From 6933bb77ea0c4e9dc648f95d3f35f94bc876d55f Mon Sep 17 00:00:00 2001 From: Hanjie Lin Date: Wed, 19 Dec 2018 17:17:51 +0800 Subject: [PATCH] RAVENPLAT-247:Kernel components bluetooth - CVE-2018-9363[1/1] PD#SWPL-15901 Problem: In the hidp_process_report in bluetooth, there is an integer overflow. This could lead to an out of bounds write with no additional execution privileges needed. User interaction is not needed for exploitation. Solution: The fix is designed to make the length an unsigned integer and prevent the overflow condition. Platform: Raven Verify: Raven Change-Id: I2f7b2c5aea90120777177a4bdf238110e2ec22e2 Signed-off-by: Hanjie Lin --- net/bluetooth/hidp/core.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c index 1fc076420d1e..1811f8e7ddf4 100644 --- a/net/bluetooth/hidp/core.c +++ b/net/bluetooth/hidp/core.c @@ -431,8 +431,8 @@ static void hidp_del_timer(struct hidp_session *session) del_timer(&session->timer); } -static void hidp_process_report(struct hidp_session *session, - int type, const u8 *data, int len, int intr) +static void hidp_process_report(struct hidp_session *session, int type, + const u8 *data, unsigned int len, int intr) { if (len > HID_MAX_BUFFER_SIZE) len = HID_MAX_BUFFER_SIZE;
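Review bot: With `unsigned int len` in the new hidp_process_report signature, a negative length passed by a caller is no longer let through the `if (len > HID_MAX_BUFFER_SIZE)` check but is converted to a large value and clamped to HID_MAX_BUFFER_SIZE, so the function carries on as if `data` held that many bytes instead of rejecting the input. The callers are not part of this hunk; please confirm that each one passes a length it has already validated against the real buffer, or consider returning early on an out-of-range length rather than clamping. It would also help to say in the commit message that the defect is a signed `len` slipping past the upper-bound check, since "integer overflow" does not tell a later reader why changing the type is a sufficient fix.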