This is a note to let you know that I've just added the patch titled Bluetooth: hci_sock: fix slab oob read in create_monitor_event to the 5.10-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: bluetooth-hci_sock-fix-slab-oob-read-in-create_monitor_event.patch and it can be found in the queue-5.10 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 18f547f3fc074500ab5d419cf482240324e73a7e Mon Sep 17 00:00:00 2001 From: Edward AD <twuufnxlz@xxxxxxxxx> Date: Tue, 10 Oct 2023 13:36:57 +0800 Subject: Bluetooth: hci_sock: fix slab oob read in create_monitor_event From: Edward AD <twuufnxlz@xxxxxxxxx> commit 18f547f3fc074500ab5d419cf482240324e73a7e upstream. When accessing hdev->name, the actual string length should prevail Reported-by: syzbot+c90849c50ed209d77689@xxxxxxxxxxxxxxxxxxxxxxxxx Fixes: dcda165706b9 ("Bluetooth: hci_core: Fix build warnings") Signed-off-by: Edward AD <twuufnxlz@xxxxxxxxx> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- net/bluetooth/hci_sock.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/bluetooth/hci_sock.c +++ b/net/bluetooth/hci_sock.c @@ -438,7 +438,7 @@ static struct sk_buff *create_monitor_ev ni->type = hdev->dev_type; ni->bus = hdev->bus; bacpy(&ni->bdaddr, &hdev->bdaddr); - memcpy(ni->name, hdev->name, 8); + memcpy(ni->name, hdev->name, strlen(hdev->name)); opcode = cpu_to_le16(HCI_MON_NEW_INDEX); break; Patches currently in stable-queue which might be from twuufnxlz@xxxxxxxxx are queue-5.10/bluetooth-hci_sock-correctly-bounds-check-and-pad-hci_mon_new_index-name.patch queue-5.10/bluetooth-hci_sock-fix-slab-oob-read-in-create_monitor_event.patch
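Review bot: In the `HCI_MON_NEW_INDEX` branch of `create_monitor_event()`, the new copy length `strlen(hdev->name)` has no upper bound tied to the destination, so the out-of-bounds read on the source is traded for a possible out-of-bounds write on `ni->name`. The removed line copied a fixed 8 bytes, which suggests `ni->name` is an 8-byte field (its declaration is not visible in this hunk); any `hdev->name` longer than that would now overrun it. Clamp the length to the destination, for example `min(strlen(hdev->name), sizeof(ni->name))`, or use a bounded copy helper that also pads the remainder. Note also that `strlen()` excludes the terminating NUL, so the field is only terminated or padded if the buffer was zeroed beforehand, which these lines do not show. The queue listing at the end of this mail names a companion patch, bluetooth-hci_sock-correctly-bounds-check-and-pad-hci_mon_new_index-name.patch, whose title indicates it covers the bounds check and padding; the two should be applied to 5.10-stable together rather than this one alone.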