel.org
    Cc: security@kernel.org
    Cc: kernel-team@android.com
    Acked-by: default avatarKees Cook <keescook@chromium.org>
    Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
    7992c188
core.c 38.7 KB