Hosts the 0x221E linux distro kernel. https://universe.0xinfinity.dev/distro/kernel/atom?h=linux-5.1.y 2019-07-26T07:12:50Z 2019-07-26T07:12:50Z Dan Carpenter dan.carpenter@oracle.com 2019-05-16T18:24:00Z urn:sha1:11f91596e0c385ae61ff2d1e2707e0d1a48c9d37 [ Upstream commit dcae9052ebb0c5b2614de620323d615fcbfda7f8 ] This change is similar to commit a1616a5ac99e ("Bluetooth: hidp: fix buffer overflow") but for the compat ioctl. We take a string from the user and forgot to ensure that it's NUL terminated. I have also changed the strncpy() in to strscpy() in hidp_setup_hid(). The difference is the strncpy() doesn't necessarily NUL terminate the destination string. Either change would fix the problem but it's nice to take a belt and suspenders approach and do both. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2019-05-11T05:49:55Z Young Xiao YangX92@hotmail.com 2019-04-12T07:24:30Z urn:sha1:4d4cafccc6d3af718de78ab23f79feb44ec4d3d3 commit a1616a5ac99ede5d605047a9012481ce7ff18b16 upstream. Struct ca is copied from userspace. It is not checked whether the "name" field is NULL terminated, which allows local users to obtain potentially sensitive information from kernel stack memory, via a HIDPCONNADD command. This vulnerability is similar to CVE-2011-1079. Signed-off-by: Young Xiao <YangX92@hotmail.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-10-25T19:48:22Z Linus Torvalds torvalds@linux-foundation.org 2018-10-25T19:48:22Z urn:sha1:ba7d4f36a2ec7d6f8d9e5c6cabbc57469dd4dc22 Pull compat_ioctl fixes from Al Viro: "A bunch of compat_ioctl fixes, mostly in bluetooth. Hopefully, most of fs/compat_ioctl.c will get killed off over the next few cycles; between this, tty series already merged and Arnd's work this cycle ought to take a good chunk out of the damn thing..." * 'work.compat' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: hidp: fix compat_ioctl hidp: constify hidp_connection_add() cmtp: fix compat_ioctl bnep: fix compat_ioctl compat_ioctl: trim the pointless includes 2018-09-27T09:59:58Z Andrea Parri andrea.parri@amarulasolutions.com 2018-08-14T18:41:06Z urn:sha1:5aac49378742a52bbe8af3d25bc51b487be7b17f The barriers are unneeded; wait_woken() and woken_wake_function() already provide us with the required synchronization: remove them and document that we're relying on the (implicit) synchronization provided by wait_woken() and woken_wake_function(). Signed-off-by: Andrea Parri <andrea.parri@amarulasolutions.com> Reviewed-by: Brian Norris <computersforpeace@gmail.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> 2018-09-10T16:41:07Z Al Viro viro@zeniv.linux.org.uk 2018-08-17T01:55:55Z urn:sha1:702ec3072ae61cdf018725b353ff043e196548a6 1) no point putting it into fs/compat_ioctl.c when you handle it in your ->compat_ioctl() anyway. 2) HIDPCONNADD is *not* COMPATIBLE_IOCTL() stuff at all - it does layout massage (pointer-chasing there) 3) use compat_ptr() Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2018-09-10T16:41:07Z Al Viro viro@zeniv.linux.org.uk 2018-08-17T01:44:35Z urn:sha1:535221481a8ed131e75c7f04c22298411b5abe32 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2018-08-01T07:12:35Z Mark Salyzyn salyzyn@android.com 2018-07-31T22:02:13Z urn:sha1:7992c18810e568b95c869b227137a2215702a805 CVE-2018-9363 The buffer length is unsigned at all layers, but gets cast to int and checked in hidp_process_report and can lead to a buffer overflow. Switch len parameter to unsigned int to resolve issue. This affects 3.18 and newer kernels. Signed-off-by: Mark Salyzyn <salyzyn@android.com> Fixes: a4b1b5877b514b276f0f31efe02388a9c2836728 ("HID: Bluetooth: hidp: make sure input buffers are big enough") Cc: Marcel Holtmann <marcel@holtmann.org> Cc: Johan Hedberg <johan.hedberg@gmail.com> Cc: "David S. Miller" <davem@davemloft.net> Cc: Kees Cook <keescook@chromium.org> Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com> Cc: linux-bluetooth@vger.kernel.org Cc: netdev@vger.kernel.org Cc: linux-kernel@vger.kernel.org Cc: security@kernel.org Cc: kernel-team@android.com Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> 2018-07-30T12:09:54Z Marcel Holtmann marcel@holtmann.org 2018-07-30T11:57:41Z urn:sha1:b3cadaa485f0c20add1644a5c877b0765b285c0c This fixes two issues with setting hid->name information. CC net/bluetooth/hidp/core.o In function ‘hidp_setup_hid’, inlined from ‘hidp_session_dev_init’ at net/bluetooth/hidp/core.c:815:9, inlined from ‘hidp_session_new’ at net/bluetooth/hidp/core.c:953:8, inlined from ‘hidp_connection_add’ at net/bluetooth/hidp/core.c:1366:8: net/bluetooth/hidp/core.c:778:2: warning: ‘strncpy’ output may be truncated copying 127 bytes from a string of length 127 [-Wstringop-truncation] strncpy(hid->name, req->name, sizeof(req->name) - 1); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ CC net/bluetooth/hidp/core.o net/bluetooth/hidp/core.c: In function ‘hidp_setup_hid’: net/bluetooth/hidp/core.c:778:38: warning: argument to ‘sizeof’ in ‘strncpy’ call is the same expression as the source; did you mean to use the size of the destination? [-Wsizeof-pointer-memaccess] strncpy(hid->name, req->name, sizeof(req->name)); ^ Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> 2018-05-26T07:16:44Z Christoph Hellwig hch@lst.de 2018-04-09T13:26:26Z urn:sha1:984652dd8b1f0998b9a181944ad5a00d06f9586f Now that sock_poll handles a NULL ->poll or ->poll_mask there is no need for a stub. Signed-off-by: Christoph Hellwig <hch@lst.de> 2018-01-31T15:23:58Z Jiri Kosina jkosina@suse.cz 2018-01-31T15:23:58Z urn:sha1:c86aa0129c07c8c7f54dc47656de99ab0eb809b3 Pull assorted small fixes queued for merge window.