Commit 6fa345d0 authored Jun 04, 2024 by Luiz Augusto von Dentz Committed by Guo Mengqi Jun 04, 2024

Bluetooth: hci_core: Fix possible buffer overflow

stable inclusion
from stable-v5.10.214
commit d47e6c1932cee02954ea588c9f09fd5ecefeadfc
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9HKEA
CVE: CVE-2024-26889

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=d47e6c1932cee02954ea588c9f09fd5ecefeadfc



--------------------------------

[ Upstream commit 81137162bfaa7278785b24c1fd2e9e74f082e8e4 ]

struct hci_dev_info has a fixed size name[8] field so in the event that
hdev->name is bigger than that strcpy would attempt to write past its
size, so this fixes this problem by switching to use strscpy.

Fixes: dcda1657 ("Bluetooth: hci_core: Fix build warnings")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Li Zetao <lizetao1@huawei.com>

parent 83e8197d

net/bluetooth/hci_core.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -2175,7 +2175,7 @@ int hci_get_dev_info(void __user *arg)
		else
		flags = hdev->flags;

		strcpy(di.name, hdev->name);
		strscpy(di.name, hdev->name, sizeof(di.name));
		di.bdaddr = hdev->bdaddr;
		di.type = (hdev->bus & 0x0f) \| ((hdev->dev_type & 0x03) << 4);
		di.flags = flags;