author | Adrian Stratulat <adrian.stratulat@enea.com> | 2019-10-30 12:41:45 +0100 |
---|---|---|
committer | Adrian Stratulat <adrian.stratulat@enea.com> | 2019-10-30 12:43:37 +0100 |
commit | 2c42279f9525e846bc2fc0f326f32b8f7d48c8ea (patch) | |
tree | 6e15b4a97ae3e77fbb0c846e9028b939dc1c555d | |
parent | e5a7bd1d7d58dcfed990079e8f7377a4df875454 (diff) | |
download | enea-kernel-cache-2c42279f9525e846bc2fc0f326f32b8f7d48c8ea.tar.gz |
input: CVE-2017-16643
Input: gtco - fix potential out-of-bound access
References:
https://nvd.nist.gov/vuln/detail/CVE-2017-16643
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a50829479f58416a013a4ccca791336af3c584c7
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=52f65e35c2b85908fa66cfc265be4e3fd88744a3
Change-Id: I24cfded743d99eade9048ef89b6e9bbd3db0510e
Signed-off-by: Adrian Stratulat <adrian.stratulat@enea.com>
-rw-r--r-- | patches/cve/CVE-2017-16643.patch | 63 |
1 files changed, 63 insertions, 0 deletions
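diff --git a/patches/cve/CVE-2017-16643.patch b/patches/cve/CVE-2017-16643.patch
new file mode 100644
index 0000000..2be1c82
--- /dev/null
+++ b/patches/cve/CVE-2017-16643.patch
@@ -0,0 +1,63 @@
+From 52f65e35c2b85908fa66cfc265be4e3fd88744a3 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 23 Oct 2017 16:46:00 -0700
+Subject: Input: gtco - fix potential out-of-bound access
+
+commit a50829479f58416a013a4ccca791336af3c584c7 upstream.
+
+parse_hid_report_descriptor() has a while (i < length) loop, which
+only guarantees that there's at least 1 byte in the buffer, but the
+loop body can read multiple bytes which causes out-of-bounds access.
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=52f65e35c2b85908fa66cfc265be4e3fd88744a3]
+CVE: CVE-2017-16643
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Reviewed-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Adrian Stratulat <adrian.stratulat@enea.com>
+---
+drivers/input/tablet/gtco.c | 17 ++++++++++-------
+1 file changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c
+index abf09ac42ce4..339a0e2d2f86 100644
+--- a/drivers/input/tablet/gtco.c
++++ b/drivers/input/tablet/gtco.c
+@@ -231,13 +231,17 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
+
+/* Walk this report and pull out the info we need */
+while (i < length) {
+- prefix = report[i];
+-
+- /* Skip over prefix */
+- i++;
++ prefix = report[i++];
+
+/* Determine data size and save the data in the proper variable */
+- size = PREF_SIZE(prefix);
++ size = (1U << PREF_SIZE(prefix)) >> 1;
++ if (i + size > length) {
++ dev_err(ddev,
++ "Not enough data (need %d, have %d)\n",
++ i + size, length);
++ break;
++ }
++
+switch (size) {
+case 1:
+data = report[i];
+@@ -245,8 +249,7 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
+case 2:
+data16 = get_unaligned_le16(&report[i]);
+break;
+- case 3:
+- size = 4;
++ case 4:
+data32 = get_unaligned_le32(&report[i]);
+break;
+}
+--
+cgit 1.2-0.3.lf.el7
+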
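Review bot: The commit changes one file only (`1 files changed, 63 insertions`), so nothing on this page shows `patches/cve/CVE-2017-16643.patch` being referenced from whatever series or feature file selects patches for the kernel build. If no such entry exists elsewhere, the fix is stored in the tree but never applied, and the CVE can look handled when it is not. It is worth confirming in the built kernel source that `parse_hid_report_descriptor()` actually contains the `if (i + size > length)` guard. On the embedded change itself, the guard sits ahead of the `switch (size)` reads, but the function is `void` and the loop only `break`s, so the caller continues with whatever was parsed before the truncated item. The rest of the loop body and the caller lie outside the hunk, so whether that partial state is safe cannot be judged from here.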