On Wed, Aug 01, 2018 at 09:41:04AM -0700, Mark Salyzyn wrote: > On 08/01/2018 09:37 AM, Greg KH wrote: > > On Tue, Jul 31, 2018 at 03:02:13PM -0700, Mark Salyzyn wrote: > > > CVE-2018-9363 > > > > > > The buffer length is unsigned at all layers, but gets cast to int and > > > checked in hidp_process_report and can lead to a buffer overflow. > > > Switch len parameter to unsigned int to resolve issue. > > > > > > This affects 3.18 and newer kernels. > > > > > > Signed-off-by: Mark Salyzyn <salyzyn@xxxxxxxxxxx> > > > Fixes: a4b1b5877b514b276f0f31efe02388a9c2836728 ("HID: Bluetooth: hidp: make sure input buffers are big enough") > > > Cc: Marcel Holtmann <marcel@xxxxxxxxxxxx> > > > Cc: Johan Hedberg <johan.hedberg@xxxxxxxxx> > > > Cc: "David S. Miller" <davem@xxxxxxxxxxxxx> > > > Cc: Kees Cook <keescook@xxxxxxxxxxxx> > > > Cc: Benjamin Tissoires <benjamin.tissoires@xxxxxxxxxx> > > > Cc: linux-bluetooth@xxxxxxxxxxxxxxx > > > Cc: netdev@xxxxxxxxxxxxxxx > > > Cc: linux-kernel@xxxxxxxxxxxxxxx > > > Cc: security@xxxxxxxxxx > > > Cc: kernel-team@xxxxxxxxxxx > > Nit, you only need to bother security@ if you do not have a fix and need > > to figure out one. > > Thanks, I thought anything with a CVE was to go there according to netdev > FAQ (dropped security from response list). > > Also, you forgot to cc: stable@xxxxxxxxxxxxxxx to be included in older > > kernel releases :( > netdev FAQ said to _not_ copy stable, I am so confused ;-{ (added stable to > response list b/c patch is now taken into bluetooth-next) Ah, well, bluetooth is a bit not normal here, usually stuff that ends up in a subsystem tree before netdev needs to have a cc: stable on it for me to catch it. Hopefully the bluetooth maintainers are on it :) thanks, greg k-h