RAVENPLAT-247:Kernel components bluetooth - CVE-2018-9363[1/1]

PD#SWPL-15901

Problem:
In the hidp_process_report in bluetooth, there is an integer overflow.
This could lead to an out of bounds write with no additional execution
privileges needed.  User interaction is not needed for exploitation.

Solution:
The fix is designed to make the length an unsigned integer and prevent
the overflow condition.

Platform:
Raven

Verify:
Raven

Change-Id: I2f7b2c5aea90120777177a4bdf238110e2ec22e2
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
Hanjie Lin
2018-12-19 17:17:51 +08:00
committed by Chris
parent 3b8437f9c2
commit 6933bb77ea


@@ -431,8 +431,8 @@ static void hidp_del_timer(struct hidp_session *session)
del_timer(&session->timer);
}
static void hidp_process_report(struct hidp_session *session,
int type, const u8 *data, int len, int intr)
static void hidp_process_report(struct hidp_session *session, int type,
const u8 *data, unsigned int len, int intr)
{
if (len > HID_MAX_BUFFER_SIZE)
len = HID_MAX_BUFFER_SIZE;
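Review bot: the switch to `unsigned int len` in the new signature only closes the hole if every caller already passes an unsigned length; the callers are not in this hunk, so please confirm none of them derives the value through signed arithmetic. With `int len`, a negative value passed the `if (len > HID_MAX_BUFFER_SIZE)` check unclamped. With `unsigned int len` the same value converts to a large number and is clamped to `HID_MAX_BUFFER_SIZE`, which bounds the later write but may still exceed what is actually behind `data`. A one-line comment above the clamp saying why `len` must stay unsigned would guard against a later refactor reverting the type, and the commit message could name the defect as a signed length comparison, since that is what the signature change addresses.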