A buffer overflow due to a singed-unsigned comparsion was found in hidp_process_report() in the net/bluetooth/hidp/core.c in the Linux kernel. The buffer length is an unsigned int but gets cast to a signed int which in certain conditions can lead to a system panic and a denial-of-service. Introduced by: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a4b1b5877b514b276f0f31efe02388a9c2836728 Fixed by: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7992c18810e568b95c869b227137a2215702a805
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1623074]
This was fixed for Fedora with the 4.17.16 stable kernel updates.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:2948 https://access.redhat.com/errata/RHSA-2018:2948
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2029 https://access.redhat.com/errata/RHSA-2019:2029
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2043 https://access.redhat.com/errata/RHSA-2019:2043