From patchwork Fri Oct 12 12:46:47 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
X-Patchwork-Id: 983044
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com
	(client-ip=91.189.94.19; helo=huckleberry.canonical.com;
	envelope-from=kernel-team-bounces@lists.ubuntu.com;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none)
	header.from=canonical.com
Received: from huckleberry.canonical.com (huckleberry.canonical.com
	[91.189.94.19])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 42WnfG3RTkz9sB5;
	Fri, 12 Oct 2018 23:47:02 +1100 (AEDT)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.86_2)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1gAwqF-0008Ji-5s; Fri, 12 Oct 2018 12:46:55 +0000
Received: from youngberry.canonical.com ([91.189.89.112])
	by huckleberry.canonical.com with esmtps
	(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128)
	(Exim 4.86_2) (envelope-from <kleber.souza@canonical.com>)
	id 1gAwqC-0008JP-Ph
	for kernel-team@lists.ubuntu.com; Fri, 12 Oct 2018 12:46:52 +0000
Received: from mail-wm1-f69.google.com ([209.85.128.69])
	by youngberry.canonical.com with esmtps
	(TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.76) (envelope-from <kleber.souza@canonical.com>)
	id 1gAwqC-0001yX-IK
	for kernel-team@lists.ubuntu.com; Fri, 12 Oct 2018 12:46:52 +0000
Received: by mail-wm1-f69.google.com with SMTP id g8-v6so6076766wmg.2
	for <kernel-team@lists.ubuntu.com>;
	Fri, 12 Oct 2018 05:46:52 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to
	:references;
	bh=G4zNOl61BTYyUKywyKtJWkmm8audlN1V++GMqU9cbrs=;
	b=BuRKNR+D+5HbJZ726KHhDbp+86JA/HkpKdezKaLJZoRkQvWAMhVKaH9smlnu9suewJ
	pCDTSytMECJhcQ/oGTLGCb7mQMk3efIkdyokroIKRjvCO2yGzvhYpH+t37ncdaSRovWw
	qHS05VQ12LZl6Wy5iYwl8RoYplKCHZpdGE8dA7QIGwhxuHuHUUYuhSy0IKrHD3lfuppF
	oTmFvWHiIvigbN6BBqOnonnK8AXT8nSsQhcYyOPw8std4GyCzd3wdW76jsNbzF6fP6FP
	qhOMF8DIpAKhlNzQT+1q0iJjqnQVe0B0qQ595YBce8R9q25L5zP2tt849oSeWQuWU39m
	i+gg==
X-Gm-Message-State: ABuFfoj3n+ln7UZiqDYu14T14qISST9s1ydsGtYsaO7DgXRBgWO+wy5G
	9Xxq9evnf+L8F7B4l770ybyq91SwyM5xuN6P833+70dcuf2fR8wWOQ0xWbWiJc8kVXAU6MGGfUn
	n3E01mqGxTBiuIIUp/BjWgwP/k2wNdrF5Waj14Rg2cw==
X-Received: by 2002:adf:8909:: with SMTP id
	s9-v6mr5251029wrs.309.1539348411905;
	Fri, 12 Oct 2018 05:46:51 -0700 (PDT)
X-Google-Smtp-Source: 
 ACcGV61HTGXOhJsUn8I00bVlmmiWUxH4NHuJoygEwPReMFTYRFTlXtTot9WhTKgj0Htna1xmyiZXNQ==
X-Received: by 2002:adf:8909:: with SMTP id
	s9-v6mr5251004wrs.309.1539348411614;
	Fri, 12 Oct 2018 05:46:51 -0700 (PDT)
Received: from localhost ([212.121.131.210])
	by smtp.gmail.com with ESMTPSA id
	u10-v6sm1200801wrt.59.2018.10.12.05.46.50
	for <kernel-team@lists.ubuntu.com>
	(version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
	Fri, 12 Oct 2018 05:46:50 -0700 (PDT)
From: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Trusty][Bionic][PATCH 1/1] Bluetooth: hidp: buffer overflow in
	hidp_process_report
Date: Fri, 12 Oct 2018 14:46:47 +0200
Message-Id: <20181012124647.12314-2-kleber.souza@canonical.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20181012124647.12314-1-kleber.souza@canonical.com>
References: <20181012124647.12314-1-kleber.souza@canonical.com>
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
MIME-Version: 1.0
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

From: Mark Salyzyn <salyzyn@android.com>

CVE-2018-9363

The buffer length is unsigned at all layers, but gets cast to int and
checked in hidp_process_report and can lead to a buffer overflow.
Switch len parameter to unsigned int to resolve issue.

This affects 3.18 and newer kernels.

Signed-off-by: Mark Salyzyn <salyzyn@android.com>
Fixes: a4b1b5877b514b276f0f31efe02388a9c2836728 ("HID: Bluetooth: hidp: make sure input buffers are big enough")
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Kees Cook <keescook@chromium.org>
Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Cc: linux-bluetooth@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: security@kernel.org
Cc: kernel-team@android.com
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

(cherry picked from commit 7992c18810e568b95c869b227137a2215702a805)
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Colin Ian King <colin.king@canonical.com>
---
 net/bluetooth/hidp/core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
index f2cec70d520c..c3b23ab2b723 100644
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -431,8 +431,8 @@ static void hidp_del_timer(struct hidp_session *session)
 		del_timer(&session->timer);
 }
 
-static void hidp_process_report(struct hidp_session *session,
-				int type, const u8 *data, int len, int intr)
+static void hidp_process_report(struct hidp_session *session, int type,
+				const u8 *data, unsigned int len, int intr)
 {
 	if (len > HID_MAX_BUFFER_SIZE)
 		len = HID_MAX_BUFFER_SIZE;