diff options
| author | Adrian Stratulat <adrian.stratulat@enea.com> | 2019-10-30 12:41:45 +0100 |
|---|---|---|
| committer | Adrian Stratulat <adrian.stratulat@enea.com> | 2019-10-30 12:43:37 +0100 |
| commit | 2c42279f9525e846bc2fc0f326f32b8f7d48c8ea (patch) | |
| tree | 6e15b4a97ae3e77fbb0c846e9028b939dc1c555d | |
| parent | e5a7bd1d7d58dcfed990079e8f7377a4df875454 (diff) | |
| download | enea-kernel-cache-2c42279f9525e846bc2fc0f326f32b8f7d48c8ea.tar.gz | |
input: CVE-2017-16643
Input: gtco - fix potential out-of-bound access
References:
https://nvd.nist.gov/vuln/detail/CVE-2017-16643
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a50829479f58416a013a4ccca791336af3c584c7
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=52f65e35c2b85908fa66cfc265be4e3fd88744a3
Change-Id: I24cfded743d99eade9048ef89b6e9bbd3db0510e
Signed-off-by: Adrian Stratulat <adrian.stratulat@enea.com>
| -rw-r--r-- | patches/cve/CVE-2017-16643.patch | 63 |
1 files changed, 63 insertions, 0 deletions
diff --git a/patches/cve/CVE-2017-16643.patch b/patches/cve/CVE-2017-16643.patch new file mode 100644 index 0000000..2be1c82 --- /dev/null +++ b/patches/cve/CVE-2017-16643.patch | |||
| @@ -0,0 +1,63 @@ | |||
| 1 | From 52f65e35c2b85908fa66cfc265be4e3fd88744a3 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Dmitry Torokhov <dmitry.torokhov@gmail.com> | ||
| 3 | Date: Mon, 23 Oct 2017 16:46:00 -0700 | ||
| 4 | Subject: Input: gtco - fix potential out-of-bound access | ||
| 5 | |||
| 6 | commit a50829479f58416a013a4ccca791336af3c584c7 upstream. | ||
| 7 | |||
| 8 | parse_hid_report_descriptor() has a while (i < length) loop, which | ||
| 9 | only guarantees that there's at least 1 byte in the buffer, but the | ||
| 10 | loop body can read multiple bytes which causes out-of-bounds access. | ||
| 11 | |||
| 12 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=52f65e35c2b85908fa66cfc265be4e3fd88744a3] | ||
| 13 | CVE: CVE-2017-16643 | ||
| 14 | |||
| 15 | Reported-by: Andrey Konovalov <andreyknvl@google.com> | ||
| 16 | Reviewed-by: Andrey Konovalov <andreyknvl@google.com> | ||
| 17 | Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> | ||
| 18 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | ||
| 19 | Signed-off-by: Adrian Stratulat <adrian.stratulat@enea.com> | ||
| 20 | --- | ||
| 21 | drivers/input/tablet/gtco.c | 17 ++++++++++------- | ||
| 22 | 1 file changed, 10 insertions(+), 7 deletions(-) | ||
| 23 | |||
| 24 | diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c | ||
| 25 | index abf09ac42ce4..339a0e2d2f86 100644 | ||
| 26 | --- a/drivers/input/tablet/gtco.c | ||
| 27 | +++ b/drivers/input/tablet/gtco.c | ||
| 28 | @@ -231,13 +231,17 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report, | ||
| 29 | |||
| 30 | /* Walk this report and pull out the info we need */ | ||
| 31 | while (i < length) { | ||
| 32 | - prefix = report[i]; | ||
| 33 | - | ||
| 34 | - /* Skip over prefix */ | ||
| 35 | - i++; | ||
| 36 | + prefix = report[i++]; | ||
| 37 | |||
| 38 | /* Determine data size and save the data in the proper variable */ | ||
| 39 | - size = PREF_SIZE(prefix); | ||
| 40 | + size = (1U << PREF_SIZE(prefix)) >> 1; | ||
| 41 | + if (i + size > length) { | ||
| 42 | + dev_err(ddev, | ||
| 43 | + "Not enough data (need %d, have %d)\n", | ||
| 44 | + i + size, length); | ||
| 45 | + break; | ||
| 46 | + } | ||
| 47 | + | ||
| 48 | switch (size) { | ||
| 49 | case 1: | ||
| 50 | data = report[i]; | ||
| 51 | @@ -245,8 +249,7 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report, | ||
| 52 | case 2: | ||
| 53 | data16 = get_unaligned_le16(&report[i]); | ||
| 54 | break; | ||
| 55 | - case 3: | ||
| 56 | - size = 4; | ||
| 57 | + case 4: | ||
| 58 | data32 = get_unaligned_le32(&report[i]); | ||
| 59 | break; | ||
| 60 | } | ||
| 61 | -- | ||
| 62 | cgit 1.2-0.3.lf.el7 | ||
| 63 | |||