From patchwork Wed May 1 22:15:56 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bethany Jamison X-Patchwork-Id: 1930360
From: Bethany Jamison To: kernel-team@lists.ubuntu.com Subject: [SRU][M/F][PATCH 1/1] Bluetooth: hci_core: Fix possible buffer overflow Date: Wed, 1 May 2024 17:15:56 -0500 Message-Id: <20240501221556.24450-2-bethany.jamison@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240501221556.24450-1-bethany.jamison@canonical.com> References: <20240501221556.24450-1-bethany.jamison@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Luiz Augusto von Dentz [ Upstream commit 81137162bfaa7278785b24c1fd2e9e74f082e8e4 ] struct hci_dev_info has a fixed size name[8] field so in the event that hdev->name is bigger than that strcpy would attempt to write past its size, so this fixes this problem by switching to use strscpy. Fixes: dcda165706b9 ("Bluetooth: hci_core: Fix build warnings") Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Sasha Levin (cherry picked from commit a41c8efe659caed0e21422876bbb6b73c15b5244 linux-6.6.y) CVE-2024-26889 Signed-off-by: Bethany Jamison --- net/bluetooth/hci_core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c index 35aaed40bfed0..f46f1e7048a37 100644 --- a/net/bluetooth/hci_core.c +++ b/net/bluetooth/hci_core.c @@ -908,7 +908,7 @@ int hci_get_dev_info(void __user *arg) else flags = hdev->flags; - strcpy(di.name, hdev->name); + strscpy(di.name, hdev->name, sizeof(di.name)); di.bdaddr = hdev->bdaddr; di.type = (hdev->bus & 0x0f) | ((hdev->dev_type & 0x03) << 4); di.flags = flags;
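Review bot: the return value of strscpy() on the changed line in hci_get_dev_info() is discarded, so when hdev->name does not fit in di.name the name returned through arg is silently truncated. strscpy() returns -E2BIG in that case; since the commit message says name[8] is fixed-size and hdev->name can be longer, it would help to state in the commit message or a short comment that truncation is the intended result for this user-facing struct, or to check the return value and report it. The visible context also does not show how di is initialised: if it is not zeroed or fully overwritten before this line, strscpy_pad(di.name, hdev->name, sizeof(di.name)) would keep stale bytes after the terminator from being copied out to user space.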